Software testing knowledge reserve: how much do you know about the basic knowledge of "login security"?
2022-07-07 06:14:00 【Software testing Fairy】
As testers, when given the keyword "login", we probably think of use cases such as whether the username and password are valid, whether they are empty, whether they are correct, and so on.
But in today's information age, "login security" has become a very popular and common topic. Today I would like to share my personal understanding of the basics of login security.
Concept popularization
Before getting into login security, let's first explain two basic concepts: the "database" (库) and "credential stuffing" (撞库).
The original Baidu description is: "Credential stuffing is when hackers collect leaked Internet usernames and passwords, generate a corresponding dictionary table, and try to log in to other websites in batches to obtain a list of users who can log in. Because many users use the same account and password on different websites, a hacker can take a user's account for website A and try to log in to website B with it; this can be understood as a collision attack."
Looked at from another angle: many users' accounts and passwords are aggregated together and form a "database" (库). Criminals who steal such account information will then try, by every available means, to obtain users' real account credentials. This process of "continually trying" is what we call "collision" (撞), hence "credential stuffing".
Where criminals "collide", officials of course also "defend". To improve the security of user account information, the programmer (just the messenger here) protects the user's account information layer by layer, through a series of measures, when designing login.
Common login security problems
Here are the common scenarios from which we can judge that an account may be under attack:
1. Same password & different accounts, many errors;
2. Same account & different passwords, many errors;
3. SMS verification codes requested frequently.
These scenarios share two characteristics: "within a short period of time" and "from the same device", because when hackers or other criminals continually try to obtain user account and password information, they essentially try different account and password combinations from the same device within a short time.
Solution
Based on the common characteristics of the login security problems above ("within a short period of time" and "same device"), there is a correspondingly clear solution:
1. Limit the maximum number of SMS requests for the same user by IP;
2. Limit the maximum number of password errors for the same user by IP;
3. Limit the maximum number of password errors for the same user by account.
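The three limits above, implemented as sliding-window counters keyed by IP and by account. This is an added example written for this article, not code from the original post or from any product it describes; the limit values, the window length and the sample IPs are constructed for illustration, and a real deployment would tune them against its own traffic and back the counters with shared storage such as Redis rather than process memory.

```python
import time
from collections import defaultdict, deque

# Constructed limits for this example (not the article's numbers).
SMS_PER_IP_LIMIT = 5           # SMS codes one IP may request per window
PW_FAIL_PER_IP_LIMIT = 10      # wrong passwords one IP may submit per window
PW_FAIL_PER_ACCOUNT_LIMIT = 5  # wrong passwords one account may receive per window
WINDOW_SECONDS = 600           # "a short period of time": 10 minutes


class LoginRiskLimiter:
    """Sliding-window event counters keyed by (kind, IP) or (kind, account)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for tests
        self._events = defaultdict(deque)    # key -> timestamps within the window

    def _count(self, key, now):
        """Drop timestamps older than the window, then return how many remain."""
        q = self._events[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def _record(self, key, now):
        self._events[key].append(now)

    def allow_sms(self, ip):
        """Rule 1: cap SMS code requests per IP."""
        now = self._now()
        if self._count(("sms", ip), now) >= SMS_PER_IP_LIMIT:
            return False
        self._record(("sms", ip), now)
        return True

    def check_login(self, ip, account, password_ok):
        """Rules 2 and 3: cap wrong passwords per IP and per account.

        Returns one of "blocked_ip", "blocked_account", "ok", "wrong_password".
        The caps are checked before the password result is consulted, so a
        blocked source learns nothing about whether its guess was right.
        """
        now = self._now()
        if self._count(("pw_ip", ip), now) >= PW_FAIL_PER_IP_LIMIT:
            return "blocked_ip"
        if self._count(("pw_acct", account), now) >= PW_FAIL_PER_ACCOUNT_LIMIT:
            return "blocked_account"
        if password_ok:
            # A genuine user who mistyped a few times should not stay throttled;
            # the per-IP counter is deliberately kept.
            self._events.pop(("pw_acct", account), None)
            return "ok"
        self._record(("pw_ip", ip), now)
        self._record(("pw_acct", account), now)
        return "wrong_password"


def simulate_scenarios():
    """Replay the three suspicious patterns from the article against a fake clock."""
    clock = [1000.0]
    results = {}

    # Scenario 1: same password, many accounts, one IP (constructed IP).
    spray = LoginRiskLimiter(now=lambda: clock[0])
    results["spray"] = [spray.check_login("203.0.113.5", f"user{i}", False) for i in range(12)]

    # Scenario 2: same account, many passwords, one IP.
    brute = LoginRiskLimiter(now=lambda: clock[0])
    results["bruteforce"] = [brute.check_login("203.0.113.6", "alice", False) for _ in range(7)]

    # Scenario 3: SMS codes requested repeatedly from one IP.
    results["sms"] = [brute.allow_sms("203.0.113.6") for _ in range(7)]

    # Once the window has passed, the account is usable again.
    clock[0] += WINDOW_SECONDS
    results["after_window"] = brute.check_login("203.0.113.6", "alice", True)
    return results


if __name__ == "__main__":
    for name, outcome in simulate_scenarios().items():
        print(name, outcome)
```

The test questions the article lists later (what happens once a login is judged risky, what can be reused, how to recover) map directly onto the return values here: "blocked_ip" and "blocked_account" are the measures taken, and the window expiry is the recovery path.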
Test case design
As a professional tester, before designing use cases, besides paying attention to the UI design draft and the requirements document, you can also pay attention to the technical documents provided by development. If conditions permit, understanding the corresponding implementation principle can, to some extent, help improve the coverage of the test cases we design, so that we can test more comprehensively and more deeply, and thereby improve the quality of our products.
From the development technical documents we don't need to understand deep technical principles; we only need to understand the following questions:
1. How is login risk controlled?
2. After the user's login behaviour is judged to be risky, what corresponding measures are taken?
3. After the user's login behaviour is judged to be risky, what can be used again?
4. Is there a way to appeal?
Finally, following the ideas above, you can supplement the corresponding functional test cases. Here is a brief list of some test cases:
In addition, while supplementing business test cases, we can also pay attention to the corresponding interface request specification. In order to obtain the user's real IP as far as possible, interfaces may refer to the HTTP request header specification and require downstream callers to pass X-Forwarded-For when making requests, so as to distinguish the user's real IP.
This can be treated as an interface-testing concern: it reduces risk misjudgements caused by incorrectly reported IPs, which would otherwise leave normal users unable to use product functions.
There are two ways to get the user's real IP address from an HTTP request: one is from the Remote Address, the other is from X-Forwarded-For, but their security and usage scenarios differ. If you want to learn more, you can expand on these keywords yourself~
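The difference in security between the two sources is the point an interface tester should probe: Remote Address is the TCP peer the server actually sees, while X-Forwarded-For is just a request header, so any client can send whatever value it likes. The header is only meaningful for the hops appended by proxies you operate. The function below is an added example, not code from the article or any product it describes; the trusted proxy ranges and the sample requests are constructed for illustration.

```python
import ipaddress

# Constructed example: the reverse proxies / load balancers in front of this
# service. Only these peers are allowed to vouch for a client IP.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr):
    """True if addr parses as an IP and lies inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Return the best-evidence client IP for one request.

    remote_addr: the Remote Address (TCP peer) seen by this server.
    headers:     request headers as a dict; lookup is case-insensitive.

    Rule: if the peer is not a trusted proxy, X-Forwarded-For is ignored
    entirely and the peer address is the client. If the peer is a trusted
    proxy, walk the header from the right, skip the trusted proxy hops, and
    take the first untrusted hop; that is the address the outermost proxy
    observed. Anything malformed falls back to remote_addr.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr   # garbage in the header: do not trust it
        return hop
    return remote_addr          # header absent or only proxy hops listed


def demo_cases():
    """Constructed requests covering the cases an interface test should check."""
    return {
        # Direct connection that forges a header: header must be ignored.
        "direct_forged": client_ip("203.0.113.7", {"X-Forwarded-For": "198.51.100.99"}),
        # Behind one trusted proxy that appended the real client.
        "via_proxy": client_ip("10.0.0.5", {"X-Forwarded-For": "198.51.100.4"}),
        # Client forged a leading value, proxy appended the real one on the right.
        "forged_then_real": client_ip("10.0.0.5", {"x-forwarded-for": "198.51.100.99, 198.51.100.4"}),
        # Two trusted proxies in the chain: skip both, keep the client.
        "two_proxies": client_ip("10.0.0.5", {"X-Forwarded-For": "198.51.100.4, 10.0.0.9"}),
        # Trusted proxy but no header at all.
        "no_header": client_ip("10.0.0.5", {}),
        # Trusted proxy forwarding a malformed value.
        "malformed": client_ip("10.0.0.5", {"X-Forwarded-For": "not-an-ip"}),
    }


if __name__ == "__main__":
    for name, ip in demo_cases().items():
        print(f"{name:18} -> {ip}")
```

For the login limits discussed earlier, the value returned by `client_ip` is what the per-IP counters should be keyed on; keying them on a raw, unvalidated X-Forwarded-For value would let a single source spread its attempts across arbitrary fake addresses, and could equally let a forged value lock out an innocent user's real address.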
Learn a little every day, and sooner or later you can go from rookie to expert~
Finally:
You can visit my personal account, atstudy-js, where you can get a free 10G collection of classic software test engineer interview documents, and the corresponding video tutorials are shared for free too! They cover basic knowledge, Linux essentials, the MySQL database, packet capture tools, interface testing tools, advanced testing with Python programming, Web automated testing, APP automated testing, interface automation testing, advanced continuous integration, test architecture and test framework development, performance testing, and more.
For those doing software testing, this material should be the most comprehensive and complete preparation library; it also accompanied me through the hardest part of the journey, and I hope it can help you!