Interface problems we have encountered
2022-06-29 01:10:00 【Xiaowu knock code】
Our day-to-day interface testing work mainly verifies the functionality of an interface (input parameters, output parameters, boundary values and so on). Below are some interface security problems that Mumu ran into during interface testing, collected into general test points. They will not apply to every product and are offered only for reference.
1. Login interface verification
Verify whether the password in the login request is encrypted
This test point sounds trivial; everyone knows the password must be encrypted. But in many cases developers overlook it when rushing to meet a deadline, so when you test the login function, always open the browser developer tools (F12) and check whether the password in the login request is ciphertext rather than plaintext.
Verify whether the login interface can be brute-forced
For systems with high security requirements, the test must verify whether the login can be brute-forced; Burp Suite can be used to run a brute-force login test. Of course, many systems now log in with a phone number and a dynamic code. If a system still logs in with a regular account and password, we must question its security: does the password strength meet the Multi-Level Protection Scheme (等保) requirements? Should a CAPTCHA be added?
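The brute-force test point above can be turned into an automated check that runs against the login service under test. The example below is added here and is not code from the original post or from any system it describes: it is a small login service with a consecutive-failure lockout, plus a check that replays a burst of wrong passwords and confirms that the account locks. The user store, the 5-attempt limit and the 15-minute lockout are assumptions. Note also that encrypting the password in the request (the first test point) protects it from appearing in plaintext in logs and developer tools; it is not a substitute for TLS on the connection.

```python
"""Login service with consecutive-failure lockout, plus a check that replays a burst of wrong
passwords and confirms the account locks. Constructed example; the user store, the 5-attempt
limit and the 15-minute lockout are assumptions, not this page's system."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILED = 5            # assumed policy: lock after 5 consecutive failed attempts
LOCK_SECONDS = 900        # assumed policy: 15-minute lockout
_DUMMY_SALT = bytes(16)   # used for unknown users so the hashing cost is paid either way


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so the lockout expiry can be tested
        self.users = {}                       # username -> (salt, password hash)
        self.failures = defaultdict(int)      # username -> consecutive failed attempts
        self.locked_until = {}                # username -> unix time at which the lock expires

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. The same 'invalid' is returned for an unknown
        user and for a wrong password, so the response does not reveal which accounts exist."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username)
        salt, stored = record if record else (_DUMMY_SALT, bytes(32))
        computed = _hash_password(password, salt)   # always computed: same work for unknown users
        if record is not None and hmac.compare_digest(computed, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILED:
            self.failures[username] = 0
            self.locked_until[username] = now + LOCK_SECONDS
            return "locked"
        return "invalid"


def lockout_enforced(service: LoginService, username: str, real_password: str,
                     attempts: int = 20) -> bool:
    """The brute-force test point as an automated check: replay `attempts` wrong passwords and
    require that the service answers 'locked' before the burst ends and that the real password
    is also refused while the lock is in force."""
    results = [service.login(username, f"wrong-{i}") for i in range(attempts)]
    return "locked" in results and service.login(username, real_password) == "locked"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct-horse-battery")   # constructed account
    print("lockout enforced:", lockout_enforced(svc, "alice", "correct-horse-battery"))
```

The clock is injected so the test can also confirm that the lock expires and the real password works again afterwards; a fixed lockout is the simplest policy, and a production service would usually pair it with a CAPTCHA or per-IP rate limit rather than rely on it alone.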
2. Interface rule verification
Verify whether the interface request method is reasonable
In principle, apart from query interfaces, which use GET, the remaining interfaces should use POST, which makes the interface more secure. In past interface testing Mumu did encounter many business interfaces that used GET with parameters concatenated into the URL, which is extremely unsafe. There is also a special case: for systems that do not require user login, GET is not recommended even for query interfaces, because a security scan may report Cross-Site Request Forgery.
Verify whether the add and modify interfaces are independent interfaces
This test point is somewhat beyond the usual scope. During testing Mumu found that the add and modify operations shared the same interface. That seemed harmless at first, but later, with some complex business logic, combining adding and modifying in one interface led to production data being tampered with. Interface design should therefore be more rigorous: add and modify interfaces should be separate interfaces wherever possible.
Verify whether POST parameters are concatenated into the URL
Mumu once encountered an ordinary POST interface whose parameters were concatenated onto the URL. With a large amount of data the URL exceeded the allowed length and the interface returned an error. This may not be common, but it is recorded here.
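The two request-method rules in this section (state-changing operations must not be exposed over GET, and POST parameters belong in the body rather than the query string) can be linted automatically from an interface definition before any manual testing starts. The example below is added here and is not code from the original post: it walks a constructed OpenAPI 3-shaped fragment and reports operations that break either rule. The spec fragment and the "read-only operation name prefixes" convention are assumptions.

```python
"""Lint an OpenAPI-style operation list against the rules in this section: only read-only
operations use GET, and POST operations carry their parameters in the body, not the query
string. Constructed example; the spec fragment and the read-only prefix list are assumptions."""

# assumed naming convention: operations with these prefixes are pure queries
READ_ONLY_PREFIXES = ("get", "list", "search", "query", "find")

# constructed spec fragment in OpenAPI 3 shape: path -> method -> operation object
SPEC = {
    "/users/search": {"get": {"operationId": "searchUsers",
                              "parameters": [{"name": "q", "in": "query"}]}},
    "/users/delete": {"get": {"operationId": "deleteUser",          # mutation over GET
                              "parameters": [{"name": "id", "in": "query"}]}},
    "/orders": {"post": {"operationId": "createOrder",               # POST params in the URL
                         "parameters": [{"name": "items", "in": "query"}]}},
    "/orders/{id}": {"post": {"operationId": "updateOrder",          # compliant
                              "requestBody": {"content": {"application/json": {}}}}},
}


def lint_operations(spec):
    """Returns a list of (path, method, message) findings; an empty list means compliant."""
    findings = []
    for path, methods in spec.items():
        for method, op in methods.items():
            op_id = op.get("operationId", "")
            read_only = op_id.lower().startswith(READ_ONLY_PREFIXES)
            query_params = [p["name"] for p in op.get("parameters", [])
                            if p.get("in") == "query"]
            if method.lower() == "get" and not read_only:
                findings.append((path, method, "state-changing operation exposed over GET"))
            if method.lower() == "post" and query_params:
                findings.append((path, method,
                                 f"POST parameters carried in the query string: {query_params}"))
    return findings


if __name__ == "__main__":
    for path, method, message in lint_operations(SPEC):
        print(f"{method.upper():5} {path}: {message}")
```

Classifying an operation as read-only by its name is a heuristic; when the definition carries a stable marker (for example a tag or an extension field set by the API owners), use that instead.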
3. Interface privilege escalation verification
Interface privilege escalation is divided into horizontal escalation (reaching another user's data at the same privilege level) and vertical escalation (reaching higher-privileged functions). We can test it with Burp Suite, AppScan and similar tools. The following problems were encountered during testing:
Verify whether the interface URL carries parameters such as an area code or ID number;
When the interface URL contains a true or false flag, tamper with it and verify whether function or data privilege escalation occurs;
When the interface URL contains type=1 or type=2, tamper with it and verify whether function or data privilege escalation occurs;
When the interface parameters contain pagesize or size, tamper with the value and verify whether a maximum is enforced;
When an ID number is present in the interface body parameters, tamper with the parameter value and verify whether the interface returns the correct error prompt.
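The tampering cases in the list above (foreign ID in the URL, a type=1/2 switch, an oversized pagesize, a foreign ID number in the body) are easiest to reason about against an interface that enforces them correctly. The example below is added here and is not code from the original post or any system it describes: an in-memory order API that performs the ownership, role and page-size checks on the server side, plus a checklist runner that replays each tampering case and records whether the interface behaved as the test point expects. The users, roles, orders, the 500-row cap and the convention "type=2 means all users" are assumptions; the true/false-flag case is handled the same way as the type switch.

```python
"""In-memory order API that enforces ownership, role and a page-size cap, plus a checklist
runner that replays the tampering cases above. Constructed example: the users, roles, orders,
the 500-row cap and the 'type=2 means all users' convention are assumptions."""
from dataclasses import dataclass, field

MAX_PAGE_SIZE = 500   # assumed cap applied to any pagesize/size parameter


@dataclass
class Request:
    user: str                                      # principal from the session/token, never from the body
    path: str
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# constructed fixtures (placeholder identifiers, not real ID numbers)
ROLES = {"alice": "user", "bob": "user", "root": "admin"}
ID_NUMBERS = {"alice": "ID-ALICE-PLACEHOLDER", "bob": "ID-BOB-PLACEHOLDER"}
ORDERS = {n: {"id": n, "owner": "alice" if n % 2 else "bob", "amount": n} for n in range(1, 2001)}


def is_admin(user: str) -> bool:
    return ROLES.get(user) == "admin"


def get_order(req: Request):
    """GET /orders/{id}: horizontal check, the record must belong to the caller (or caller is admin).
    Missing and foreign ids get the same 404 so the response is not an oracle for valid ids."""
    order = ORDERS.get(int(req.path.rsplit("/", 1)[1]))
    if order is None or (order["owner"] != req.user and not is_admin(req.user)):
        return 404, {"error": "not found"}
    return 200, order


def list_orders(req: Request):
    """GET /orders?type=1|2&pagesize=N: type=2 (all users) requires the server-side admin role,
    and pagesize is clamped to MAX_PAGE_SIZE whatever the client sends."""
    kind = req.query.get("type", "1")
    if kind not in ("1", "2"):
        return 400, {"error": "bad type"}
    if kind == "2" and not is_admin(req.user):
        return 403, {"error": "forbidden"}
    try:
        size = int(req.query.get("pagesize", "50"))
    except ValueError:
        return 400, {"error": "bad pagesize"}
    size = max(1, min(size, MAX_PAGE_SIZE))
    rows = [o for o in ORDERS.values() if kind == "2" or o["owner"] == req.user]
    return 200, {"pagesize": size, "rows": rows[:size]}


def update_profile(req: Request):
    """POST /profile: an id_number in the body is compared with the caller's own; a mismatch is
    rejected with a clear message instead of silently updating someone else's record."""
    if "id_number" in req.body and req.body["id_number"] != ID_NUMBERS.get(req.user):
        return 403, {"error": "id_number does not belong to the authenticated user"}
    return 200, {"updated": sorted(req.body)}


def run_authz_checklist() -> dict:
    """Replay the tampering cases from the test-point list; returns {case: passed}."""
    return {
        "horizontal: alice reads bob's order":
            get_order(Request("alice", "/orders/2"))[0] == 404,
        "own order still readable":
            get_order(Request("alice", "/orders/1"))[0] == 200,
        "vertical: type=2 as plain user":
            list_orders(Request("alice", "/orders", {"type": "2"}))[0] == 403,
        "vertical: type=2 as admin":
            list_orders(Request("root", "/orders", {"type": "2"}))[0] == 200,
        "pagesize=999999 is clamped":
            list_orders(Request("alice", "/orders", {"pagesize": "999999"}))[1]["pagesize"] == MAX_PAGE_SIZE,
        "body id_number of another person":
            update_profile(Request("alice", "/profile", body={"id_number": ID_NUMBERS["bob"]}))[0] == 403,
    }


if __name__ == "__main__":
    for case, passed in run_authz_checklist().items():
        print(("PASS " if passed else "FAIL ") + case)
```

Every decision here is made from the identity attached to the session and the role stored on the server; nothing the client sends (the order id, the type switch, the id_number in the body) is trusted to decide what the caller may see. That is the property each tampering case in the list is probing for.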
The more we share, the more we have.
I hope you found this article useful.