Published by Rob Lambert
The security of an application or site doesn’t just concern the usual suspects of cross-site scripting, SQL injection and man-in-the-middle attacks. Something as simple as hitting the back arrow in a browser and seeing the previous person’s information is a low-key but effective security check.
Say, for example, that you are in an Internet cafe and you log in to your banking application. You log out, but leave the browser window open on the home page and leave the cafe. It could be entirely possible that the next person to use the computer can see your details simply by clicking “Back” in the browser.
Believe me, this does happen. I've seen this with many high-profile sites where it's entirely possible to see the last few web pages of the previous person. Scary stuff.
How to go back to the beginning again?
A very simple test would be to log in to a website and authenticate yourself. Once logged in, log out. Once logged out, hit the back button in the browser and observe what happens. Can you access the "secure" area, or do you get some sort of timeout page? What feels right?
Browsers offer the ability to skip back a number of pages in one go. Try this and see what information you can glean by skipping 3 or 4 pages back. Can you go back to a page that should require authentication? Can you go back to a page you shouldn't be allowed to see?
Here are some examples of how this bug could cause problems:
- You might be able to vote online for a candidate or topic and then hit back and vote again. And again. And again. And again. And again.
- You might be able to use a “one-time only” coupon to discount a price over and over again by using the back button.
- You might be able to see someone else’s personal data by going back through their browsing session.
In most browsers, holding down left-click on the back button gives you a list of previously visited pages.
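The controls that make this test pass live on the server, not in the browser: the logout must invalidate the session server-side, pages shown only to logged-in users should be sent with `Cache-Control: no-store`, and forms that must only succeed once (votes, coupons) need a single-use token. The following is an added example, not code from this post, modelling all three in a tiny in-memory "server" along with a header check a tester can run over captured responses; the session store, `NO_STORE` and the coupon names are constructed for illustration.

```python
import secrets

SESSIONS = {}         # session id -> username; the server-side source of truth
USED_COUPONS = set()  # one-time coupon codes already redeemed
FORM_TOKENS = set()   # single-use tokens issued with each sensitive form
NO_STORE = "no-store"

def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid

def logout(sid):
    # Invalidate on the server; clearing the cookie alone leaves the
    # session usable by anyone who still holds the id (or the cached page).
    SESSIONS.pop(sid, None)

def account_page(sid):
    """Return (status, headers, body) for a page that requires login."""
    user = SESSIONS.get(sid)
    if user is None:
        return 302, {"Location": "/login", "Cache-Control": NO_STORE}, ""
    # no-store: the browser must not keep a copy of this response
    return 200, {"Cache-Control": NO_STORE}, "Account details for " + user

def coupon_form(sid):
    """Hand out a fresh single-use token with the form so a re-submitted
    copy of the page (reached via Back) cannot redeem twice."""
    if sid not in SESSIONS:
        return 302, {"Location": "/login", "Cache-Control": NO_STORE}, ""
    token = secrets.token_urlsafe(16)
    FORM_TOKENS.add(token)
    return 200, {"Cache-Control": NO_STORE}, token

def redeem_coupon(sid, token, code):
    if sid not in SESSIONS:
        return 302, {"Location": "/login", "Cache-Control": NO_STORE}, ""
    if token not in FORM_TOKENS:      # replayed or forged submission
        return 409, {"Cache-Control": NO_STORE}, "form already submitted"
    FORM_TOKENS.discard(token)
    if code in USED_COUPONS:          # same code via a different form copy
        return 409, {"Cache-Control": NO_STORE}, "coupon already used"
    USED_COUPONS.add(code)
    return 200, {"Cache-Control": NO_STORE}, "discount applied"

def risks_back_button_exposure(status, headers):
    """Tester's check over a captured response: a 200 from a logged-in
    page without no-store is a candidate for the back-button problem."""
    cc = headers.get("Cache-Control", "").lower()
    return status == 200 and "no-store" not in cc
```

The header check is a triage aid only; whether a given browser still shows the page from its history is exactly what the manual back-button test above settles.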
If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.