Back to the beginning again

The security of an application or site doesn't just concern the usual suspects of cross-site scripting, SQL injection and man-in-the-middle attacks. Something as simple as hitting the back arrow in a browser and seeing the previous person's information is a low-key but effective security check.

Say, for example, that you are in an Internet cafe and you log in to your banking application. You log out, but leave the browser window open on the home page when you leave the cafe. It could be entirely possible that the next person to use the computer can see your details simply by clicking "back" in the browser.

Believe me, this does happen. I've seen this with many high-profile sites where it's entirely possible to see the last few web pages of the previous person. Scary stuff.

How to go back to the beginning again?
A very simple test is to log in to a website and authenticate yourself. Once logged in, log out. Once logged out, hit the back button in the browser and observe what happens. Can you access the "secure" area, or do you get some sort of timeout page? What feels right?

Browsers offer the ability to skip back a number of pages in one go. Try this and see what information you can glean by skipping 3 or 4 pages back. Can you go back to a page that should require authentication? Can you go back to a page you shouldn't be allowed to see?
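The test above can also be run against a server's response headers: the logged-out page reappears because the browser re-shows it from its history cache without asking the server, so authenticated pages should be sent with Cache-Control: no-store. The following is an added example, not code from the original post; the small WSGI app, its /account path and the checker are hypothetical and constructed for the demo.

```python
# Added example (hypothetical app and paths, not from the original post).
from wsgiref.util import setup_testing_defaults

SENSITIVE_PATHS = {"/account"}  # hypothetical pages that require login

def account_app(environ, start_response, hardened=True):
    """Serve /account; the hardened variant forbids caching of the response."""
    if environ.get("PATH_INFO") not in SENSITIVE_PATHS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if hardened:
        # no-store: keep no copy at all; no-cache/must-revalidate: ask the server
        # before reuse; Pragma and Expires cover HTTP/1.0 clients and old proxies.
        headers += [("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
                    ("Pragma", "no-cache"), ("Expires", "0")]
    start_response("200 OK", headers)
    return [b"<h1>Account details for the logged-in user</h1>"]

def fetch(app, path, **app_kwargs):
    """Call a WSGI app in-process (no network); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    setup_testing_defaults(environ)  # fills in the rest of a valid WSGI environ
    body = b"".join(app(environ, start_response, **app_kwargs))
    return captured["status"], dict(captured["headers"]), body

def back_button_findings(headers):
    """List the cache-header gaps that let Back re-show a page without a request."""
    lower = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in lower.get("cache-control", "").split(",")}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page may return from history cache")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: stale copy may be reused unrevalidated")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 clients and proxies may cache")
    return findings

if __name__ == "__main__":
    for hardened in (False, True):
        _, hdrs, _ = fetch(account_app, "/account", hardened=hardened)
        print("hardened" if hardened else "default:", back_button_findings(hdrs) or "OK")
```

Point `back_button_findings` at the headers of any real response you capture and an empty list means the page will not be served from the history cache after logout.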

Here are some examples of how this bug could cause problems:
  • You might be able to vote online for a candidate or topic and then hit back and vote again. And again. And again. And again. And again.
  • You might be able to use a "one time only" coupon to discount a price over and over again by using the back button.
  • You might be able to see someone else’s personal data by going back through their browsing session.
  • You might be using a site where client-side JavaScript fires on page load even if authentication fails. So although you have logged out, when the page reloads (and doesn't let you back in) it might still fire some logic that performs an action.

Useful Hint
In most browsers, holding down the left mouse button on the back button shows a list of previously visited pages.

Useful Links
Stack Overflow question on disabling back capability

If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.