Published by Rob Lambert.
Browsers are incredibly sophisticated now. They give programmers all sorts of clever ways of adding security, tracking users' internet activity and providing context-sensitive information such as relevant adverts. Programmers can do all of this cleverness using cookies and sessions.
With all of this power though comes the ability to royally get it all wrong.
Many programming languages and their associated frameworks provide guards against mistakes, but this is still fertile ground for bugs for the keen-eyed web tester.
Opening the application in more than one tab or window can often lead to interesting security bugs, data refresh issues or multiple cookie confusion.
There are so many ways to explore around sessions and cookies that I could probably write an entire book on testing them, but I'll include a few basic ideas here to get you started.
Some ideas for exploring around security flaws
Here’s a simple example to seek out security flaws.
Open Firefox and in one tab (Tab 1) log in to your secure application.
Then right-click a link on a page within your application and open it in a new tab (Tab 2). Both tabs are now considered to be in the same session.
Now log out of the application in Tab 2 and try to perform any action within the application in Tab 1.
Has it logged you out, let you perform the action, or popped up a message?
In most situations it should have logged you out because you logged out of the application in the other tab.
This is one of the very first tests I run when testing secure applications because it's sometimes very easy to find bugs this way.
In one case I was able to log out in one tab and then log in as another user. As I navigated through the application in either tab it would switch between the two users; essentially allowing me to see a different user's information. This is problematic on shared computers like in internet cafes or other public areas.
It’s not just about authentication though.
What about adding things to a shopping basket in multiple tabs – do they persist in the basket?
Go to Amazon and do just that. You'll find that everything you add to the basket stays in the basket. The tab you are on may not show the right amount in the basket but visiting the basket has all of the goods in it. Now do the same with your own eCommerce site - does it follow this same pattern?
What about state changes in your application across several tabs?
If I change state in one tab, is that reflected in the other tabs? This is an essential element of any real-time, state-based website.
Can I login across several browsers in different sessions?
What happens if I log in to the site as the same user but in a different browser? Does it log me out of the other browser? Should it?
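The two-tab logout test above and the "same user in two browsers" question both come down to what the server does with its session record, so here is a small model of both, written for this post as an added example rather than code from the original. It assumes an in-memory session store (a dictionary from session id to user) and a client that carries its own copy of the id, which is the situation for an id in a URL, a hidden form field or page-held script state; with a cookie jar shared between tabs the browser drops the cookie for every tab, but the server-side record must still be removed or the old id stays valid until it expires. The names App, Client, two_tab_test and two_browser_test are this example's own.

```python
import secrets
from typing import Dict, List, Optional


class App:
    """Minimal server. Session state lives here; a client only holds the session id."""

    def __init__(self, invalidate_on_logout: bool = True, single_session_per_user: bool = False):
        self.sessions: Dict[str, str] = {}        # sid -> username
        self.invalidate_on_logout = invalidate_on_logout
        self.single_session_per_user = single_session_per_user

    def login(self, username: str) -> str:
        if self.single_session_per_user:
            # policy choice for the "two browsers" question: a new login ends older ones
            for old in [s for s, u in self.sessions.items() if u == username]:
                del self.sessions[old]
        sid = secrets.token_urlsafe(32)           # random, unguessable id
        self.sessions[sid] = username
        return sid

    def logout(self, sid: Optional[str]) -> None:
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)          # id is dead for every tab/window holding it
        # the flawed variant leaves the server-side record alive

    def account(self, sid: Optional[str]) -> str:
        user = self.sessions.get(sid)
        return "401 please log in" if user is None else f"200 account of {user}"


class Client:
    """A tab or browser that carries its own copy of the session id (as with an id in
    a URL, a hidden form field or page-held script state). open_in_new_tab copies it."""

    def __init__(self, app: App, sid: Optional[str] = None):
        self.app, self.sid = app, sid

    def open_in_new_tab(self) -> "Client":
        return Client(self.app, self.sid)

    def login(self, username: str) -> None:
        self.sid = self.app.login(username)

    def logout(self) -> None:
        self.app.logout(self.sid)
        self.sid = None                           # this client forgets the id either way

    def account(self) -> str:
        return self.app.account(self.sid)


def two_tab_test(invalidate_on_logout: bool) -> List[str]:
    """Log in (Tab 1), open Tab 2, log out in Tab 2, act in Tab 1, then log in as a
    second user in Tab 2 and look again from both tabs (constructed scenario)."""
    app = App(invalidate_on_logout=invalidate_on_logout)
    tab1 = Client(app)
    tab1.login("alice")
    tab2 = tab1.open_in_new_tab()
    tab2.logout()
    seen = [tab1.account()]                       # 401 expected if logout is global
    tab2.login("bob")
    seen += [tab1.account(), tab2.account()]      # alice showing here is a data leak
    return seen


def two_browser_test(single_session_per_user: bool) -> List[str]:
    """Same user logs in from two independent browsers; does the second login end the first?"""
    app = App(single_session_per_user=single_session_per_user)
    firefox, chrome = Client(app), Client(app)
    firefox.login("alice")
    chrome.login("alice")
    return [firefox.account(), chrome.account()]


if __name__ == "__main__":
    print("flawed logout :", two_tab_test(False))
    print("correct logout:", two_tab_test(True))
    print("concurrent ok :", two_browser_test(False))
    print("single session:", two_browser_test(True))
```

With invalidate_on_logout=False the first tab keeps seeing alice's account after the logout and after bob signs in, which is the user-switching symptom described above; with the record deleted on the server every copy of the id fails at once. Whether a second browser should end the first login is a product decision, and the single_session_per_user flag is there so the test can state which behaviour is expected before you run it.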
The best way to test in multiple browser tabs and sessions is to explore the application with multiple tabs open, checking what effect a change in one tab can have on the other.
As you explore, look for data, states and actions that might be confused by bad cookie management, session management and cross-tab problems.
Always have some developer tools open so you can see what requests and responses are being communicated and what the content of these messages are.
Burpsuite and Fiddler are especially useful if you want to start "sniffing" the session traffic and manipulating the content. These tools allow you to "proxy" the internet connection so that you can see all of the traffic being sent between the server and the browser. You can then start to intercept messages, remove messages, change messages and do all sorts of nasty stuff to see what happens.
If you want to see the cookies being stored by your browser then use a developer tools plug-in. On Firefox, Firecookie is a good choice. It will show you the cookies. You can then delete them and see what happens.
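When a cookie viewer or proxy shows you the session cookie, the attributes on it matter as much as its value. The following checker is an added example for this post, not code from the original or from any of the tools named here: it parses a Set-Cookie header the way a tester would read it in the developer tools and lists the things worth raising. The sample headers are constructed, and the function names parse_set_cookie and audit_session_cookie are this example's own.

```python
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, min_len: int = 16) -> List[str]:
    """Return the findings a tester would note about a session cookie header.
    An empty list means none of the checks below fired."""
    _, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: the session survives closing the browser")
    if len(value) < min_len:
        findings.append(f"short value ({len(value)} chars): little room for randomness")
    return findings


# Constructed sample headers, not captured from any real site.
WEAK_HEADER = "sid=12345; Path=/"
STRONG_HEADER = "sid=H6rBtgJfy2c0G8n4Wl7dKpXqZmVa; Path=/; Secure; HttpOnly; SameSite=Lax"
PERSISTENT_HEADER = (
    "sid=H6rBtgJfy2c0G8n4Wl7dKpXqZmVa; Path=/; Secure; HttpOnly; SameSite=Lax; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("strong", STRONG_HEADER),
                          ("persistent", PERSISTENT_HEADER)):
        print(label, "->", audit_session_cookie(header) or ["no findings"])
```

A cookie viewer will still list HttpOnly cookies, so the flag is something to read off the viewer rather than something that hides the cookie from you. The persistent check is a question rather than a verdict: a long-lived session cookie on a shared computer is exactly the internet-cafe problem mentioned above, so it is worth asking whether that lifetime was intended.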
In several of the modern tabbed browsers it is possible to open up multiple tabs and then drag a tab out of the main browser “window” to create two “windows” operating under one session. This makes it easier to switch and view the two tabs whilst testing using CTRL and Tab (or CMD and Tab on Mac).
Good site about cookies and sessions - http://www.allaboutcookies.org
Session Hijacking - http://en.wikipedia.org/wiki/Session_hijacking
Security implications of cookies - http://it.toolbox.com/blogs/securitymonkey/successful-hacking-with-xss-cookies-session-ids-11098
Burpsuite - http://portswigger.net/burp/
Fiddler - http://www.telerik.com/fiddler
If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.