Page 129 - SOFTWARE TESTING & QUALITY ASSURANCE
Case Study for White Box Testing
A large merchant organization engaged in online business was developing an e-commerce Web site that would let its customers transfer funds to merchant accounts.
The organization had outsourced payment processing to a third-party firm, which delivered payment software providing secured interfaces for funds transfer between the customers and the merchant organization.
A high-level security risk analysis was performed on the Web site. It identified that one of the risks arose during transaction processing, that is, at the boundary between the payments interface and the Web site: a fake transaction there would be serious for both the customers and the merchant organization. Customers could suffer financial loss as their account balances were depleted, and the fake transactions could damage the credibility and reputation of the merchant organization.
A systematic white box test of the payments interface modules was then performed. First, all module interfaces were captured as interface diagrams. Then, the module interactions were drawn with trust relationship boundaries. Finally, the data flows among the modules were drawn. Test cases were developed from this information. One test case checked whether an anonymous user could perform a transaction. The trust relationship mapping and data flow revealed that the system was allowing anonymous users to perform transactions, and a path on which the system did not validate user inputs was identified. A further test case was then developed to check whether an invalid account transfer could take place from an external account to the merchant account. Because unauthorized transactions were being accepted over this unauthenticated channel, the account transfer completed successfully.
The risk analysis also noted a weak authentication channel in the payment customer service component of the Web site. Trust relationship boundaries and data-flow analysis like those above were therefore drawn for this authenticated channel. Analysis and testing showed that an attacker could directly gain access to the merchant organization's accounts and, using this access, make transactions from a merchant account to another, non-merchant account. Because of these bugs, an attacker was funneling the customers' payments to a non-merchant account. The bugs described above exposed the merchant organization to significant security issues.
From this case study we can conclude that white box testing of important modules helps to uncover design assumptions and implementation errors rapidly.
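To make the test-derivation step concrete, here is an added example in Python (constructed for this page; it is not code from the case study or from the merchant's payment software): a toy payment interface with the vulnerable transfer path beside a hardened one, and the white box test cases that the trust-boundary and data-flow maps above suggest. The `Session` model and all account identifiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

MERCHANT_ACCOUNTS = {"MERCHANT-001"}  # constructed sample merchant account id


@dataclass
class Session:
    user: Optional[str]                       # None models an anonymous caller
    owned: set = field(default_factory=set)  # accounts the caller proved control of


class PaymentInterface:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_vulnerable(self, session, src, dst, amount):
        # The 'before' path: nothing checks who is calling, whether they
        # control src, or whether dst is really a merchant account.
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

    def transfer_hardened(self, session, src, dst, amount):
        # Trust boundary: an anonymous caller never reaches the funds path.
        if session.user is None:
            return False
        # Input validation: src must be controlled by the caller, dst must be
        # a merchant account, and the amount must be positive and coverable.
        if src not in session.owned or dst not in MERCHANT_ACCOUNTS:
            return False
        if amount <= 0 or self.balances.get(src, 0) < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


def run_white_box_tests(transfer):
    """Run the case study's test cases against one transfer path; a True
    value means the path behaved safely for that case."""
    pi = PaymentInterface({"CUST-42": 100, "EXT-7": 500, "MERCHANT-001": 0})
    anon, customer = Session(user=None), Session(user="alice", owned={"CUST-42"})
    return {
        "anonymous_blocked": not transfer(pi, anon, "CUST-42", "MERCHANT-001", 10),
        "external_source_blocked": not transfer(pi, customer, "EXT-7", "MERCHANT-001", 10),
        "merchant_drain_blocked": not transfer(pi, customer, "MERCHANT-001", "ATTACK-9", 10),
        "valid_allowed": transfer(pi, customer, "CUST-42", "MERCHANT-001", 10),
    }
```

Running the same test set against both paths shows the vulnerable one failing every blocking case while still passing the legitimate flow, which is exactly the pattern the case study's testers observed.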
Questions
1. How was the merchant organization able to identify the first bug associated with their Web site?
2. Explain how an attacker was able to perform anonymous transactions.
Adapted from http://basicqafundamentals.blogspot.com/2011/01/case-study-for-white-box-testing.html
8.5 Summary
• Web sites are important for any business to represent itself to the world.
• Web site testing ensures proper functioning of a Web site.
• Home pages, links, and content are the fundamental components of a Web site.
• Links should be tested to ensure the correct functioning of a Web site.
• A Web site should allow concurrent users to simultaneously access the Web site.
122 LOVELY PROFESSIONAL UNIVERSITY