Oops… I just stole your password

  • 02/10/2010
  • Posted by EuroSTAR

Hmh… wrong password, so I submit it again. And my password is stolen. Why?

I’m calling myself evil tester. For many people it sounds like a negative term, but I think it describes my testing style very well. An evil tester is not evil to people but to software. He also knows how criminals could benefit from software problems.

For example, I’ve found a lack of validation of the redirection URL. Such an issue is quite common at login, because it is a good idea to redirect the user to the previous page after a successful login. But if the URL is not validated, an evil person can redirect the user to some other page. That doesn’t sound bad – right?

What if the destination page looks just like the normal login page, with text about an unsuccessful login like the one above? How many noticed that the URL had the wrong domain? Would you have noticed it during a normal login? The evil tester knows how to benefit from the weakness. And tells about it.
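The fix the post is pointing at is to validate the post-login redirect target before using it. The following is an added example, not code from the post or from any particular product: it accepts only a site-absolute path (one leading slash, no scheme, no host) and falls back to a fixed landing page otherwise. The parameter name, the default landing page `/account` and the sample targets are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Assumed landing page for this illustration; it is not from the post.
DEFAULT_AFTER_LOGIN = "/account"


def safe_redirect_target(candidate) -> str:
    """Return a post-login destination that stays on this site.

    ``candidate`` is the untrusted value of a "redirect to" parameter.
    Only a site-absolute path such as "/orders?page=2" is accepted;
    anything else falls back to DEFAULT_AFTER_LOGIN.
    """
    if not isinstance(candidate, str) or not candidate:
        return DEFAULT_AFTER_LOGIN
    # Browsers drop tab/newline and treat "\" like "/" in http(s) URLs,
    # so "/\\evil.example" or "/\t/evil.example" would resolve to
    # "//evil.example". Reject control characters and backslashes early.
    if "\\" in candidate or any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_AFTER_LOGIN
    # Exactly one leading "/": two or more ("//evil.example",
    # "///evil.example") are host-relative and leave the site.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_AFTER_LOGIN
    # Belt and braces: the parsed form must carry no scheme or host.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_AFTER_LOGIN
    return candidate


def run_demo() -> dict:
    """Run the validator over constructed sample targets (not real sites)."""
    samples = [
        "/orders?page=2",              # legitimate: same-site path
        "",                            # missing parameter
        None,                          # parameter absent entirely
        "orders",                      # relative path, ambiguous
        "http://evil.example/login",   # absolute URL to another host
        "//evil.example/login",        # scheme-relative, other host
        "///evil.example",             # browsers collapse to //evil.example
        "/\\evil.example",             # backslash becomes "/" in browsers
        "javascript:alert(1)",         # not a path at all
    ]
    return {repr(s): safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for target, result in run_demo().items():
        print(f"{target:32} -> {result}")
```

The fake "wrong password" page in the post only works because the login handler follows the attacker's URL; with this check, every off-site or ambiguous target lands on `/account` instead, and the user never leaves the real domain. If an application needs to redirect to other hosts, the same function should compare the parsed host against an explicit allowlist rather than relaxing the path check.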

Blog post by

