The software testing team is testing a web-based E-Commerce system. The back-end API receives an HTTP request, GET /customer/delete?country=all, with an empty HTTP message body. Which of the following is the most likely test undergoing?
A. Fuzz testing
B. Stress testing
C. Synthetic transaction
D. Misuse/Abuse testing
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Misuse/Abuse testing.
It’s an abuse case that the tester manipulated the query string of the URL in the HTTP request, e.g., GET /customer/delete?country=all. Even end-users can submit an HTTP GET request by adding or modifying the URL and query parameters in the browser address bar. Before the RESTful API gets popular, it’s not uncommon to implement CRUD (create, retrieve, update, and delete) data operations using the HTTP verb, GET, which is subject to Misuse/Abuse attacks.
An Abuse Case can be defined as:
A way to use a feature that was not expected by the implementer,
allowing an attacker to influence the feature or outcome of use of
the feature based on the attacker action (or input).
Synopsys define an Abuse Case like this:
– Misuse and abuse cases describe how users misuse or exploit the weaknesses
of controls in software features to attack an application.
– This can lead to tangible business impact when a direct attack against
business functionalities, which may bring in revenue or provide
positive user experience, are attacked.
– Abuse cases can also be an effective way to drive security requirements
that lead to proper protection of these critical business use cases.
Fuzz testing is used to test applications that accept structural inputs by feeding randomly generated test data. We didn’t see any random data used in the testing.
Stress test focuses on the performance and scalability; the workload of network, CPU, memory is increased gradually to observe the system performance at a certain level of workload and the upper limit of the system. There is no clue about performance and scalability in the test.
In a strict sense, Synthetic Transaction is a proactive website “monitoring” technique that is done by deploying behavioral scripts in a web browser to simulate the path a real customer (or end-user) takes through a website. However, Synthetic Transaction is crucial for high traffic sites, e.g., e-commerce, to be tested prior to launch. (monitis)
- HTTP (HyperText Transfer Protocol) Basics
- Code review
- Regression testing
- What Is Synthetic Transaction Monitoring (And Who Needs It?…)
- Abuse Case Cheat Sheet
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
軟體測試團隊正在測試Web的電子商務系統。 後端API收到帶有空HTTP訊息正文(body)的HTTP請求: GET /customer/delete?country=all。 以下哪項是最可能進行的測試？
A. 模糊測試 (Fuzzing test)
B. 壓力測試 (Stress testing)
C. 綜合交易 (Synthetic transaction)
D. 誤用/濫用測試 (Misuse/Abuse testing)