The term bug is no longer a new word. A bug is an unexpected error, failure or flaw that yields an unexpected or incorrect result and can cause a great disaster for the software. The time required to fix a bug depends on the complexity of the code, the structure of the code, the experience of the developer and the time available.
No doubt bug finding and fixing is a special job meant for security testers, but the main question is how to detect and fix bugs in software.
STEP 1 TO DETECT BUGS IN SOFTWARE (most especially web apps)
Make sure the software can handle extremely large input.
Some days ago I copy-pasted 2048 characters into Google and Bing search.
Do you observe that both pages return the same response code with a different look? Some engineers will definitely see this as good practice, while others may see it as bad practice. What does a 404 response code mean? Any 4xx response means the request contains bad syntax or cannot be fulfilled, therefore a 404 response code means the requested URI cannot be found. There is no doubt that the two applications handle extremely large input differently; remember that too long strings can overflow database models. The simple question is: what do the error message and the page tell the user, and how?
I did a similar thing: I copy-pasted such a huge amount of text into a proposed card verification app.
Do you observe that the text field discards all characters beyond the specified length and then returns an error message? Exactly: this proposed app seems to handle extremely large input, and there is a possibility that too long strings can't overflow its database models.
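The two behaviours described above (rejecting oversized input with a specific 4xx status, or keeping only the first N characters and telling the user) can both be implemented with a length check that runs before the value reaches the database. The example below is an added illustration, not code from the original post or from any of the apps mentioned; the column limit of 255, the Response shape and the handler names are assumptions made for the example. It also checks the UTF-8 byte length separately from the character count, because a column with a byte limit can overflow on multi-byte text that passes a character-count check.

```python
"""Added example (not from the original post): bounded input handling.

A web handler rejects or truncates oversized input *before* it reaches a
fixed-size database column and returns a clear 4xx response instead of a
generic error page. The column limit (255) and the request shape are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed column limits. Many schemas limit VARCHAR columns in bytes
# rather than characters, so both are checked.
MAX_QUERY_CHARS = 255
MAX_QUERY_BYTES = 255


@dataclass
class Response:
    status: int
    body: str


def check_length(value: str, max_chars: int, max_bytes: int) -> Optional[str]:
    """Return a human-readable reason if value is too long, else None.

    Character count and UTF-8 byte count are checked separately: a
    200-character string of 2-byte characters is 400 bytes and would
    overflow a 255-byte column even though len(value) is under 255.
    """
    if len(value) > max_chars:
        return f"input has {len(value)} characters; maximum is {max_chars}"
    nbytes = len(value.encode("utf-8"))
    if nbytes > max_bytes:
        return f"input is {nbytes} bytes when encoded; maximum is {max_bytes}"
    return None


def handle_search(query: str) -> Response:
    """Reject oversized input with a specific 4xx instead of a generic error."""
    reason = check_length(query, MAX_QUERY_CHARS, MAX_QUERY_BYTES)
    if reason is not None:
        # 413 Payload Too Large tells the client exactly what went wrong
        # without revealing anything about the database schema.
        return Response(413, f"Request rejected: {reason}.")
    # Placeholder for the real search; the value is now guaranteed to fit.
    return Response(200, f"Searched for {len(query)} characters.")


def truncate_and_report(value: str, max_chars: int) -> Tuple[str, Optional[Response]]:
    """Alternative behaviour, as seen in the card app: keep the first
    max_chars characters and tell the user how many were discarded."""
    if len(value) <= max_chars:
        return value, None
    kept = value[:max_chars]
    dropped = len(value) - max_chars
    return kept, Response(
        400, f"Only the first {max_chars} characters were accepted; {dropped} were discarded.")


if __name__ == "__main__":
    huge = "A" * 2048   # constructed: the 2048-character paste from the post
    print(handle_search(huge))
    print(handle_search("normal query"))
    print(handle_search("\u00e9" * 200))   # 200 characters but 400 bytes
    print(truncate_and_report(huge, 16))
```

Either branch answers the post's question of what the page tells the user: the status code is specific to the problem and the message names the limit that was exceeded, nothing more.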
STEP 3 : Does your app grant least permissions for actions?
STEP 4 : Does your app have throttling and rate limiting mechanisms?
STEP 5 : Does your app have a way to quickly rotate secrets?
STEP 6 : Have you scanned your code to ensure no valuable information is being released?
STEP 7 : Does your code have unit, integration and functional tests?
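Step 4 asks whether the app throttles and rate-limits requests. The following is an added example, not code from the original post: a per-client token-bucket limiter in front of a request handler, with a manual clock so that bursts can be simulated without waiting. The bucket sizes, the client identifier and the handler are assumptions made for the example.

```python
"""Added example, not part of the original post: a token-bucket rate limiter
of the kind step 4 asks about. The limits, the client identifier and the
request handler are assumptions made for this example."""
import time
from typing import Callable, Dict, Tuple


class ManualClock:
    """Constructed clock so the limiter can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    """Per-client token bucket.

    Each client starts with `capacity` tokens and gains `refill_per_sec`
    tokens per second, never exceeding `capacity`. A request costs one
    token, so bursts are capped at `capacity` and the sustained rate at
    `refill_per_sec`; anything beyond that is throttled.
    """

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens = self._tokens.get(client_id, float(self.capacity))
        last = self._last.get(client_id, now)
        # Refill in proportion to the time elapsed since the last call.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        self._last[client_id] = now
        if tokens >= 1.0:
            self._tokens[client_id] = tokens - 1.0
            return True
        self._tokens[client_id] = tokens
        return False


def handle_request(limiter: TokenBucket, client_id: str) -> Tuple[int, str]:
    """Throttle before doing any real work; 429 is the standard reply."""
    if not limiter.allow(client_id):
        return 429, "Too Many Requests: slow down and retry later"
    return 200, "OK"   # the real handler would run here


def simulate_burst(n: int, capacity: int, refill_per_sec: float,
                   gap_seconds: float) -> Tuple[int, int]:
    """Send n requests from one constructed client, gap_seconds apart, and
    count how many were served (200) and how many were throttled (429)."""
    clock = ManualClock()
    limiter = TokenBucket(capacity, refill_per_sec, clock)
    served = throttled = 0
    for _ in range(n):
        status, _body = handle_request(limiter, "client-1")  # constructed id
        if status == 200:
            served += 1
        else:
            throttled += 1
        clock.advance(gap_seconds)
    return served, throttled


if __name__ == "__main__":
    # 20 requests fired at once against a bucket of 5: 5 served, 15 throttled.
    print(simulate_burst(20, capacity=5, refill_per_sec=1.0, gap_seconds=0.0))
    # The same 20 requests spaced 1 s apart at 1 token/s: all served.
    print(simulate_burst(20, capacity=5, refill_per_sec=1.0, gap_seconds=1.0))
```

The bucket is keyed per client, so one client exhausting its tokens does not affect another; in a real deployment the key would be whatever identifies the caller (API key, session or source address) and the state would live in shared storage rather than a process-local dictionary.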
Hope you enjoyed this? Look out for part II of this post…