4.12.1 Test Business Logic Data Validation (OTG-BUSLOGIC-001)
The application must ensure that only logically valid data can be entered at the front end as well as directly to the server side of an application of system. Only verifying data on the front end may leave applications vulnerable to server injections through proxies. This is different from simply perfroming Boundary Value Analysis (BVA) in that it is more difficult and in most cases can not be simply verified at the entry point, but usually requires checking some other system.
For example: An application may ask for your Social Security Number. In BVA the application should check that the value entered is 9 numbers long, not negative and not all 0's, but there are logic considerstions also. SSNs are grouped and catagorized. Is this person on a death file? Are they from a certain part of the country?
The front end and the backend of the application should be verifying and validating that the data it has, is using and is passing along is valid.
• Perform front-end GUI Functional Valid testing to ensure that the only acceptable values are accepted.
• Using an intercepting proxy observe the HTTP POST/GET looking for the place that variables such as Social Security Number, cost and quality are passed.
• Once variables are found start interrogating the field with logically "invalid" data, such as social security numbers or unique identifiers that do not exist or that do not fit a particulat business process. This testing verifies that the server functions properly and does not accept logically invalid data them.
OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Related Test Cases
The application/system must ensure that only "logically valid" data can accepted at any input point.