As we understand, authentication is the process of verifying the identity of a user or information. When a user logs in to a system, they need to verify their identity with user verification logic.
So, every organization that provides services asks users to log in to their system, which lets users use the service.
If the authentication process does not work properly, your system has a major vulnerability, which will cost you in the form of a large number of. But how is it vulnerable?
Let’s take an example from the world of e-commerce. Suppose that you are the owner of one e-commerce site. The following are the dashboards you have on your site.
1. Admin:
The admin is responsible for managing products, users, orders, the payment system, etc.
2. Seller:
The seller is responsible for managing their products, selling them, and collecting payments from customers.
3. Normal user:
The user places orders and manages their credit card information on your site.
There can be other roles and dashboards. But we are planning to have three roles in order to understand the issues or bugs in the authentication process.
Broken Authentication
Broken authentication is a type of vulnerability that allows attackers to get into a web application without the proper credentials. If the vulnerability is exploited, the whole web application or system is exposed, and the attackers will be able to do anything, such as:
1. The attacker would get a user’s private information, like their address or credit card information.
2. If the attackers get a hold of the seller’s account, they can track the seller’s payment information, like their bank account. They could modify the bank-related information to receive payment themselves.
3. If an administrator is compromised, then it instantly jeopardizes the security of the entire e-commerce site. With the access power of a privileged user or admin, a malicious actor can gain widespread access to systems.
SQL Injection
SQL injection is a code injection technique that can destroy your database. SQL injection occurs when you ask a user for input, like their username or user ID, and they give you an SQL statement instead. If that input is concatenated into a query, you run their statement on your database without knowing it.
If your e-commerce site is not able to detect SQL injection, an attacker could get access to the database and do things like change the admin password. Afterward, they can do anything we discussed in regard to broken authentication.
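As an added example (not code from the original article), here is a login lookup written both ways: the vulnerable form builds the SQL text from the username, the safe form binds it as a parameter so the driver never treats it as SQL. The in-memory SQLite table and its rows are constructed for the demonstration; in a real application the password check would then run against the stored hash.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not the page's data).
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw', 'admin')")
conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw', 'user')")
conn.commit()


def find_user_vulnerable(username: str):
    """String-concatenated query: whatever the user typed becomes part of the SQL text.

    A username containing a quote character closes the string literal early, so the
    remainder of the input is executed as SQL rather than compared as a value.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


def find_user_safe(username: str):
    """Parameterised query: the value is bound by the driver and can never become SQL.

    The same input is compared literally, so a username that 'looks like SQL' simply
    does not match any row and the lookup returns None.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()
```

A tester verifying the fix feeds both functions the same quote-containing input and checks that only the parameterised lookup returns no row.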
Username Enumeration
Username enumeration is a common application vulnerability that occurs when an attacker can determine whether usernames are valid or not. It typically appears on login forms that return an error like “the username is invalid”.
An attacker could exploit this behavior by using long lists of common usernames, known names, and dictionary words to see if the application responds in the same way to all. The attacker can use those results to infer which usernames are valid.
To ensure that your app’s login or authentication process is not vulnerable to any of the issues discussed so far, the login process needs to be tested with different test cases.
Start by confirming that the page renders correctly as a login page. Assuming everything works and there are no visual issues, the login test cases can be the following:
| ID | Name | Description | Detailed Steps | Expected Results | Actual Result |
|---|---|---|---|---|---|
| 1 | TC01 | As a User, can I log in with the correct username and correct password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter the correct username and correct password and hit Log in. | 1) Login page is opened. 2) User should be able to log in to the page. | |
| 2 | TC02 | As a User, can I log in with the wrong username and correct password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter the wrong username and correct password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The username or password is incorrect”. | |
| 3 | TC03 | As a User, can I log in with the correct username and wrong password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter the correct username and wrong password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The username or password is incorrect”. | |
| 4 | TC04 | As a User, can I log in with the wrong username and wrong password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter the wrong username and wrong password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The username or password is incorrect”. | |
| 5 | TC05 | As a User, can I log in with a blank username and blank password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter a blank username and blank password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The username and password field are empty.” | |
| 6 | TC06 | As a User, can I log in with the correct username and empty password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter the correct username and empty password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The password field is empty.” | |
| 7 | TC07 | As a User, can I log in with an empty username and the correct password? | 1) Open the login page, https://www.itlearn360.com. 2) Enter an empty username and correct password and hit Log in. | 1) Login page is opened. 2) User should not be able to log in to the page. 3) User should get the message “The username field is empty.” | |
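The expected results of TC01 to TC07, and the username enumeration point from earlier, as an added example that is not part of the original article. The `login` function returns the exact messages the table expects and uses one generic message for TC02, TC03 and TC04, so the response never reveals whether the username exists; the user store, the password and the `run_test_cases` harness are constructed for this demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; a stand-in for whatever hash the real app uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store for the demonstration: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct-password", _SALT))}
# Dummy record for unknown usernames: the hash is still computed, so the work
# (and the response time) is the same whether or not the username exists.
_DUMMY = (bytes(16), bytes(32))

MSG_BAD_CREDENTIALS = "The username or password is incorrect"
MSG_BOTH_EMPTY = "The username and password field are empty."
MSG_PASSWORD_EMPTY = "The password field is empty."
MSG_USERNAME_EMPTY = "The username field is empty."

def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (logged_in, message) matching the expected results of TC01-TC07."""
    if not username and not password:
        return False, MSG_BOTH_EMPTY          # TC05
    if not password:
        return False, MSG_PASSWORD_EMPTY      # TC06
    if not username:
        return False, MSG_USERNAME_EMPTY      # TC07
    salt, stored = USERS.get(username, _DUMMY)
    computed = _hash(password, salt)          # always hash, even for unknown users
    # Same generic message for wrong username and wrong password (TC02-TC04).
    if username not in USERS or not hmac.compare_digest(computed, stored):
        return False, MSG_BAD_CREDENTIALS
    return True, "Login successful"           # TC01

# (id, username, password, expected logged_in, expected message)
TEST_CASES = [
    ("TC01", "alice", "correct-password", True, "Login successful"),
    ("TC02", "wrong-user", "correct-password", False, MSG_BAD_CREDENTIALS),
    ("TC03", "alice", "wrong-password", False, MSG_BAD_CREDENTIALS),
    ("TC04", "wrong-user", "wrong-password", False, MSG_BAD_CREDENTIALS),
    ("TC05", "", "", False, MSG_BOTH_EMPTY),
    ("TC06", "alice", "", False, MSG_PASSWORD_EMPTY),
    ("TC07", "", "correct-password", False, MSG_USERNAME_EMPTY),
]

def run_test_cases() -> List[Tuple[str, bool]]:
    """Run every case and record whether the actual result equals the expected one."""
    return [(tc, login(u, p) == (ok, msg)) for tc, u, p, ok, msg in TEST_CASES]
```

The enumeration check a tester adds on top of the table is that the TC02 and TC03 messages are byte-for-byte identical.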
In addition to these test cases, some cases may require preconditions (actions to perform before executing a test case) and postconditions (actions that return the system to its initial state). Sometimes software testers also choose to include priority in their test cases. Thus, you may end up with another format for this test artifact.
- Preconditions.
- Summary.
- Priority.
- Steps.
- Expected result.
- Postconditions.
The majority of test cases for the login page have a high priority. Here’s an example of a test case with preconditions, postconditions, and priority.
| ID | Name | Preconditions | Priority | Description | Detailed Steps | Expected Results | Actual Result | Postconditions |
|---|---|---|---|---|---|---|---|---|
| 8 | TC08 | A user is logged into the system. | Medium | As a User, can I log in after logout by pressing the back button? | 1) Log out of the system. 2) Click the Back button. | The user is not logged in. The login page is displayed. | | To access the features for logged-in users, a user has to log in again. |
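TC08 passes only if logout invalidates the session on the server, not just in the browser, and if the logged-in page is sent with a `Cache-Control: no-store` header so the Back button cannot show a cached copy. The following is an added example (not the article's code) with a constructed in-memory session store and a minimal request handler standing in for the application.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side session store: session ID (the cookie value) -> username.
SESSIONS: Dict[str, str] = {}

def login_session(username: str) -> str:
    """Create a server-side session and return the ID to set in the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def logout(sid: str) -> None:
    """Invalidate on the server: the old cookie must stop working even if the
    browser still holds it (the Back button re-sends it)."""
    SESSIONS.pop(sid, None)

def handle_request(path: str, cookie_sid: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a request to a logged-in-only page."""
    # no-store: the browser must re-request the page on Back instead of showing a cached copy.
    headers = {"Cache-Control": "no-store"}
    if cookie_sid is None or cookie_sid not in SESSIONS:
        return 302, {**headers, "Location": "/login"}, "The login page is displayed."
    return 200, headers, "Dashboard for " + SESSIONS[cookie_sid]

def tc08() -> bool:
    """Precondition: a user is logged in. Steps: log out, then press Back.
    Expected: the user is not logged in and the login page is displayed."""
    sid = login_session("alice")
    if handle_request("/dashboard", sid)[0] != 200:
        return False
    logout(sid)
    status, headers, _ = handle_request("/dashboard", sid)  # Back re-sends the old cookie
    return status == 302 and headers["Location"] == "/login"
```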
Final words
The login page is often the foundation for the core features of the application. Software products and services become useless if they don’t function properly. Ensure that you cover a range of possible situations that could occur during a user’s interaction with the system.