Modern applications have a few layers of ‘defense’ that are supposed to protect against unauthorized access. The very first layer is at the front-end, merged with the UI. The UI part, client-side part, is at user’s computer and therefore users have the most capacities to manipulate it. Penetration testing is a purely exploratory testing activity. By using trial-and-error approach we can learn about particular weaknesses in the application, and then use that knowledge to gain some advantage. Of course, as testers, we use that knowledge to evaluate the risks and to help improving the application’s security. Although complete security testing requires specific knowledge and skills, there’s no reason why Black-Box testers can not expand their arsenal with some quick, simple, yet powerful penetration testing techniques.

Groundspeed is a free tool that allows to learn about application and to manipulate it in the ways users normally can not, thus helping to expand the testing scope.

Recently, I conducted Weekend Testing session #21 where we worked through a few exercises, and then discussed new testing techniques enabled by the Groundspeed.

1. Bypass front-end validation of values.

2. Input values that you are normally not able to input – via hidden fields.

3. Trigger function calls in the application that are normally disabled or not accessible.

An unexpected outcome was a shorthand mnemonic crafted by Michael Larsen: “Remember the BIT”.