Before we start with the test cases for the banking website, let's understand the functionality of a banking web app:
The banking web application will have a login function that authenticates the user who is trying to access their bank account. Please also note that banks treat security as one of their top priorities, so there will be mechanisms in place to protect the authentication process, such as two-factor authentication (2FA).
The application will include functionality to transfer money from one bank account to another, or to make monthly deposits towards an EMI or loan repayment.
A user might need to fill in forms related to deposits or fund transfers, along with forms to apply for schemes and benefits. There will also be a contact-us form.
A user might also need to upload documents such as address proof, government identity proof (for example a Social Security Number or Aadhaar card number), mortgage documents, etc.
Now, let's discuss the functionality of an ecommerce website:
The ecommerce web application will have a login function that authenticates the user who is trying to access their account.
The application will include functionality to buy products and a shopping cart. A user can also view their purchase history.
A user might need to fill in forms to return an item or request a refund. The web application will have a review section where a user can give a rating, leave feedback, and upload images.
The web application will display many products, each with a price, discounts, and a description.
Now that we have discussed the basic functionality that a banking web application and an ecommerce web application will have, let's start writing the test cases:
Authentication - We check whether the authentication mechanisms are properly implemented by testing whether they can be bypassed by manipulating the request or the response. We also check whether 2FA can be bypassed, either by manipulating the response or by brute-forcing the OTP.
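The defensive side of the 2FA checks above is that the OTP decision must be made entirely on the server: the code is compared in constant time, each challenge allows only a handful of attempts before it locks, a code expires and can be used once, and a session is issued only after that server-side check passes, so a client-side response edit changes nothing. The following is an added example written for this article, not code from the original post or from any real banking product; `OtpVerifier`, `finish_login` and the limits are hypothetical names and values chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5         # assumed budget of wrong codes per challenge before lockout
OTP_TTL_SECONDS = 300    # assumed validity window of a code


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    """Hypothetical server-side second-factor check (illustrative helper)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._challenges = {}      # user_id -> OtpChallenge

    def issue(self, user_id):
        # Six-digit code from a CSPRNG; a real system delivers it out of band (SMS, app)
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[user_id] = OtpChallenge(code=code, issued_at=self._now())
        return code

    def verify(self, user_id, submitted):
        ch = self._challenges.get(user_id)
        if ch is None or ch.used:
            return False                      # no live challenge, or replay of a used code
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[user_id]
            return False                      # expired
        if ch.attempts >= MAX_ATTEMPTS:
            return False                      # locked: even the right code is refused now
        ch.attempts += 1
        # Constant-time comparison so timing does not reveal how many digits matched
        if hmac.compare_digest(ch.code.encode(), str(submitted).encode()):
            ch.used = True
            return True
        return False


def finish_login(verifier, user_id, submitted):
    """Issue a session only when the server-side check passes.

    Whatever the client does to the JSON it receives, no session token exists
    unless verify() returned True on the server.
    """
    if verifier.verify(user_id, submitted):
        return {"ok": True, "session": secrets.token_urlsafe(32)}
    return {"ok": False, "session": None}
```

The lockout is per challenge rather than per IP address, which is what blunts the brute-force case: after five wrong guesses the challenge is dead and the user has to request a fresh code.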
Injection attacks - Many of the values a user enters are either displayed back to the user or stored in the database. Whenever we search for data, the web application queries the database and returns the requested records. We therefore test for Cross-Site Scripting (XSS), i.e. whether we can get JavaScript to execute in the web application, which could expose sensitive information and make the application perform unauthorized actions. Where the web application talks to the database, we test for SQL injection to see whether we can make the database do anything beyond the intended functionality. SQL injection could disclose sensitive information from users' data.
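To make the two injection cases concrete from the fixing side, here is an added example (written for this article, not code from the original post) with a transaction lookup built by string concatenation next to the same lookup using bound parameters, and an HTML renderer that encodes output before echoing the search term. The table, rows and function names are constructed for the demonstration; the in-memory SQLite database stands in for the real banking backend.

```python
import html
import sqlite3


def build_demo_db():
    """In-memory table with constructed sample rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, account TEXT, reference TEXT, memo TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions (account, reference, memo, amount) VALUES (?, ?, ?, ?)",
        [
            ("ACC-1001", "TXN-1", "salary", 2500.0),
            ("ACC-1001", "TXN-2", "rent", -900.0),
            ("ACC-2002", "TXN-3", "groceries", -120.5),
        ],
    )
    return conn


def lookup_unsafe(conn, account, reference):
    # Vulnerable pattern: the user-controlled reference is spliced into the SQL text,
    # so a quote in the input changes the query's structure and the account filter
    # can be made irrelevant.
    sql = (
        "SELECT memo, amount FROM transactions "
        f"WHERE account = '{account}' AND reference = '{reference}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account, reference):
    # Hardened: placeholders. The driver passes the input as data, never as SQL,
    # so the same input is just a reference string that matches nothing.
    sql = "SELECT memo, amount FROM transactions WHERE account = ? AND reference = ?"
    return conn.execute(sql, (account, reference)).fetchall()


def render_result(term, rows):
    # Output encoding at the point where untrusted text meets HTML stops reflected
    # and stored XSS; html.escape turns < > & " ' into entities.
    items = "".join(
        f"<li>{html.escape(memo)}: {amount:.2f}</li>" for memo, amount in rows
    )
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"
```

Run `lookup_unsafe` and `lookup_safe` with the same crafted reference and the difference is the whole lesson: the concatenated query returns every account's rows, the parameterised one returns an empty list.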
Directory listing - We check whether directory listing is enabled on the web application's endpoints, since a listing can disclose sensitive information such as users' uploaded documents, which are confidential between the user and the bank.
Parameter Tampering - There are many parameters involved when transferring money or making a monthly deposit. We check whether we can alter the values of these parameters to perform unintended actions that change the user's bank balance or the product price.
Access Control - Since a banking or ecommerce web application has many users, it will use certain parameters, such as an account or customer number, to identify each user uniquely. If we can manipulate that identifier and the application does not perform authorization checks, we might be able to access other users' profiles and bank accounts.
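The parameter tampering and access control cases above share one fix: the server must not trust anything in the request that it can decide for itself. The added example below (written for this article, not code from the original post) shows a transfer handler that checks the source account belongs to the logged-in session user before touching balances, validates the amount as a positive two-decimal value rather than whatever string arrives, and a checkout routine that recomputes the order total from the server-side catalogue, ignoring any price the client sent. The accounts, balances, SKUs and function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample state: account ownership, balances and a product catalogue
ACCOUNT_OWNER = {"ACC-1001": "alice", "ACC-2002": "bob"}
BALANCES = {"ACC-1001": Decimal("1500.00"), "ACC-2002": Decimal("300.00")}
CATALOG = {"SKU-42": Decimal("49.99"), "SKU-7": Decimal("5.00")}


class Rejected(Exception):
    """Raised for any request the server refuses to act on."""


def parse_amount(raw):
    """Accept only a finite, positive amount with at most two decimal places."""
    try:
        amount = Decimal(str(raw))
        if not amount.is_finite() or amount <= 0:
            raise Rejected("amount must be a positive number")
        if amount != amount.quantize(Decimal("0.01")):
            raise Rejected("amount must have at most two decimal places")
    except InvalidOperation:
        raise Rejected("amount is not a valid monetary value")
    return amount


def transfer(session_user, source, destination, raw_amount, balances=BALANCES):
    """Move funds; session_user comes from the authenticated session, the rest from the request."""
    # Object-level authorization: the account id in the request must belong to the caller.
    if ACCOUNT_OWNER.get(source) != session_user:
        raise Rejected("source account is not owned by the requester")
    if destination not in balances or destination == source:
        raise Rejected("invalid destination account")
    amount = parse_amount(raw_amount)           # tampered values (negative, huge, text) stop here
    if balances[source] < amount:
        raise Rejected("insufficient funds")
    balances[source] -= amount
    balances[destination] += amount
    return balances[source]


def checkout_total(cart):
    """cart: list of {'sku', 'qty', ...} as sent by the client.

    Any 'price' field the client includes is ignored; prices come from CATALOG.
    """
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOG:
            raise Rejected(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0 or qty > 100:
            raise Rejected("quantity out of range")
        total += CATALOG[sku] * qty
    return total
```

Note that `transfer` takes the user from the session and the account from the request and then checks that the two agree; an endpoint that reads both from the request has nothing to compare and is exactly the access control gap the test case looks for.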
File Upload - Where a bank asks its users to upload documents as images or PDFs, or an ecommerce web application asks its users to attach an image to feedback or a complaint, we check whether malicious files can be uploaded to the web server and whether they can then be executed. A malicious file executing on the web server could affect other users' documents and could give the attacker remote access to the server.
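On the defensive side, an upload handler passes this test case when the stored file can never become executable content: the extension is checked against an allow-list, the leading bytes must match the type the extension claims, the size is bounded, any directory component in the client's filename is discarded, and the file is stored under a random server-chosen name in a location the web server does not execute from. The following is an added example for this article, not code from the original post; `validate_upload`, `store_upload`, the limits and the sample bytes are constructed for illustration.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed size cap

# Allowed extension -> leading bytes (magic numbers) that type must start with
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}


class UploadRejected(Exception):
    pass


def validate_upload(filename, content):
    """Return the accepted extension or raise UploadRejected."""
    # Keep only the final path component, whichever separator the client used,
    # so "../something" or "C:\\docs\\x.pdf" cannot steer where the file lands.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()   # last extension only: "x.pdf.php" -> ".php"
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected("file type not allowed")
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def stored_name(ext):
    # Random server-chosen name; the user-supplied name never reaches the filesystem.
    return secrets.token_hex(16) + ext


def store_upload(filename, content, storage):
    """storage: dict standing in for a bucket or directory outside the web root."""
    ext = validate_upload(filename, content)
    name = stored_name(ext)
    storage[name] = content
    return name
```

The magic-byte check is a sanity check, not a parser; it does not rule out a valid image that also carries other content. What actually closes the "can we execute it" question is the storage location (outside the document root, or a bucket with no execute semantics) together with serving downloads with a fixed `Content-Type` and `Content-Disposition: attachment`.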
CSRF - An attacker sends the victim a link to a page containing malicious code; if the victim opens it, the page performs an unintended action in the victim's session, such as changing personal details, enrolling in a fixed deposit (FD), or transferring money. The preconditions for this attack are that the request parameters are predictable (not random) and that the victim is authenticated.
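The "parameters should not be random" precondition is exactly what the standard defence removes: each state-changing request must carry a per-session token that a cross-site page cannot read, and the server compares it in constant time and additionally refuses requests whose `Origin` (or, failing that, `Referer`) is not the site's own. The added example below is written for this article, not taken from the original post; the request shape is a plain dict standing in for a framework request object, and `https://bank.example` is an assumed site origin.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://bank.example"}      # assumed origin of the banking site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session(user):
    # Token is unpredictable and bound to the session; it is rendered into the
    # site's own forms, which a page on another origin cannot read.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def csrf_check(session, request):
    """request: {'method', 'headers', 'form'} (constructed stand-in for a real request)."""
    if request["method"].upper() in SAFE_METHODS:
        return True          # safe methods must not change state in the first place
    # First gate: reject requests that announce a foreign origin (or "null").
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
            return False
    # Second gate: the token in the body must match the session's token.
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def update_profile(session, request, profile):
    """State-changing endpoint; returns an HTTP-style status code."""
    if request["method"].upper() != "POST":
        return 405
    if not csrf_check(session, request):
        return 403
    profile["email"] = request["form"]["email"]
    return 200
```

A request forged from another site can satisfy the second precondition (the victim is logged in, so the cookie goes along) but not the first: without the token the body is rejected, and a browser-supplied `Origin` header naming the attacker's site is refused even before the token is examined.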