1. Log in. (There can be about 60 to 70 test cases for log in alone.)
2. Tests like: enter the URL of a page of the site directly without logging in and try to access it.
3. Access and privileges. (Ability to provide read, write, modify privileges to various user groups.)
4. Ensure encryption wherever necessary.
5. Ensure and test that SSL is invoked when critical data is being transferred. Test with sample VeriSign SSL certificates.
6. Database security. Ensure that the database cannot be accessed by unauthorized users.
7. Ensure a backup plan for the database is there.
8. Test with a firewall, etc.
I hope this will give you something to start with.
Purudasai - what you did is called "hijacking the thread". Your post has nothing to do with the original question posed in the thread. If you have a new question, kindly start a new topic.
Regarding your question - there are books written about that. There is no way that anyone here can answer that question in a single post, or even a series of posts. I would highly suggest that you go out and get one of the good testing books (Kaner and Bach are good authors) and spend some quality time with them. After that, everyone here will be happy to answer specific questions. However, before you ask those questions, we ask that you perform due diligence and search first - many of your questions will have been answered already.
I. Attacking Software Dependencies
Attack 1: Block access to libraries
Attack 2: Manipulate the application’s registry values.
Attack 3: Force the application to use corrupt files
Attack 4: Manipulate and replace files that the application creates, reads from, writes to, or executes
Attack 5: Force the application to operate in low memory, disk-space and network-availability conditions
II. Breaking Security Through the User Interface
Attack 6: Overflow input buffers
Attack 7: Examine all common switches and options
Attack 8: Explore escape characters, character sets, and commands
III. Attacking Design
Attack 9: Try common default and test account names and passwords
Attack 10: Use Holodeck to expose unprotected test APIs
Attack 11: Connect to all ports
Attack 12: Fake the source of data
Attack 13: Create loop conditions in any application that interprets script, code, or other user-supplied logic
Attack 14: Use alternate routes to accomplish the same task
Attack 15: Force the system to reset values
IV. Attacking Implementation
Attack 16: Get between time of check and time of use
Attack 17: Create files with the same name as files protected with a higher classification
Attack 18: Force all error messages
Attack 19: Use Holodeck to look for temporary files and screen their contents for sensitive information
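Attack 16 above (the time-of-check/time-of-use window) is the item on this list that hides the subtlest coding error, so here is an added example that is not from the original post or from the book it summarises: a check-then-open file read beside a hardened version that opens first and validates the descriptor it actually holds. The secret file and symlink are constructed in a temporary directory, and the code assumes a POSIX system where os.O_NOFOLLOW is available.

```python
import os
import stat
import tempfile


def vulnerable_read(path: str) -> bytes:
    # Check-then-use (CWE-367): the name is checked with os.access() and then
    # opened again by name. Anything that makes the name resolve to a symlink
    # between (or, as in demo(), before) the two calls is followed silently.
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    with open(path, "rb") as f:
        return f.read()


def hardened_read(path: str) -> bytes:
    # Open first, let the kernel refuse symlinks (O_NOFOLLOW), then validate
    # the descriptor you hold with fstat() instead of re-checking the name.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("refusing non-regular file: %s" % path)
        if st.st_uid != os.getuid():
            raise OSError("refusing file owned by another user: %s" % path)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def demo() -> dict:
    # Constructed scenario: a secret file plus a symlink to it, standing in for
    # a link that could appear in a directory the application reads from.
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"top secret")
        link = os.path.join(d, "report.txt")
        os.symlink(secret, link)
        result = {"vulnerable_followed_link": vulnerable_read(link) == b"top secret"}
        try:
            hardened_read(link)
            result["hardened_refused_link"] = False
        except OSError:
            result["hardened_refused_link"] = True
        result["hardened_reads_real_file"] = hardened_read(secret) == b"top secret"
        return result


if __name__ == "__main__":
    print(demo())
```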