I'm going to test an internet web application that creates and revokes PKI security certificates stored on a Windows Server.
Could somebody give me ideas on what would be most important to test, both in terms of functionality and, more importantly, security?
I guess I'm looking for tests that can show the project/test manager how tampering with the web interface gives access to certificates stored on the server, but how are those tests performed in practice?
Thanks a million,
ISEB Foundation in Software Testing Certified
You can look for opportunities to gain access by either inserting script info into available fields that will execute when processed or clicked upon or for buffer overruns which may allow people to execute code.
Start by trying for buffer overruns in any available areas.
If you are doing a form submit, spoof the form to see if you can inject characters which are normally encoded by Windows browsers, like < | / and similar. If you can send these, unencoded and unfiltered, to your server, you have a good chance at hacking in.
Not very structured, but maybe it will give you some ideas....
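The form-spoofing check the answer describes, as an added example that is not part of the original thread and not code from the application being tested: a hand-built POST body carries the characters the answer lists (plus a script tag with a unique token) straight to the handler, bypassing anything the browser would have encoded, and the response is classified by whether the probe comes back unencoded, HTML-escaped, or rejected. The three WSGI handlers (`vulnerable_app`, `escaping_app`, `validating_app`), the field name `cn`, the `/request-cert` path and the CN allow-list regex are all hypothetical stand-ins for the certificate-request form; the handlers are called in-process so the script runs offline.

```python
import html
import io
import re
from urllib.parse import parse_qs

# Probe payload: the characters the answer lists (<, |, /) plus a script tag
# carrying a unique token, so any reflection is easy to spot in the response.
PROBE = '<script>alert("cn-probe")</script>|/'


def _read_form(environ):
    """Parse an application/x-www-form-urlencoded POST body into a dict."""
    size = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(size).decode("utf-8", "replace")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def vulnerable_app(environ, start_response):
    """Hypothetical cert-request handler that echoes the CN back unescaped."""
    cn = _read_form(environ).get("cn", "")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [("<p>Certificate requested for CN: %s</p>" % cn).encode("utf-8")]


def escaping_app(environ, start_response):
    """Same handler, but HTML-escapes the CN before placing it in the page."""
    cn = _read_form(environ).get("cn", "")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    page = "<p>Certificate requested for CN: %s</p>" % html.escape(cn, quote=True)
    return [page.encode("utf-8")]


# Assumed allow-list for a CN typed into the form; a real deployment would
# derive this from the naming policy of the CA.
CN_ALLOWED = re.compile(r"^[A-Za-z0-9 .\-]{1,64}$")


def validating_app(environ, start_response):
    """Rejects any CN outside the allow-list on the server side, whatever the browser sent."""
    cn = _read_form(environ).get("cn", "")
    if not CN_ALLOWED.match(cn):
        start_response("400 Bad Request", [("Content-Type", "text/html; charset=utf-8")])
        return [b"<p>Invalid common name</p>"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    page = "<p>Certificate requested for CN: %s</p>" % html.escape(cn, quote=True)
    return [page.encode("utf-8")]


def spoofed_post(app, fields):
    """Submit the fields as a hand-built POST body, the way a proxy or script would,
    so nothing the browser would have percent-encoded or validated is touched."""
    body = "&".join("%s=%s" % (k, v) for k, v in fields.items()).encode("utf-8")
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/request-cert",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    page = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], page


def probe_field(app, field):
    """Send the probe in one field and classify how the handler treated it."""
    status, page = spoofed_post(app, {field: PROBE, "validity_days": "365"})
    if PROBE in page:
        return "reflected-unencoded"   # finding: input lands in the HTML as-is
    if html.escape(PROBE, quote=True) in page:
        return "reflected-encoded"     # output encoding is in place
    return "rejected" if status.startswith("400") else "filtered"


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app),
                      ("escaping", escaping_app),
                      ("validating", validating_app)):
        print("%-10s cn -> %s" % (name, probe_field(app, "cn")))
```

Against a live target, replace `spoofed_post` with a real HTTP client that sends the same raw body (for example an intercepting proxy, or `requests.post(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})`), and run `probe_field` once per form field; "reflected-unencoded" on any field is the result to show the test manager, while "reflected-encoded" alone still leaves the server-side validation question open, which is why the validating handler is shown separately.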