Led by our goal to put software testers on the Croatian software development map, Zeljko and I held a presentation named Test like dr. House at Webstrategija 14. Zeljko presented Watir and SauceLabs in action, and my goal was to present rapid software testing in a five-minute demonstration.
Dr. House gave me the task to find one problem with the page webstrategija.com. As the workshop on the following day was about web application security, my decision was to find one security problem in five minutes. In order to give a presentation, all presenters had to register using a registration form. Zeljko warned me that on the presentation day, the link to that form from the webstrategija page had been removed. So using the browser history we found the original link. The link led to another company that provides registration services. The problem was that the collected form data was not sent to the server in encrypted form. I confirmed that by looking at the protocol information (a globe icon instead of a lock icon in the browser address bar) of the form data service provider, and by using the Chrome web development tool's inspect element on the button that sends the form data to the server. The protocol in the html form element was http.
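The same check, automated: an added example (not part of the original post) that parses a page's forms and flags any whose action URL would carry the submitted data over plain http, including an explicit http:// action on an otherwise https page. The sample HTML and the host names in it are constructed for illustration.

```python
"""Flag HTML forms that would submit user data over plain HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects the action URL and method of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)  # attribute values may be None for bare attributes
            self.forms.append((a.get("action") or "", (a.get("method") or "GET").upper()))


def insecure_forms(page_url, html):
    """Return (resolved_action, method) for each form whose data would travel unencrypted.

    A missing or relative action resolves against the page URL, so a form on an https
    page with action="/register" is fine, while an explicit http:// action is flagged
    even there; a scheme-relative "//host/path" action inherits the page's scheme.
    """
    parser = FormCollector()
    parser.feed(html)
    flagged = []
    for action, method in parser.forms:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            flagged.append((target, method))
    return flagged


# Constructed sample: a registration form posted to a third-party service over http
# (placeholder host, not the real provider), plus a secure relative form for contrast.
SAMPLE_PAGE_URL = "https://conference.example/register"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://registration.example/submit">
  <input name="email"><input type="submit" value="Register">
</form>
<form method="post" action="/feedback"><input name="msg"></form>
</body></html>
"""

if __name__ == "__main__":
    for target, method in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure form: {method} {target}")
```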
Sending user data through the Internet in unencrypted form is not good. I informed the audience that their data (because everyone in the audience had used that registration form) could easily be tampered with.
Zeljko and I got the lowest evaluation feedback for our presentation. But I think that this is good. When a software tester asks a question that makes somebody angry (the audience in this case), that means that this question reveals some product bug or issue (this is not my statement but one from a great tester who said it at the Let's Test 2012 conference).
I think that not using https for user data collection is a product bug.
What do you think?