
[21:31:55] Dwarika Dhish Mishra (Tester): hi
[21:32:05] srinivas kadiyala: Hi..

[21:32:18] ritika-gulati: hey
[21:32:35] Dwarika Dhish Mishra (Tester): ok so we are taking a few sites
[21:32:39] Dwarika Dhish Mishra (Tester): like
[21:32:41] Dwarika Dhish Mishra (Tester): facebook.com
[21:32:45] ritika-gulati: shall we start
[21:32:49] Dwarika Dhish Mishra (Tester): http://www.softwaretestpro.com/Login
[21:32:53] srinivas kadiyala: What is the topic on
[21:32:59] Dwarika Dhish Mishra (Tester): http://netherlandstestingday.com/login.html
[21:33:37] Dwarika Dhish Mishra (Tester): here we will see the pattern of forgot password and what the pattern of its whole workflow is
[21:33:56] ritika-gulati: how
[21:34:07] ritika-gulati: should I have to try all hits
[21:34:59] Dwarika Dhish Mishra (Tester): or if you are not registered with these sites then you can opt for any 3-4 sites where you are registered with your mail id
[21:35:16] Dwarika Dhish Mishra (Tester): @Srinivas
[21:35:19] Dwarika Dhish Mishra (Tester): you there
[21:35:30] srinivas kadiyala: yes
[21:35:58] Dwarika Dhish Mishra (Tester): so suggest how we should proceed
[21:36:01] Dwarika Dhish Mishra (Tester): with this
[21:36:07] ritika-gulati: ok
[21:36:34] srinivas kadiyala: Before we start:
[21:36:42] srinivas kadiyala: Let's have a small discussion..
[21:36:45] Dwarika Dhish Mishra (Tester): ok
[21:37:06] ritika-gulati: username and password
[21:37:16] Dwarika Dhish Mishra (Tester): so first of all I would like to explain the common understanding of the Forgot password link
[21:37:33] ritika-gulati: ok

[21:38:15] Dwarika Dhish Mishra (Tester): Whenever we are registered with some email id on some network site, and sometimes if we are not able to access the site, then to reset the password we hit the Forgot password link
[21:39:03] ritika-gulati: tell me if we don't know the email
[21:39:22] Dwarika Dhish Mishra (Tester): in return we get a mail: 1- This mail might contain a URL to reset the password 2- It might send the username and a temporary password 3- sometimes it sends the username and password
[21:39:50] Dwarika Dhish Mishra (Tester): through this we reset or directly login with the sent password
[21:40:03] Dwarika Dhish Mishra (Tester): ok so what do you say Srinivas
[21:40:21] Dwarika Dhish Mishra (Tester): if I am missing anything then please correct me
[21:40:53] srinivas kadiyala: Yes, you are correct.. One thing to know: Recently, on www.healthcare.gov when we do the same, while entering the email address and pressing the submit button
[21:41:10] Dwarika Dhish Mishra (Tester): ok what have you observed there
[21:41:24] srinivas kadiyala: we have to check whether it's also sending the password to the browser as well as to email.
[21:41:40] Dwarika Dhish Mishra (Tester): ok so let me enroll first then try the forgot link there
[21:42:38] Dwarika Dhish Mishra (Tester): @Ritika go to this link https://www.healthcare.gov/marketplace/global/en_US/login
[21:42:43] srinivas kadiyala: wait..
[21:47:35] srinivas kadiyala: Ok, let me simplify this
[21:47:42] srinivas kadiyala: instead of the login page.
[21:47:51] srinivas kadiyala: Let's go direct to the forgot password page
[21:48:10] Dwarika Dhish Mishra (Tester): ok
[21:48:40] srinivas kadiyala: https://www.healthcare.gov/marketplace/global/en_US/login#forgotPassword
[21:48:44] srinivas kadiyala: Click on this link
[21:48:49] srinivas kadiyala: Type any username

[21:49:13] srinivas kadiyala: and press send Email
[21:49:41] Dwarika Dhish Mishra (Tester): oh, blunder with this forgot link
[21:49:48] ritika-gulati: I have entered a username
[21:50:15] ritika-gulati: and the next option is return to login page
[21:50:46] Dwarika Dhish Mishra (Tester): with this URL anyone can set their reset password
[21:50:57] Dwarika Dhish Mishra (Tester): but this link should be specific to the username
[21:51:06] srinivas kadiyala: One thing:- do your websites function like this?
[21:51:23] Dwarika Dhish Mishra (Tester): no
[21:51:33] srinivas kadiyala: or does it validate there itself whether the username / email address is available or not.
[21:51:41] Dwarika Dhish Mishra (Tester): yes
[21:51:52] srinivas kadiyala: Do you think of this as a flaw?
[21:52:34] Dwarika Dhish Mishra (Tester): ya because when we are entering any username then it is taking almost 30 seconds and more than that to decide whether this user exists or not
[21:52:59] srinivas kadiyala: Ritika: Your opinion?
[21:53:09] Dwarika Dhish Mishra (Tester): and finally it writes something like we have sent an email
[21:53:23] Dwarika Dhish Mishra (Tester): but if the user is not valid then how could an email be sent
[21:53:44] ritika-gulati: I have entered a username
[21:53:57] ritika-gulati: and then the next option was the login window
[21:54:16] srinivas kadiyala: which URL are you seeing?
[21:54:21] ritika-gulati: and then I tried my username and I clicked on username
[21:54:37] Dwarika Dhish Mishra (Tester): https://www.healthcare.gov/marketplace/global/en_US/login#forgotPasswordResults:passwordEmail
[21:54:37] srinivas kadiyala: https://www.healthcare.gov/marketplace/global/en_US/login#forgotPassword
[21:54:52] Dwarika Dhish Mishra (Tester): that is being used to send the email
[21:54:52] srinivas kadiyala: You have to see the above link

[21:55:02] ritika-gulati: yes I am checking
[21:55:44] ritika-gulati: first I have entered a username
[21:55:49] srinivas kadiyala: I will give you the message from the testing professional after your opinion:
[21:55:51] ritika-gulati: it should not be correct
[21:56:00] Dwarika Dhish Mishra (Tester): @Sri it is showing like the system is down
[21:56:13] srinivas kadiyala: don't go deep in the website
[21:56:22] srinivas kadiyala: they closed some things..
[21:56:45] Dwarika Dhish Mishra (Tester): ok
[21:56:48] Dwarika Dhish Mishra (Tester): ok
[21:57:14] srinivas kadiyala: Reply from Professional: Not revealing that the username or email exists is the appropriate behavior. In this case, healthcare.gov does the right thing in the user interface: it provides the same feedback regardless of whether or not a user exists in the system. However, what is displayed in the UI differs from what's returned by the REST service with which the browser interacts. The REST service returns details as to whether or not the user account exists. That is a problem.
[21:58:00] srinivas kadiyala: -----So from the reply, what do you feel?
[21:58:55] Dwarika Dhish Mishra (Tester): REST service I think is a kind of API
[21:59:06] ritika-gulati: if we are entering a username then we should have a username
[21:59:55] srinivas kadiyala: yes, everyone feels the same. - when we don't have the username - it should give the response - no email/username exists.
[22:00:39] Dwarika Dhish Mishra (Tester): @Sri -- this reply has really changed my perception of common practices and the gov protocol to prevent the site from username or email id guessing
[22:01:22] srinivas kadiyala: Yes, I contacted them by mail - two days back on this.
[22:01:31] Dwarika Dhish Mishra (Tester): so this is a gov protocol and has been taken as a standard, maybe in the Healthcare domain, for
[22:01:38] Dwarika Dhish Mishra (Tester): security reasons
[22:01:58] Dwarika Dhish Mishra (Tester): so what have they written to you
[22:02:00] ritika-gulati: so what should we do

[22:02:44] srinivas kadiyala: Reason: Whether or not revealing the existence of a username or email address is a problem depends on context. In many cases, this information has to be public or semi-public for the site to fulfill its purpose. In other cases, the impact of compromising data in the system demands this information be protected.
[22:02:47] Dwarika Dhish Mishra (Tester): @Sri and @riti I have also noticed that we could receive the forgot password reset mail even if we are not a verified user but a registered user
[22:03:15] Dwarika Dhish Mishra (Tester): actually in the Health domain they follow a HIPAA protocol
[22:03:53] Dwarika Dhish Mishra (Tester): in which they even quote a patient in terms of a combination of a machine generated number and sometimes an encrypted username
[22:04:18] Dwarika Dhish Mishra (Tester): so this might have been implemented to hide the identity
[22:04:40] srinivas kadiyala: yes..
[22:04:44] srinivas kadiyala: One more:
[22:04:52] Dwarika Dhish Mishra (Tester): tell me
[22:04:53] srinivas kadiyala: http://blog.isthereaproblemhere.com/2013/10/but-wait-passwordreset-is-still.html
[22:05:02] srinivas kadiyala: read this post..
[22:05:09] ritika-gulati: one thing I want to say
[22:05:21] srinivas kadiyala: go ahead: ritika
[22:05:51] ritika-gulati: only those options are there for which we are adding a username
[22:06:04] ritika-gulati: and we are getting new options
[22:06:44] ritika-gulati: but the conclusion is we can't open that website
[22:06:56] ritika-gulati: that website exactly
[22:07:43] srinivas kadiyala: which link are you trying to do this with.
[22:08:17] ritika-gulati: https://www.healthcare.gov/marketplace/global/en_US/login#forgotPassword
[22:08:35] ritika-gulati: I have entered first any username
[22:08:43] ritika-gulati: after that I got that link
[22:08:55] Dwarika Dhish Mishra (Tester): @Sri this is the STP forgot password link and in this no one can guess what the username is, and so sometimes it may be a kind of secure thing to breach into an account http://www.softwaretestpro.com/ForgotPassword/?token=%2bsvaTuAoEVU%2fXNR1QnQ7YVa29MQL9jCSLtpR5W0hYy1JEco
[22:09:35] Dwarika Dhish Mishra (Tester): but in the case of healthcare the forgot password link reveals the username
[22:10:09] srinivas kadiyala: Have you done it using "networks"?
[22:10:37] srinivas kadiyala: http://www.softwaretestpro.com/forgotpassword
[22:10:53] Dwarika Dhish Mishra (Tester): ya I have found out the reset link of some sites
[22:10:56] ritika-gulati: I have entered my gmail id but I have not got any link
[22:11:01] ritika-gulati: on my gmail id
[22:11:01] Dwarika Dhish Mishra (Tester): http://www.softwaretestpro.com/forgotpassword https://www.facebook.com/recover/initiate http://netherlandstestingday.com/login.html
[22:11:20] srinivas kadiyala: Let's try this method: http://blog.isthereaproblemhere.com/2013/10/one-down.html for forgot password in STP.
[22:14:37] srinivas kadiyala: There you can see in networks: Response headers - no email/username will be shown. right?
[22:14:38] Dwarika Dhish Mishra (Tester): oh it's a kind of data that is being sent to the next level
[22:14:58] ritika-gulati: can anyone tell me
[22:15:11] srinivas kadiyala: yes?
[22:15:50] ritika-gulati: what is that blogspot
[22:16:28] ritika-gulati: if we are entering our gmail id then it can store it in its database
[22:17:31] ritika-gulati: and only registered users of that health problem only can login
[22:17:47] srinivas kadiyala: remember two things: 1. it will store in the database 2. But it should store the passwords also in encrypted (hash) format.

[22:17] ritika-gulati: <<< and only registered users of that health problem only can login
[22:18:38] srinivas kadiyala: Yes, that's why I asked: the healthcare website is for USA citizens by Obama.
[22:18:56] srinivas kadiyala: and it has lots of security, coding and performance problems.
[22:19:07] ritika-gulati: yes
[22:19:08] Dwarika Dhish Mishra (Tester): ya
[22:19:11] srinivas kadiyala: Now,
[22:19:21] Dwarika Dhish Mishra (Tester): really, but this data we can also see using Tamper Data
[22:19:36] Dwarika Dhish Mishra (Tester): but till now I didn't get my username that I have entered
[22:20:18] ritika-gulati: ??
[22:20:40] srinivas kadiyala: I didn't get you - @dwarika
[22:21:19] Dwarika Dhish Mishra (Tester): actually in the header I am not getting the response that has been shown in the blogspot post
[22:21:49] srinivas kadiyala: please tell us step by step what you are performing.
[22:22:21] Dwarika Dhish Mishra (Tester): ya I got it
[22:22:31] Dwarika Dhish Mishra (Tester): it's an encrypted string
[22:22:32] Dwarika Dhish Mishra (Tester): e0db2b4d-0ce5-4b11-8d2c-96f5ffbc7616
[22:22:42] Dwarika Dhish Mishra (Tester): correlationid
[22:22:52] ritika-gulati: what is this string
[22:23:01] srinivas kadiyala: [22:21] srinivas kadiyala: <<< please tell us step by step what you are performing.
[22:23:26] Dwarika Dhish Mishra (Tester): 1- opened the forgot password link
[22:23:37] Dwarika Dhish Mishra (Tester): 2- I entered the username heatlhcare
[22:23:47] Dwarika Dhish Mishra (Tester): 3- at the same time I hit F12
[22:24:04] Dwarika Dhish Mishra (Tester): 4- went to network
[22:24:12] srinivas kadiyala: same healthcare website
[22:24:14] srinivas kadiyala: ?

[22:24:17] Dwarika Dhish Mishra (Tester): ya
[22:26:14] Dwarika Dhish Mishra (Tester): that normally payloads the information to the next level
[22:26:20] ritika-gulati: why are we using
[22:26:23] srinivas kadiyala: correlationid:4c9a0252-a00c-4b18-a82f-46b11ab49a84
[22:26:36] srinivas kadiyala: @dwarika: you are seeing the same kind right
[22:26:37] srinivas kadiyala: ?
[22:26:41] srinivas kadiyala: in the response header
[22:26:45] Dwarika Dhish Mishra (Tester): ya
[22:27:06] ritika-gulati: can anyone tell me why we are pressing F12
[22:27:23] Dwarika Dhish Mishra (Tester): @Riti to open the developer tool in the browser
[22:27:45] srinivas kadiyala: Developer options tool - this is useful to debug the code
[22:27:54] srinivas kadiyala: am I right @dwarika?
[22:28:45] srinivas kadiyala: That correlation id - is the encrypted form that will be sent as a mail..
[22:29:42] Dwarika Dhish Mishra (Tester): ya
[22:29:49] srinivas kadiyala: one more thing:
[22:29:51] Dwarika Dhish Mishra (Tester): tell me
[22:30:08] srinivas kadiyala: Whenever an email is sent to us,
[22:30:14] srinivas kadiyala: for reset password.
[22:30:34] srinivas kadiyala: http://blog.isthereaproblemhere.com/search?updated-max=2013-10-27T12:14:00-06:00&max-results=2
[22:31:09] srinivas kadiyala: The problem is that the system sends both the username and the reset code over email -- which is generally an insecure means of communication.
[22:31:38] Dwarika Dhish Mishra (Tester): ya but they are presuming that email is safe
[22:31:42] Dwarika Dhish Mishra (Tester): https://www.healthcare.gov/marketplace/global/en_US/registration#forgotPasswordQuestions?user=Dwarika1987&uuid=b28823ed-4920-433c-89e0-c59632dd3437
[22:31:54] Dwarika Dhish Mishra (Tester): here the username is revealed
[22:32:03] Dwarika Dhish Mishra (Tester): the UUID is the temp password

[22:32:05] Dwarika Dhish Mishra (Tester): I think
[22:33:49] srinivas kadiyala: As per the notes: Sending both makes the system less secure.
[22:34:30] Dwarika Dhish Mishra (Tester): ya
[22:34:49] Dwarika Dhish Mishra (Tester): but at the same time they verify the identity first
[22:35:03] srinivas kadiyala: yes, that's a security flaw.
[22:35:17] srinivas kadiyala: as per Ben Simo.
[22:35:52] Dwarika Dhish Mishra (Tester): because in the US and European countries every detail is written into the insurance
[22:36:26] Dwarika Dhish Mishra (Tester): policy, and the return is defined on the basis of the health history of the person
[22:37:56] srinivas kadiyala: Ok, have any of you written a checklist of forgot password scenarios?
[22:38:01] srinivas kadiyala: or follow any rules?
[22:38:17] Dwarika Dhish Mishra (Tester): ya I have written some observations like
[22:38:38] Dwarika Dhish Mishra (Tester): 1- The URL should not mention any username or email id or any detail of the temp password
[22:39:00] Dwarika Dhish Mishra (Tester): 2- forgot password should not be sent to an unverified user
[22:39:19] srinivas kadiyala: @dwarika: can you share it in a doc here
[22:39:38] Dwarika Dhish Mishra (Tester): 3- the end user should not be able to change/reset the password more than once through a single link, meaning after a single click it should get expired
[22:40:22] Dwarika Dhish Mishra (Tester): 4- each link should have a time duration for its expiry, like if the user is hitting the same link after 10 days then that link should not work
[22:40:39] Dwarika Dhish Mishra (Tester): these are a few points that I have observed
[22:40:58] srinivas kadiyala: Here is the checklist I follow: http://tuppad.com/blog/wp-content/uploads/2012/03/WebApp_Sec_Testing_Checklist.pdf Thanks to Santhosh Tuppad.
[22:41:22] srinivas kadiyala: Check the forgot password section.
[22:43:30] Dwarika Dhish Mishra (Tester): it was a really nice session with you
[22:43:30] srinivas kadiyala: add those Ben Simo points, seeing in the network whether it's sending the password
[22:43:40] srinivas kadiyala: Cool - Just a start.

[22:43:49] srinivas kadiyala: We need to learn more...
[22:43:53] Dwarika Dhish Mishra (Tester): ya
[22:43:59] srinivas kadiyala: Yes, can we have it tomorrow?
[22:44:04] Dwarika Dhish Mishra (Tester): ya sure
[22:44:07] Dwarika Dhish Mishra (Tester): the same time