Skip to content

Latest commit

 

History

History
91 lines (75 loc) · 3.72 KB

TestSession.03.md

File metadata and controls

91 lines (75 loc) · 3.72 KB

Test Session 03 - Counter App Exploratory Testing

Target: http://127.0.0.1:8080
Date: 2025-09-09
Tester: Cascade AI
Mission: Break the behavioral tracking counter app, find vulnerabilities and edge cases

Application Overview

  • Behavioral tracking app with 8 counter buttons (TA, BD, RF, LP, UP, QU, CM, NTA)
  • Central Start/Timer button with 0:10 display
  • Settings modal with Return, Cancel, Finish, Skip Coding options
  • Version 0.0.61

Initial Reconnaissance Findings

  • Clean grid layout with colored counter buttons
  • All counters start at 0
  • Timer shows 0:10 in start state
  • Settings button at bottom
  • Modal appears hidden initially

Attack Plan

  1. Happy Path Disruption - Interrupt normal counter workflows
  2. Boundary Testing - Push counters to extreme values
  3. Timer Manipulation - Break timing mechanisms
  4. Modal Exploitation - Find modal state vulnerabilities
  5. UI Breaking - Test responsive design limits
  6. Data Persistence - Test state management

Test Execution Log

Test 1: Basic Counter Functionality

FINDING: Counters only work when session is active (after Start button pressed)

  • TA counter incremented from 0 to 1 during active session
  • Timer counts down from 0:10 to 0:00

Test 2: Timer Expiration Behavior

CRITICAL FINDING: Timer auto-navigates to results page with exposed data in URL

  • URL: finish_evaluation.html?c1=1&c2=0&c3=0&c4=0&c6=0&c7=0&c8=0&c9=0&skip=false
  • SECURITY RISK: Session data exposed in URL parameters
  • Results page shows complete session summary
  • Missing c5 parameter (potential indexing bug)

Test 3: URL Parameter Manipulation Attack

CRITICAL VULNERABILITY: Complete URL parameter injection successful

  • Injected: c1=999&c2=999&c3=999&c4=999&c6=999&c7=999&c8=999&c9=999
  • Result: All counters displayed manipulated values (999 instead of legitimate data)
  • IMPACT: Data integrity completely compromised

Test 4: Malicious Payload Injection

ATTEMPTED ATTACKS:

  • XSS: c2=<script>alert('XSS')</script>
  • SQL Injection: c7=DROP TABLE users;
  • Path Traversal: c8=../../../etc/passwd
  • Boundary: c1=-999&c3=999999999999
  • Type Confusion: c4=null&c6=undefined

Test 5: Settings Modal Bypass

FINDING: "Finish Evaluation" button bypasses timer completely

  • Navigates directly to results with all counters at 0
  • No validation of session state
  • BUSINESS LOGIC FLAW: Can finish evaluation without conducting session

Test 6: Skip Parameter Discovery

FINDING: skip=true parameter changes application flow

  • Triggers "Did you do a teaching session?" modal instead of results
  • Hidden parameter not exposed in UI
  • SECURITY THROUGH OBSCURITY FAILURE

Critical Vulnerabilities Summary

🔴 HIGH SEVERITY

  1. Data Integrity Violation - URL parameters can be manipulated to show false results
  2. Business Logic Bypass - Can finish evaluation without timer/session
  3. Missing Input Validation - No server-side validation of counter values

🟡 MEDIUM SEVERITY

  1. Information Disclosure - Session data exposed in URL parameters
  2. Hidden Parameter Discovery - Undocumented skip parameter
  3. Missing Parameter Bug - c5 parameter absent (indexing issue)

🟢 LOW SEVERITY

  1. No XSS Protection Testing - Need to verify if XSS payloads execute
  2. State Management Issues - Counters only work during active sessions

Recommendations

  1. IMMEDIATE: Implement server-side validation for all parameters
  2. IMMEDIATE: Use POST requests instead of GET for sensitive data
  3. HIGH: Add session token validation
  4. HIGH: Implement proper authentication/authorization
  5. MEDIUM: Remove or secure hidden parameters
  6. MEDIUM: Fix missing c5 parameter indexing