QA checklist

1. Input Validation (Basic XSS/SQL Injection)

  • In any input field (e.g., form, search), enter:

    • "><script>alert(1)</script> → Should not execute any script.

    • ' OR 1=1-- → Should not affect login or queries.

  • Observe page behavior and console for script execution or server errors.


2. Session Management

  • Login → Close tab → Reopen and access the app → Should still be logged in if the session is still valid.

  • Login → Wait 30+ minutes idle → Try again → App should time the session out and require a fresh login.

  • After logout, use the browser back button → Should not allow access to authenticated pages (they must be re-fetched from the server, not served from cache).


3. Access Control / IDOR (Insecure Direct Object Reference)

  • Login as User A → Copy a URL containing an object ID (e.g., /flow/123)

  • Login as User B → Try accessing that same URL → Should receive Access Denied or 404


4. Error Handling / Information Leakage

  • Force an error (e.g., disconnect network or corrupt URL) → App should show a friendly error page, not a stack trace, database name, or internal path.

  • Look at responses in dev tools → Ensure no sensitive info (tokens, env values, etc.) is leaked.


5. Role-based Access Control (RBAC)

  • Log in with different roles (Admin/User/Viewer, etc.)

  • Try accessing features or APIs not allowed for that role via direct link → App should block the request server-side, not just hide the UI element.


6. File Upload Validation (if applicable)

  • Try uploading:

    • .exe or .php files → Should be blocked

    • Large files (e.g., >20MB) → Should show limit exceeded

    • Rename a .js file to .jpg → Should still be blocked (validation must check content type / file signature, not just the extension)

  • Ensure uploaded files can’t be directly accessed unless needed


7. Security Headers (Non-CF Controlled)

Use browser dev tools → Network → Any request → Response headers
Check for:

  • X-Frame-Options: DENY

  • X-Content-Type-Options: nosniff

  • Referrer-Policy: no-referrer or strict-origin-when-cross-origin

(CF may not always cover these fully; the backend should set them itself rather than rely on the edge)


8. Token & API Security

  • Open browser dev tools → Look for JWT or auth tokens → Ensure they are:

    • Stored in cookies carrying the Secure and HttpOnly flags (preferred)

    • Not exposed in localStorage/sessionStorage (avoid this if possible)

  • Try calling a few API endpoints manually with an expired/invalid token → Should return 401/403, not data.
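
Sections 7 and 8 can be checked automatically against a captured response. The following is an added example, not part of the original checklist: `check_response_headers` takes a list of (name, value) header pairs (the shape returned by `http.client.HTTPResponse.getheaders()`) and reports any deviation from the expected values above; the two sample responses are constructed for illustration.

```python
from typing import List, Tuple

# Section 7: expected header values. Referrer-Policy accepts either listed value.
EXPECTED_HEADERS = {
    "x-frame-options": {"deny"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "strict-origin-when-cross-origin"},
}


def _cookie_flags(set_cookie: str) -> Tuple[str, set]:
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def check_response_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the response passes sections 7 and 8."""
    findings, present, cookies = [], {}, []
    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":
            cookies.append(value)  # may repeat, so collect all of them
        else:
            present[key] = value.strip().lower()
    for key, allowed in EXPECTED_HEADERS.items():
        if key not in present:
            findings.append(f"missing header: {key}")
        elif present[key] not in allowed:
            findings.append(f"unexpected value for {key}: {present[key]}")
    # Section 8: every cookie set by the app should carry Secure and HttpOnly.
    for cookie in cookies:
        cname, attrs = _cookie_flags(cookie)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {flag}")
    return findings


# Constructed sample responses (not captured from any real application).
GOOD_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
BAD_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "unsafe-url"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_response_headers(resp) or "OK")
```

If the app sets non-sensitive cookies without these flags on purpose, restrict the cookie loop to the session/auth cookie names before treating a finding as a failure.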