29 июня 2010 г.

Utest: 300$ за баг

Наверняка многие активные тестировщики уже вкурсе результатов последнего BugBattle. (флаг россии среди номинантов тоже есть ;) )

Вчера в переписке с Santosh'ом мне удалось получить описание его бага, за который он выиграл номинацию BestBug.  

Итак:

Sign up – Captcha feature removed – Bots can party now
Heuristics: Security | Oracle: Feature removal

NOTE: Mother Bug of 51460 – By Madhukar Jain. I thank him which gave me a hint to uncover Mother Bug.

Overview
This is the first time that I have removed a important feature from the product and that is CAPTCHA. I see that Madhukar Jain ( One of the uTester reporting a bug that captcha question is being repeated and it is vulnerable to spam bots ). Then, I thought of going in more deep to discover MOTHER BUG of that and I succeeded in finding it. I have removed the captcha feature itself from the product by altering the source code and I have saved the sign up file on my Desktop. I can now, register without going through the Captcha field which is mandatory field but when it is removed it is no more mandatory as there is no validation that is being done for CAPTCHA in the backend when clicked on “Sign up”.

Impact on customer as well as client
- Lots of spam bots and advertizing bots registration within few minutes. Probably, in 100(s) in few minutes.
- Spamming porn links, adware links, virus / Trojan / malware links there by infecting the victim’s machine
- Prone to database crash or server crash
- Bandwidth consumed by bots and restricting or slow load time for genuine users and Brightkite loses its human users


Steps to reproduce
Steps won’t help written in text to understand the bug, kindly download the zip file of video report and view it. It will take your breath away and even for stakeholders.

Code Analysis
I had encountered the issue 51460 but when I saw that Madhukar Jain had reported it which provoked me to find the MOTHER BUG which was hiding under bug 51460.


В двух словах парень капчу убрал с сайта =)

PS

Хочу заметить опыта тестирования у Santosh Tuppad меньше года

2 комментария:

  1. Сантоша тренирует Прадип Саундараранян :)

    ОтветитьУдалить
  2. На прошлых BugBattle Santosh взял два приза - лучший тестировщик и лучший баг, как я помню. Видно действительно хорошо натренировали.

    ОтветитьУдалить