Q. There are three levels of bypass testings. What are they? Can each of
them be used individually?

A. The three levels of bypass testing for web application security are:
value level, parameter level, and control flow level. They can be used
separately, or in combination. Value level bypass testing tries to verify
whether a web application adequately evalutes input values at the server;
e.g. checking whether inputs obey length restrictions, or value
restrictions such as those imposed by pick lists on the web form.
Parameter level bypass testing tries to address issues related to
parameter selection, data access, and inter-value constraints. This
includes required pair constraints, where 2 values must always be supplied
together, as with a credit card number and expiration date, and invalid
pair constraints, as with credit card numbers and checking account routing
numbers. It also includes validating data in hidden fields and cookies.
Control flow bypass testing tries to verify web applications by executing
test cases that break the normal execution sequence by either reversing
the order of execution between 2 successive pages, or by accessing pages
in the application in an arbitrary order.


Q. What is Control Flow Level Bypass Testing? Why is it important for
testing web application security?

A. Control flow bypass testing tries to verify web applications by
executing test cases that break the normal web page execution sequence by
either reversing the order of execution between 2 successive pages, or by
accessing pages in the application in an arbitrary order. This level of
testing is important because ordinary users may use the forward and back
buttons in their web browsers, changing the expected page execution
sequence. Malicious users may also attempt to use an unexpected execution
sequence, for example by navigating directly to a page that would normally
require visiting an authentication page first.

Q. The authors claim that, of their 158 tests, only 55 could have been
executed without using their bypassing technique. What would have
prevented the other tests from being run?

A. Client side validation would have prevented the other tests from being
run. By bypassing client side validation, it is possible to execute test
cases that would not occur when client side validation is in effect,
because the errors would be prevented by the client side validation.
Bypassing client side validation is an effective test because it is
commonly used by both normal and malicious users. For example, normal
users may modify a query string in the address bar if they receive a page
that is similar to what they are seeking, and it seems like modifying the
query string may produce a better result. Malicious users may try to break
web applications by manually or automatically submitting web forms altered
to detect application vulnerabilities.