Q. There are three levels of bypass testing. What are they? Can each of them be used individually?

A. The three levels of bypass testing for web application security are: value level, parameter level, and control flow level. They can be used separately or in combination.

Value level bypass testing tries to verify whether a web application adequately evaluates input values at the server; e.g. checking whether inputs obey length restrictions, or value restrictions such as those imposed by pick lists on the web form.

Parameter level bypass testing tries to address issues related to parameter selection, data access, and inter-value constraints. This includes required pair constraints, where 2 values must always be supplied together, as with a credit card number and expiration date, and invalid pair constraints, as with credit card numbers and checking account routing numbers. It also includes validating data in hidden fields and cookies.

Control flow bypass testing tries to verify web applications by executing test cases that break the normal execution sequence, either by reversing the order of execution between 2 successive pages, or by accessing pages in the application in an arbitrary order.

Q. What is Control Flow Level Bypass Testing? Why is it important for testing web application security?

A. Control flow bypass testing tries to verify web applications by executing test cases that break the normal web page execution sequence, either by reversing the order of execution between 2 successive pages, or by accessing pages in the application in an arbitrary order. This level of testing is important because ordinary users may use the forward and back buttons in their web browsers, changing the expected page execution sequence. Malicious users may also attempt to use an unexpected execution sequence, for example by navigating directly to a page that would normally require visiting an authentication page first.

Q. The authors claim that, of their 158 tests, only 55 could have been executed without using their bypassing technique. What would have prevented the other tests from being run?

A. Client side validation would have prevented the other tests from being run. By bypassing client side validation, it is possible to execute test cases that would not occur when client side validation is in effect, because the client side validation would have rejected the erroneous input before it reached the server. Bypassing client side validation is an effective test because it is commonly done by both normal and malicious users. For example, normal users may modify a query string in the address bar if they receive a page that is similar to what they are seeking and it seems like modifying the query string may produce a better result. Malicious users may try to break web applications by manually or automatically submitting web forms altered to detect application vulnerabilities.
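The server-side checks that each bypass-testing level probes, as an added example that is not code from these notes or from the paper they summarize. The field names, length limits, pick lists, field pairs and page order are hypothetical; a real application would take them from its own form and navigation definitions.

```python
# Added example, not code from the notes or the paper they summarize. Field
# names, limits and page order are hypothetical stand-ins for an application's own.
# Value-level constraints the client normally enforces, re-checked on the server.
MAX_LEN = {"name": 40, "zip": 10}
PICK_LISTS = {"shipping": {"ground", "express"},
              "price_tier": {"standard", "premium"}}  # hidden field
# Parameter-level constraints between fields.
REQUIRED_PAIRS = [("cc_number", "cc_expiry")]
INVALID_PAIRS = [("cc_number", "routing_number")]
# Control-flow constraint: page -> page that must have been visited first.
PREREQ = {"checkout": "cart", "confirm": "checkout"}

def value_violations(form):
    """Value level: each field obeys its length or pick-list restriction."""
    out = []
    for field, limit in MAX_LEN.items():
        if field in form and len(form[field]) > limit:
            out.append(f"value:{field}:too_long")
    for field, allowed in PICK_LISTS.items():
        if field in form and form[field] not in allowed:
            out.append(f"value:{field}:not_in_pick_list")
    return out

def parameter_violations(form):
    """Parameter level: required pairs arrive together, invalid pairs never do."""
    out = []
    for a, b in REQUIRED_PAIRS:
        if (a in form) != (b in form):
            out.append(f"param:{a},{b}:required_pair")
    for a, b in INVALID_PAIRS:
        if a in form and b in form:
            out.append(f"param:{a},{b}:invalid_pair")
    return out

def control_flow_violations(page, visited):
    """Control-flow level: the page's prerequisite was reached in this session."""
    need = PREREQ.get(page)
    return [f"flow:{page}:requires_{need}"] if need and need not in visited else []

def check_request(page, form, visited):
    """Every violation for one request; an empty list means it is acceptable."""
    return (value_violations(form) + parameter_violations(form)
            + control_flow_violations(page, visited))

if __name__ == "__main__":
    # Constructed request from a client that skipped the cart and edited the form.
    tampered = {"name": "x" * 50, "shipping": "drone", "price_tier": "free",
                "cc_number": "4111111111111111", "routing_number": "123456789"}
    print(check_request("checkout", tampered, visited=set()))
```

A request that passes client-side validation and follows the intended page order produces an empty list; the tampered request above trips one check at each level.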