Forgot Password Testing

This is a mix of a mind map and a flow chart. We can still call the flowchart a mindmap because a brain was used to design it and the design was questioned. See if you can find bugs in the design; if you find one or many, download it, fix the bugs in the flowchart, and add test ideas to the specific nodes such as the AUTH link, password, etc.
  1. srinivasskc    3 years ago

    Thanks for the mindmap, it's useful. Lesson learned: try a password with only spaces. Need more info: token in the HTTP header before submitting forgot password, tampering with the token.

  2. SanthoshTuppad    3 years ago

    Thanks Srinivas! Tampering the token: this speaks about the authenticity of the token. If I just modify the long string that you see in the forgot password URL which you get in your mailbox, that should not be allowed to be changed by editing it. In case someone tries to edit or modify it, the application should not process it and should say "Bad Token". And about the HTTP header request: when I enter my e-mail address in the Forgot Password form and click on "Submit", I need to use Fiddler and check that the password is not visible in the headers. It may be possible that the password that is going to be reset or the AUTH link that is being sent to the mailbox is visible here. That's the test we need to do in order to not allow users with malicious intent to get unauthorized access. We should not get an AUTH token which looks like KLLJDLJSLjlk3123ikujklJaALz-jLJDL in the headers while submitting the e-mail in the forgot password form. Or else there is no need for a hacker to really have access to the mailbox in order to set the password for any other user.

  3. tester23    3 years ago

    Great list! Thanks for sharing.... Also we can verify that the same email entered for login is not displayed by default in the "send email" field.

  4. SanthoshTuppad    3 years ago

    How can one display the e-mail address by default? I don't understand your test here. Are you saying that if the user uses the same computer, the e-mail address is being accessed from the cache or something like that?

  5. macjogi    2 years ago

    Hi, very helpful! I would add a question for the case that the user does not exist on the system: - What information do you provide on the UI (think about information hiding)? Yours, Jogi
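Comments 2 and 5 above describe what a sound reset flow has to get right: an edited token must be rejected with "Bad Token", the token must never appear in the HTTP response to the forgot-password form, and the form must answer the same way whether or not the address exists. The Python sketch below is an added example, not code from the post or its author; the in-memory stores, the example.com link format and the response text are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the user table and the reset-token table.
USERS = {"alice@example.com"}
RESET_TOKENS = {}          # sha256(token) -> (email, expiry); the raw token is never stored
TOKEN_TTL_SECONDS = 15 * 60
# One answer for known and unknown addresses, so the form cannot be used to enumerate accounts.
NEUTRAL_RESPONSE = {"status": 200, "body": "If that address is registered, a reset link has been e-mailed."}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Forgot-password handler. Returns (http_response, email_body_or_None).

    The token travels only in the e-mail body; the HTTP response and its headers
    never carry it, so capturing the form submission in a proxy yields nothing usable.
    """
    now = time.time() if now is None else now
    mail = None
    if email in USERS:
        token = secrets.token_urlsafe(32)                    # 256 random bits, unguessable
        RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        mail = f"https://example.com/reset?token={token}"    # constructed link format
    return NEUTRAL_RESPONSE, mail


def verify_token(token, now=None):
    """Reset-link handler. Returns the account e-mail on success, otherwise "Bad Token".

    Any edit to the token changes its hash, so the lookup fails; expired or already
    used tokens are rejected the same way, and a valid token is consumed on first use.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_digest(token), None)
    if record is None:
        return "Bad Token"
    email, expiry = record
    if now > expiry:
        return "Bad Token"
    return email
```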

