
hotelbooking-tests's People

Contributors: iahmad9

hotelbooking-tests's Issues

Application accepts checkout date less than checkin date

Description: It is possible for the user to select a checkout date less than the check-in date when making a booking.

Steps to Reproduce:

  1. Open a browser and navigate to http://hotel-test.equalexperts.io/
  2. Enter valid data for all fields except checkout
  3. For checkout, choose a date which is less than the selected check-in date, e.g. if the check-in date is 2018-07-11, choose checkout date 2018-07-09
  4. Click the save button and wait for the booking to appear in the list.

Observe that the booking is successfully made with the invalid checkout date; please see the attached screenshot.

Expected Results: Checkout date cannot be less than checkin date

Actual Results: Checkout date must be after or equal to checkin date.

Environment:
Application under Test version: xxxx
Chrome Browser: Version 66.0.3359.181 (Official Build) (64-bit)
Firefox Browser: version 60.0.1 (64-bit)
Host Machine: OSX High Sierra

Screenshot:
invalid_checkout_date

Booking is successful even with special characters or spaces in First Name field

Description: It is possible to create a booking with invalid characters in First Name e.g. special characters or spaces only.

Steps to Reproduce:

  1. Launch the browser and navigate to http://hotel-test.equalexperts.io
  2. Enter First name "Bob!~^%" without quotes and valid input for the rest of the fields.
  3. Click the save button
  4. Repeat the Steps 1 to 3 with First Name containing only Spaces " "

Observe that the booking is successfully created with special characters.

Expected Results: An error message is displayed indicating invalid characters are present in First Name field and booking should not be created

Actual Results: Booking is successfully created.

Environment:
Application under Test version: xxxx
Chrome Browser: Version 66.0.3359.181 (Official Build) (64-bit)
Firefox Browser: version 60.0.1 (64-bit)
Host Machine: OSX High Sierra

Screenshot:
image

User can successfully make booking with negative price value

Description: It is possible to enter negative value for price field.

Steps to Reproduce:

  1. Launch browser and navigate to http://hotel-test.equalexperts.io
  2. Enter following data for input fields
    First Name => fntest
    Surname => lntest
    Price => -1
    Deposit => true
    Checkin => select valid checkin date
    Checkout => Select valid checkout date
  3. Click the Save button and wait for the booking entry to appear in the list

Observe that the booking is made successfully, showing the negative price. Please see the attached screenshot.

Expected Results: Negative price is not allowed to be accepted by the system.

Actual Results: It is possible to make booking by entering negative price value.

Environment:
Application under Test version: xxxx
Browser: Google Chrome Version 66.0.3359.181 (Official Build) (64-bit)
Host Machine: OSX High Sierra

Screenshot:
negativeprice
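The three reports above (checkout before checkin, a First Name of special characters or spaces only, a negative price) all come down to input that is accepted without validation. The following is an added example, not code from the hotelbooking-tests repository or the application under test: a server-side validator that rejects each of those inputs. Field names follow the form labels in the reports, and the allowed-character policy for names is an assumption.

```javascript
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// Parse 'YYYY-MM-DD' strictly; returns null for malformed or impossible dates.
function parseIsoDate(s) {
  if (typeof s !== 'string' || !ISO_DATE.test(s)) return null;
  const [y, m, d] = s.split('-').map(Number);
  const date = new Date(Date.UTC(y, m - 1, d));
  // Date() silently rolls 2018-02-30 over into March; reject that.
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== m - 1 || date.getUTCDate() !== d) return null;
  return date;
}

// Assumed policy: a name starts with a letter and contains only letters,
// spaces, hyphens and apostrophes, so "Bob!~^%" and " " are both rejected.
const NAME_RE = /^\p{L}[\p{L} '-]*$/u;

function validateName(field, value) {
  const v = typeof value === 'string' ? value.trim() : '';
  if (v === '') return `${field} must not be empty or whitespace only`;
  if (!NAME_RE.test(v)) return `${field} contains characters that are not allowed`;
  return null;
}

function parsePrice(value) {
  if (typeof value === 'number') return value;
  if (typeof value === 'string' && value.trim() !== '') return Number(value);
  return NaN; // Number('') would otherwise silently become 0
}

// Returns an array of error strings; an empty array means the booking is acceptable.
function validateBooking(b) {
  const errors = [];
  for (const field of ['firstName', 'surname']) {
    const err = validateName(field, b[field]);
    if (err) errors.push(err);
  }
  const price = parsePrice(b.price);
  if (!Number.isFinite(price) || price < 0) errors.push('price must be a number >= 0');
  if (typeof b.deposit !== 'boolean') errors.push('deposit must be true or false');
  const checkin = parseIsoDate(b.checkin);
  const checkout = parseIsoDate(b.checkout);
  if (!checkin) errors.push('checkin must be a valid YYYY-MM-DD date');
  if (!checkout) errors.push('checkout must be a valid YYYY-MM-DD date');
  // The first report expects checkout to be after or equal to checkin.
  if (checkin && checkout && checkout < checkin) errors.push('checkout must not be before checkin');
  return errors;
}
```

Run this on the request body before the booking is stored; the browser-side date picker can add the same check for usability, but only the server-side check is a control.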

Security Vulnerability - Missing security headers

Description: Common security headers e.g. x-xss-protection, content-security-policy, x-frame-options are missing

Steps to Reproduce:

  1. Launch the Chrome browser and install the Recx Security Analyser extension for Chrome
  2. Navigate to hotel-test.equalexperts.io
  3. Click on the analyser; a pop-up sheet will appear

Observe that it reports all security headers are missing. Please see the screenshot.

Expected Results: Security headers should be implemented as first line of defence against various security attacks.

Actual Results: None of the security headers is implemented.

Recommendations: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers

Environment:
Application under Test version: xxxx
Recx Security Analyser v1.3.0.4
Chrome Browser: Version 66.0.3359.181 (Official Build) (64-bit)
Host Machine: OSX High Sierra

Screenshot:
image
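As an added example (not code from the application under test or the hotelbooking-tests repository), here is a Node.js helper that sets the headers named in the report plus two companions from the OWASP list linked above, and a checker that reproduces what the analyser extension does against a captured response. The header values are a conservative starting point and are assumptions; the Content-Security-Policy in particular must be tuned to what the page actually loads.

```javascript
const SECURITY_HEADERS = {
  // Only allow scripts, styles and images from the site's own origin and
  // refuse to be framed; this is the control that actually limits script injection.
  'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  // Legacy clickjacking defence for browsers that do not honour frame-ancestors.
  'X-Frame-Options': 'DENY',
  // Legacy browser XSS filter named in the report; CSP is the real control.
  'X-XSS-Protection': '1; mode=block',
  // Stop browsers sniffing a response into a different content type.
  'X-Content-Type-Options': 'nosniff',
  // Do not leak booking page URLs to third parties.
  'Referrer-Policy': 'no-referrer',
};

// Apply the headers to any object with a setHeader(name, value) method,
// such as Node's http.ServerResponse.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  return res;
}

// Given a response's headers object (names in any case), return the expected
// headers that are absent. An empty array means the check passes.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(SECURITY_HEADERS).filter((h) => !present.has(h.toLowerCase()));
}

// Usage with Node's built-in http module (not started here so the module can be imported):
// const http = require('http');
// http.createServer((req, res) => { applySecurityHeaders(res); res.end('ok'); }).listen(8080);
```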

Security Vulnerability - Application is not safe against Cross Site Scripting attack

Description: It is possible to successfully launch xss attack against the application under test.

Steps to Reproduce:

  1. Open the Firefox browser and go to http://hotel-test.equalexperts.io/
  2. Enter <script>alert(1)</script> in the First Name field
  3. Fill the remaining fields as per normal
  4. Click the save button

Observe that when the web application tries to load the last created booking, the browser pops an alert box with '1', proving a successful xss attack. Please see the screenshot.

Expected Results: Site should be safe against xss attack in particular and against top 10 OWASP security vulnerabilities in general

Actual Results: XSS attack is successful

Repeat the same steps for Surname, xss is successful for both First Name and Surname fields.

Recommendations: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Environment:
Application under Test version: xxxx
Chrome Browser: Version 66.0.3359.181 (Official Build) (64-bit)
Firefox Browser: version 60.0.1 (64-bit)
Host Machine: OSX High Sierra

Screenshot:
image
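The alert fires because the stored First Name is written back into the booking list as markup. The fix is output encoding at the point of rendering, whichever side builds the list. The block below is an added example, not code from the hotelbooking-tests repository or the application under test; field names follow the form labels in the report and are assumptions.

```javascript
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Server-side rendering of one booking into the list: every stored field value
// passes through escapeHtml, so a First Name of "<script>alert(1)</script>" is
// shown as literal text instead of being executed when the list loads.
function renderBookingRow(b) {
  const cells = [b.firstName, b.surname, b.price, b.deposit, b.checkin, b.checkout];
  return `<tr>${cells.map((v) => `<td>${escapeHtml(v)}</td>`).join('')}</tr>`;
}

// Client-side equivalent for code that builds the list in the browser: create
// elements and set textContent instead of assigning field values to innerHTML.
// `doc` is the document object, passed in so the function can run without a browser.
function appendBookingRow(tbody, b, doc) {
  const tr = doc.createElement('tr');
  for (const v of [b.firstName, b.surname, b.price, b.deposit, b.checkin, b.checkout]) {
    const td = doc.createElement('td');
    td.textContent = String(v); // textContent is never parsed as markup
    tr.appendChild(td);
  }
  tbody.appendChild(tr);
  return tr;
}
```

Pair this with the Content-Security-Policy header from the previous report so that an encoding miss in one template does not immediately become script execution.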

Security Vulnerability - Missing CAPTCHA Implementation

Description: Captcha is not implemented, leading to a flooding attack

Steps to Reproduce:

  1. Launch the Chrome browser and navigate to hotel-test.equalexperts.io
  2. Add a new booking

Observe that there is no CAPTCHA implementation and it is possible for robots and machines to launch a flooding attack against the application.

Expected Results: Application should have CAPTCHA implementation

Actual Results: No CAPTCHA implementation is present

Recommendations: https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)

Environment:
Application under Test version: xxxx
Recx Security Analyser v1.3.0.4
Chrome Browser: Version 66.0.3359.181 (Official Build) (64-bit)
Host Machine: OSX High Sierra
