ATM_ID: 50DD6BDA-073A-11E9-828D-3D812412F61E MFF: PLANNEDTIMESTAFF: ID: DPQA_NewFeature/CS2.0/FT-24707_Session_Hijack_prevention/122029 TESTCASE_HEADLINE: To validate that when a logged-in user who is not authorized to access the admin web page tries to log in by injecting the default system Admin user's "PHPSESSID" session ID cookie, the device rejects the injected default admin session ID cookie. GROUP: FEATURE: SUB_FEATURE: INPUT:

1. Make sure that two devices are available for this test.
2. Make sure that a device/local user (e.g. Test) without admin rights has been created on the device via Properties--Login/Permission/Accounting--Device User Database.

PROCEDURE:

Scenario 1:
1. Open CWIS in any browser--log in as the System Admin.
2. Go to browser settings--Content settings--select Cookies--select "See all cookies and site data"--select the corresponding device IP--expand "PHPSESSID" and copy the unique ID shown under Content (e.g. 46d4f508920cdefc85a2e869b4378915).
3. Now open the same CWIS in a new tab of the same browser, or in a different browser--log in as the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
4. Right-click the CWIS page--select Inspect--go to the Console and manually inject the admin user's unique identifier as document.cookie="<session ID cookie>=<unique identifier for the admin user>" (e.g. document.cookie="PHPSESSID=46d4f508920cdefc85a2e869b4378915"), then press Enter.
5. Refresh the web page or select any other tab (Scan, Properties, etc.) and check the result.
Scenario 2: (Different device CWIS)
6. Repeat steps 1 and 2 to take the Device 1 System Admin session cookie ID.
7. Now open the Device 2 CWIS in a new tab of the same browser, or in a different browser--log in as the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
8. Repeat steps 4 and 5 to check the result.
Scenario 3: (Different PC)
PC1:
9. Repeat steps 1 and 2 to take the Device 1 System Admin session cookie ID.
PC2:
10. On PC2, open the Device 2 CWIS in any browser--log in as the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
11. Repeat steps 4 and 5 to check the result.

OUTPUT:

The device should report an error in the console window when the cookie is injected manually, and the user should not be logged in as the admin user. The admin user's session should be logged out of CWIS, and the device should not allow the admin or device user to log in to CWIS again until the created session cookies are deleted.
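As an added illustration of the requirement quoted in SPEC_TAG (not the device's own code and not part of this test case), the following Python sketch binds each session to the IP address and user agent that established it, as the spec's note suggests, and rejects a cookie presented by any other agent. The session store, the IP addresses and the browser names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Session:
    user: str
    is_admin: bool
    client_ip: str    # identity of the agent that established the session
    user_agent: str

class SessionStore:
    """Hypothetical server-side session store that binds each session to its origin."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, is_admin: bool, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_hex(16)  # 32 hex chars, the same shape as the PHPSESSID above
        self._sessions[sid] = Session(user, is_admin, client_ip, user_agent)
        return sid

    def authorize(self, sid: Optional[str], client_ip: str, user_agent: str) -> str:
        """Return 'admin', 'user' or 'rejected' for a request that presents cookie `sid`."""
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return "rejected"  # unknown ID, e.g. a cookie copied from another device
        if sess.client_ip != client_ip or sess.user_agent != user_agent:
            # Request does not come from the agent that established the session:
            # reject it and drop the session, so the real admin is logged out as well.
            del self._sessions[sid]
            return "rejected"
        return "admin" if sess.is_admin else "user"

# Constructed sample agents: PC1 and PC2 of Scenario 3, each with its own IP and browser.
PC1 = ("10.0.0.10", "PC1-browser")
PC2 = ("10.0.0.20", "PC2-browser")

def scenario_different_pc() -> tuple:
    """Scenario 3: admin cookie captured on PC1 is injected into the Test session on PC2."""
    device2 = SessionStore()
    admin_sid = device2.login("admin", True, *PC1)
    device2.login("Test", False, *PC2)
    hijack = device2.authorize(admin_sid, *PC2)       # injected cookie, wrong agent
    admin_after = device2.authorize(admin_sid, *PC1)  # the admin's own session is gone too
    return hijack, admin_after
```

Scenario 2 is covered by the "unknown ID" branch, since Device 2 never issued Device 1's cookie. Binding to IP and user agent alone cannot distinguish Scenario 1, where the injected cookie arrives from the same browser as the admin login, so that case needs additional server-side state not described here.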

PROCESS: PRIORITY: TEST_TYPE: LOE: RESOURCE_HW: RESOURCE_CONSUMEABLES: RESOURCE_MEDIA: SKILL_SET: TEST_CASE_TYPE: TESTCASE_SOURCE: SPEC: FS 50.110 WebUI Security SPEC_VERSION: SPEC_TAG: [50.110.004] (FT-24707) [D4.0M-*] After an HTTP session has been established between a client and the device, the device shall verify that each packet received in that session shall originate from the same agent that established the session. Note: The IP address of the client and user agent identifier, could as example, be used for verification. ATM_OWNER: APPROVE_QE: APPROVED_QE: APPROVE_SE: APPROVED_SE: APPROVE_SPAR: APPROVED_SPAR: ASSOCIATED_TESTCASES: TRAINING: TESTCASE_VERSION: TESTCASE_STATE: TESTCASE_PLATFORM: TESTCASE_PRODUCT: TESTCASE_APPROVALS: CDATE: 1545628265 MDATE: 1545628265 MUSER: q4BVX0J1 AUTHOR: q4BVX0J1 ATM_MCOMMENTS: Imported from spreadsheet HISTORY: ATM_LOCKED: ATM_REQLINK: 8EFC6B56-F7B7-11E8-9DF0-573A2612F61E ATM_REQCOUNT: 1 QA_TEAM: TC_WEIGHTAGE: FILENAME: FILEDESC: FILES: