What’s going on in our security test lab? That’s a long story I cannot tell in a single post. Security testing is a mixture of structured analysis and playful exploration. The latter boils down to a single rule: try the most irregular, stupid, nonsensical, unexpected action that comes to your mind. Chances are that the developers of a system did not think of it, precisely because it’s so irregular, stupid, nonsensical or unexpected. And always question the vendor’s claims – as well as your own assumptions.
The Sesame Street Computer Monster in this video does just that: