Thursday, July 27, 2006

Html injection

Hi,

If your testing system asks for input to be entered, then try out these types of entries:

1. HTML tags

2. <Plaintext>

3. Script tags (this is known as cross-site scripting)

Verify whether the system misbehaves; at times the application crashes.
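As an added example (not part of the original post), the following Python shows what the three probes above look like when run against a page that echoes user input: a deliberately unsafe renderer that reflects the input as-is, a hardened one that HTML-encodes it, and a small check that reports whether each probe survives as live markup. The render functions, the probe strings and the page template are constructed for this example.

```python
import html

# Constructed probes covering the three input kinds listed above:
# plain HTML tags, the <plaintext> tag, and a script tag (the XSS case).
INJECTION_PROBES = [
    "<b>bold</b>",
    "<Plaintext>",
    "<script>alert(1)</script>",
]


def render_unsafe(user_input: str) -> str:
    """Vulnerable rendering: the input is copied straight into the page."""
    return f"<p>You searched for: {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Hardened rendering: HTML-encode the input before echoing it, so
    '<' becomes '&lt;' and the browser treats it as text, not markup."""
    return f"<p>You searched for: {html.escape(user_input, quote=True)}</p>"


def probe_reflects_markup(render, probe: str) -> bool:
    """True when the probe string comes back unencoded, i.e. as live markup.
    The encoded form cannot contain the raw probe because every '<' is
    rewritten, so a plain substring check is enough."""
    return probe in render(probe)


def run_probes(render) -> dict:
    """Map each probe to whether the given renderer reflects it as markup.
    A True entry is a finding: the page is injectable with that input."""
    return {probe: probe_reflects_markup(render, probe) for probe in INJECTION_PROBES}


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, run_probes(render))
```

Run against a real application, the same check would compare the submitted probe with the response body; a probe that comes back byte-for-byte is the HTML injection finding, and a `<script>` probe that comes back that way is the cross-site scripting case.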


web site security Testing

Things to take care of for the security of any web-based application:

  1. To ensure the security of the project, delete any users who are no longer working on the project/application.
  2. Edit the IP address restrictions for web security, so that a particular computer or group of computers has certain access rights on the FrontPage web. IP address masks can include asterisk wildcards, for example "128.109.*.*". You can do this by opening the following page from Run; this .htm exists on each and every Windows machine:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\ipaddr.htm

C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\ipaddr.htm

  3. Cookies: cookies are often used to store information about the user and his actions on a particular site. When a user accesses a site that uses cookies, the web server sends information about the user and stores it on the client computer in the form of a cookie. These can be used to create more dynamic and custom-made pages, or to store, for example, login info. If you have designed your site to use cookies, they need to be checked. Verify that the information that is to be retrieved is there. If login information is stored in cookies, check for correct encryption of it. If your application requires cookies, how does it respond to users who have disabled them? Does it still function, or will the user get notified of the current situation? How will temporary cookies be handled? What will happen when cookies expire? Depending on what cookies are used for, one should examine the possibilities for other solutions.

Summary:

Encryption of e.g. login info

Users denying or accepting

Temporary and expired cookies

Log files are very important in order to maintain security at the site. Verify that relevant information is written to the log files and that the information is traceable. When secure socket layers are used, verify that the encryption is done correctly and check the integrity of the information. There should be no access to edit scripts on the server without authorization.

Hackers often stress systems by providing loads of wrong input data until the system crashes, and then gain access to it during start-up. So make sure that the login page is capable of handling a heavy load.
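The cookie check above ("if login information is stored in cookies, check for correct encryption") can be made concrete as a test that reads the Set-Cookie headers a login page returns and flags any cookie from which the submitted credential can be recovered. This is an added example, not code from the original post; the sample headers, the test credential and the flag checks are constructed for it, and it treats a plain base64 encoding as "not encrypted", which is the trap the post warns about.

```python
import base64
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a login page under test might return them
# after the tester logs in with the constructed credential below.
SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: user=alice; Path=/",
    "Set-Cookie: pw=s3cret; Path=/",
    "Set-Cookie: auth=YWxpY2U6czNjcmV0; Path=/; Secure; HttpOnly",  # base64("alice:s3cret")
    "Set-Cookie: session=9f2c7e1a4b3d; Path=/; Secure; HttpOnly",   # opaque random id
]
TEST_PASSWORD = "s3cret"  # the password typed into the login form (constructed)


def _decodings(value: str):
    """Yield the raw cookie value and, where it is valid base64, its decoded
    form, so an encoded-but-not-encrypted credential is still spotted."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8")
    except Exception:  # not base64, or not text once decoded: nothing more to try
        return


def audit_login_cookies(headers=SAMPLE_RESPONSE_HEADERS, password=TEST_PASSWORD) -> dict:
    """Return {cookie name: [problems]} for every Set-Cookie header.
    A cookie is flagged when the test password is recoverable from its value,
    and when it lacks the Secure or HttpOnly attribute."""
    findings = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        jar = SimpleCookie()
        jar.load(line.split(":", 1)[1].strip())
        for name, morsel in jar.items():
            problems = []
            if any(password in decoded for decoded in _decodings(morsel.value)):
                problems.append("credential recoverable from cookie value")
            if not morsel["secure"]:
                problems.append("missing Secure flag")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly flag")
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_login_cookies().items():
        print(name, "PASS" if not problems else "FAIL: " + ", ".join(problems))
```

Only the `session` cookie passes: it carries an opaque identifier rather than the credential, and it is marked Secure and HttpOnly. The `auth` cookie has the right flags but still fails, because base64 is an encoding, not encryption.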

Web-Site Security Template

SECURITY RISK (mark each item Pass/Fail)

1. Remove the welcome banner from the web server; it could tempt hackers by making them feel 'invited' into your site.

2. Hard-coded passwords should never be in .asp/.asa files or scripts.

3. Install the latest patches and be proactive!

4. Disable IP addresses in the header of your web pages. The Content-Location header exposes IP addresses.

5. Control cookies and applets that show user preferences. Disable them by replacing the cookie file or directory with a zero-length file having no read or write permissions, or, on Unix, delete the cookies file and replace it with a link to /dev/null.

6. Clear the NT Event Log, or /var/adm/messages on UNIX.

7. Restrict virtual paths (the ".." dot bug) and their hex representation (0x2e).

8. Set appropriate ACLs on virtual directories.

9. Set ASP -> everyone (x), admin (full control), system (full control).

10. Use disk quotas to limit the amount of data that can be written to directories.

11. Be aware of browser differences (::$DATA in Netscape saves the location to a file).

12. Remove CIF files (PC Anywhere) and setup.log or install.log files containing path/user info.

13. Limit malformed requests, such as appended file names that could cause a buffer overflow.

14. Check whether a hacker can submit a password change request with an intentionally missing delimiter.

15. If using a PKI, know all your trusted root certificate authorities (CAs).

16. Remove sample apps like the IIS samples, IIS docs, and Data Access (\MSADC) on production servers.

17. Limit IDC (Internet Database Connector) and FTP (port 21 control, port 20 data): these are areas to break in remotely.

18. Be cautious with server-side scripting (.stm, .shtm, .shtml).

19. Be aware of Internet Printing (.printer).

20. Remember that IIS ADMPWD is not removed when you upgrade IIS4 to IIS5.

21. No interpreters, shells, scripting engines, or extensible programs should be in cgi-bin.

22. Remove unnecessary compilers (VB) and interpreters (Perl) if NOT using CGI scripts.

23. Review security best practices and update the internal security policy.

24. Web server permissions: content files/directories should be readable, not writable. However, the web server should be able to write but not read the log files. Config files should not be served as web content, and no config files should be in the root; redirect using chroot().

25. Turn off IP routing on the application proxy, with a single default route to the screening router.

26. Remove .htr (ISAPI extension) mappings or the service, and remove unneeded script mappings.
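The "restrict virtual paths" item (the ".." dot bug and its hex form 0x2e) is the one a tester most often has to verify by hand, so here is an added example, not code from the original post, of the server-side check that item asks for: decode percent-encoding until it stops changing, join the request path onto the document root, normalise, and refuse anything that ends up outside the root. The document root, the request samples and the function name are assumptions made for this example; a real server would apply the same rule to its own root.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root for this example


def resolve_request_path(request_path: str, web_root: str = WEB_ROOT):
    """Map a request path to a file under web_root, or return None if the
    path would escape the root. Handles '..' written plainly, as %2e%2e
    (hex 0x2e is '.'), and as a double encoding such as %252e."""
    decoded = request_path
    for _ in range(3):  # decode until stable so nested encodings cannot hide a dot
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:  # an embedded NUL would truncate the path in C-based servers
        return None
    # Join first, normalise second: normalising the request on its own would
    # silently swallow a leading '..' and make the path look harmless.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed request samples: benign paths, a benign use of '..' that stays
# inside the root, and three traversal attempts in plain, hex and double-hex form.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/shadow",
]


def classify_requests(requests=SAMPLE_REQUESTS, web_root: str = WEB_ROOT) -> dict:
    """Return {request: resolved path or None} so a test run can be reviewed at a glance."""
    return {req: resolve_request_path(req, web_root) for req in requests}


if __name__ == "__main__":
    for req, resolved in classify_requests().items():
        print(f"{req:40} -> {'BLOCKED' if resolved is None else resolved}")
```

The check is deliberately done on the fully decoded path: a server that compares the raw `%2e%2e` string against a `..` blacklist will pass the hex form through, which is exactly the failure the checklist item describes.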

For further information, visit these links:

1. http://www.webappsec.org/lists/websecurity/archive/2006-02/msg00040.html

2. http://blog.jim.com/?postid=70

3. http://www.whitehatsec.com/presentations/phishing_superbait.pdf

4. http://blog.washingtonpost.com/securityfix/2006/06/flaws_in_financial_sites_aid_s.html

5. http://www.cert.org/advisories/CA-2000-02.html

6. http://www.microsoft.com/technet/security/bulletin/MS06-034.mspx

7. http://www.cgisecurity.com/articles/xss-faq.shtml#whatis

8. http://ha.ckers.org/xss.html

9. http://ha.ckers.org/blog/1970/01

Have a nice day

Friday, July 14, 2006

What are unit, component and integration testing?

The definitions of integration tests are after Leung and White. Note that the definitions of unit, component, integration, and integration testing are recursive:

Unit: the smallest compilable component. A unit typically is the work of one programmer (at least in principle). As defined, it does not include any called sub-components (for procedural languages) or communicating components in general.

Unit testing: in unit testing, called components (or communicating components) are replaced with stubs, simulators, or trusted components. Calling components are replaced with drivers or trusted super-components. The unit is tested in isolation.

Component: a unit is a component. The integration of one or more components is a component.

Note: the reason for "one or more" as contrasted with "two or more" is to allow for components that call themselves recursively.

Component testing: the same as unit testing, except that all stubs and simulators are replaced with the real thing.

Two components (actually one or more) are said to be integrated when:
a. They have been compiled, linked, and loaded together.
b. They have successfully passed the integration tests at the interface between them.

Thus, components A and B are integrated to create a new, larger component (A,B). Note that this does not conflict with the idea of incremental integration -- it just means that A is a big component and B, the component added, is a small one.

Integration testing: carrying out integration tests. Integration tests (after Leung and White) are defined here for procedural languages; this is easily generalized to OO languages by using the equivalent constructs for message passing. In the following, the word "call" is to be understood in the most general sense of a data flow and is not restricted to just formal subroutine calls and returns -- for example, passage of data through global data structures and/or the use of pointers. Let A and B be two components in which A calls B.

Let Ta be the component-level tests of A.
Let Tb be the component-level tests of B.
Tab: the tests in A's suite that cause A to call B.
Tbsa: the tests in B's suite for which it is possible to sensitize A -- the inputs are to A, not B.
Tbsa + Tab == the integration test suite (+ = union).

Note: sensitize is a technical term. It means inputs that will cause a routine to go down a specified path. The inputs are to A. Not every input to A will cause A to traverse a path in which B is called. Tbsa is the set of tests which do cause A to follow a path in which B is called. The outcome of the test of B may or may not be affected.

There have been variations on these definitions, but the key point is that it is pretty darn formal, and there's a goodly hunk of testing theory, especially as concerns integration testing, OO testing, and regression testing, based on them.

As to the difference between integration testing and system testing: system testing specifically goes after behaviors and bugs that are properties of the entire system, as distinct from properties attributable to components (unless, of course, the component in question is the entire system).

Examples of system testing issues: resource loss bugs, throughput bugs, performance, security, recovery, transaction synchronization bugs (often misnamed "timing bugs").
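To make the Ta, Tb, Tab and Tbsa definitions above concrete, here is an added example (not part of the original post) with two toy components, where A only calls B on some of its paths. B is instrumented to record its calls; Tab is found by running A's suite and keeping the tests that reached B, and Tbsa by searching for an input to A that makes B receive the input a B test wants. The components, the suites and the candidate inputs are constructed for this example, and the search over candidates is a brute-force stand-in for what a tester would work out from A's logic.

```python
class Recorder:
    """Records the arguments B was called with during one test run."""

    def __init__(self):
        self.calls = []


def B(x):
    return x * 2


def A(x, rec):
    """A calls B only on the positive path; non-positive inputs are handled by A alone."""
    if x > 0:
        rec.calls.append(x)
        return B(x) + 1
    return -x


# Constructed component-level suites: name -> input value.
Ta = {"a_neg": -3, "a_zero": 0, "a_pos": 4}       # inputs to A
Tb = {"b_zero": 0, "b_small": 1, "b_large": 50}   # inputs to B
CANDIDATE_A_INPUTS = range(-10, 61)               # search space for sensitizing A


def tab(ta):
    """Tab: the tests in A's suite that cause A to call B."""
    reached_b = set()
    for name, x in ta.items():
        rec = Recorder()
        A(x, rec)
        if rec.calls:
            reached_b.add(name)
    return reached_b


def tbsa(tb, candidates=CANDIDATE_A_INPUTS):
    """Tbsa: the tests in B's suite for which A can be sensitized, i.e. some
    input to A drives A down a path that hands B exactly the input the B test
    wants. Returns name -> the sensitizing input to A."""
    sensitized = {}
    for name, wanted in tb.items():
        for a_input in candidates:
            rec = Recorder()
            A(a_input, rec)
            if wanted in rec.calls:
                sensitized[name] = a_input
                break
    return sensitized


def integration_suite(ta, tb):
    """Tbsa + Tab, as name -> input to A. Every test here is run through A."""
    suite = {name: ta[name] for name in tab(ta)}
    suite.update(tbsa(tb))
    return suite


if __name__ == "__main__":
    print("Tab  =", tab(Ta))
    print("Tbsa =", tbsa(Tb))
    print("integration suite =", integration_suite(Ta, Tb))
```

Note that b_zero drops out: no input to A makes A call B with 0, so that B test cannot be sensitized through A and does not belong to the integration suite, even though it is a perfectly good component-level test of B.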

Thursday, July 13, 2006

Testing Object oriented programs

How do I find information about testing object-oriented programs?

Based on information originally provided by Brian Marick. Books that include some discussion of testing OO programs:

Binder, _Testing Object-Oriented Systems_
Jacobson, _Object-Oriented Software Engineering_
Marick, _The Craft of Software Testing_
McGregor, _Object-Oriented Software Development_
Siegel, _Object Oriented Software Testing_

There are a vast number of articles about testing OO programs. I suggest starting with the September 1994 Communications of the ACM, which is devoted to this topic. Chase references. The February 1996 issue of Object has a piece on system testing with use cases. Conferences like STAR and Quality Week and Pacific Northwest Software Quality Conference seem to always have papers on this topic. I suggest going to a conference and buttonholing people.

Web sites with discussion:
<http://www.cs.washington.edu/homes/gmurphy/testSTApp.html>
<http://www.testing.com/>
<http://www.toa.com>

Courses on testing object-oriented code (one by Robert Binder, one by Ed Berard) are described in the Testing Courses FAQ. Also, a new addition is an offering from Software Quality Engineering.

World wide Web resources

Beta Testing
Bug Tracking
Cleanroom Technology
Cost Estimation
Courses and Seminars on Quality Topics
Coverage Analysis
Defect Tracking
Deming Related
Ergonomics
Function Point Analysis
General White Papers
GUI Testing
Java
Load Generation and Performance Analysis
Maintenance Issues
Man-Rated Systems Testing
Metrics
Miscellaneous Topics
Product Evaluations
Real-Time/Embedded Testing
Related Quality Methodologies
Risk Management
Salaries and Compensation for Testers
Shlaer-Mellor Method
Slice Technology
Software Inspections
Software Reliability
Software Safety
Software Testing (General)
Special Problems of C++ Testing
Taguchi Method
Testability
Testing 4GL Applications
Testing OO Applications
Testing Visual Basic Applications
Test Plan Automation
The Year 2000 (Y2K) Problem
Thread-Safe Applications Testing
TQM Related
Training Concerns
WWW Related
Website Quality

Resources for Professional Software Testers :
http://www.io.com/~wazmo/qa/

Betasoft QA Links page :
http://www.QALinks.com

Many more.....

http://www.soft.com/Institute/HotList/
http://www.testingstuff.com/
http://www.softwaretesting.de

Testing Research community

Welcome to what could be called the Software Testing Research Community Directory:

http://www.mtsu.edu/cgi-bin/users/storm/researchers.pl

software testers and consultants is assembled from requests made to STORM:

http://www.mtsu.edu/cgi-bin/users/storm/directory.pl

Software Testing Discussion and News:
http://www.mtsu.edu/~storm/news.html

and many more...
http://www.mtsu.edu/~storm/

What is Smoke test?

A common practice at Microsoft and some other shrink-wrap software companies is the "daily build and smoke test" process. Every file is compiled, linked, and combined into an executable program every day, and the program is then put through a "smoke test," a relatively simple check to see whether the product "smokes" when it runs. The daily build should:

1. compile all files, libraries, and other components successfully;
2. link all files, libraries, and other components successfully;
3. not contain any showstopper bugs that prevent the program from being launched or that make it hazardous to operate; and
4. pass the smoke test.

For more information: http://www.stevemcconnell.com/bp04.htm

Testing Questions and tools

http://www.TestingFAQs.org/
http://www.logigear.com/resources/default.asp
http://www.xprogramming.com/software.htm


Testing tools:

ftp://rtfm.mit.edu/pub/usenet/comp.software-eng/


Network Security:
http://www.ideahamster.org/

Mumbai navigator

Mumbai navigator:

http://www.cse.iitb.ac.in/navigator/index.html

Linux Testing

Linux testing:

www.bugzilla.redhat.com/hwcert
www.linuxquestions.org/hcl/index.php
www.hardwaredb.suse.de/index.php?LANG=en_UK
www.linux.org/hardware
www.linspire.com/hcl
www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Hardware-HOWTO.html

Security Testing

Security testing:

www.sans.org/rr/catindex.php?cat_id=50
http://www.ietf.org/rfc/rfc2196.txt?Number=2196
http://www.securityfocus.com/data/library/Why_Security_Policies_Fail.pdf

Some general websites with information security policies:
http://www.security.kirion.net/securitypolicy/
http://www.network-and-it-security-policies.com/
http://iatservices.missouri.edu/security/
http://www.utoronto.ca/security/policies.html
http://irm.cit.nih.gov/security/sec_policy.html
http://w3.arizona.edu/~security/pandp.htm
http://secinf.net/ipolicye.html
http://cio.berkeley.edu/policies.html
http://www.ruskwig.com/security_policies.htm
http://www.bindview.com/Support/RAZOR/Resources/InfoCarePart2.ppt

Technical links

http://geekswithblogs.net/srkprasad/
http://www.realityinteractive.com/rgrzywinski/archives/000044.html
http://www.softwareprojects.org/software-test-strategy.htm
http://www.testingeducation.org/BBST/Domain.html
http://www.qaforums.com
http://www.satisfice.com
http://www.effectivesoftwaretesting.com
http://www.amibug.com/getinfo.shtm?present=webstress
http://www.stickyminds.com/sitewide.asp?Function=edetail&ObjectType=ART&ObjectId=5030#figure1go
http://www.ssw.com.au/ssw/Standards/Rules/RulesToBetterWebsitesLayout.aspx
http://www.deccanetworld.com/sublinks/whitepapers/unit_testing.htm
http://www.softwaredevelopment.ca/bugs.shtml
http://www.math-cs.gordon.edu/local/courses/cs211/ATMExample/Interactions.html
http://www.advancedwebsearch.com/result.aspx?keyword=software+testing&orig=1
http://sixsigmatutorial.com
http://www.io.com/~wazmo/qa/#testing_and_qa
