Tuesday, February 27, 2007

Malicious code injection : Not through Sql

All code injection attacks work on the same principle: an attacker piggybacks malicious code onto legitimate code through an input field in the application. Since the input itself can never be trusted, the protection has to come from the code within the application. The root of all code injection problems is that developers put too much trust in the users of their applications. A developer should never trust the user to operate the application in a safe manner; there will always be someone looking to use malicious input in an exploitative way.

Aside from SQL injection, there are several other types of malicious code injection attacks with which developers must become familiar. Three of these dangerous types of injection are:
1. XPath injection
2. LDAP injection
3. Command execution injection

XPath Injection:

The attacker inputs a string of malicious code meant to trick the application into providing access to protected information. If your website uses an XML (Extensible Markup Language) document to store data, and user input is included in an XPath query against that document, you may be vulnerable to XPath injection.

For example, consider the following XML document used by an e-commerce website to store customers’ order history:


```xml
<!-- The element names orders, customer, order, item and price are the ones the
     query below uses; the names email, creditcard, quantity and description were
     stripped from the post's source and are assumed here -->
<orders>
  <customer id="1">
    <name>Bob Smith</name>
    <email>bob.smith@bobsmithinc.com</email>
    <creditcard>1234567812345678</creditcard>
    <order>
      <item>
        <quantity>1</quantity>
        <price>10.00</price>
        <description>Sprocket</description>
      </item>
      <item>
        <quantity>2</quantity>
        <price>9.00</price>
        <description>Cog</description>
      </item>
    </order>
  </customer>
</orders>
```

The website allows its users to search for items in their order history based on price. The XPath query that the application performs looks like this:

```csharp
string query = "/orders/customer[@id='" +
    customerId + "']/order/item[price >= '" +
    priceFilter + "']";
```

If either the customerId or the priceFilter value has not been properly validated, an attacker can exploit the XPath injection vulnerability. Entering the following value for either one closes the open predicate and unions in `/*`, so the query selects the entire XML document, including other customers' names and credit card numbers, and returns it to the attacker:

```
'] | /* | /foo[bar='
```
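The same query built two ways, as an added example in Python that is not the post's own code: the post's string concatenation, which turns the payload above into a union with `/*`, beside an allow-list check that rejects any value able to close the predicate. `ORDERS_XML` is a constructed copy of the order history above, and the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document shaped like the post's order history
ORDERS_XML = """<orders><customer id="1"><name>Bob Smith</name><order>
<item><quantity>1</quantity><price>10.00</price><description>Sprocket</description></item>
<item><quantity>2</quantity><price>9.00</price><description>Cog</description></item>
</order></customer></orders>"""

# The post's payload: closes the predicate and unions the whole document in
INJECTION = "'] | /* | /foo[bar='"


def build_query_unsafe(customer_id, price_filter):
    """Straight port of the post's string concatenation: no validation at all."""
    return ("/orders/customer[@id='" + customer_id +
            "']/order/item[price >= '" + price_filter + "']")


_ID_RE = re.compile(r"[0-9]{1,9}")
_PRICE_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?")


def build_query_safe(customer_id, price_filter):
    """Allow-list both inputs before they reach the XPath string.  A quote,
    bracket, '|' or '/' can never pass, so the predicate cannot be closed."""
    if not _ID_RE.fullmatch(customer_id):
        raise ValueError("customerId must be a plain integer")
    if not _PRICE_RE.fullmatch(price_filter):
        raise ValueError("priceFilter must be a decimal amount")
    return build_query_unsafe(customer_id, price_filter)


def items_at_or_above(customer_id, price_filter):
    """Safe lookup over ORDERS_XML.  ElementTree's XPath subset has no numeric
    comparison, so the validated id selects the items and the price check is
    done in Python; hostile input never reaches a path expression."""
    build_query_safe(customer_id, price_filter)  # raises on hostile input
    root = ET.fromstring(ORDERS_XML)
    items = root.findall("./customer[@id='" + customer_id + "']/order/item")
    limit = float(price_filter)
    return [i.findtext("description") for i in items
            if float(i.findtext("price")) >= limit]


if __name__ == "__main__":
    print(build_query_unsafe("1", INJECTION))  # the union query the post warns about
    print(items_at_or_above("1", "9.50"))      # ['Sprocket']
```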


Friday, February 23, 2007

Localization Testing

What is localization (L10N)?

Adapting a (software) product to a local or regional market.
Goal: appropriate linguistic and cultural aspects.
Performed by translators, localizers and language engineers.

Localization

The aspect of development and testing relating to the translation of the software and its presentation to the end user. This includes translating the program, choosing appropriate icons and graphics, and other cultural considerations. It may also include translating the program's help files and the documentation. You could think of localization as pertaining to the presentation of your program: the things the user sees.


Internationalization (I18N)

Developing a (software) product in such a way that it will be easy to adapt it to other markets (languages and cultures).
Goal: eliminate the need to reprogram or recompile the original program.
Carried out by software development in conjunction with localization.
Handling foreign text and data within a program.
Sorting, importing and exporting text and data, correct handling of currency and date and time formats, string parsing, upper and lower case handling.
Separating strings from the source code, and making sure that the foreign language strings have enough space in your user interface to be displayed correctly.

Internationalization

The aspect of development and testing relating to handling foreign text and data within a program. This includes sorting, importing and exporting text and data, correct handling of currency and date and time formats, string parsing, upper and lower case handling, and so forth. It also includes the task of separating strings (or user interface text) from the source code, and making sure that the foreign language strings have enough space in your user interface to be displayed correctly. You could think of internationalization as pertaining to the underlying functionality and workings of your program.


What do I18N and L10N stand for?

These two abbreviations mean internationalization and localization respectively. Using the word "internationalization" as an example, here is how these abbreviations are derived. First, you take the first letter of the word you want to abbreviate; in this case the letter "I". Next, you take the last letter of the word; in this case the letter "N". These become the first and last letters of the abbreviation. Finally, you count the remaining letters of the word between the first and last letter. In this case, "nternationalizatio" has 18 characters in it, so we plug the number 18 between the "I" and the "N"; thus I18N.


I18N and L10N

I18N and L10N comprise the whole of the effort involved in enabling a product.
I18N is "stuff" you have to do once.
L10N is "stuff" you have to do over and over again.
The more stuff you push out of L10N into I18N, the less complicated and expensive the process becomes.

Thursday, February 15, 2007

Finding the Text box maximum length by one click

If the web page you are testing contains form fields with text boxes, and you need to perform boundary value analysis and validation testing on those text boxes, use the following JavaScript bookmarklet to read each input's maximum length:

```javascript
javascript:var x=document.getElementsByTagName('input');myVals='';for (var i=0;i
```