How to test better with add-on(s)?

You must already know the add-on(s) mind map which we (Moolyavans) created (URL: http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/). Here I am going to shed some light on how we can use them. I have chosen some add-ons and described how we utilize each of them in our testing activity. Here I go,

 

Web Developer Add-on

There are different categories under the Web Developer add-on; below are some of them, with an explanation of how we use them in our testing activity:

1. Validation

I would use this add-on to quickly validate CSS and HTML and to find broken links or 404 pages. It uses the validation tools from W3C, which are the standard, and that helps me give a quick report.

2. Forms

Under this I get to know risks such as: whether server-side validation is being done or not, whether maxlengths can be bypassed to produce a system error message or some other unexpected behaviour, and whether the form methods can be converted from GET to POST and vice versa.

3. Images

This helps in performing Section 508 (web accessibility) tests very quickly. We navigate to a page and click on “Display ALT / Title attributes”, and the whole list is displayed in the page itself, including the existing ones and the missing ones (no need to hover over every image to see whether an ALT text or tooltip is visible).

 

Resolution Test

I use this to get coverage of how a web page looks at different screen resolutions. Some users might have different resolutions set, and this add-on helps us quickly find out whether there are any risks associated with the resolution of a web page.

 

Also try ScreenFly (http://quirktools.com/screenfly/), which can emulate the resolutions of tablets like the iPad / Motorola, mobile phones, desktops and TVs.

 

iMacros

Let’s say we want to test the My Profile page for a newly registered user. Creating new users is a repetitive process, so we automate it very quickly: within 30 seconds or so we could record the registration form (without a captcha; otherwise we need to enter the captcha manually and then submit the form). iMacros is supported on Internet Explorer, Mozilla Firefox and Google Chrome, and the recorded macros can be run on those different browsers, but not on Apple Safari. This is just an example; we know many other contexts where we could use iMacros.

 

Form Fuzzer

I use this to populate the text fields with different characters from different character sets, for example !@#$%^&*()-+ etc. I have the test data ready, and with just one click we populate every text field with it and then submit the form, which helps in testing input validation.

 

Check All / CheckFox

Let’s say there are 100 checkboxes and one of the tests is to check all 100 and submit the form. Doing it one by one takes a lot of time, but with the Check All or CheckFox add-on I can do it within a few seconds, either by dragging over the area containing the checkboxes we want to check or with just one click. I can also do the inverse and uncheck them.

 

Tamper Data / IE Tamper

I use this add-on to tamper with the input values before they are submitted to the server. This is a man-in-the-middle attack.

 

Example: Let’s say the item I am purchasing costs $100, but there is client-side validation that does not allow me to edit the price. I would use the Tamper Data add-on: once I click on “Submit”, Tamper Data shows the request in its own window, and there I can edit the price to only $10 and submit it. This helps us find out whether there is a risk that the data can be tampered with.

 

RegEx Tester

I use this add-on to test regular expressions. Let’s say there is JavaScript code that exists for validation, but the form is not yet fully built or functional. In this case I need not stop my testing of validation: we could take those regular expressions (A-Z, a-z, 0-9 etc.) and perform the tests against them directly. So, even if the functionality is not implemented, our input validation testing is not blocked.
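As an added example (not code from the original post), here is how the validation regular expressions a page carries can be exercised directly with Form Fuzzer style test data, covering both the Form Fuzzer and RegEx Tester ideas above; the regexes and the inputs are assumptions constructed for illustration.

```javascript
// Added example, not from the original post: exercising a form's validation
// regexes directly, before the form itself works, using the special-character
// test data the post mentions. Regexes and inputs are constructed for illustration.

// Three hypothetical username validators a developer might ship in page JavaScript.
const UNANCHORED_USERNAME = /[A-Za-z0-9]+/;        // bug: accepts any value containing one alphanumeric
const MULTILINE_USERNAME  = /^[A-Za-z0-9]{3,20}$/m; // bug: with the m flag, $ also matches before a newline
const ANCHORED_USERNAME   = /^[A-Za-z0-9]{3,20}$/;  // correct: the whole value must match

// Constructed test data: the post's special-character set plus boundary cases.
const FUZZ_INPUTS = [
  "alice42",            // should be accepted
  "!@#$%^&*()-+",       // all specials, should be rejected
  "alice!@#$%^&*()-+",  // specials appended, should be rejected
  "ab",                 // below minimum length, should be rejected
  "a".repeat(21),       // above maximum length, should be rejected
  "bob\n!@#",           // newline smuggled in, should be rejected
  "",                   // empty, should be rejected
];

// Run every input through one regex; returns a map of input -> accepted.
function runFuzz(regex, inputs = FUZZ_INPUTS) {
  const results = {};
  for (const input of inputs) results[input] = regex.test(input);
  return results;
}

// Inputs that a candidate regex accepts but the correct one rejects: each is a
// validation bypass worth reporting as a bug.
function bypasses(candidate, inputs = FUZZ_INPUTS) {
  return inputs.filter(i => candidate.test(i) && !ANCHORED_USERNAME.test(i));
}
```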

 

Edit This Cookie

I use this to reveal risks (if any) such as modifying the cookie value and getting into a different account that does not belong to us. It also lets us know what information is being stored in the cookie; we look for data that should not be there.

 

Lipsum

If I want to add 100 lines of text (letters) to a text area, we use Lipsum, which is a Lorem Ipsum text generator. So I have the test data ready in a few seconds.

 

Pendule

Helps in getting coverage of the JavaScript and CSS; we use this on a specific page, and all the CSS and JavaScript code is extracted into a separate window, so we can go through it all in a single place. An indentation feature is also available under “Beautify CSS”. There are other cool features too that add value.

Auto-complete can put your customers under threat

You must know the auto-complete feature in your web browser, and also in web applications like the Google search engine. I am going to talk about where to use it and where not to use it. You might like the 2 points below:

 

  1. Auto-complete helps improve the UX
  2. Auto-complete can put your customers under threat if care is not taken to disable it in some places

 

I will concentrate on the 2nd point, which is the one you are interested in. Let us consider a web application that has no auto-complete feature of its own, but the web browser saves form history and offers auto-complete from it. Most people leave auto-complete turned on in their web browsers. Below is a mind-blowing example of how not disabling auto-complete in the code of a web application could lead to unauthorized access to an account by someone who does not own it:

 

There is a Secret Answer text field and it is in plain text (first of all, this itself is bad, because the secret answer acts as authentication too and it ought to be masked; you mask the password because others should not see it, yet you keep the secret answer in plain text – does that make sense?), and there are users who use shared computers. Let us say 10 customers sign up and they have chosen different secret answers – these are non-computer-savvy people. Now someone like me (as an example), an evil hacker, starts using the website where the 10 customers registered. I go to the sign-up page and double-click on the “Secret Answer” text field, and guess what – I have 10 secret answers belonging to one end-user or another, and now I need to know which e-mail addresses they were using. That’s simple: double-click on the “E-mail address” text field and I get 10 e-mail addresses – Wow! Let me have a mug of beer now and dance.

 

Above, you saw how not disabling auto-complete in the code of a web application could impact your customers, and you too.

 

Where should auto-complete be turned off?

  1. E-mail address (use Remember Me so that your users do not have to enter their e-mail address every time)
  2. Secret Answer (consider masking it too, or else someone shoulder surfing might exploit it)
  3. Credit Card Numbers
  4. Bank Account Numbers

 

Confidential information should never be visible under auto-complete and should not be allowed to be saved in a web browser’s history. Ask yourself what the impact of not having “auto-complete” is, and also what the impact of having it is – this helps in adding usability as well as security to your web application.
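As an added example, not code from the original post, here is a small check that scans the input tags of a form’s HTML for the kinds of sensitive fields listed above and reports those that lack autocomplete="off"; the sample form and the field-name patterns are assumptions constructed for illustration.

```javascript
// Added example, not from the original post: scan the <input> tags of a form
// (given as an HTML string, so no browser is needed) and report sensitive
// fields on which autocomplete="off" is missing.

// Field-name patterns for the fields the post lists; an assumption for
// illustration, to be extended per application.
const SENSITIVE_NAME_PATTERNS = [
  /e-?mail/i,
  /secret.?answer/i,
  /card.?(number|no)/i,
  /account.?(number|no)/i,
];

// Pull the double-quoted attributes of one <input ...> tag into an object.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Names of sensitive inputs the browser may offer to auto-complete, i.e.
// whose autocomplete attribute is absent or not "off".
function findAutocompleteRisks(html) {
  const risks = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttributes(tag);
    const name = a.name || a.id || "";
    const sensitive = SENSITIVE_NAME_PATTERNS.some(p => p.test(name));
    const autocompleteOff = (a.autocomplete || "").toLowerCase() === "off";
    if (sensitive && !autocompleteOff) risks.push(name);
  }
  return risks;
}

// Constructed sign-up form modelled on the post's scenario.
const SAMPLE_FORM = `
<form method="post" action="/signup">
  <input type="text" name="email" />
  <input type="password" name="password" autocomplete="off" />
  <input type="text" name="secretAnswer" />
  <input type="text" name="cardNumber" autocomplete="off" />
  <input type="text" name="displayName" />
</form>`;
```

Most current browsers ignore autocomplete="off" on login password fields in favour of their password managers, so treat the attribute as one control among several rather than the whole answer.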

 

You could maintain a checklist of which fields should not offer auto-complete in your web application. You might want to communicate this to the test teams working on other projects in your organization too, to benefit your customers and your organization. I hope you had a good read.

Attacks via e-mail feature

I often see that websites with features that use an e-mail service are open to security vulnerabilities, and these vulnerabilities could be exploited at any time. I am going to list some of the features that use an e-mail service (SMTP server).

  1. Forgot Username / Password
  2. Registration – confirmation e-mail
  3. Subscription / receive updates

 

There could be many other such features, depending on the product that has been or is being developed. The ones mentioned above are those you are familiar with.

 

How can I use the above features to attack the e-mail service or SMTP server?

Spamming and increased bandwidth usage – I could get the victim’s username or e-mail address, enter it in the Forgot Password text field and keep sending e-mails to the target e-mail address, thereby spamming. I am not only spamming here; I am also consuming the bandwidth of the e-mail server. I could easily automate this, so let us talk about numbers now. Say I send one e-mail every 5 seconds.

5 seconds = 1 e-mail

1 minute = 12 e-mails

1 hour = 720 e-mails

It goes on.

 

It becomes a DDoS attack if it is done at the same time from different computers: 100 bad guys connected on IRC say “Boom” and everyone invokes it. The number 100 is just for example purposes; there are teams connected on IRC of more than 1000+.

 

Countermeasures

There should be a restriction on the number of e-mails sent per day or per hour, or whatever limit would not harm the e-mail service or the end-user.

 

A captcha should be shown if repeated usage of the form is detected. Example: Gmail displays a captcha in the login form after wrong attempts are made. This could help stop an attack that is done by automating the process.

 

Blacklist the IP address if the attack continues, and record it in the server logs.
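The three countermeasures above combined, as an added example that is not code from the original post: a sliding-window guard placed in front of a forgot-password style e-mail feature, with the limits chosen here as assumptions for illustration.

```javascript
// Added example, not from the original post: a sliding-window guard in front of
// an e-mail-sending feature (e.g. "forgot password"). It applies the post's
// countermeasures: a per-target-address cap, a captcha once a source repeats,
// and blacklisting plus logging for a source that keeps going. All limits are
// assumptions chosen for illustration.

const WINDOW_MS = 60 * 60 * 1000; // one-hour window

class EmailAbuseGuard {
  constructor({ perAddress = 3, captchaAfter = 5, blockAfter = 20 } = {}) {
    this.limits = { perAddress, captchaAfter, blockAfter };
    this.byAddress = new Map(); // target e-mail -> send timestamps
    this.byIp = new Map();      // source IP -> request timestamps
    this.blacklist = new Set();
    this.log = [];              // server-side record for later review
  }

  // Drop timestamps older than the window and return the live bucket.
  _recent(map, key, now) {
    const kept = (map.get(key) || []).filter(t => now - t < WINDOW_MS);
    map.set(key, kept);
    return kept;
  }

  // Decide one request to e-mail `address` from `ip`. Returns "send",
  // "captcha" or "block"; only "send" should reach the SMTP server.
  decide(address, ip, now = Date.now(), captchaSolved = false) {
    if (this.blacklist.has(ip)) return "block";
    const ipHits = this._recent(this.byIp, ip, now);
    ipHits.push(now); // every request counts against the source, sent or not
    if (ipHits.length > this.limits.blockAfter) {
      this.blacklist.add(ip);
      this.log.push({ now, ip, event: "blacklisted" });
      return "block";
    }
    if (ipHits.length > this.limits.captchaAfter && !captchaSolved) return "captcha";
    const sent = this._recent(this.byAddress, address.toLowerCase(), now);
    if (sent.length >= this.limits.perAddress) {
      this.log.push({ now, ip, address, event: "rate-limited" });
      return "block"; // cap holds across source IPs, which blunts the distributed case
    }
    sent.push(now);
    return "send";
  }
}
```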

 

I wrote this blog post quickly and published it; I will write about it in more depth sometime later.

Login – Test Ideas

Different combinations of username and password

Valid Username Valid Password
Valid Username Invalid Password
Valid Username No Password
Invalid Username Valid Password
Invalid Username Invalid Password
Invalid Username No Password
No Username No Password
Valid Username Valid Password and Incorrect Domain
Valid Username Invalid Password Correct Domain
Valid Username Valid Password and Correct Domain
Valid Username Invalid Password Incorrect Domain
Invalid Username Valid Password and Incorrect domain
Invalid Username Invalid Password and Correct domain

Case Sensitive

Password is case-sensitive?
Username is case-sensitive?

Maxlength

Username has maxlength?
Password has maxlength?

Alignment

Are the Username and Password text fields properly aligned?
Are the Username and Password labels aligned properly?
Is the Login button aligned with the text fields and not far from them?

Input Validation

Alphabets
Alphabets + Numerical
Alphabets + Special Characters
Alphanumeric + Special Characters
Quotes, Double Quotes, Tilde
How does the login behave with different character sets?
Changing the order of these characters, e.g. AB1, 1AB (adding the numeral at the end and adding it at the start)

Keyboard mapping

Enter the username and password and then press the "Enter" key. Does it invoke the Submit button?
Are there any keyboard shortcuts for Submit and Cancel?
Feel free to add more by commenting on this blog post.

Recommended: Darren McMillan created a mindmap of Login Test Ideas and you can view it at
http://www.bettertesting.co.uk/content/?p=1372

Finding bugs from web.config file in ASP.NET

If you are a tester testing a product developed on ASP.NET, this post will educate you on finding bugs from the web.config file. Web.config is a configuration file in which you include details such as:

  1. Data Source
  2. SMTP Server
  3. Authentication
  4. Custom Error / Re-direction
  5. Session timeout
  6. Cookie exceptions

 

And many more details.

 

Example #1

Let’s say you are testing a web application for session timeout and you do not know when it should happen. In such a case you could go directly to /inetpub/wwwroot/, open the folder where the application is deployed, open web.config with any text editor (Notepad++ recommended) and search for a string like “timeout”, and you get the details. You might also find that there is no timeout XML tag, which means you have found a bug: there is no session timeout.

 

Example #2

We are experiencing delays in sending or receiving e-mail. We purchased a cool SMTP server from some cool vendor. In such a situation you could go to web.config and check whether the SMTP settings point to the same incoming and outgoing servers that were purchased from that cool vendor. That should be your first test. If they are the same, then you need to contact that cool vendor, who turned out to be not such a cool vendor.

 

Example #3

Handling error pages – let’s say the page the server is looking for does not exist, so an error page is displayed. There are different status codes, and these can be handled in the web.config file. You can go to web.config and see whether the developer is using custom error pages for all of them; search for the string “customErrors” to find the details, if any.
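The three checks above, as an added example that is not code from the original post: a small script that reads a web.config and reports the session timeout, the SMTP host and the customErrors mode using the real ASP.NET element names; the sample configuration is constructed, and the regex-based parsing assumes well-formed XML with double-quoted attributes.

```javascript
// Added example, not from the original post: read a web.config and report the
// three things the post's examples look for. Regexes stand in for an XML
// parser, so well-formed XML with double-quoted attributes is assumed.

// Constructed sample: no sessionState element, vendor SMTP host, errors off.
const SAMPLE_WEB_CONFIG = `<?xml version="1.0"?>
<configuration>
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.test">
        <network host="smtp.vendor.example" port="587" />
      </smtp>
    </mailSettings>
  </system.net>
  <system.web>
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>`;

// Return the named attribute of the first matching element, or null if absent.
function getAttr(xml, element, attr) {
  const tag = new RegExp(`<${element}\\b[^>]*>`, "i").exec(xml);
  if (!tag) return null;
  const m = new RegExp(`\\b${attr}\\s*=\\s*"([^"]*)"`, "i").exec(tag[0]);
  return m ? m[1] : null;
}

function auditWebConfig(xml) {
  const findings = [];
  // Example #1: session timeout. ASP.NET falls back to 20 minutes when the
  // sessionState element or its timeout attribute is absent, so "missing"
  // means "default in effect", which the tester should still confirm.
  const sessionTimeout = getAttr(xml, "sessionState", "timeout");
  if (sessionTimeout === null) findings.push("sessionState timeout not set (default 20 min applies)");
  // Example #2: the SMTP host the application actually sends through.
  const smtpHost = getAttr(xml, "network", "host");
  if (smtpHost === null) findings.push("no SMTP network host configured");
  // Example #3: custom error pages; mode="Off" shows detailed errors to remote users.
  const errMode = (getAttr(xml, "customErrors", "mode") || "").toLowerCase();
  if (errMode === "off") findings.push("customErrors mode=Off exposes detailed errors to remote users");
  if (errMode === "") findings.push("customErrors mode not set (default RemoteOnly applies)");
  return { sessionTimeout, smtpHost, errMode, findings };
}
```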

 

For the list of HTTP status codes you can refer here.

 

To be continued in the next blog post – Thanks!