February 27, 2010 by mensming.
The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A PDF version is also available.
Here are the 25 items:
January 16, 2010 by mensming.
I am in the process of watching the videos from GTAC (the Google Test Automation Conference) held in Seattle in October 2008. This post contains my notes for the presentation Taming the Beast - How to Test an AJAX Application (1 hour 1 minute) by Markus Clermont & John Thomas, given on October 23, 2008.
I am not recommending spending time watching this video. The presentation is not bad; it just does not translate well to video. There is a lot of interaction with the audience, which is great when you are in the room, but in the video the audience cannot be heard and the presenters do not repeat many of the questions and responses. In addition, the talk is misnamed. While an AJAX application is used as the example throughout the talk, most of the talk is not about how to test an AJAX application. It is a good discussion of how to tame automation, for any kind of application.
Here are the slide titles:
December 20, 2009 by mensming.
A little while ago, I needed to run some Selenium processes against a different server which was HTTPS-only with a self-signed certificate. When Selenium fired up, I saw the SSL certificate warnings followed by the test failing. Even when I inserted a pause into my script so I would have time to add the security exception by hand, the test still failed.
A search on the web led to Elliot Smith’s post entitled Dealing with self-signed SSL certificates when running Selenium server with Firefox. At the time, the post was only a few days old. It was exactly what I needed and worked like a champ. Thank you Elliot!
I would add to Elliot's procedure that the cert_override.txt and cert8.db files can be added to source control. Even if the person executing the tests has never followed the procedure for creating a Firefox profile, the process will still work. Keep in mind what you are committing, though: cert8.db is the profile's certificate store and cert_override.txt is its list of accepted certificate exceptions, so every run that uses those files silently trusts whatever is in them. That is fine for a profile used only by the test harness against a known test server; do not reuse it for anything else.
Finally, a minor warning. If you find that you need to add additional self-signed certificates, you will need to do that as part of a full-fledged Firefox profile, not the limited version created here. In that case, exactly as during the initial setup, you will need to delete all of the Firefox-created files and directories except cert_override.txt and cert8.db. (I suppose you could also copy the two cert*.* files from a different full-fledged profile, as long as you were confident about the contents of those files.)
June 4, 2009 by mensming.
A friend sent me a link to this graphic. Not sure who to attribute it to. The image is hosted on http://media.oldben.com.ar.
March 22, 2009 by mensming.
In show 146 of Hanselminutes, Scott interviews agile coach Scott Bellware.
It is an interesting conversation about whether test driven development is a misnomer, the misuse of the word testability, test smells, etc. A valuable conversation for testers to consider when discussing ways to improve the quality of a product. (Especially if someone asserts that additional testing is not required since "we use test driven development".)
January 10, 2009 by mensming.
In a prior post, I described how to use telnet to verify that the HTTP TRACE method is disabled. A commenter asked:
What if telnet is actively being blocked… is there another way to invoke the TRACE request in an attempt to verify whether the potential vulnerability exists?
My immediate reaction was that I needed to research how to do this. What a fool I am...
The fact of the matter is that if an HTTP connection can reach the server, then the method I described still works. We are using telnet as nothing more than a raw TCP client that connects to port 80, the HTTP port, and types a request the way a browser would. When people say "telnet is blocked" they almost always mean the telnet service on port 23 is blocked, not the telnet client program. If a browser can connect to the server on port 80, so can the telnet client pointed at port 80. (Two related caveats: telnet cannot speak TLS, so for an HTTPS-only server use openssl s_client -connect hostname:443 and type the same request; and if the telnet client itself is missing from the machine, any tool that can send an arbitrary method will do, for example curl -X TRACE http://hostname/index.html or a netcat connection to port 80.)
January 3, 2009 by mensming.
With the new year, it is time for me to write my annual bug. Like many products, ours includes a copyright statement of the format "© 2006–2008 Company Name" that is displayed to our users. Every year, I submit a bug to change the ending year.
The United States Copyright Office provides the following guidelines in the copyright basics PDF.
Form of Notice for Visually Perceptible Copies
The notice for visually perceptible copies should contain all the following three elements:
- The symbol © (the letter C in a circle), or the word “Copyright,” or the abbreviation “Copr.”; and
- The year of first publication of the work. In the case of compilations or derivative works incorporating previously published material, the year date of first publication of the compilation or derivative work is sufficient. The year date may be omitted where a pictorial, graphic, or sculptural work, with accompanying textual matter, if any, is reproduced in or on greeting cards, postcards, stationery, jewelry, dolls, toys, or any useful article; and
- The name of the owner of copyright in the work, or an abbreviation by which the name can be recognized, or a generally known alternative designation of the owner.
By these guidelines, the second date is not required. However, sometimes it is better to go with the flow.
December 27, 2008 by mensming.
Over several months, Michael Hunter, in his blog on Dr. Dobb’s Portal, ran a series of posts with the title of "You Are Not Done Yet", each of which picked an area of a software deliverable and listed items that a tester needs to consider before considering themselves done testing it. This is a great series and I have referred numerous individuals to it time and again.
I recently wanted to refer someone to it and it took me a while to find the particular URL I needed. So, in order to save myself some time, here is the link to the table of contents to all of the articles in the series.
December 20, 2008 by mensming.
Bruce McLeod recently posted on the topic of browser compatibility testing. This is an excellent post and I agree with Bruce’s analysis as to what to include and to why. It was also timely because Google’s Chrome had just gone out of beta which spurred me to reconsider what to include in my matrix.
What is lacking in Bruce's post is an analysis of which operating systems each browser should be run on. This is especially important when considering Firefox, which is commonly run on Windows, Linux and Mac. Taking Bruce's list, I would modify it as follows:
This is what I would put on my tier B list (after completing the list above):
December 8, 2008 by mensming.
In the past, the TRACE method in the HTTP specification was considered a "safe" method, since it only echoes the request back to the client. However, that echo includes every request header the browser sent, Cookie and Authorization headers included, so when TRACE is combined with a cross-site scripting or other cross-domain flaw, script running in the victim's browser can read credentials it otherwise could not see (cross-site tracing). TRACE is therefore no longer considered safe. See US-CERT Vulnerability Note VU#867593 for more information.
I was asked how to verify that the TRACE method (in Apache) is disabled. The easiest way to do this is to use telnet as a raw client for the HTTP port. Launch telnet against port 80 of the host:
telnet hostname 80
Now, we can issue the TRACE request for a given URL. Type the request line and then press Enter twice; the empty line is what tells the server the request is complete.
TRACE /index.html HTTP/1.0
If TRACE is enabled, you will get output that looks something like this:
HTTP/1.1 200 OK
Date: Fri, 05 Dec 2008 05:59:45 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch
Connection: close
Content-Type: message/http
TRACE /index.html HTTP/1.0
Connection closed by foreign host.
Now, if TRACE is disabled (in Apache, TraceEnable off in the server configuration), the output will look like this:
HTTP/1.1 405 Method Not Allowed
Date: Mon, 08 Dec 2008 21:26:13 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch
Allow:
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /index.html.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
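The telnet session above, and the January 10, 2009 follow-up about what to do when telnet is blocked, both come down to the same thing: open a TCP connection to the HTTP port, send a TRACE request line followed by a blank line, and look at the status and Content-Type that come back. The script below is an added example (not code from the original post or from Apache) that does exactly that over a raw socket, so it does not depend on the telnet client at all. Because there is no real server in this page to probe, it also starts two constructed stand-in servers on loopback: one that echoes the request back with 200 and message/http, as Apache does with TRACE enabled, and one that answers 405, as Apache does with TraceEnable off. The verdict rule (200 plus a message/http body means enabled; anything else means disabled) and the helper names are this example's own assumptions.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_trace(host, port, path="/index.html", timeout=5.0):
    """Send a raw HTTP/1.0 TRACE request over a plain TCP socket (what the
    telnet session does by hand) and report whether TRACE is enabled.

    Assumed verdict rule: TRACE is enabled when the server answers 200 with a
    message/http body, i.e. it echoes the request back. Anything else
    (405, 501, ...) counts as disabled.
    """
    request = f"TRACE {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:          # server closed the connection (HTTP/1.0)
                    break
                chunks.append(data)
        except socket.timeout:
            pass                      # keep whatever arrived before the timeout
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get("content-type", "")
    return {
        "status": status,
        "content_type": content_type,
        "enabled": status == 200 and content_type.startswith("message/http"),
        "echo": body.decode("iso-8859-1"),   # the reflected request, if any
    }


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left on: echoes the request."""

    def do_TRACE(self):
        echo = self.requestline + "\r\n"
        echo += "".join(f"{name}: {value}\r\n" for name, value in self.headers.items())
        body = echo.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):     # keep the demo quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache with TraceEnable off: answers 405."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    def log_message(self, *args):
        pass


def start_server(handler_class):
    """Start a throwaway HTTP server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe both constructed servers; returns {'enabled': ..., 'disabled': ...}."""
    results = {}
    for label, handler in (("enabled", TraceEnabledHandler),
                           ("disabled", TraceDisabledHandler)):
        server, port = start_server(handler)
        try:
            results[label] = probe_trace("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        verdict = "ENABLED (fix this)" if result["enabled"] else "disabled"
        print(f"{label:8s} -> HTTP {result['status']}, TRACE {verdict}")
```

To check a real host, call probe_trace("hostname", 80) and inspect the "echo" field: if it contains the request you sent, the server is reflecting headers, which is exactly what a cross-site tracing attack relies on. The probe speaks plain HTTP only; for an HTTPS-only server wrap the socket with ssl.create_default_context().wrap_socket() (or use openssl s_client as described above) before sending the same request.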