Friday, June 3, 2016

Testing for security attacks

In my earlier post Security Testing I explained what security testing is and what the different types of attacks on a website are.

Now let's see what the different security testing approaches are -


1. Test Password cracking
Most web applications use a log-in screen to authenticate users. In password cracking testing, the tester should check the password complexity enforced by the website.
If the username and password are stored in a cookie, make sure they are strongly encrypted: an attacker has many ways to steal cookies, and an unencrypted cookie hands over the credentials directly.

2. Test URL manipulation
The tester should check whether the application passes important information in the query string (URL). Since the URL is easily accessible, an attacker can read data from it and tamper with it. The tester can modify a parameter value in the query string to check whether the server accepts it. Also test what happens when a URL is entered directly in the address bar without navigating from the previous page.
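The server-side check that makes the "modify a parameter value" test fail, as an added example that is not from the post: the record id from the query string is parsed defensively and then checked against the authenticated user's ownership. The StudentRecord type, the in-memory store and the current user id are all hypothetical, constructed for this illustration.

```csharp
// Added example (not from the post): handling a record id that arrives in the query string.
// StudentRecord, the store and the user ids are constructed for this illustration.
using System;
using System.Collections.Generic;

public class StudentRecord
{
    public int StudentNumber { get; set; }
    public int OwnerUserId { get; set; }        // the user account allowed to view this record
    public string StudentFirstName { get; set; }
}

public static class StudentRecordHandler
{
    // Constructed sample data: record 1 belongs to user 10, record 2 to user 20.
    private static readonly Dictionary<int, StudentRecord> Store = new Dictionary<int, StudentRecord>
    {
        { 1, new StudentRecord { StudentNumber = 1, OwnerUserId = 10, StudentFirstName = "Tom" } },
        { 2, new StudentRecord { StudentNumber = 2, OwnerUserId = 20, StudentFirstName = "Bruce" } },
    };

    // Vulnerable: the value from ?id=... is trusted as-is, so changing the number in the
    // address bar returns another user's record. This is the behaviour the tester looks for.
    public static StudentRecord GetRecordUnchecked(string idFromQueryString)
    {
        int id = int.Parse(idFromQueryString);  // throws on anything non-numeric
        return Store[id];                       // throws KeyNotFoundException for unknown ids
    }

    // Hardened: validate the parameter's shape, then enforce ownership on the server.
    // Unknown and foreign records both yield null so the caller cannot tell them apart.
    public static StudentRecord GetRecord(string idFromQueryString, int currentUserId)
    {
        int id;
        if (!int.TryParse(idFromQueryString, out id) || id <= 0)
            return null;                        // malformed or tampered parameter

        StudentRecord record;
        if (!Store.TryGetValue(id, out record))
            return null;                        // no such record

        if (record.OwnerUserId != currentUserId)
            return null;                        // belongs to someone else: deny (and log it)

        return record;
    }

    public static void Main()
    {
        // User 10 follows a normal link to their own record, then edits the URL to id=2.
        Console.WriteLine(GetRecord("1", 10) != null);
        Console.WriteLine(GetRecordUnchecked("2").StudentFirstName);   // unchecked: leaks Bruce
        Console.WriteLine(GetRecord("2", 10) == null);                 // hardened: denied
        Console.WriteLine(GetRecord("abc", 10) == null);               // hardened: rejected
    }
}
```

The point of returning null for both "not found" and "not yours" is that the response to a tampered id should not confirm whether the id exists; the denial itself is what the log entry should record.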

3. Test SQL Injection
In UI controls such as textboxes, enter SQL fragments that are always true, like '1=1' (with the quotes).
Make sure the textbox does not accept a single quote ('). If a database error is thrown after entering the above data, the application accepted the input and executed it as part of a statement on the server. This is highly vulnerable.
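Why the quote matters and what the fix looks like, as an added example that is not from the post: the same lookup built by string concatenation and with a parameterized SqlCommand. The Students table and its columns are hypothetical; no database is contacted, the program only shows the statement text each approach produces. Rejecting the quote character at the textbox, as the post suggests, is a useful test signal, but the reliable fix is the parameterized form, which keeps the statement fixed regardless of input.

```csharp
// Added example (not from the post): concatenated versus parameterized query.
// The Students table and its columns are constructed for this illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class StudentLookup
{
    // Vulnerable: the textbox value is pasted into the SQL text, so a value containing a
    // quote changes the statement itself instead of being treated as data.
    public static string BuildQueryUnsafe(string firstName)
    {
        return "SELECT StudentNumber, StudentLastName FROM Students WHERE StudentFirstName = '"
               + firstName + "'";
    }

    // Hardened: the value travels as a typed parameter; the statement text never changes,
    // so quotes or keywords in the input stay plain characters in the comparison.
    public static SqlCommand BuildQuerySafe(SqlConnection connection, string firstName)
    {
        var cmd = new SqlCommand(
            "SELECT StudentNumber, StudentLastName FROM Students WHERE StudentFirstName = @firstName",
            connection);
        cmd.Parameters.Add("@firstName", SqlDbType.NVarChar, 100).Value = firstName;
        return cmd;
    }

    public static void Main()
    {
        // The post's probe: '1=1' typed with its quotes into the textbox.
        string probe = "'1=1'";

        // The quotes collide with the literal's own quotes and the statement is no longer
        // well-formed; the database error the post mentions is the symptom of exactly this.
        Console.WriteLine(BuildQueryUnsafe(probe));

        // Same input through the parameterized command: the text is unchanged and the probe
        // lives only in cmd.Parameters, where it is compared as a string value.
        SqlCommand cmd = BuildQuerySafe(new SqlConnection(), probe);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine(cmd.Parameters["@firstName"].Value);
    }
}
```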

4. Cross Site Scripting (XSS)
The tester should also test for XSS (cross-site scripting). The application should not accept any HTML or script code. Many web applications use variables in the URL to pass data to the server. E.g.:
http://www.mysite.com/Home.aspx?query=abcd
An attacker can easily pass <script> code as the 'query' parameter. When the page is sent, the malicious <script> is executed on the server.
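What reflecting the query parameter looks like with and without output encoding, as an added example that is not from the post: the value from Home.aspx?query=... is written back into the page, once raw and once through System.Net.WebUtility.HtmlEncode. The page fragment and the sample input are constructed; the encoded form is what stops the browser from parsing the submitted text as a tag when it renders the response.

```csharp
// Added example (not from the post): reflecting the 'query' parameter unencoded and encoded.
// The HTML fragment and the probe string are constructed for this illustration.
using System;
using System.Net;

public static class SearchPage
{
    // Vulnerable: the raw parameter is concatenated into the HTML, so markup in it becomes
    // part of the page and the browser runs any script it contains.
    public static string RenderUnsafe(string query)
    {
        return "<p>Results for: " + query + "</p>";
    }

    // Hardened: encode for the HTML text context before inserting. '<' becomes "&lt;", so
    // the browser displays the characters and never treats them as a tag.
    public static string RenderSafe(string query)
    {
        return "<p>Results for: " + WebUtility.HtmlEncode(query) + "</p>";
    }

    // Check a tester can run over a captured response: does the rendered page still contain
    // the raw tag that was submitted? True here means the parameter is reflected unencoded.
    public static bool ContainsRawTag(string html, string tagName)
    {
        return html.IndexOf("<" + tagName, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        string probe = "abcd<script>alert(1)</script>";   // constructed tester input
        Console.WriteLine(RenderUnsafe(probe));
        Console.WriteLine(RenderSafe(probe));
        Console.WriteLine(ContainsRawTag(RenderUnsafe(probe), "script"));   // reflected as-is
        Console.WriteLine(ContainsRawTag(RenderSafe(probe), "script"));     // neutralised
    }
}
```

HtmlEncode is correct for text between tags; a value placed inside an attribute, a URL or a script block needs the encoder for that context instead.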


Note - In order to perform a useful security test of a web application, the tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS.

Did you like the post? Please share your feedback!

Security Testing

Security testing is a testing process which tests an application for confidentiality, integrity, authentication, availability, authorization and non-repudiation.

In short, we can say it verifies that data is available and accessible only to authentic users, and that the amount of data available to each user matches their authorization level.

As more and more transactions are performed online through websites, proper security testing of web applications is becoming very important.

Below are various types of popular security attacks -

URL manipulation -
Some web applications send user data to the server by appending it to the URL. This gives a hacker a chance to manipulate the data and send wrong information.


SQL injection
In this attack, SQL statements are inserted into UI controls of the application. When the page is submitted to the server, those statements are executed on the server, compromising user data.


Spoofing
Attacking users by creating hoax look-alike websites or emails, so that the user navigates to the attacker's site thinking it is the original and enters sensitive data there.


XSS (Cross-site scripting)
Cross-site scripting allows attackers to inject client-side script into pages and bypass access controls.

In the next post we will look at different approaches to test a website for security attacks.

Please let me know your feedback about this post.



Friday, May 20, 2016

Deserialize JSON to C# Object

JSON (JavaScript Object Notation) is a lightweight data-interchange text format.
Because it is lightweight, it is nowadays heavily used as a data interchange medium, and many web services expose data in JSON format.

In this example we will look at sample C# code that consumes JSON data and deserializes it into class objects.

Suppose one of such web service exposes data in below JSON format - 

[{"StudentNumber":1,"StudentFirstName":"Tom","StudentLastName":"Alter"},{"StudentNumber":2,"StudentFirstName":"Bruce","StudentLastName":"Lee"},{"StudentNumber":3,"StudentFirstName":"Bret","StudentLastName":"Lee"},{"StudentNumber":4,"StudentFirstName":"Mickey","StudentLastName":"Mouse"},{"StudentNumber":5,"StudentFirstName":"Donald","StudentLastName":"Duck"},{"StudentNumber":6,"StudentFirstName":"Vicky","StudentLastName":"Joseph"}]

The following sample shows one way of deserializing JSON data to C# objects.

1. First we create a public class with public properties. These properties correspond to the members of the JSON objects. For the above sample JSON the public class would be -

[DataContract]
public class Student
{
    [DataMember] public int StudentNumber { get; set; }
    [DataMember] public string StudentFirstName { get; set; }
    // The JSON member is called StudentLastName, so map it onto this property explicitly
    [DataMember(Name = "StudentLastName")] public string StudentSecondName { get; set; }
}

In the sample JSON the members StudentNumber, StudentFirstName and StudentLastName repeat for every record, so the whole data set will be stored in a collection of type Student.

2. Next we write a method which will download the data and store it in C# objects -
private List<T> JSONToCsharp<T>(string jsonUri)
{
    using (WebClient wc = new WebClient())
    {
        wc.UseDefaultCredentials = true;
        var data = wc.DownloadString(jsonUri);   // the JSON text as downloaded from the service
        // JSON is normally exchanged as UTF-8; 'using' disposes the stream when we are done
        using (MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(data)))
        {
            DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(List<T>));
            var result = serializer.ReadObject(ms);   // returns object; cast to the requested list type
            return (List<T>)result;
        }
    }
}

Once this method has executed, the returned value is a collection of Student in which students[0] corresponds to the first record in the JSON, i.e.
students[0].StudentNumber will be 1
students[0].StudentFirstName will be Tom
students[0].StudentSecondName will be Alter

Let's look at the code in depth -
The code is quite easy to understand. WebClient provides methods for sending data to and receiving data from a resource identified by a URI.

var data = wc.DownloadString(jsonUri)
This downloads the JSON text into the data variable (var lets the compiler infer its type, which is string here).

The DataContractJsonSerializer class serializes objects to JSON and deserializes JSON data back into objects.

When calling the JSONToCsharp method, <T> is replaced with the class name, i.e. Student:
JSONToCsharp<Student>(jsonUri);

The result object returned by ReadObject holds the complete JSON data as a collection of Student. Because ReadObject returns a plain object, the result must be cast to the list type, not to a single Student:
List<Student> students = (List<Student>)result;

Note - The following namespaces are required for the WebClient, DataContractJsonSerializer, DataContract, MemoryStream, Encoding and List classes used above.
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;
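The whole procedure as one runnable console program, added here as an example that is not from the post: it deserializes the post's sample records from an embedded string instead of a web service, maps the JSON name StudentLastName onto the class property, serializes the list back, and shows what the serializer does with a record that carries a member the class does not declare or lacks one it does (the extra member is ignored, the missing one stays null). The third record and the Grade member are constructed for that purpose.

```csharp
// Added example (not from the post): deserialize the sample JSON from a string, then
// serialize it back. The input is embedded here rather than downloaded.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;

[DataContract]
public class Student
{
    [DataMember] public int StudentNumber { get; set; }
    [DataMember] public string StudentFirstName { get; set; }
    [DataMember(Name = "StudentLastName")] public string StudentSecondName { get; set; }
}

public static class StudentJson
{
    // Deserialize a JSON array into a typed list; ReadObject returns object, so cast once here.
    public static List<Student> FromJson(string json)
    {
        var serializer = new DataContractJsonSerializer(typeof(List<Student>));
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(json)))
        {
            return (List<Student>)serializer.ReadObject(ms);
        }
    }

    // Serialize the list back to JSON text using the same contract.
    public static string ToJson(List<Student> students)
    {
        var serializer = new DataContractJsonSerializer(typeof(List<Student>));
        using (var ms = new MemoryStream())
        {
            serializer.WriteObject(ms, students);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    public static void Main()
    {
        // First two records from the post's sample, plus a constructed third record that has
        // an undeclared member (Grade) and no StudentLastName.
        string json = "[{\"StudentNumber\":1,\"StudentFirstName\":\"Tom\",\"StudentLastName\":\"Alter\"},"
                    + "{\"StudentNumber\":2,\"StudentFirstName\":\"Bruce\",\"StudentLastName\":\"Lee\"},"
                    + "{\"StudentNumber\":7,\"StudentFirstName\":\"Ann\",\"Grade\":\"A\"}]";

        List<Student> students = FromJson(json);
        foreach (Student s in students)
            Console.WriteLine("{0} {1} {2}", s.StudentNumber, s.StudentFirstName, s.StudentSecondName ?? "(null)");

        Console.WriteLine(ToJson(students));
    }
}
```

Because the serializer is constructed for the concrete type List<Student>, the input can only ever produce Student objects; any member the class does not declare is dropped rather than interpreted.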

Please do share your views about the post.

Tuesday, April 26, 2016

Verification and Validation

Verification

  • When we check that the application is created as per the SRS (Software Requirement Specification), i.e. the application does what the user wants it to do.
  • It comes before validation.
  • Static testing such as reviews is a verification process.

Validation
  • When we test that the application performs its actions in the correct way. Here we do not check whether the application meets the user requirement; that was already checked in verification. Here we test that whatever the application does, it does correctly.
  • It is performed after verification.
  • Tests are executed in validation.

Let us go through one example - 

Requirement specification says that - 
The user wants to control the lights in 4 rooms by a remote command sent from the UI for each room separately.

Then functional specification is created as follows - 
1. The UI will contain 4 checkboxes labelled according to the rooms they control.
2. When a checkbox is checked, the signal (turn on) is sent to the corresponding light. A green dot appears next to the checkbox.
3. When a checkbox is unchecked, the signal (turn off) is sent to the corresponding light. A red dot appears next to the checkbox.


Verification
We now verify that  - 
  • The requirement specification is complete and correct, such that anyone can understand the requirement easily.
  • The functional specification is derived correctly from the requirement.
  • The source code has functions for the 4 checkboxes to send the signals.


Validation
Now we validate that - 
  • The checkboxes accept input from the user.
  • The lights are actually controlled by the checkboxes.

Please let me know your views about the post.

Monday, April 25, 2016

Severity and Priority of a bug


Every bug has two fields called severity and priority that have always confused most testers.
Let us understand them with simple examples.

Severity 
It means how severe the impact of the bug on the application is.

Priority
It means how soon bug should be fixed.

Now we can have four combinations of severity and priority.

High Priority & High Severity
Consider an application that maintains student details; when a new record is created, the application terminates abruptly.

High Priority & Low Severity
Spelling mistakes on the cover page or title of the application, or the company logo being missing.

Low Priority & High Severity
A feature that is rarely used in the application is broken; say the application has an annual report feature but it picks the wrong months, e.g. January to December instead of April to March.

Low Priority and Low Severity
Any spelling issue within a paragraph or in the alternate text of an image.