What is vulnerability testing?
Posted by shivani1234 in Uncategorized on March 11, 2011
Vulnerability testing identifies the network holes and the weaknesses of the product or application.
QTP Mini program
Posted by shivani1234 in Uncategorized on March 11, 2011
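This counts the number of 'a's in a word.
' Count how many times the letter "a" occurs in a string
str = "adorable"
cntr = 0                      ' initialise the counter so the message shows 0 when nothing matches
l = Len(str)
For i = 1 To l
    ch = Mid(str, i, 1)       ' i-th character of the string
    If ch = "a" Then
        cntr = cntr + 1
    End If
Next
MsgBox "The number of a's present in " & str & " is " & cntr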
Smart Identification in QTP
Posted by shivani1234 in Automation on September 23, 2010
Smart Identification is a mechanism provided by QuickTest to identify dynamic objects whose properties change from time to time (say, a Submit button changes to Save after being clicked once).
Now the text property of that button has changed. If we generate the script statement
Window("windowname").dialog("dialogname").winbutton("submit").click
the statement no longer works, because the Submit button is no longer available in the window.
Generally, Object Identification is done using the physical description (Mandatory and Assistive properties) of that object in the object repository.
But if we want to enable Smart Identification, we have 2 ways:
1) Enable Smart Identification for an Object class
2) Enable Smart Identification for a single Object
If we want to enable Smart Identification for an entire object class:
Go to Object Identification ---> select the environment ---> select the object class ---> check the enable smart identification checkbox in the Object Identification dialog
If we want to enable Smart Identification for a specific object:
Go to Object Repository ---> select the environment ---> select the object class ---> select the object ---> check the enable smart identification checkbox in the Object Repository dialog
We should also select the Base Filter and Optional Filter properties for the selected object class/object.
When we enable Smart Identification, QuickTest will try to locate the object based on these properties only.
Usability Testing
Posted by shivani1234 in Testing Types on September 6, 2010
Usability – Modeling different kind of end-users
While testing for usability I model myself as different kinds of users. But before doing so, I always try to find out for whom this product has been developed. This helps me not to fall into the trap of wasting my time and effort modeling kinds of users that are not required for this product. Suppose I have to model different kinds of users for Orkut; my list would be as follows:
- Teenagers
- Celebrities
- Business Development Managers
- Professors / Lecturers / Teachers
- Students ( This category also comes under Teenagers, but sometimes other than teenagers too )
- Old people with more than 60+ age
- Developers
- Testers
- Script Kiddies
This list might vary from product to product. But brainstorming different kinds of users might help you achieve more coverage of the product. Depending on the list of different kinds of end-users, you might have different categories for test ideas. Or you could use your own approach.
You might want to ask how modeling yourself helps you in providing information about the usability quality criteria.
Example 1: Celebrities generally join social networking portals to market their movie or to create hype about the movie or anything that might be. How usable is the portal for celebrities? They might not have used the portal before and this is the first time. How this helps them? Is everything developed so well that a celebrity could register without much hiccup(s)?
Example 2: Old people aged 60+ tend to have visual problems. They might be partially blind, but they might still want to be on social networking portals to get in touch with their buddies and remember their college days and old days. How does this product help them? Do they have any screen readers? Do they have any pan and zoom feature that has been integrated to help old people?
Let's explore usability testing in more detail…
What is usability? It is user interface testing, or testing for user friendliness… this definition is not enough, it is a very common definition… let's go in depth…
1) We test the application from the user's point of view to ensure the application is user friendly.
Just keep in mind that usability testing is different from functionality testing, as the latter involves validating the software against the requirements only.
In simple words, usability testing includes screen design, consistency in the user interface, and proper naming conventions of the menus and options.
2) Okay, let's talk about validation activity: is usability testing a validation activity? Yes, it is a validation activity, because usability plays an important role in the acceptability of the product by the majority of the users. A fairly non-buggy software could prove to be a disaster if the users find it awkward to use and demanding; usability testing saves us from such situations.
Usability testing is a component of high-level testing, which involves complete products, but as in the case of other testing, it is better to start early in the development cycle. The most appropriate way of ensuring usability is by planning it in two phases: first at the development stage and second in the post-development stage as part of the formal validation stage. Usability has to be kept in mind while developing any product. Usability should be included within the design specification to address usability issues very early in the development cycle. The focus should be to specifically include usability provisions in the specifications of the product. If an existing product is being redesigned or a small modification is done, usability issues can be avoided by using a similar layout of the user interface, as users who are already familiar with the product will find it more usable.
Security Testing
Posted by shivani1234 in Testing Types on September 6, 2010
Herewith, I’ve consolidated a few points about testing security that I collected from various documents.
Using the general security scenarios mentioned below, you can derive some general test cases for security.
- Is security adequate?
- Is confidentiality/user privacy protected?
- Is access only successful with 128 bit browsers?
- Does the site prompt for user name and password?
- Does site ask for personal information of children? If so, is it acquired through secure pages with warning information for parents?
- Are there Digital Certificates, both at server and client?
- Have you verified where encryption begins and ends?
- Are concurrent log-ons permitted?
- Does the application include time-outs due to inactivity?
- Is bookmarking disabled on secure pages?
- Does the key/lock display on status bar for insecure/secure pages?
- Is Right Click, View, Source disabled?
- Are you prevented from doing direct searches by editing content in the URL?
- If using Digital Certificates, test the browser Cache by enrolling for the Certificate and completing all of the required security information. After completing the application and installation of the certificate, try using the <– BackSpace key to see if that security information is still residing in Cache. If it is, then any user could walk up to the PC and access highly sensitive Digital Certificate security information.
- Is there an alternative way to access secure pages for browsers under version 3.0, since SSL is not compatible with those browsers?
- Do your users know when they are entering or leaving secure portions of your site?
- Does your server lock out an individual who has tried to access your site multiple times with invalid login/password information?
To test security for a web application in general, we can do:
1. access control checking
2. authorization checking
3. encryption and decryption
1 & 2 can be done by the testing team, whereas the 3rd one is done by the development team.
If you have more knowledge of how to break the system and write some virus programs, then you can test for that also.
I hope these are the basic things that we test for web security.
- Are there Digital Certificates, both at server and client?
- Have you verified where encryption begins and ends?
I think both these points need more explanation, especially the second one. As per my knowledge, once you are in an encryption algorithm you do not have control to check such things, as it simply takes input (encryption bit size, public/private key, data) and gives you output.
I want to add some more points on the above topic:
Software security is about making software behave in the presence of a malicious attack, even though in the real world, software failures usually happen spontaneously—that is, without intentional mischief.
The difference between software safety and software security is therefore the presence of an intelligent opponent curved (unauthorized) on breaking the system.
If you are going to break software security, then we should think like an attacker, isn't it?
White- and black-box testing and analysis methods both attempt to understand software, but they use different approaches depending on whether the analyst or tester has access to source code.
White-box analysis involves analyzing and understanding source code and the design. It’s typically very effective in finding programming errors (bugs when automatically scanning code and flaws when doing risk analysis); in some cases, this approach amounts to pattern matching and can even be automated with a static analyzer (the subject of a future installment of this department). One drawback to this kind of testing is that it might report potential weakness where none actually exists (a false positive). Nevertheless, using static analysis methods on source code is a good technique for analyzing certain kinds of software. Similarly, risk analysis is a white-box approach based on a deep understanding of software architecture.
Black-box analysis refers to analyzing a running program by probing it with various inputs. This kind of testing requires only a running program and doesn’t use source-code analysis of any kind. In the security example, malicious input can be supplied to the program in an effort to break it. If the program breaks during a particular test, then we might have discovered a security problem. Black-box testing is possible even without access to binary code—that is, a program can be tested remotely over a network. If the tester can supply the proper input (and observe the test’s effect), then black-box testing is possible.
Any testing method can reveal possible software risks and potential exploits. One problem with almost all kinds of security testing (regardless of whether it’s black- or white-box) is the lack of it—
Peer Testing
Posted by shivani1234 in Testing Types on September 6, 2010
This is true, peer means “A person who is of equal standing with another in a group” and review is known to everyone.
So when this term comes up in the testing field, it means reviewing your colleague’s work if you are working together. For example, suppose you and your colleague are assigned to write test cases for a particular module and you have mutually decided to work in one fashion; then you both review each other’s work in terms of correctness, sequence, completeness and duplication.
This is the general process everyone follows, or you may be reviewing the authored test cases in terms of helping your TL to finalize the test cases.
This is all about ‘peer review’, my dear friend. Hope this will help you.
Cookie Testing
Posted by shivani1234 in Testing Types on September 6, 2010
Test cases:
1) As a cookie privacy policy, make sure from your design documents that no personal or sensitive data is stored in the cookie.
2) If you have no option other than saving sensitive data in a cookie, make sure the data stored in the cookie is in encrypted format.
3) Make sure that there is no overuse of cookies on your site under test. Overuse of cookies will annoy users if browser is prompting for cookies more often and this could result in loss of site traffic and eventually loss of business.
4) Disable the cookies from your browser settings: If you are using cookies on your site, your site's major functionality will not work when cookies are disabled. Then try to access the web site under test. Navigate through the site. See if appropriate messages are displayed to the user, like “For smooth functioning of this site make sure that cookies are enabled on your browser”. There should not be any page crash due to disabling the cookies. (Please make sure that you close all browsers and delete all previously written cookies before performing this test.)
5) Accepts/Reject some cookies: The best way to check web site functionality is, not to accept all cookies. If you are writing 10 cookies in your web application then randomly accept some cookies say accept 5 and reject 5 cookies. For executing this test case you can set browser options to prompt whenever cookie is being written to disk. On this prompt window you can either accept or reject cookie. Try to access major functionality of web site. See if pages are getting crashed or data is getting corrupted.
6) Delete cookie: Allow site to write the cookies and then close all browsers and manually delete all cookies for web site under test. Access the web pages and check the behavior of the pages.
7) Corrupt the cookies: Corrupting a cookie is easy. You know where cookies are stored. Manually edit the cookie in Notepad and change the parameters to some vague values, for example alter the cookie content, the name of the cookie or the expiry date of the cookie, and see how the site behaves. In some cases corrupted cookies allow the data inside them to be read by another domain. This should not happen with your web site's cookies. Note that cookies written by one domain, say rediff.com, can’t be accessed by another domain, say yahoo.com, unless and until the cookies are corrupted and someone is trying to hack the cookie data.
8) Checking the deletion of cookies from your web application page: Sometimes a cookie written by a domain, say rediff.com, may be deleted by the same domain but by a different page under that domain. This is the general case if you are testing some ‘action tracking’ web portal. An action tracking or purchase tracking pixel is placed on the action web page, and when any action or purchase is made by the user, the cookie written on disk gets deleted to avoid multiple actions being logged from the same cookie. Check that reaching your action or purchase page deletes the cookie properly and that no more invalid actions or purchases get logged from the same user.
9) Cookie Testing on Multiple browsers: This is the important case to check if your web application page is writing the cookies properly on different browsers as intended and site works properly using these cookies. You can test your web application on Major used browsers like Internet explorer (Various versions), Mozilla Firefox, Netscape, Opera etc.
10) If your web application is using cookies to maintain the logging state of any user then log in to your web application using some username and password. In many cases you can see the logged in user ID parameter directly in browser address bar. Change this parameter to different value say if previous user ID is 100 then make it 101 and press enter. The proper access message should be displayed to user and user should not be able to see other users account.
These are some Major test cases to be considered while testing website cookies. You can write multiple test cases from these test cases by performing various combinations. If you have some different application scenario, you can mention your test cases in comments below.
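Test cases 1, 2, 7 and 10 can be automated on the server side. The following is an added example, not code from the original post: it flags cookies that carry readable personal data and shows one way (an HMAC signature, which the post does not mention) to make an edited cookie value detectable. The key, cookie names and sample headers are constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client

# Data that test cases 1 and 2 say must not be readable in a cookie.
SENSITIVE = {
    "email address": re.compile(r"[^@\s=;]+@[^@\s=;]+\.[a-z]{2,}", re.I),
    "card-like number": re.compile(r"\b\d{13,16}\b"),
    "password field": re.compile(r"pass(word|wd)?|pwd", re.I),
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value), ignoring attributes."""
    pair = header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def audit_cookie(header):
    """Test cases 1-2: list the kinds of sensitive data visible in the cookie."""
    name, value = parse_set_cookie(header)
    findings = []
    for label, pattern in SENSITIVE.items():
        # Password cookies are recognised by name, the rest by value.
        target = name if label == "password field" else value
        if pattern.search(target):
            findings.append(label)
    return findings


def _mac(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def sign(value):
    """Server side: append an HMAC so later edits to the value are detectable."""
    return f"{value}.{_mac(value)}"


def verify(cookie_value):
    """Test cases 7 and 10: return the value only if it has not been edited."""
    value, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None  # no signature at all
    ok = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if ok else None


# Constructed sample Set-Cookie values (not taken from any real site).
SAMPLES = [
    "email=alice@example.test; Path=/",
    "password=hunter2; Path=/",
    "session=" + sign("uid=100") + "; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(parse_set_cookie(header)[0], audit_cookie(header))
    good = sign("uid=100")
    edited = good.replace("uid=100", "uid=101")  # the user ID edit from test case 10
    print(verify(good), verify(edited))
```

A signature only detects edits; it does not hide the value, so data that must stay private still needs the encryption called for in test case 2.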
Testcases for date field validation
Posted by shivani1234 in Manual Testing on August 27, 2010
It has a calendar provided beside the textbox (we need to select the date from the text box).
1. Should accept dates in any format as decided, i.e. dd/mm/yy or mm/dd/yy or yyyy (ex: 1983). Client machine has some format set in regional settings.
2. If the date field is system driven then the format specified in the system should be accepted.
3. Need labels near date field for date format.
4. Cannot be left blank generally.
5. Cannot accept characters in the date function.
6. Should take 30/31 days according to the month of the year.
7. Should accept 29 days of February in the leap year.
8. Should not accept 000000 as a date.
9. Should not accept more than 12 as the month value.
10. Should accept 01 or 1 as the month value. The same holds true for day value.
11. Should not accept only XX if the format specified is yyyy.
12. Start date < end date.
13. Separator can be either '-' or '/'.
14. Validation of dates should be done by the dates on the server and not on the client.
15. Either any one of the date/month/year should be 00.
16. The present date should not be less than other dates.
17. We should also try characters and special characters if the text box is editable.
18. We should specifically try dates like 30-02-2004 (dd-mm-yyyy).
19. If we click on the text box the calendar should open.
20. We should be able to select the desired day on the calendar.
21. After we click on the selected date, the date should appear in the box and the calendar should disappear.
These should be the test cases for the selection of date in the text box
1. Click on the calendar icon in front of the date field. The calendar should open.
2. In the calendar, the current date should be selected.
3. We should be able to select the desired date on the calendar.
4. After clicking on the selected date, the date should appear in the box and the calendar should disappear.
12.start date 31 similarily month should be< 12 and year as per requirement)
3) Also try characters and special characters in the date if the textbox is editable.
4) Try dates like 30-02-2004, i.e. validation for the month of February.
5) Check as per requirement if all parts are separated with a / or – or . sign.
6) 1980- -1980 20/10/2006 etc. if given in the requirement; this is usually given in search, where 1980- means search for records after 1980 and so on.
Bikram Cheema
(Third party Calendar controls/date pickers will have a text box attached with a button/icon beside it) You can consider the following test cases for a calendar control.
There may be many cases, depending on whether the text box is editable or not, the purpose of the date field, etc.
1. Ensure that calendar window is displayed and active when the calendar is invoked by pressing the calendar icon. (Once we faced an issue the calendar window is in minimized state when we invoked the calendar.)
2. Ensure that calendar date is defaulted to system date.
3. Ensure that when a date is selected in the calendar (double click or some other method) the selected date is displayed in the text box.
What is difference between repeatable and reusable test case? and what is
Posted by shivani1234 in Manual Testing on August 12, 2010
Repeatable means executing the same script a number of times in the same project. Reusable means executing the same script a number of times in different projects. A self-cleaning test case means the user can return to the location from where he/she started to execute the test case.
Test case for an online purchasing system? What testings
Posted by shivani1234 in Manual Testing on August 12, 2010
1) Validate the details of the item are displayed as in the database.
2) Validate the availability of the item and number available through the database.
3) Validate that when you select the item in the front end (like a check box) it gets selected.
4) Validate you get an error message if you are not a registered user.
5) Validate you are able to click the 'submit' button and the page is reloaded.
6) Validate whether you get a success message with the form to fill the required info like credit card details and all.
7) Validate that in the database the required updates are done.
For an online purchasing system we must perform a load test as well as a stress test, like how many user requests can be processed at a time.