
Security Testing

Security testing is a process performed with the intention of revealing flaws in security mechanisms and finding the vulnerabilities or weaknesses of software applications. Recent security breaches of systems at retailers like Target and Home Depot, as well as the Apple Pay competitor CurrentC, underscore the importance of ensuring that your security testing efforts are up to date.

The prime objective of security testing is to find out how vulnerable a system may be and to determine whether its data and resources are protected from potential intruders. Online transactions have increased rapidly of late, making security testing one of the most critical areas of testing for such web applications. Security testing is more effective in identifying potential vulnerabilities when performed regularly.

Normally, security testing has the following attributes:

  • Authentication
  • Authorization
  • Confidentiality
  • Availability
  • Integrity
  • Non-repudiation
  • Resilience


Security testing, in the current scenario, is a must to identify and address web application security vulnerabilities and to avoid any of the following:

  • Loss of customer trust.
  • Disturbance to your online means of revenue generation/collection.
  • Website downtime, time loss and expenditures in recovering from damage (reinstalling services, restoring backups, etc.)
  • Cost associated with securing web applications against future attacks.
  • Related legal implications and fees for having lax security measures in place.


Here are the different types of threats that can be used to take advantage of a security vulnerability.

Privilege Elevation

Privilege elevation is a class of attack in which a hacker who already has an account on a system uses it to increase their privileges to a higher level than they were meant to have. If successful, this type of attack can result in the hacker gaining privileges as high as root on a UNIX system. Once a hacker gains super-user privileges, they are able to run code with this level of privilege and the entire system is effectively compromised.

SQL Injection

SQL injection is the most common application-layer attack technique used by hackers, in which malicious SQL statements are inserted into an entry field for execution. SQL injection attacks are very critical, as an attacker can obtain critical information from the server database. It is a type of attack that takes advantage of loopholes in the implementation of web applications and allows a hacker to compromise the system. To check for SQL injection we have to take care of input fields like text boxes, comments, etc. To prevent injections, special characters in the input should be either properly handled (escaped) or rejected.

Unauthorized Data Access

One of the more popular types of attacks is gaining unauthorized access to data within an application. Data can be accessed on servers or on a network.

Unauthorized access includes:

  • Unauthorized access to data via data-fetching operations
  • Unauthorized access to reusable client authentication information by monitoring the access of others
  • Unauthorized access to data by monitoring the access of others

URL Manipulation

URL manipulation is the process of modifying a website's URL query strings in order to capture important information. This is possible when the application uses the HTTP GET method to pass information between the client and the server, because the information is passed as parameters in the query string. The tester can modify a parameter value in the query string to check whether the server accepts it.

Denial of Service

A denial-of-service (DoS) attack is an explicit attempt to make a machine or network resource unavailable to its legitimate users. Applications can also be attacked in ways that render the application, and sometimes the entire machine, unusable.

Data Manipulation

In data manipulation, a hacker changes data used by a website in order to gain some advantage or to embarrass the website’s owners. Hackers will often gain access to HTML pages and change them to be satirical or offensive.

Identity Spoofing

Identity spoofing is a technique where a hacker uses the credentials of a legitimate user or device to launch attacks against network hosts, steal data or bypass access controls. Preventing this attack requires IT-infrastructure and network-level mitigations.

Cross-Site Scripting (XSS)

Cross-site scripting is a computer security vulnerability found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users, typically by tricking a user into opening a crafted URL. Once executed by the other user's browser, this code could perform actions such as completely changing the behavior of the website, stealing personal data, or performing actions on behalf of the user.

The attacks listed above are the most critical threat classes, but they are not the only ones.

Security Testing


To prevent all of the above threats and flaws and to perform security testing on a web application, it is necessary to have good knowledge of the HTTP protocol and an understanding of client (browser) to server communication over HTTP. Basic knowledge of SQL injection and XSS is also required. The following techniques will help in performing quality security testing:

Cross Site Scripting (XSS):

The tester should additionally check the web application for XSS (cross-site scripting). Any HTML tag, e.g. <HTML>, or any script tag, e.g. <SCRIPT>, should not be accepted by the application. If it is, the application may be prone to a cross-site scripting attack.

Attackers can use this method to execute malicious scripts or URLs on a victim’s browser. Using cross-site scripting attackers can use scripts like JavaScript to steal user cookies and information stored in the cookies.

Cross Site Scripting Testing can be done for:

  1. Apostrophe
  2. Greater-Than Sign
  3. Less-Than Sign
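The checks above boil down to one question: does a metacharacter sent as input come back in the page with its meaning intact? The following is an added example (not code from the original post) that demonstrates that check in Python. It renders a constructed comment template two ways, once by raw interpolation and once through html.escape, and probes each with the three characters from the list plus a script tag. The canary string, template and function names are assumptions made for this example.

```python
import html

# Constructed canary: wrapping each metacharacter in an unusual token lets the
# tester search for the exact injected string rather than for any "<" on the
# page (the template itself contains angle brackets, so a bare search would
# always match).
CANARY = "x7q"

# Probes from the page's XSS test list (apostrophe, greater-than, less-than)
# plus a script tag; all constructed for this example.
XSS_METACHARS = ["'", ">", "<", "<script>alert(1)</script>", "<HTML>"]


def render_comment_unsafe(comment):
    """Interpolates user input straight into the HTML: the flaw the page describes."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    """Output-encodes <, >, &, ' and \" so the input can only ever be text."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def probe_string(meta):
    """Build the tester's input: canary + metacharacter + canary."""
    return CANARY + meta + CANARY


def reflected_unencoded(render, meta):
    """True if the probe reaches the response with its metacharacter intact."""
    needle = probe_string(meta)
    return needle in render(needle)


def audit(render):
    """Run every probe against one renderer; a True value is a finding."""
    return {meta: reflected_unencoded(render, meta) for meta in XSS_METACHARS}


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_comment_unsafe),
                           ("safe", render_comment_safe)):
        print(name, audit(renderer))
```

The same audit function works against any renderer or HTTP response body: feed it the probe, search for the exact canary-wrapped string, and treat an unencoded reflection as a finding to fix with output encoding rather than by blacklisting characters.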

Ethical Hacking

Ethical hacking means hacking performed by a company or individual to help identify potential threats on a computer or network. An ethical hacker attempts to bypass the system security and search for any vulnerability that could be exploited by malicious hackers aka Black hats. White hats may suggest changes to systems that make them less likely to be penetrated by black hats.

Password Cracking

Password cracking is the most critical part of system testing. In order to access the private areas of an application, hackers can use a password cracking tool or can guess a common username/password. Common usernames and passwords are easily available online, along with open source password cracking applications. Until a web application enforces a complex password (e.g. a long password with a combination of numbers, letters and special characters), it is easy to crack the username and password. Another way of obtaining the username/password is to target cookies, if the cookies are stored without encryption.

Penetration Testing

A penetration test is an attack on a computer system with the intention of finding security loopholes, potentially gaining access to it, its functionality and data.

Risk Assessment

This is a process of assessing and deciding on the risk involved with the type of loss and the possibility of vulnerability occurrence. This is determined within the organization by various interviews, discussions and analysis.

Security Auditing

A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.

Security Scanning

This is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application, OS and Networks.

SQL Injection:

The next thing that should be checked is SQL injection. Entering a single quote (') in any textbox should be rejected by the application. If instead the tester encounters a database error, it means that the user input is inserted into some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical, as attackers can obtain vital information from the server database. To check the SQL injection entry points into your web application, find the code in your code base where direct MySQL queries are executed against the database using user input.

SQL Injection Testing can be done for:

  • Apostrophes
  • Brackets
  • Commas
  • Quotation marks
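To make the page's two SQL injection checks concrete (a database error on a single quote means input reached the query; string concatenation of input into MySQL queries is the entry point to look for), here is an added example that is not part of the original post. It builds a constructed in-memory SQLite users table, implements the same login query twice (once by concatenating input, once with bound parameters), and runs the probe characters from the list above plus a classic tautology against both. The table, rows and function names are assumptions for this example; the mitigation shown, parameterized queries, applies equally to MySQL drivers.

```python
import sqlite3

# Probe strings from the page's SQL injection test list (apostrophe, brackets,
# comma, quotation mark) plus a tautology; all constructed for this example.
PROBES = ["'", "(", ")", ",", '"', "' OR '1'='1"]


def make_db():
    """Create an in-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text: the flaw the page describes."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bound parameters: the input is passed as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe(login):
    """Send each probe as the password for a known user and record the symptom
    a tester looks for: a database error (input reached the parser) or rows
    returned for a password that cannot be correct."""
    conn = make_db()
    results = {}
    for p in PROBES:
        try:
            rows = login(conn, "alice", p)
            results[p] = "rows:%d" % len(rows)
        except sqlite3.Error:
            results[p] = "db-error"
    return results


def is_vulnerable(login):
    """A login routine is flagged if any probe errors or returns a row."""
    return any(v != "rows:0" for v in probe(login).values())


if __name__ == "__main__":
    print("vulnerable:", probe(login_vulnerable))
    print("safe:      ", probe(login_safe))
```

Against the concatenating version, the apostrophe produces a database error and the tautology logs in as every user, because the WHERE clause becomes `... AND password = '' OR '1'='1'`; the parameterized version returns no rows for any probe and still authenticates the real password. Note that the brackets and comma alone produce no error here, which is why a tester uses several probes rather than a single character.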

Vulnerability Scanning

Vulnerability scanning uses an automated program to proactively identify security vulnerabilities of computing systems in a network and to determine where a system can be exploited and/or threatened.

Posture Assessment

This describes the overall security posture of an organization; it is a combination of Ethical hacking, Security scanning and Risk Assessment.

URL manipulation through HTTP GET methods:

The HTTP GET method is used between the application client and server to pass information. The tester needs to verify whether the application is passing vital information in the query string, since information sent via HTTP GET is carried as parameters in the query string. To test this, a parameter value can be modified in the query string to check whether the server accepts it.

Generally user information is passed through an HTTP GET request to the server, either for authentication or for fetching data. Hackers can manipulate the input of this GET request so that the required information can be gathered or the data corrupted. Any abrupt behavior of the application or web server under such conditions is the key for a hacker to slip into the application.

Ad hoc Data Testing can also be done as a part of security testing:

  • Testing random data which is included in requests.
  • Testing random data which is included as parameters.
  • Testing encoded random data included as parameters.
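Putting the GET parameter check and the ad hoc data tests above together: the test is to change a query-string value to another user's identifier, and to random or malformed values, and watch whether the server accepts them or misbehaves. The following is an added Python example, not code from the original post, with a constructed account store and session table. It shows an account view that trusts the account parameter outright beside one that ties the record to the authenticated session and answers malformed input with a plain 404 instead of an error. The URL, handler and data names are assumptions for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed data: two accounts owned by two users, and two logged-in sessions.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 120},
            "1002": {"owner": "bob", "balance": 75}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _account_param(url):
    """Pull the 'account' value out of the query string (first value only)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("account", [""])[0]


def account_view_vulnerable(url, session_id):
    """Authenticates the session but then serves whatever account id the
    query string names: the URL manipulation flaw the page describes."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(_account_param(url))
    if record is None:
        return 404, None
    return 200, record


def account_view_fixed(url, session_id):
    """Same parsing, but the record must belong to the authenticated user.
    A foreign or malformed id gets the same 404 as a missing one, so the
    response gives no hint whether the tampered id exists."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(_account_param(url))
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def tamper_test(handler):
    """The tester's procedure: request your own record, then modify the
    parameter to another user's id, then to malformed/random data, and
    record the status code the server answers with."""
    base = "https://app.example/account?account="
    return {
        "own": handler(base + "1001", "sess-alice")[0],
        "tampered": handler(base + "1002", "sess-alice")[0],
        "malformed": handler(base + "1002'", "sess-alice")[0],
        "random": handler(base + "zz%00%ff", "sess-alice")[0],
    }


if __name__ == "__main__":
    print("vulnerable:", tamper_test(account_view_vulnerable))
    print("fixed:     ", tamper_test(account_view_fixed))
```

A 200 on the "tampered" request is the finding: the server accepted a modified parameter and returned another user's data. The fix is an ownership check on the server side, never a client-side or URL-level restriction.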

Buffer Overflow Testing

  • Boundary value testing on Lengths of strings e.g. 128 bytes, 256 bytes, 1024 bytes
  • Long strings of a single character
  • Varied string patterns


We can take the following approach while preparing and planning for Security testing:

  • Security Architecture Study: The first step is to understand the business requirements, security goals and objectives in terms of the organization's security compliance. Test planning should consider all security factors; for example, the organization might have planned to achieve PCI compliance.
  • Security Architecture Analysis: Understand and analyze the requirements of the application under test.
  • Classify Security Testing: Collect all system setup information used in the development of the software and networks, such as operating systems, technology and hardware. Draw up the list of vulnerabilities and security risks.
  • Threat Modelling: Based on the above step, prepare a threat profile.
  • Test Planning: Based on the identified threats, vulnerabilities and security risks, prepare a test plan to address these issues.
  • Traceability Matrix Preparation: For each identified threat, vulnerability and security risk, prepare a traceability matrix.
  • Security Testing Tool Identification: Not all security testing can be executed manually, so identify the tools to execute all security test cases faster and more reliably.
  • Test Case Preparation: Prepare the security test case document.
  • Test Case Execution: Execute the security test cases and retest the defect fixes. Execute the regression test cases.
  • Reports: Prepare a detailed report of the security testing which lists the vulnerabilities and threats addressed, details the risks, and records the issues still open.


These are just a few of the security testing tools available for web applications.

Tool: BeEF
Description: BeEF (Browser Exploitation Framework) is a tool which focuses on the web browser. It takes advantage of the fact that an open web browser is the crack into a target system and designs its attacks to go on from this point onwards.
Requirement: Linux, Apple Mac OS X and Microsoft Windows

Tool: BFBTester (Brute Force Binary Tester)
Description: BFBTester is a tool for security checks of binary programs. It performs checks of single and multiple argument command line overflows and environment variable overflows. It also alerts the security professional to any programs using unsafe tempfile names by watching for tempfile creation activity.
Requirement: POSIX, BSD, FreeBSD, OpenBSD, Linux

Tool: Brakeman
Description: Brakeman is an open source vulnerability scanner designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
Requirement: Rails 3

Tool: CROSS
Description: The CROSS (Codenomicon Robust Open Source Software) program is designed to help open source projects that are part of the infrastructure of the internet fix critical flaws in their code. Codenomicon's product line is a suite of network protocol testing tools called DEFENSICS which helps the projects find and fix a large number of critical flaws very rapidly.
Requirement: 130 protocol interfaces and formats

Tool: Ettercap
Description: Ettercap is a free and open source network security tool for man-in-the-middle (MITM) attacks on a LAN. It can be used to analyze computer network protocols within a security auditing context.

Tool: Flawfinder
Description: A program that scans C/C++ source code and reports potential security flaws. By default, it sorts its reports by risk level.
Requirement: Python 1.5 or greater

Tool: Gendarme
Description: Gendarme is an extensible rule-based tool to find problems in .NET applications and libraries. It inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET) and looks for common problems with the code that compilers do not typically check or have not historically checked.
Requirement: .NET (Mono or MS runtime)

Tool: Knock Subdomain Scan
Description: Knock is an effective scanning tool for zone transfer discovery, subdomain enumeration and wildcard testing with an internal or external wordlist. It can be very helpful in a black box penetration test to find vulnerable subdomains.
Requirement: Linux, Windows and Mac OS X with Python version 2.x

Tool: Metasploit
Description: The Metasploit Framework is an advanced open source platform for developing, testing and using exploit code. The project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development and vulnerability research.
Requirement: Win32 / UNIX

Tool: Nessus
Description: The Nessus vulnerability scanner is the world leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.
Requirement: Linux, Solaris, Mac, Windows

Tool: Nikto
Description: Nikto is an open source web server scanner that specifically targets web servers to detect outdated software, misconfigurations, invalid data and/or CGIs, etc. It performs comprehensive tests, many times over, against web servers.
Requirement: Windows/UNIX

Tool: Nmap
Description: Nmap (Network Mapper) is an open source scanner for network discovery and security auditing. Nmap uses raw IP packets to determine the available hosts on the network, what services (application name, version) those hosts are offering, what operating systems and OS versions they are running, what type of packet filters/firewalls are in use, and other such characteristics.
Requirement: Linux, Windows and Mac OS X

Tool: nsiqcppstyle
Description: nsiqcppstyle aims to provide an extensible, easy to use, highly maintainable coding style checker for C/C++ source code. The rules and analysis engine are separated, and users can develop their own C/C++ coding style rules. Furthermore, there is a customizable rule server as well.
Requirement: Platform independent

Tool: Oedipus
Description: Oedipus is an open source web application security analysis and testing suite written in Ruby. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities.
Requirement: OS independent

Tool: Zed Attack Proxy
Description: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
Requirement: Windows, Linux, Mac OS

Tool: Paros
Description: Paros is a Java-based HTTP/HTTPS proxy for assessing web application vulnerabilities. All HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified using this scanner.
Requirement: Cross-platform, Java JRE/JDK 1.4.2 or above

Tool: Social-Engineer Toolkit
Description: The Social-Engineer Toolkit (SET) is an open source tool built on the idea that attacks are targeted at the human element rather than the system element. It enables you to send emails, Java applets, etc. containing the attack code.
Requirement: Linux, Apple Mac OS X and Microsoft Windows

Tool: Skipfish
Description: Skipfish is an active web application vulnerability scanning tool. Security professionals use it to scan their own sites for vulnerabilities. Reports generated by the tool are meant to serve as a foundation for professional web application security assessments.
Requirement: Linux, FreeBSD, Mac OS X and Windows

Tool: Vega
Description: Vega is a GUI-based, multi-platform, open source web security tool used to find instances of SQL injection, cross-site scripting (XSS) and other vulnerabilities in web applications. Vega also includes an intercepting proxy for interactive web application debugging. Vega attack modules are written in JavaScript, so users can easily modify them or write their own.
Requirement: Java, Linux, Windows

Tool: Wapiti
Description: Wapiti is an open source web-based tool that scans the web pages of deployed web applications, looking for scripts and forms where it can inject data. It is built with Python and can detect file handling errors, database, XSS, LDAP and CRLF injections, and command execution.
Requirement: Python

Tool: WebScarab
Description: A framework with multiple plug-ins, written entirely in Java, for analyzing applications that communicate through the HTTP/HTTPS protocols. This tool is primarily designed for developers who can write code themselves.
Requirement: OS independent

Tool: Websecurify
Description: Websecurify is an open source tool that automatically identifies web application vulnerabilities using advanced discovery and fuzzing technologies. It can create simple reports once run. The tool is multilingual.
Requirement: Unix, Linux and Windows

Tool: Wireshark
Description: Wireshark, earlier known as Ethereal, is a network packet analyzer. It is used by network professionals around the globe for troubleshooting, analysis, software and protocol development. As a network protocol analyzer it has all the standard features one would expect, and many features not available in any competitive product.
Requirement: Unix, Linux, and W

You will become a master if you follow these steps for JMeter

8. https://www.youtube.com/watch?v=3TZegZPz3a4&list=UU8w8_H_1uDfi2ftQx7a64uQ



Appium tutorial [Steps for Windows & OSX]

Step-by-step guide for installing Appium on Windows


  1. Download Android SDK
  2. Android Setup guide: http://spring.io/guides/gs/android/
  3. Android-Sdk must be installed and ANDROID_HOME set
    1. http://developer.android.com/sdk/older_releases.html
    3. VARIABLE VALUE: C:\android_sdk\adt-bundle-windows-x86_64-20131030\sdk
    4. Open CMD and go to the location: C:\android_sdk\adt-bundle-windows-x86_64-20131030\sdk
    5. Type: android
    6. Inside AVD Manager Select the Tools checkbox.
    7. Select the checkbox for the latest Android SDK, Android 4.2.2 (API Level 17) as of this writing.
    8. From the Extras folder, select the checkbox for the Android Support Library.
    9. Click the Install packages… button to complete the download and installation.
  4. Create AVD Emulators
  5. android create avd --name Default --target "android-19" --abi armeabi-v7a
    1. --name Name of the new AVD.
    2. --target Target ID of the new AVD.
    3. --abi The CPU/ABI to use for the AVD.
  6. android list targets (displays a list of available targets)
  7. android list avd (Shows the list of virtual devices created)
  8. emulator -avd Default (Verify that emulator is working fine)

PATH: %ANDROID_HOME%\tools;%ANDROID_HOME%\platform-tools



Step-by-Step Guide for Installing Appium on OS X:

Visit: http://appium.io/


Installed OSX 10.9.2 (Mavericks)

Installed XCode Version 5.1 (5B130a)

Step: 1 Install Node.js

Install Homebrew v.0.9.5 (in order to do a brew install in next step)

Install Node.js and npm with Homebrew

First, install Homebrew. Open the terminal and type:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then, run brew update to ensure your Homebrew is up to date.

brew update

As a safe measure, run brew doctor to make sure your system is ready to brew. Follow any recommendations from brew doctor.

brew doctor

Next, add the Homebrew location to your $PATH and source your bash or zsh profile file after adding/saving this:

export PATH="/usr/local/bin:$PATH"

Next, install Node (npm will be installed with node):

brew install node

Step 2: Install APPIUM

run 'npm install -g appium'

run 'npm install wd' (you might need to use sudo)

Now run 'authorize_ios'

You might get this error: “error stderr maxbugger exceeded”

Running again as 'sudo authorize_ios', but now seeing:

— error: Appium will not function correctly if used under sudo. Please rerun as a non-root user. If you had to install Appium using `sudo npm install -g appium`, the solution is to reinstall Node using a method (Homebrew, for example) that doesn’t require sudo to install global npm packages.

Since authorize_ios does not work with sudo, you need to manually run chown on the Applications dir. I just ran this:

cd '/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator7.1.sdk'

sudo chown -R <yourusername>:staff Applications

Once everything is done, just type 'appium &' in the terminal. This will start Appium and you should be ready to use it.

Appium On Windows





Best Automation Tools 2016












ParaSoft API Test

Parasoft Service Virtualization is a product you need to seriously consider if you are developing applications that you have to test. But before I continue, let me step back a bit.

What is one of the first things you do when setting up a test environment? Well I guess that largely depends on your budget. Let us assume we all work for a company that conforms to best practices with regards to software development and the SDLC.

The easiest way to emulate the client site is to use virtualization. My current favourite being VirtualBox, but VMWare is also a great choice. Setting up a copy of the client site on a VM is the best method for testing your custom applications. It now gets even better with Parasoft Service Virtualization.

One of the major shortcomings of the old traditional Virtual Machine route is that it is nearly impossible to emulate 3rd party components or dependencies in the virtualized environment. To give you an example, I do ERP customization on a product called SYSPRO. It is always a challenge setting up the ERP copy on the VM to exactly match the client site.

The client ERP installation could also already contain customizations developed by other companies. Imagine this client then also accesses a Web Service to initiate some sort of Approval Workflow or Notification Service for management. It is almost impossible to emulate all this functionality in the Test VM you are setting up for your application.

I say so because to my mind, there are 2 major factors here that limit you from doing this:

  • Development Budget – We all know that a development budget isn’t an endless pit from where you can just dip in to. Spending weeks setting up a fully functional Virtual Machine just will not happen.
  • Environmental Change – Let us assume you manage to spend weeks setting up your Virtual Machine to mimic the client site almost perfectly. That’s nice…. but in the weeks you spent setting up the Virtual Machine, the client site changed significantly. It changes because it is a multi-user site with an ever evolving environment. Can your budget allow you to constantly change and maintain your VM to stay in sync with the client site?

Parasoft Service Virtualization

This all comes down to time. The less time you spend on setting up your test environment, the more time you have for actual testing. The less time you need to spend on mimicking and keeping up with changes to the client environment, the more time you have for actual development.

I don’t know about you, but in my world this equates to better code, less bugs and a healthy ending project expense on completion. Parasoft Service Virtualization allows you to do just that.

Parasoft Service Virtualization – In A Nutshell

Parasoft Service Virtualization allows you to capture and virtualize transaction behavior and the data transmitted between all these systems. It records live transactions in the client environment by analysing transaction logs, or you can model the behaviour from a simple interface. In other words, instead of having to virtualize applications and settings, Parasoft Service Virtualization allows you to capture and virtualize the behaviour and the data flowing between all these systems.

Let us say you are testing a web application, you can easily perform load testing using actual data recorded from the client site. And I know what you are going to ask next…. all the data can be obfuscated. So none of the recorded data can be compromised. This is probably the biggest single most important feature of the product. Imagine the possibilities.

Another fantastic feature is that you can modify recorded data. Let us assume for example that a 3rd party application is used by your client ERP. This 3rd party application generates an average of 50 Sales Orders per day. Each Sales Order is a single line order with a quantity of 1 for a specific stock code. The 3rd party generated Sales Orders are posted to the client ERP. Your application needs to check stock levels and if there is no stock, place the Sales Order on back order.

You can then easily test this by changing the recorded data to make each Sales Order contain line quantities of 1000 instead of 1. This will allow the system to reach the minimum stock level earlier and forcing your application into placing the order on back order. Imagine being able to test your application with large volumes of high quantity Sales Orders. Will it stand up to the onslaught of several sales orders per second? With Parasoft Service Virtualization, you don’t need to wonder any more. You control the data, so you can modify it to suit your test requirement.

You can also copy and modify different scenarios for different test requirements. This makes testing your application very efficient and robust.

Parasoft Service Virtualization – Initial Impressions

The product is an absolute tour de force. The potential cost saving is dramatic, especially considering what you can virtualize using Parasoft Service Virtualization and the benefit that has on development and testing. Being able to capture the interaction between your system and external components helps you understand your system. Being able to edit and replay those interactions as part of your test environment is unheard of until now. This is the power of Parasoft Virtualize.

I will concede that as a user, the configuration and implementation of the product can seem overwhelming. I would list this as a negative point, but I can’t do that. The reason I can’t do that is because Parasoft have put as much (if not more) effort into developing tutorials, training videos and user documentation as what they have in developing this product. Why not head on over to the Parasoft website and request an evaluation. See what Parasoft Service Virtualization can do for your company.

Disclosure of Material Connection: I received one or more of the products or services mentioned above for free in the hope that I would mention it on my blog. Regardless, I only recommend products or services I use personally and believe my readers will enjoy. I am disclosing this in accordance with the


Protractor Testing Tool


Use npm to install Protractor globally with:

npm install -g protractor

This will install two command line tools, protractor and webdriver-manager. Try running protractor --version to make sure it’s working.

The webdriver-manager is a helper tool to easily get an instance of a Selenium Server running. Use it to download the necessary binaries with:

webdriver-manager update

Now start up a server with:

webdriver-manager start

This will start up a Selenium Server and will output a bunch of info logs. Your Protractor test will send requests to this server to control a local browser. You can see information about the status of the server at http://localhost:4444/wd/hub.

Write a test

Open a new command line or terminal window and create a clean folder for testing.

Protractor needs two files to run, a spec file and a configuration file.

Let’s start with a simple test that navigates to the todo list example in the AngularJS website and adds a new todo item to the list.

Copy the following into todo-spec.js:

describe('angularjs homepage todo list', function() {
  it('should add a todo', function() {
    // Navigate to the AngularJS home page, which hosts the todo list example
    browser.get('http://www.angularjs.org');

    // Type a new item and submit it with the "add" button
    element(by.model('todoList.todoText')).sendKeys('write first protractor test');
    element(by.css('[value="add"]')).click();

    var todoList = element.all(by.repeater('todo in todoList.todos'));
    expect(todoList.count()).toEqual(3);
    expect(todoList.get(2).getText()).toEqual('write first protractor test');

    // You wrote your first test, cross it off the list
    todoList.get(2).element(by.css('input')).click();
    var completedAmount = element.all(by.css('.done-true'));
    expect(completedAmount.count()).toEqual(2);
  });
});

The describe and it syntax is from the Jasmine framework. browser is a global created by Protractor, which is used for browser-level commands such as navigation with browser.get.


Now create the configuration file. Copy the following into conf.js:

exports.config = {
  seleniumAddress: 'http://localhost:4444/wd/hub',
  specs: ['todo-spec.js']
};

This configuration tells Protractor where your test files (specs) are, and where to talk to your Selenium Server (seleniumAddress). It will use the defaults for all other configuration. Chrome is the default browser.

Run the test

Now run the test with:

protractor conf.js

You should see a Chrome browser window open up and navigate to the todo list in the AngularJS page, then close itself (this should be very fast!). The test output should be 1 test, 3 assertions, 0 failures. Congratulations, you’ve run your first Protractor test!


© 2015 QA Programmer. All rights reserved.
