Thursday, June 6, 2013

Security testing

Security is an exercise in risk management. Risk analysis, especially at the design level, can help us identify potential security problems and their impact. Once identified and ranked, software risks can then guide software security testing. Two common ways to find security holes in a web application are SQL injection and XSS (cross-site scripting) tests.

SQL injection

Example: click the link below

http://pastebin.com/D2v21Mxh

Try this SQL injection on the password field. Sometimes it works on a vulnerable web page. Now the question is: how does it work?

See the link below:

http://pastebin.com/DZVByABg

When the query receives the 1=1 portion, the WHERE condition evaluates to true and the injection works.
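To make the "1=1 portion" concrete, here is an added example (not from the original post) with a login check that pastes input into the SQL string beside one that uses a parameterised query. The users table, the account name/password and the injected string are all constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory users table for the demo; not a real application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # Input pasted directly into the SQL text: the classic hole.
    # With password = "x' OR 1=1 --" the WHERE clause becomes
    #   name = 'alice' AND password = 'x' OR 1=1 --'
    # and "OR 1=1" makes the whole condition true.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, name, password):
    # Parameterised query: the driver sends the values separately from the
    # SQL text, so quotes and "OR 1=1" inside them are only data.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def demo():
    conn = make_db()
    injected = "x' OR 1=1 --"   # constructed input carrying the 1=1 portion
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),
        "safe_injected": login_safe(conn, "alice", injected),
        "safe_right_password": login_safe(conn, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: logged in = {result}")
```

The fix to look for in a code review is the second form: the query text never changes, whatever the user types.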

XSS (Cross-site scripting)

Try any XSS command from the link below in a text field whose output depends on that input, for example on a registration page. If the page shows that command as live markup, it is certain there is a hole in that application.
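As an added example (not part of the original post), here is the registration-page check in code: a constructed template that reflects the name field, once verbatim and once HTML-escaped, plus the test a tester can run on the response to tell "showing that command" apart from showing harmless text.

```python
import html

# Constructed stand-in for a registration page that echoes the submitted name.
TEMPLATE = "<p>Welcome, {name}! Please confirm your details.</p>"

def render_unescaped(name):
    # Reflects the input verbatim: a <script> tag typed into the field comes
    # back as live markup, which the browser would execute.
    return TEMPLATE.format(name=name)

def render_escaped(name):
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the characters as text instead of treating them as a tag.
    return TEMPLATE.format(name=html.escape(name, quote=True))

def contains_live_tag(page, tag="script"):
    # The tester's check on the response: is the tag still markup?
    return f"<{tag}" in page.lower()

def demo():
    probe = "<script>alert(1)</script>"   # constructed test input
    return {
        "unescaped_has_script": contains_live_tag(render_unescaped(probe)),
        "escaped_has_script": contains_live_tag(render_escaped(probe)),
        "escaped_output": render_escaped(probe),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```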

Wednesday, June 5, 2013

Bug advocacy

Bug advocacy starts when you start writing a bug report. Some points you should keep in mind before you present your bug:

  • Your bug report is your representative.
  • Good reporting earns a good reputation; bad reporting generates extra work for the developer.
  • When you write a bug, you are asking a programmer (whom you don't manage) to look at the bug that you found.
  • Any bug report that you write is an advocacy document, and that report gets the bug repaired.
  • Make your bug report an effective sales tool (thilient).
  • Some bugs are too minor, impossible to understand, or not reproducible. Report those bugs anyway and explain the reason in a meeting; otherwise they will cause problems or confusion in the future.
  • Take the time to make your bug report valuable, because many people read and rely on it.
  • Draw the attention of the product owner, project coordinator or stakeholder to controversial bugs.
  • Report defects promptly; delay creates confusion for the manager, and by then you may have forgotten key details.
  • Never assume an obvious bug has already been filed. Lots of people knew about the bug but assumed someone else had reported it.
  • Uncorner your corner cases.
  • Keep a clear distinction between severity and priority.
  • The summary line is the most important line in the bug report.
  • The summary line is the best tool for selling the bug.
  • The summary should be no more than 65 characters.
  • Never exaggerate your bugs.
  • Make your reports readable even for people who are exhausted and cranky.
Most common problems with developers:
  • Developers always discourage QA from posting bugs.
  • Developers like to comment in JIRA "not a bug".
  • Developers like to say "This is not a requirement".
  • "Lots of bugs already; no more bugs will be posted today," says the PC (project coordinator).
  • There is no written requirement, so developers change the requirement whenever they want.
  • The cache is not cleared, but the developer says the bug is already fixed.
  • "Don't post the bug, I will resolve it within 2 minutes."

Set up WebDriver and TestNG

Set up WebDriver
  1. Download Eclipse: http://www.eclipse.org/downloads/
  2. Download the JDK: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
  3. Set up the JDK path (install the JDK and JRE inside the folder C:\Program Files\Java)
  4. Open Eclipse
      • Create a project: File -> New -> Java Project
      • File -> Properties -> Java Build Path -> Add Library -> JRE
  5. Set up TestNG. For the Eclipse plug-in, we suggest using the update site:

    1. Select Help / Software Updates / Find and Install.
    2. Search for new features to install.
    3. New remote site.
    4. For Eclipse 3.4 and above, enter http://beust.com/eclipse.
    5. For Eclipse 3.3 and below, enter http://beust.com/eclipse1.
    6. Make sure the check box next to the URL is checked and click Next.
    7. Eclipse will then guide you through the process.

  6. Restart Eclipse and select the menu Window / Show View / Other... and you should see the TestNG view listed in the Java category.
  7. Download WebDriver: http://seleniumhq.org/download/
  8. Unzip the downloaded file into a specific folder.
  9. Add all downloaded .jar files (WebDriver + TestNG) to the Eclipse project as external JARs (steps below):
      a. Create a project in Eclipse: File -> New -> Project -> select Java Project -> give it a name (sample1)
      b. Click the Finish button
      c. Create a package under the src folder and give it a name (webDriver)
      d. Click the Finish button
      e. Create a class under this package
      f. Right-click the project name and select Properties -> Java Build Path -> Libraries -> Add External JARs -> add the WebDriver jar files from their location -> click Open
      g. Repeat step f to add the TestNG .jar file, downloaded from http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22testng%22, as an external jar in Eclipse.

Tuesday, June 4, 2013

Performance Testing and its subsets

Performance testing is a superset of load testing, stress testing, capacity testing, volume testing, endurance testing, spike testing, scalability testing and reliability testing [Picture:1]. In real life customers are often confused between a load test, a stress test and a performance test. In my last project the customer was asking for performance testing, but they only wanted to know "how many users can the application handle within a short period". They just wanted to know the maximum number of successful users, and what errors occurred when that maximum point was crossed. So the client wanted to know about load testing and stress testing results.

Load test: a subset of performance testing. It is done by constantly increasing the load on the application under test until it reaches its threshold limit. The main goal of load testing is to identify the upper limit of the system in terms of database, hardware, network, etc. Load testing = a large number of users.

For example: first I gave 90 users in JMeter, then checked whether there was any error or not; if an error occurred, I gave 89, 88... and so on. When I gave 83 users no error occurred. So the upper limit is 83 users.

Stress test: under stress testing, various activities that overload the existing resources with excess jobs are carried out in an attempt to break the system down. Negative testing, which includes removal of components from the system, is also done as part of stress testing. The purpose of stress testing is to ascertain the failure point of the system and to monitor whether the system recovers gracefully. The goal is to analyse post-crash reports to define the behaviour of the application after failure. The biggest issue is to ensure that the system does not compromise the security of sensitive data after the failure. In a successful stress test, the system comes back to normality along with all its components, even after the most terrible breakdown.

For example: in my project I knew from load testing that 83 users is the maximum load. When I gave 84 users, the application failed to complete some transactions. From the JMeter error list I found out what type of error occurred and why. When I monitored the error I found that the server was overloaded when I gave 84 users at a time, but this error did not affect the application.

Capacity testing: in short, capacity testing is about figuring out what the capacity of the system under test is; typically, how many transactions per minute or how many simultaneous users a system can bear without crashing. Load testing and stress testing are two types of capacity testing.

Volume testing: volume testing refers to testing a software application with a certain amount of data. If you want to volume test your application with a specific database size, you expand your database to that size and then test the application's performance on it. Another example is when there is a requirement for your application to interact with an interface file (any file, such as .dat or .xml); this interaction could be reading from and/or writing to the file. You create a sample file of the size you want and then test the application's functionality with that file in order to test its performance.

Examples of volume testing: 
  • testing a word processor by editing a very large document
  • testing a printer by sending it a very large job
  • testing a mail server with thousands of user mailboxes
  • a specific case of volume testing is zero-volume testing, where the system is fed empty tasks

Endurance testing / soak testing: checks for memory leaks or other problems that may occur with prolonged execution; it is also called soak testing. It tests the application under heavy volumes of data for a prolonged period of time. The simple idea behind the term comes from the meaning of the word "endurance": this is basically a fitness test of how the application behaves in extreme or worst-case conditions. It is generally related to load testing of the application. This type of testing is very important in time-critical applications, e.g. a flight control system.

For example: in my project I gave 40 users with a ramp-up period of 5 and the loop count set to forever. Then I monitored the whole-day report generated by JMeter.

Spike testing: a type of load test. The object of this type of performance test is to verify a system's stability during bursts of concurrent user and/or system activity, at varying degrees of load over varying time periods.

Scalability testing: checks how easily the performance of the software can be increased if the application demands it. For example, a database application that gives good response times for 10 users should be scalable to 100 users if required.

Reliability testing: software reliability is the probability that the software will work properly in a specified environment and for a given time.
Probability = Number of cases in which we find a failure / Total number of cases under consideration
Using this formula, the failure probability is calculated by testing a sample of all available input states. The set of all possible input states is called the input space. To find the reliability of the software, we need to find the output space for the given input space and software.