TQ PM Tutorial, 10/1/2013 1:00:00 PM

"How to Break Software: Web 101+ Edition"

Presented by: Dawn Haynes, PerfTestPlus, Inc.
When testing web applications, you may feel overwhelmed by the technologies of today's web environments. Web testing today requires more than just exercising a system’s functionality. Each system is composed of a customized mix of various layers of technology, each implemented in a different programming language and requiring unique testing strategies. This “stew” often leads to puzzling behavior across browsers; performance problems due to page design and content, server locations, and architecture; and inconsistent operation of navigation controls. Dawn Haynes shares an extensive set of test design ideas, standards, and software attacks. She explains their general applicability, effort needed to execute, and technical skill required for success, so you can determine what’s useful in your situation. Dawn demonstrates a variety of tools to help you improve your web testing of HTML syntax, page layout, download speeds, 508 compliance, readability, and more. From the easy and quick to implement to the techie hard stuff, Dawn has something for every web tester.

Published in: Technology
How to Break Software: Web 101+ Edition

  1. TQ PM Tutorial, 10/1/2013 1:00:00 PM
     "How to Break Software: Web 101+ Edition"
     Presented by: Dawn Haynes, PerfTestPlus, Inc.
     Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073, 888-268-8770 ∙ 904-278-0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
  2. Dawn Haynes, PerfTestPlus, Inc.
     Dawn Haynes is COO, principal trainer, and consultant for PerfTestPlus, Inc., and a former director of the Association for Software Testing. Dawn’s unique blend of experience, humor, and effectiveness at providing tools and techniques that help students at all levels generate new approaches to common and complex software testing problems has resulted in her international recognition as an elite trainer of testers. She provides consulting services and is a frequent speaker at testing conferences, local groups, and intimate gatherings of testers.
  3. Who am I?
     Enhance your strategies for testing Web applications
     Introductions
     Who are you?
     Goals
     • Show a variety of approaches to testing Web apps
     • Add to your toolbox
     Agenda
     • Why is Web testing different? ‐ A Web primer
     • What’s easy to break?
     • How do you approach what’s harder?
     © 2013 PerfTestPlus, Inc.
  4. Functionality (mind map): Business processes, Scenarios, Use cases, Biz Rules, Procedures, Workflows, Stored Procs., Events, Batch, Files, Data, Usability, Behavior, Records, Algorithms, Calculations, Operations
  5. Implementation: architecture, design & deployment (mind map): TCP/IP, HTTP(S), JVMs, Browsers, JavaScript, Hosted, PPTP, SOAP, Flash, Protocol, BI/DW, Tiers, SOA, Plug-ins, Adobe, AJAX, GUI elements, Layers, H/XTML, Objects, Biz Objects, Navigation, Constraints, Layout, Conventions
  6. (image-only slide)
  7. (image-only slide)
  8. (image-only slide)
  9. (image-only slide)
  10. • Cross-site scripting
      • SQL injection
      • Directory traversal
      Language Based Attacks
      • Buffer overflows
      • Canonicalization
      • NULL-string attacks
      Attacking the Server
      • SQL injection II – Stored procedures
      • Command injection
      • Fingerprinting the server
      • Denial of service
      Authentication
      • Fake Cryptography
      • Breaking authentication
      • Cross-site tracing
      • Forcing weak cryptography
  11. (image-only slide)
  12. HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement Web sites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies. [Reference: wiki.answers.com]
  13. (image-only slide)
  14. (image-only slide)
  15. Test Plan [Ref: www.softwaretestinghelp.com]
      Functionality
      • Links
      • Cookies
      • HTML/CSS
      • Database
      Security
      • Bypass login
      • URL tampering
      • Input attacks
      • Error msgs
      Usability
      • Navigation
      • Content checks
      • Help, search …
      Performance
      • Load (users, connections, page requests…)
      • Stress (exceed limits for fields, login, memory…)
      Interfaces
      • Web server
      • Application server
      • Database server
      Compatibility
      • Browser
      • O/S
      • Mobile
      • Printing
      • 508
  16. (image-only slide)
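The statelessness point on slide 12 and the Cookies / Bypass login / URL tampering items on slide 15, as an added example (not from the slides or from PerfTestPlus): a request handler that keeps no server-side memory, carries its only state in an HMAC-signed cookie, and flags a cookie whose value was edited but whose tag was not re-signed. The names (SECRET, sign, verify, handle, demo) and the request/response dict shapes are assumptions made for this example.

```python
import base64
import hashlib
import hmac

SECRET = b"demo-only-secret"  # constructed for this demo; real deployments load it from config

def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so the client can carry the value but not alter it."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify(signed: str):
    """Return the protected value, or None when the tag is missing or does not match."""
    value, dot, _tag = signed.rpartition(".")
    if not dot:
        return None
    return value if hmac.compare_digest(sign(value), signed) else None

def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        name, eq, val = part.strip().partition("=")
        if eq:
            out[name] = val
    return out

def handle(request: dict) -> dict:
    """Stateless visit counter: its only memory is the signed cookie the client sends back."""
    cookies = parse_cookies(request.get("headers", {}).get("Cookie", ""))
    prior = verify(cookies["visits"]) if "visits" in cookies else None
    tampered = "visits" in cookies and prior is None  # cookie present but tag did not verify
    visits = (int(prior) if prior and prior.isdigit() else 0) + 1
    return {
        "status": 200,
        "body": f"visit #{visits}",
        "tampered_cookie": tampered,
        "headers": {"Set-Cookie": "visits=" + sign(str(visits))},  # state goes back to the client
    }

def demo() -> list:
    """Four requests a tester might send; returns the response to each one."""
    first = handle({"method": "GET", "path": "/", "headers": {}})
    cookie = first["headers"]["Set-Cookie"]
    second = handle({"method": "GET", "path": "/", "headers": {"Cookie": cookie}})
    forged = "visits=99." + cookie.split(".", 1)[1]  # edited count, original tag kept
    third = handle({"method": "GET", "path": "/", "headers": {"Cookie": forged}})
    fourth = handle({"method": "GET", "path": "/", "headers": {}})  # server remembered nothing
    return [first, second, third, fourth]
```

The second request only counts as a return visit because the client carried the cookie back; the third shows the integrity check a tester should expect to see when the cookie value is edited, and the fourth shows that the server itself retained nothing.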
