
How to Break Software: Web 101+ Edition


When testing web applications, you may feel overwhelmed by the technologies of today's web environments. Web testing today requires more than just exercising a system’s functionality. Each system is composed of a customized mix of various layers of technology, each implemented in a different programming language and requiring unique testing strategies. This “stew” often leads to puzzling behavior across browsers; performance problems due to page design and content, server locations, and architecture; and inconsistent operation of navigation controls. Dawn Haynes shares an extensive set of test design ideas, standards, and software attacks. She explains their general applicability, effort needed to execute, and technical skill required for success, so you can determine what’s useful in your situation. Dawn demonstrates a variety of tools to help you improve your web testing of HTML syntax, page layout, download speeds, 508 compliance, readability, and more. From the easy and quick to implement to the techie hard stuff, Dawn has something for every web tester.



  1. TQ PM Tutorial, 10/1/2013 1:00:00 PM. "How to Break Software: Web 101+ Edition". Presented by: Dawn Haynes, PerfTestPlus, Inc. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888-268-8770; 904-278-0524.
  2. Dawn Haynes, PerfTestPlus, Inc. Dawn Haynes is COO, principal trainer, and consultant for PerfTestPlus, Inc., and a former director of the Association for Software Testing. Dawn’s unique blend of experience, humor, and effectiveness at providing tools and techniques that help students at all levels generate new approaches to common and complex software testing problems has resulted in her international recognition as an elite trainer of testers. She provides consulting services and is a frequent speaker at testing conferences, local groups, and intimate gatherings of testers.
  3. Introductions: Who am I? Who are you? Goal: enhance your strategies for testing Web applications. Goals: • Show a variety of approaches to testing Web apps • Add to your toolbox. Agenda: • Why is Web testing different? ‐ A Web primer • What’s easy to break? • How do you approach what’s harder? © 2013 PerfTestPlus, Inc.
  4. What there is to test (word cloud): business processes, scenarios, use cases, business rules, procedures, workflows, stored procedures, events, batch, functionality, files, data, usability, behavior, records, algorithms, calculations, operations. © 2013 PerfTestPlus, Inc.
  5. The technology "stew" of a Web application (word cloud): protocol, implementation, architecture, design & deployment; TCP/IP, HTTP(S), JVMs, browsers, JavaScript, hosted, PPTP, SOAP, Flash, BI/DW, tiers, SOA, plug-ins, Adobe, AJAX, GUI elements, layers, H/XTML, objects, biz objects, navigation, constraints, layout, conventions. © 2013 PerfTestPlus, Inc.
  6. (image-only slide) © 2013 PerfTestPlus, Inc.
  7. (image-only slide) © 2013 PerfTestPlus, Inc.
  8. (image-only slide) © 2013 PerfTestPlus, Inc.
  9. (image-only slide) © 2013 PerfTestPlus, Inc.
  10. Software attacks by group: • Cross-site scripting • SQL injection • Directory traversal. Language-based attacks: • Buffer overflows • Canonicalization • NULL-string attacks. Attacking the server: • SQL injection II – stored procedures • Command injection • Fingerprinting the server • Denial of service. Authentication: • Fake cryptography • Breaking authentication • Cross-site tracing • Forcing weak cryptography. © 2013 PerfTestPlus, Inc.
  11. (image-only slide) © 2013 PerfTestPlus, Inc.
  12. HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement Web sites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies. [Reference:] © 2013 PerfTestPlus, Inc.
  13. (image-only slide) © 2013 PerfTestPlus, Inc.
  14. (image-only slide) © 2013 PerfTestPlus, Inc.
  15. Test plan (mind map). Functionality: • Links • Cookies • HTML/CSS • Database. Security: • Bypass login • URL tampering • Input attacks • Error msgs. Usability: • Navigation • Content checks • Help, search … Performance: • Load (users, connections, page requests…) • Stress (exceed limits for fields, login, memory…). Interfaces: • Web server • Application server • Database server. Compatibility: • Browser • O/S • Mobile • Printing • 508. [Ref:] © 2013 PerfTestPlus, Inc.
  16. (image-only slide) © 2013 PerfTestPlus, Inc.
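Slide 12 states that HTTP is stateless and that cookies are one of the mechanisms used to give a site memory across requests. The following is an added example, not code from the slides or from PerfTestPlus: a tiny in-process request handler standing in for a web server, plus a minimal browser-like client that replays cookies. Every call to `handle()` is an independent request with no memory of earlier calls, exactly as in HTTP; only the `Cookie` header the client sends back ties one request to the next. The `handle()`, `Browser` and `SESSIONS` names, and the `/visit` path, are assumptions made for this illustration.

```python
"""Added example: why HTTP is stateless and how a session cookie restores state.

handle() below is an assumed stand-in for a web server's request handler.
Nothing persists between calls except what the server keeps in SESSIONS,
keyed by the session id that the client carries in its Cookie header.
"""
import secrets

SESSION_COOKIE = "sid"
# Server-side session store (constructed for this example): session id -> state.
SESSIONS = {}


def parse_cookies(headers):
    """Turn a 'Cookie: a=1; b=2' header into a dict (simple name=value pairs)."""
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def new_session():
    """Create a session with an unguessable id so ids cannot be forged."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"visits": 0}
    return sid


def handle(method, path, headers):
    """Handle one request in isolation; returns (status, response_headers, body).

    The handler has no memory of previous calls. If the request carries no
    session cookie, or an id the server never issued, a fresh session starts.
    """
    sid = parse_cookies(headers).get(SESSION_COOKIE)
    response_headers = {}
    if sid not in SESSIONS:
        sid = new_session()
        # HttpOnly keeps the id away from page scripts, Secure keeps it off
        # plaintext HTTP, SameSite=Lax stops most cross-site requests sending it.
        response_headers["Set-Cookie"] = (
            f"{SESSION_COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
        )
    state = SESSIONS[sid]
    if path == "/visit":
        state["visits"] += 1
    return 200, response_headers, f"visits={state['visits']}"


class Browser:
    """Minimal client that, like a browser, stores and replays cookies."""

    def __init__(self):
        self.cookies = {}

    def request(self, method, path):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        status, resp_headers, body = handle(method, path, headers)
        if "Set-Cookie" in resp_headers:
            # Keep only the name=value pair; attributes are for the browser's policy.
            name, _, value = resp_headers["Set-Cookie"].split(";", 1)[0].partition("=")
            self.cookies[name.strip()] = value.strip()
        return status, resp_headers, body


def demo():
    """Four requests showing that only the replayed cookie links requests."""
    SESSIONS.clear()
    browser = Browser()
    _, h1, b1 = browser.request("GET", "/visit")  # no cookie yet: new session
    _, h2, b2 = browser.request("GET", "/visit")  # cookie replayed: same session
    _, h3, b3 = handle("GET", "/visit", {})       # bare request: unrelated session
    # A made-up id the server never issued is not trusted: another new session.
    _, h4, b4 = handle("GET", "/visit", {"Cookie": "sid=not-a-real-session"})
    return {
        "first": b1, "set_cookie_on_first": "Set-Cookie" in h1,
        "second": b2, "set_cookie_on_second": "Set-Cookie" in h2,
        "cookieless": b3,
        "forged": b4, "set_cookie_on_forged": "Set-Cookie" in h4,
        "sessions": len(SESSIONS),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two browser requests counting 1 then 2, while the cookieless request and the request with an unissued id each start at 1 in their own sessions. For a tester this is the thing to check on a real site: the server must treat the cookie as the only link between requests, issue ids that cannot be guessed, ignore ids it never issued, and send the cookie with `HttpOnly`, `Secure` and a `SameSite` attribute.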