Friday 29 June 2012

10 Rules of Software Testing


REMEMBER SOFTWARE TESTING 10 RULES:

1. Test early and test often.
2. Integrate the application development and testing life cycles. You’ll get better results and you won’t have to mediate between two armed camps in your IT shop.
3. Formalize a testing methodology; you’ll test everything the same way and you’ll get uniform results.
4. Develop a comprehensive test plan; it forms the basis for the testing methodology.
5. Use both static and dynamic testing.
6. Define your expected results.
7. Understand the business reason behind the application. You’ll write a better application and better testing scripts.
8. Use multiple levels and types of testing (regression, systems, integration, stress and load).
9. Review and inspect the work, it will lower costs.
10. Don’t let your programmers check their own work; they’ll miss their own errors.

Software Testing @ glance


Steps to perform software testing: 

  • Understand requirements and business logic
  • Determine required standards and processes
  • Set priorities, and determine scope and limitations of tests
  • Determine test approaches and methods
  • Determine test environment, test ware, test input data requirements
  • Set milestones and prepare test plan document
  • Write test cases
  • Have needed reviews/inspections/approvals of test cases
  • Set up test environment
  • Execute test cases
  • Evaluate and report results
  • Bug Tracking and fixing
  • Retesting or regression testing if needed
  • Update test plans, test cases, test results, tractability matrix etc.
 
Components of a Bug Report: 
  • Application name
  • The function, module, name
  • Bug ID
  • Bug reporting date
  • Status
  • Test case ID
  • Bug description
  • Steps needed to reproduce the bug
  • Names and/or descriptions of file/data/messages/etc. used in test
  • Snapshot that would be helpful in finding the cause of the problem
  • Severity estimate
  • Was the bug reproducible?
  • Name of tester
  • Description of problem cause (filled by developers)
  • Description of fix (filled by developers)
  • Code section/file/module/class/method that was fixed (filled by developers)
  • Date of fix (filled by developers)
  • Date of retest or regression testing
  • Any remarks or comments

Web based applications testing guidelines:

Apart from functionality consider the following:
  • What are the expected loads on the server and what kind of performance is expected on the client side?
  • Who is the target audience?
  • Will down time for server and content maintenance / upgrades be allowed?
  • What kinds of security will be required and what is it expected to do?
  • How reliable are the site's Internet / intranet connections required to be?
  • How do the internet / intranet affect backup system or redundant connection requirements and testing?
  • What variations will be allowed for targeted browsers?
  • Will there be any standards or requirements for page appearance and / or graphics throughout a site or parts of a site?
  • How will internal and external links be validated and updated?
  • How are browser caching and variations in browser option settings?
  • How are flash, applets, java scripts, ActiveX components, etc. to be maintained, tracked, controlled, and tested?
From the usability point of view consider the following:
  • Pages should be 3-5 screens longer.
  • The page layouts and design elements should be consistent throughout the application / web site.
  • Pages should be as browser-independent or generate based on the browser-type.
  • There should be no dead-end pages. A link to a contact person or organization should be included on each page.

Thursday 28 June 2012

Integration Testing



Introduction to Integration Testing:
When the modules are under the process of development, the developers develop some interfaces and integrate the module with the help of those interfaces. Here integration is the process of assembling unit-tested modules. We need to test the following aspects, which have not been addressed previously while independently testing the modules:
  • Interfaces: To ensure "interface integrity," the transfer of data between modules is tested. When data is passed to another module, by way of a call, there should not be any loss or corruption of data. The loss or corruption of data can happen due to mis-match or differences in the number or order of calling and receiving parameters.
  • Module combinations may produce a different behavior due to combinations of data that are not exercised during unit testing.
Global data structures, if used, may reveal errors due to unintended usage in some module.
Integration Testing falls under the category of white box testing.
Following four approaches are generally adopted by the developers while integrating the modules.
To illustrate the methodology, let us consider the following arrangement of modules say M1, M2, M3 ……. M7

1) Top Down Approach (TDA):
Involves development of all the topmost / parent modules before hand followed by due integration with child modules.

This approach uses a Program called "Stub". While integrating the modules with this Top Down Approach, if at any stage it is found that some mandatory module is missing, then in such an event that particular module is replaced with a temporary program known as "Stub".

The testing starts with M1. To test M1 in isolation, communications to modules M2, M3 and M4 needs to be simulated by the tester by some means, since these modules may not be ready yet. To simulate responses of M2, M3 and M4 whenever they are to be invoked from M1, "stubs" are created. Simple applications may require stubs, which would simply return the control to their superior modules. More complex situation demand stubs to simulate a full range of responses, including parameter passing. Stubs may be individually created by the tester or they may be provided by a software testing harness, which is a sort of software specifically designed to provide a testing environment.
In the above illustration, M1 would require stubs to simulate the activities of M2, M3 and M4. The integration of M3 would require a stub or stubs for M5 and M4 would require stubs for M6 and M7. Elementary modules i.e. the modules which do not call subordinates would not require any stubs.

Advantages of Top down Approach:
a) This approach is advantageous if all major flaws are captured towards the top of the program
b) Early skeletal program allows demonstrations and boosts the moraleDisadvantages of Top down Approach:
a) Stub modules are essential
b) Test conditions my be impossible, or very difficult, to create
c) Observation of test output is more difficult, as only simulated values will be used initially. For the same reason, program correctness can be misleading

2) Bottom Up Approach (BUA):

Involves development of all the elementary modules or child modules before hand followed by due integration with the corresponding parent modules.
This approach uses a Program called "Driver". While integrating the modules with this Bottom Up Approach, if at any stage it is found that some mandatory module is missing, then in such an event that particular module is replaced with a temporary program known as "Driver".

If M5 is ready, we need to simulate the activities of its superior, M3. Such a "driver" for M5 would simulate the invocation activities of M3. As with the stub, the complexity of a driver would depend upon the application under test. The driver would be responsible for invoking the module under test, it could be responsible for passing test data and it might be responsible for receiving output data. Here as well, the driving function can be provided through a testing harness or may be created by the tester as a program.
For the above-mentioned Bottom-Up example, drivers must be provided for modules M2, M5, M6, M7, M3 and M4. However there is no need for a driver for the topmost Module, M1.

Advantages of Bottom Up Approach:
a) This approach is advantageous if all major flaws are captured towards the bottom of the program
b) Test conditions are easier to create
c) Observations of test results are easier since "live" data is used from the beginning.

Disadvantages of Bottom Up Approach:
a) Driver modules are essential
b) The program as an entity does not exist until the last module is added

3) Big Bang Approach:

Once all the modules are ready after testing individually; the approach of integrating them finally at once is known as big bang approach.

Though Big Bang approach seems to be advantageous when we construct independent module concurrently, this approach is quite challenging and risky as we integrate all modules in a single step and test the resulting system. Locating interface errors, if any, becomes difficult here.

4) Hybrid Approach:
To overcome the limitations and to exploit the advantages of Top-down and Bottom-up approaches, a hybrid approach in testing is used. As the name suggests, it is a mixture of the two approaches like Top Down approach as well as Bottom Up approach.

In this approach the system is viewed as three layers consisting of the main target layer in the middle, another layer above the target layer, and the last layer below the target layer.

The Top-Down approach is used in the topmost layer and Bottom-Up approach is used in the lowermost layer. The lowermost layer contains many general-purpose utility programs, which are helpful in verifying the correctness during the beginning of testing.

Testing converges for the middle level target layers are selected on the basis of system characteristics and the structure of the code. The middle level target layer contains components using the utilities.
Final decision on selecting an integration approach depends on system characteristics as well as on customer expectations. Sometimes the customer wants to see a working version of the application as soon as possible thereby forcing an integration approach aimed at producing a basic working system in the earlier stages of the testing process
.

Selenium Configuration with Eclipse


1. First we need to install JDK
2. Then we need to install Eclipse (http://www.eclipse.org/downloads/)
(No need to install the Eclipse, just unzip the downloaded folder anywhere in local drive. That will provide the ‘eclipse.exe’ which will open the Eclipse framework)
3. Now we need to create a workspace folder –> C\Eclipse-WorkspaceSeleniumTests
(‘Workspace’ is the location where the entire Eclipse project will be saved)
4. Open the Eclipse by ‘eclipse.exe’
5. Close Eclipse welcome screen
6. Click File menu –> Switch Workspace –> other
7. Now Select the C:Eclipse-WorkspaceSeleniumTests folder (refer following screenshot)



8. It has finished setting up the eclipse.  Now, we need to download Selenium RC server / client driver and configure that to Eclipse
9. Download Selenium server:  http://seleniumhq.org/download/
10. Download Selenium Client driver for Java (from Selenium Client Drivers section)
11. Create “Selenium” folder in C: drive and copy the Selenium-server.jar as well as unzip the Selenium Client driver (C:Selenium)
12. Now downloading and unzipping the files into a folder is done.  We need to configure the appropriate Selenium Client driver Jar file to the Eclipse.
a) Go to Eclipse –> Click  File –> New –> Project (from various options need to select just “project”)
b) In Select Wizard –> Click Java –> “Java Project” (refer following screenshot)



c) Give the project name (e.g. FirstProject)
d) Click Finish – Click Yes

13. Now we are done with creation of project and need to configure the Selenium Client driver to this Project
a) Right Click “FirstProject” project



b) Click “Java Build Path”
c) Click Libraries tab
d) Click “Add External JARs” button
e) Select “Selenium Client Drivers” unzipped in C:Selenium folder (Selenium Server JAR file should not be added)
f) Click OK
g) Referenced libraries –> contains both the Selenium Client driver jar files as shown in the below screenshot.


So far, we have done the configuration of Selenium with Eclipse.



Cookie Testing

What is Cookie?
Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve information from that machine. Generally cookie contains personalized user data or information that is used to communicate between different web pages.

Two Stage Process:
Cookies are based on a two-stage process. First the cookie is stored in the user's computer without their consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and it transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer.
During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server. Whenever a user directs her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server.  

Why Cookies are used?
Cookies are nothing but the user’s identity and used to track where the user navigated throughout the web site pages. The communication between web browser and web server is stateless.
For example if you are accessing domain http://www.domain.com/1.html then web browser will simply query to example.com web server for the page 1.html. Next time if you type page as http://www.domain.com/2.html then new request is send to example.com web server for sending 2.html page and web server don’t know anything about to whom the previous page 1.html served.

What if you want the previous history of this user communication with the web server?
You need to maintain the user state and interaction between web browser and web server somewhere. This is where cookie comes into picture. Cookies serve the purpose of maintaining the user interactions with web server.

How cookies work?
The HTTP protocol used to exchange information files on the web is used to maintain the cookies. There are two types of HTTP protocol. Stateless HTTP and Stateful HTTP protocol. Stateless HTTP protocol does not keep any record of previously accessed web page history. While State full HTTP protocol do keep some history of previous web browser and web server interactions and this protocol is used by cookies to maintain the user interactions.

Whenever user visits the site or page that is using cookie, small code inside that HTML page (Generally a call to some language script to write the cookie like cookies in JavaScript, PHP, Perl) writes a text file on users machine called cookie.

Here is one example of the code that is used to write cookie and can be placed inside any HTML page:

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME;

When user visits the same page or domain later time this cookie is read from disk and used to identify the second visit of the same user on that domain. Expiration time is set while writing the cookie. This time is decided by the application that is going to use the cookie.

Generally two types of cookies are written on user machine.

1) Session cookies: This cookie is active till the browser that invoked the cookie is open. When we close the browser this session cookie gets deleted. Some time session of say 20 minutes can be set to expire the cookie.

2) Persistent cookies: The cookies that are written permanently on user machine and lasts for months or years.
Where cookies are stored?
When any web page application writes cookie it get saved in a text file on user hard disk drive. The path where the cookies get stored depends on the browser. Different browsers store cookie in different paths. E.g. Internet explorer store cookies on path “C:\Documents and Settings\Default User\Cookies
Here the “Default User” can be replaced by the current user you logged in as. Like “Administrator”, or user name like “VijayDeenanathChauhan” etc.

The cookie path can be easily found by navigating through the browser options. In Mozilla Firefox browser you can even see the cookies in browser options itself. Open the Mozilla browser, click on Tools->Options->Privacy and then “Show cookies” button.

How cookies are stored?
Let’s take example of cookie written by rediff.com on Mozilla Firefox browser:
On Mozilla Firefox browser when you open the page rediff.com or login to your rediffmail account, a cookie will get written on your Hard disk. To view this cookie simply click on “Show cookies” button mentioned on above path. Click on Rediff.com site under this cookie list. You can see different cookies written by rediff domain with different names.

Site: Rediff.com Cookie name: RMID
Name: RMID (Name of the cookie)
Content: 1d11c8ec44bf49e0… (Encrypted content)
Domain: .rediff.com
Path: / (Any path after the domain name)
Send For: Any type of connection
Expires: Thursday, December 31, 2020 11:59:59 PM





Applications where cookies can be used:


1) To implement shopping cart:
Cookies are used for maintaining online ordering system. Cookies remember what user wants to buy. What if user adds some products in their shopping cart and if due to some reason user don’t want to buy those products this time and closes the browser window? When next time same user visits the purchase page he can see all the products he added in shopping cart in his last visit.

2) Personalized sites:
When user visits certain pages they are asked which pages they don’t want to visit or display. User options are get stored in cookie and till the user is online, those pages are not shown to him.

3) User tracking:
To track number of unique visitors online at particular time.

4) Marketing:
Some companies use cookies to display advertisements on user machines. Cookies control these advertisements. When and which advertisement should be shown? What is the interest of the user? Which keywords he searches on the site? All these things can be maintained using cookies.

5) User sessions:
Cookies can track user sessions to particular domain using user ID and password.

Drawbacks of cookies:

1) Too many Cookies:
If you are writing too many cookies on every page navigation and if user has turned on option to warn before writing cookie, this could turn away user from your site.

2) Security issues:
Some times users personal information is stored in cookies and if someone hack the cookie then hacker can get access to your personal information. Even corrupted cookies can be read by different domains and lead to security issues.

3) Sensitive information:
Some sites may write and store your sensitive information in cookies, which should not be allowed due to privacy concerns.

How do I enable cookie support in my browser?
Cookies are enabled by default in most browsers, however if you think your browser has cookie support disabled then please follow these instructions:-

For Internet Explorer:
1. Left Click the 'Tools' menu.
2. Left Click 'Internet Options'.
3. Left Click 'Privacy' tab.
4. Left Click the 'Sites' button.
5. Type www.weighin.net into the top box.
6. Left Click the 'Allow' button.
7. Left Click the 'Ok' button.
8. Left Click the 'Ok' button.

For Internet Explorer 7 or 8:
1. Click Start > Control Panel. (With Windows XP Classic View, click the Windows Start button > Settings > Control Panel).
2. Double-click the Internet Options icon.
3. Select the Privacy tab.
4. Click Advanced.
5. Select "Override automatic cookie handling" under the "Cookies" section in the Advanced Privacy Settings window.
6. Select the "Accept" or "Prompt" option under "First-party Cookies."
7. Select the "Accept" or "Prompt" option under "Third-party Cookies." (If you select the "Prompt" option, you'll be asked for approval every time a website attempts to send you a cookie.)
8. In the Internet Options window, click OK to exit.

For Mozilla Firefox:
1. Left Click the 'Tools' menu.
2. Left Click 'Options'.
3. Left Click 'Privacy' tab.
4. Left Click 'Exceptions' button.
5. Type www.weighin.net into the top box.
6. Left Click the 'Allow' button.
7. Left Click the 'Close' button.
8. Left Click the 'Ok' button.

For Chrome in Windows:
1. Click the Tools menu.
2. Select Options.
3. Click the Under the Hood tab.
4. Click Content settings in the "Privacy" section.
5. Select Allow local data to be set to allow both first-party and third-party cookies. If you only want to accept first-party cookies, check the box next to "Block all third-party cookies without exception."
Important Scenarios to test cookie testing for websites:

Test cases:
1) As a Cookie privacy policy make sure from your design documents that no personal or sensitive data is stored in the cookie.

2) If you have no option than saving sensitive data in cookie make sure data stored in cookie is stored in encrypted format.

3) Make sure that there is no overuse of cookies on your site under test. Overuse of cookies will annoy users if browser is prompting for cookies more often and this could result in loss of site traffic and eventually loss of business.

4) Disable the cookies from your browser settings: If you are using cookies on your site, your sites major functionality will not work by disabling the cookies. Then try to access the web site under test. Navigate through the site. See if appropriate messages are displayed to user like “For smooth functioning of this site make sure that cookies are enabled on your browser”. There should not be any page crash due to disabling the cookies. (Please make sure that you close all browsers, delete all previously written cookies before performing this test)

5) Accepts/Reject some cookies: The best way to check web site functionality is, not to accept all cookies. If you are writing 10 cookies in your web application then randomly accept some cookies say accept 5 and reject 5 cookies. For executing this test case you can set browser options to prompt whenever cookie is being written to disk. On this prompt window you can either accept or reject cookie. Try to access major functionality of web site. See if pages are getting crashed or data is getting corrupted.

6) Delete cookie: Allow site to write the cookies and then close all browsers and manually delete all cookies for web site under test. Access the web pages and check the behavior of the pages.

7) Corrupt the cookies: Corrupting cookie is easy. You know where cookies are stored. Manually edit the cookie in notepad and change the parameters to some vague values. Like alter the cookie content, Name of the cookie or expiry date of the cookie and see the site functionality. In some cases corrupted cookies allow to read the data inside it for any other domain. This should not happen in case of your web site cookies. Note that the cookies written by one domain say rediff.com can’t be accessed by other domain say yahoo.com unless and until the cookies are corrupted and someone trying to hack the cookie data.

8 ) Checking the deletion of cookies from your web application page: Some times cookie written by domain say rediff.com may be deleted by same domain but by different page under that domain. This is the general case if you are testing some ‘action tracking’ web portal. Action tracking or purchase tracking pixel is placed on the action web page and when any action or purchase occurs by user the cookie written on disk get deleted to avoid multiple action logging from same cookie. Check if reaching to your action or purchase page deletes the cookie properly and no more invalid actions or purchase get logged from same user.

9) Cookie Testing on Multiple browsers: This is the important case to check if your web application page is writing the cookies properly on different browsers as intended and site works properly using these cookies. You can test your web application on Major used browsers like Internet explorer (Various versions), Mozilla Firefox, Netscape, Opera etc.
10) If your web application is using cookies to maintain the logging state of any user then log in to your web application using some username and password. In many cases you can see the logged in user ID parameter directly in browser address bar. Change this parameter to different value says if previous user ID is 100 then make it 101 and press enter. The proper access message should be displayed to user and user should not be able to see other users account.

Security Testing


If you are thinking about Security Testing, here we go:



Security testing:
Security testing is a process to determine that an information system protects data and maintains functionality as intended. The security testing is performed to check whether there is any information leakage in the sense by encrypting the application or using wide range of software’s and hardware's and firewall etc.
The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, authorization and non-repudiation. Security testing as a term has a number of different meanings and can be completed in a number of different ways.

Authentication - Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism. Basically, it allows a receiver to have confidence that information it receives originated from a specific known source.

Authorization - Determining that a requester is allowed to receive a service or perform an operation.

Availability- Assuring information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

Confidentiality - A security measure which protects the disclosure of data or information to parties other than the intended.

Integrity – Whether the intended receiver receives the information or data which is not altered in transmission.

Non-repudiation - Interchange of authentication information with some form of provable time stamp e.g. with session id etc.

Types:
There are two types of security testing that can be performed on Web applications: static analysis and dynamic analysis. In addition, there are two ways of performing security tests: automated and manual.
Dynamic analysis involves performing tests on a running instance of an application and is also known as black box testing. The security test will involve sending requests to the application and observing the responses to see if there was any indication that security vulnerability may be present. Dynamic analysis can be an effective way to test applications, but it is important to understand some limitations. First of all, because the testing is based on analyzing request and response patterns, the results obtained are really only a guess about the internal state of the application -- the tester typically has no knowledge of the actual application source code and what the actual internal state of the application is. In addition, because the tester is only looking at the observable behavior of the application and cannot know the entire attack surface, there is a chance that areas of the application and components of its functionality will be excluded from the test.
Dynamic analysis can either be performed in an automated manner or manually. Web application scanning tools like those from Watch fire and SPI Dynamics are good example of automated dynamic analysis tools. Automated tools are good for finding much common vulnerability such as SQL injection and cross-site scripting (XSS).
Manual testing of Web applications is typically performed using a Web browser and a Web proxy tool like Paros or OWASP's Web Scarab. The commercial scanning tools also typically come with proxies as well so that analysts using their scanners can augment the scanner results with manual tests. Proxies allow the security analyst to create and send arbitrary requests to the application and inspect the results to look for evidence of security issues. As mentioned above, these manual tests to look for data leakage, failures to authorize activities and so on are required for a credible application security assessment.
Where dynamic analysis is performed against an actually running installation of an application, static analysis involves reviewing application assets like source code, configuration files and so on when they are static -- or at rest. This is also known as source code analysis or white box testing. Static analysis opens up opportunities for a more thorough analysis because the analysis being performed has access to the "ground truth" of the source code. Analysts do not have to observe the behavior of an application and make guesses about the internal state of the system; instead the analyst has access to the actual instructions the software will follow when put into production.

Security testing approach:
In order to perform a useful security test of a web application, the security tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS.

1. Password cracking:
The security testing on a web application can be kicked off by “password cracking”. In order to log in to the private areas of the application, one can either guess a username/ password or use some password cracker tool for the same. Lists of common usernames and passwords are available along with open source password crackers. If the web application does not enforce a complex password (e.g. with alphabets, number and special characters, with at least a required number of characters), it may not take very long to crack the username and password.
If username or password is stored in cookies without encrypting, attacker can use different methods to steal the cookies and then information stored in the cookies like username and password

2. URL manipulation through HTTP GET methods:
The tester should check if the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.
Via HTTP GET request user information is passed to server for authentication or fetching data. Attacker can manipulate every input variable passed from this GET request to server in order to get the required information or to corrupt the data. In such conditions any unusual behavior by application or web server is the doorway for the attacker to get into the application.

3. SQL Injection:
The next thing that should be checked is SQL injection. Entering a single quote (‘) in any textbox should be rejected by the application. Instead, if the tester encounters a database error, it means that the user input is inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.
SQL injection attacks are very critical as attacker can get vital information from server database. To check SQL injection entry points into your web application, find out code from your code base where direct MySQL queries are executed on database by accepting some user inputs.
If user input data is crafted in SQL queries to query the database, attacker can inject SQL statements or part of SQL statements as user inputs to extract vital information from database. Even if attacker is successful to crash the application, from the SQL query error shown on browser, attacker can get the information they are looking for. Special characters from user inputs should be handled/ escaped properly in such cases.

4. Cross Site Scripting (XSS):
The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application. If it is, the application can be prone to an attack by Cross Site Scripting.
Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to steal user cookies and information stored in the cookies.
Many web applications get some user information and pass this information in some variables from different pages.
E.g.: http://www.domain.com/index.php?userid=123&query=xyz
Attacker can easily pass some malicious input or <script> as a ‘&query’ parameter which can explore important user/server data on browser.
Important: During security testing, the tester should be very careful not to modify any of the following:
• Configuration of the application or the server
• Services running on the server
• Existing user or customer data hosted by the application
Additionally, a security test should be avoided on a production system.
The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.

When do we use Security Testing?
Security testing is carried out when some important information and assets managed by the software application are of significant importance to the organization. Failures in the software security system can be serious especially when not detected, thereby resulting in a loss or compromise of information without the knowledge of that loss.
The security testing should be performed both prior to the system going into the operation and after the system is put into operation.
Rigorous security testing activities are performed to demonstrate that the system meets the specified security requirements & identify the left out security vulnerabilities, if any.
The extent of testing largely depends upon the security risks, and the test engineers assigned to conduct the security testing are selected according to the estimated sophistication that might be used to penetrate the security.

What are the objectives of Security Testing?
Security defects do not come to surface that easily as other types of defects. Thus security testing is carried out to identify defects that are quite difficult to identify. The security testing is carried out to ensure that the software under test is sufficiently robust and functions in an acceptable manner even in the event of a malicious attack.
The objectives of security testing can be:
1) To ensure that adequate attention is provided to identify the security risks
2) To ensure that a realistic mechanism to define & enforce access to the system is in place
3) To ensure that sufficient expertise exists to perform adequate security testing
4) To conduct reasonable tests to confirm the proper functioning of the implemented security measures

Who should do the Security Testing?
Majority of the security testing techniques are manual, requiring an individual to initiate and conduct the test. Automation tools can be helpful in executing simple tasks, whereas complicated tasks continue to depend largely on the intelligentsia of the test engineer.
Irrespective of the type of testing, the testing engineers that plan and conduct security testing should have significant security and networking related knowledge, including expertise of following areas:
1) Network security
2) Firewalls
3) Intrusion detection system
4) Operating systems
5) Programming and networking protocols like TCP/IP

Security Testing versus Conventional Software Testing
– A Quick Comparison:
Security testing has following attributes:
  • It emphasizes what an application should not do rather than what it should do.
  • It sometimes tests conformance to positive requirements for instance - "User accounts getting disabled after five unsuccessful login attempts" etc.
  • It is aimed to test the negative requirements stating something that should never occur. For example "An external attacker should not be able to modify the contents of the Web page" and "Unauthorized users should not be able to access the data."

Conventional testing has following attributes:
  • It is aimed to test a positive requirement i.e. to create the conditions in which the requirement is intended to hold true and verify that the requirement is satisfied by the software.
  • To apply conventional testing approach to the negative requirements, we need to create every possible set of non-feasible conditions.

Methods of Security Testing:
To confirm if a particular software application meets the security requirements, usually following two methods of testing are adopted

1) Functional security testing: It is meant to ensure that the software behaves according to certain specified functional requirements and is expected to demonstrate that the specified requirements are totally satisfied at the acceptable level. Functional requirement generally have a form like - "When a certain thing takes place, then the software must respond in a particular way."

2) Risk-based security testing: The first step in risk-based testing is the identification of the security risks and the potential loss associated with those risks. It tries to confirm the immunity against specific risks that have been identified through risk analysis effort. Risk-based testing addresses negative requirements, which state what a software system should not do. Tests for negative requirements are derived from a risk analysis, and generally cover not only the high-level risks identified during the design process but also address low-level risks derived from the software itself.

What are the common techniques for Security Testing?
Few of the security testing techniques commonly used are:
  • Network scanning
  • Vulnerability scanning
  • Password cracking
  • Log review
  • Integrity checkers
  • Virus detection
  • War dialing
  • War driving (wireless LAN testing)
  • Penetration testing
In actual practice combination of many such techniques may be used to have a more comprehensive assessment of the overall security aspect.

How to write Security test cases?
I shall deal with the approach and the style for writing security test cases.
Before you begin writing your test cases, note that

1) It is important to segregate based on Roles (something like Admin, Manager, Supervisor etc.)
2) You will need to delve into the negative scenario for a particular event initially before taking up the positive scenarios. This will ensure continuity of the test cases and will greatly help.

—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0
Given below is a very simple example for the approach to write security test cases. Once you are aware of the knack of writing simple ones like this, you can graduate to writing larger and complex ones. Yes, It is a great aid to novice and intermediate testers to follow these and test the security for any kind of application.
NO.
Action
Test Steps
Pass/ Fail
Comments
1
Invoke the application by typing the URL “http://abhi/myProj/Default.asp”
The browser should be invoked and the application login page should appear.
Verify the login security for the Project Lead.
2
Login with loginname as “abhilash” and password as “password56″.
The user should be logged in and be directed to the Home page.
3
Verify the menu structure on the Home page.
The home page should contain the following menu structure.
- Projects
- Tasks
- Dashboard
- Reports
- Skills
 4
Verify the menu dropdown for the “Projects” menu.
The “Projects” menu should contain the following menu items.
- Create Task
- Create Build
- Create Module
 ***
Like this you will need to cover the other menus too.
End of verification for the Project Lead.
Verify the login security for a Team Member
 1
Login with loginname “anoop” and password as “anooppass”.
The user should be logged in and navigated to the Home page.
 2
Verify the menu structure on the Home page.
The home page should contain the following menu structure.
- Projects
- Tasks
- Dashboard
- Reports
- Skills
 3
Verify that the user cannot select the menu item “Projects”.
The user should NOT be able to select the menu item “Projects”. The menu should be displayed as disabled.
 4
Verify that the user can select the menu item “Tasks”.
The user should be able to select the menu item “Tasks”. The menu should be displayed as enabled.
 5
Verify that the user cannot select the menu item “Dashboard”.
The user should NOT be able to select the menu item “Dashboard”. The menu should be displayed as disabled.
 6
Verify that the user can select the menu item “Reports”.
The user should be able to select the menu item “Reports”. The menu should be displayed as enabled.
 7
Verify that the user cannot select the menu item “Skills”.
The user should NOT be able to select the menu item “Skills”. The menu should be displayed as disabled.
like this you will need to tackle each content on respective pages.
End of verification for the team member.
—-0—x—0——0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0—0—x—0—0


Web Security Testing Checklist:

1. Try to directly access bookmarked web page without login to the system.
2. Do not sign-on system, directly try to download the file from the available download url, such as the input http://url/download?name=file and check if the systems restrict you to download the file.
3. sign out and then press the Back button to access the page accessed before.
4. ID / password authentication method: check with valid and invalid passwords, password rules say cannot be less than 6 characters, user id and password cannot be the same etc.
5. Important information (such as passwords, ID numbers, credit card numbers, etc.) should not get displayed in the input box when typing. They should be all encrypted and in asterix format.
6. Manually change the parameter value in the URL to check if you can access special pages. For example, suppose in a web system If ordinary users access the corresponding url in the parameters l = e and the corresponding url for advanced users in the parameters l = s. Now if a user manually changes the value from e to s it should not allow you to access the page.
7. In the url, enter the following address to check if it can be downloaded restricted files: http://url/download.jsp?file=C: \ windows \ system32 \ drivers \ etc \ hosts,
http://url/download.jsp?file = / etc / password
8. after session time out try to access restricted page.
9. Error messages whether they contain SQL statements, SQL error messages, as well as web server's absolute path, etc.
10. ID / password authentication, the same account on different machines cannot log on at the same time. So at a time only one user can login to the system with a user id.
11. ID / password authentication methods, entered the wrong password several times and check if the account gets locked.
12. Add or modify important information (passwords, ID numbers, credit card number, etc.). Check if it gets reflected immediately or caching the old values.