When testing web applications, you may feel overwhelmed by the technologies of today's web environments. Web testing today requires more than just exercising a system’s functionality. Each system is composed of a customized mix of various layers of technology, each implemented in a different programming language and requiring unique testing strategies. This “stew” often leads to puzzling behavior across browsers; performance problems due to page design and content, server locations, and architecture; and inconsistent operation of navigation controls. Dawn Haynes shares an extensive set of test design ideas, standards, and software attacks. She explains their general applicability, effort needed to execute, and technical skill required for success, so you can determine what’s useful in your situation. Dawn demonstrates a variety of tools to help you improve your web testing of HTML syntax, page layout, download speeds, 508 compliance, readability, and more. From the easy and quick to implement to the techie hard stuff, Dawn has something for every web tester.
TQ PM Tutorial
10/1/2013 1:00:00 PM
"How to Break Software: Web 101+ Edition"
Presented by:
Dawn Haynes
PerfTestPlus, Inc.
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com
Dawn Haynes
PerfTestPlus, Inc.
Dawn Haynes is COO, principal trainer, and consultant for PerfTestPlus, Inc., and a former
director of the Association for Software Testing. Dawn’s unique blend of experience, humor, and
effectiveness at providing tools and techniques that help students at all levels generate new
approaches to common and complex software testing problems has resulted in her international
recognition as an elite trainer of testers. She provides consulting services and is a frequent
speaker at testing conferences, local groups, and intimate gatherings of testers.
© 2013 PerfTestPlus, Inc.
Introductions
• Who are you?
• Who am I?

Goals
• Enhance your strategies for testing Web applications
• Show a variety of approaches to testing Web apps
• Add to your toolbox

Agenda
• Why is Web testing different? A Web primer
• What’s easy to break?
• How do you approach what’s harder?
Functionality
• Biz Rules
• Events
• Usability
• Algorithms
• Data
• Work-flows
• Scenarios
• Use cases
• Records
• Files
• Stored Procs.
• Calculations
• Batch Procedures
• Business processes
• Operations
• Behavior
Implementation: architecture, design & deployment
• Hosted
• Plug-ins
• GUI elements
• Navigation
• Layers
• Protocol
• HTTP(S)
• PPTP
• Biz Objects
• Tiers
• Flash
• Constraints
• Adobe
• Browsers
• JVMs
• Conventions
• Objects
• Layout
• SOA
• BI/DW
• JavaScript
• H/XTML
• AJAX
• TCP/IP
• SOAP
• Cross-site scripting
• SQL injection
• Directory traversal

Language Based Attacks
• Buffer overflows
• Canonicalization
• NULL-string attacks

Attacking the Server
• SQL injection II – Stored procedures
• Command injection
• Fingerprinting the server
• Denial of service

Authentication
• Fake cryptography
• Breaking authentication
• Cross-site tracing
• Forcing weak cryptography
HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement Web sites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies.
[Reference: wiki.answers.com]
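As an added example (not part of the original slides or of the quoted reference), the following Python model shows statelessness and the cookie fix in miniature: each call to handle_request sees nothing but the headers it is given, so the only way the server can tell that the third request comes from the client that just logged in is the session cookie that client sends back. The names handle_request, SESSIONS and demo are hypothetical, as is the user name.

```python
# Added example, not from the slides: a toy model of a stateless HTTP server
# that gains memory across requests only through a session cookie.
import secrets
from http.cookies import SimpleCookie

# Server-side session store, keyed by an unguessable session id (hypothetical name).
SESSIONS = {}

def handle_request(headers, body=None):
    """Handle one request in isolation, as an HTTP server does.

    `headers` is a dict of request headers; `body` is form data for a login.
    Returns (status, response_headers, text). The only link between two calls
    is whatever the client chooses to send back in its Cookie header.
    """
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["sid"].value if "sid" in cookie else None

    # Login: create a fresh session and hand the id back in Set-Cookie.
    if body and body.get("action") == "login":
        sid = secrets.token_urlsafe(32)          # 256-bit random id, never a counter
        SESSIONS[sid] = {"user": body["user"]}
        c = SimpleCookie()
        c["sid"] = sid
        c["sid"]["httponly"] = True              # script cannot read it
        c["sid"]["secure"] = True                # sent only over HTTPS
        c["sid"]["samesite"] = "Lax"             # not attached to cross-site POSTs
        return 200, {"Set-Cookie": c["sid"].OutputString()}, "logged in"

    # Any other request: the server knows nothing unless a valid cookie arrives.
    session = SESSIONS.get(sid)
    if session is None:
        return 401, {}, "who are you?"
    return 200, {}, f"hello {session['user']}"

def demo():
    """Four independent requests; returns the statuses and one greeting."""
    # 1st request: no cookie, so the server has no idea who this is
    s1, _, _ = handle_request({})
    # 2nd request: login, server issues a session cookie ("dawn" is a constructed user)
    s2, h2, _ = handle_request({}, {"action": "login", "user": "dawn"})
    sid = SimpleCookie(h2["Set-Cookie"])["sid"].value
    # 3rd request: client echoes the cookie, and now the server "remembers"
    s3, _, t3 = handle_request({"Cookie": f"sid={sid}"})
    # 4th request: same client without the cookie -> stateless again
    s4, _, _ = handle_request({})
    return (s1, s2, s3, t3, s4)

if __name__ == "__main__":
    print(demo())
```

The fourth request is the point a web tester should hold on to: nothing about the connection, the IP address or the order of requests identifies the user; only the cookie does, which is why the cookie's attributes and the entropy of its value matter.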
Test Plan

Functionality
• Links
• Cookies
• HTML/CSS
• Database

Usability
• Navigation
• Content checks
• Help, search …

Interfaces
• Web server
• Application server
• Database server

Compatibility
• Browser
• O/S
• Mobile
• Printing
• 508

Performance
• Load (users, connections, page requests…)
• Stress (exceed limits for fields, login, memory…)

Security
• Bypass login
• URL tampering
• Input attacks
• Error msgs

[Ref: www.softwaretestinghelp.com]
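Two rows of this plan, Cookies and Error msgs, lend themselves to a quick automated pass. The following Python is an added example, not from the slides or the referenced site; it runs over constructed sample responses and reports session cookies that lack Secure/HttpOnly/SameSite and 5xx pages that expose stack traces or database errors. The function names, the sample responses and the leak patterns are assumptions made for this example.

```python
# Added example, not from the slides: quick checks for the "Cookies" and
# "Error msgs" rows of the test plan, run over constructed sample responses.
import re
from http.cookies import SimpleCookie

# Constructed sample responses: name -> (status, headers, body)
SAMPLE_RESPONSES = {
    "login_weak": (200, {"Set-Cookie": "sid=abc123; Path=/"}, "<html>Welcome</html>"),
    "login_good": (200, {"Set-Cookie": "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"},
                   "<html>Welcome</html>"),
    "search_err": (500, {}, "java.lang.NullPointerException at com.example.Search.run(Search.java:42)"),
    "search_clean": (500, {}, "Something went wrong. Reference: 7f3a"),
}

# Patterns that mark an error page as leaking internals (constructed list).
LEAK_PATTERNS = [
    r"Exception\b",
    r"\bat [\w.$]+\(\w+\.java:\d+\)",          # Java stack frame
    r"Traceback \(most recent call last\)",    # Python traceback
    r"ORA-\d{5}",                              # Oracle error code
    r"SQL syntax",
    r"Stack trace",
]

def missing_cookie_flags(set_cookie_header):
    """Return the protective attributes each cookie in a Set-Cookie header lacks."""
    c = SimpleCookie(set_cookie_header)
    missing = []
    for name, morsel in c.items():
        if not morsel["secure"]:
            missing.append(f"{name}: Secure")
        if not morsel["httponly"]:
            missing.append(f"{name}: HttpOnly")
        if not morsel["samesite"]:
            missing.append(f"{name}: SameSite")
    return missing

def error_leaks(body):
    """Return the leak patterns that match an error page body."""
    return [p for p in LEAK_PATTERNS if re.search(p, body)]

def audit(responses):
    """Map each response name to its list of findings (empty list = clean)."""
    findings = {}
    for name, (status, headers, body) in responses.items():
        issues = []
        if "Set-Cookie" in headers:
            issues += missing_cookie_flags(headers["Set-Cookie"])
        if status >= 500:
            issues += ["leak: " + p for p in error_leaks(body)]
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RESPONSES).items():
        print(name, "->", issues or "clean")
```

In a real run the responses come from a recorded proxy session or the test tool's HTTP client; the checks stay the same, which is what makes them cheap to keep in a regression suite.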