The more I read, the more I acquire, the more certain I am that I know nothing. -Voltaire
SAMIE Detailed Documentation from forums
SourceForge.net: SAMIE Discussion
By: Josh Watts - seajosh
SAMIE documentation
2005-06-06 08:33
Here's my pass at documenting SAMie that I did a while ago and thought I'd post it here as well.
Win32::SAM - Simple Automation Mode for Internet Explorer
* NAME
* SYNOPSIS
* DESCRIPTION
    o Methods
* AUTHORS
* SEE ALSO
NAME
Win32::SAM - Simple Automation Mode for Internet Explorer (SAMie)
SYNOPSIS
    use strict;
    use Win32::OLE;
    use Win32::SAM;

    $| = 1;    # unbuffered output, so progress messages appear immediately

    my $URL = 'http://samie.sourceforge.net/popupframes/basepage.html';
    my $IEDocument;
    my $seconds;
    my $htmlseite;
    my $item;

    # Warn level 0: Win32::OLE errors are ignored silently (failed calls return undef)
    $Win32::OLE::Warn = 0;

    # Start IE, load the test page and get a reference to its DOM
    StartIE();
    Navigate($URL);
    $IEDocument = GetDocument();

    # Click the three links on the base page in turn
    print "Calling WaitForDocumentComplete1\n";
    print "Clicking Link one\n";
    ClickLink("Link one");
    print "Calling WaitForDocumentComplete2()\n";
    print "Clicking Link two\n";
    ClickLink("Link two");
    print "Calling WaitForDocumentComplete3()\n";
    print "Clicking Link three\n";
    ClickLink("Link three");
    print "Calling WaitForDocumentComplete4(8)\n";

    # Set the edit boxes named basepage, popup1, popup2 and popup3
    SetEditBox("basepage","This is cool basepage");
    SetEditBox("popup1","This is cool1");
    SetEditBox("popup2","This is cool2");
    SetEditBox("popup3","This is cool3");
DESCRIPTION
SAMie allows you to automate Internet Explorer without having to pay the licensing fees of those "other automation tools."
It uses Win32::OLE to get the IE COM object and then a reference to the DOM. Once you have the DOM you're pretty much home free.
For more information on interfaces to the DOM elements, go to http://msdn.microsoft.com/workshop/browser/mshtml/reference/reference.asp
For more information on controlling the IE browser, go to http://msdn.microsoft.com/workshop/browser/webbrowser/browser_control_node_entry.asp
Methods
StartIE()
This class method starts IE and maximizes the IE window.
RefreshIE()
This class method refreshes the page currently loaded in IE.
Navigate($URL[,$POPUP])
This class method tells the browser to load the specified URL. The optional POPUP argument specifies that the URL will open in a popup window.
GetActiveObject()
This class method lets SAMie use a browser that is already open.
ClickBackButton()
This class method emulates clicking the browser's back button.
GetDocument()
This class method returns a reference to the DOM.
DismissSecurityAlert()
This class method closes a Security Alert window.
VerifyMessageBox($CAPTION,$EXPECTEDTEXT)
This class method verifies if EXPECTEDTEXT exists in a popup window with CAPTION in the title.
VerifyCheckBox($NAME,$VALUE)
This class method checks to see the checked status of a checkbox input element with name NAME & value VALUE. It returns 0 if it's checked and 1 if it's unchecked.
VerifyTextPresent($TEXT)
This class method verifies that TEXT is in the browser's document.
VerifyTextArrayPresent(@TEXTARRAY)
Need information here.
VerifyTextNotPresent($TEXT)
This class method verifies that TEXT is not in the browser's document.
ClickTreeNodeOrig($NODE)
Need information here.
ClickTreeNodeIcon($NODE)
Need information here.
ClickTreeNode(@NODES)
Need information here.
PrintAllObjects($IEObjectGroup,$IEObject,$i)
Prints element information for every element in the DOM.
VerifyLinkTextExists($LINKTEXT,$ISFAIL)
Returns 1 if a link with LINKTEXT exists; 0 otherwise. If ISFAIL is 1, the method stops execution of the script.
VerifyFormElementExists($NAME)
Returns if the form element NAME is found; stops execution of the script otherwise.
VerifyEditBox($NAME,$VALUE)
Returns 0 if the form element NAME exists and has a value VALUE; returns 1 if the element isn't found or the element is found but doesn't have a value VALUE.
VerifyTableText($TEXT)
Returns 0 if TEXT is found within a table; returns 1 otherwise.
VerifyListBoxItem($SELECTNAME,$ITEMNAME)
Returns 0 if ITEMNAME is found within select element SELECTNAME; returns 1 otherwise.
SetEditBox($NAME,$VALUE[,$ACTION[,$FORMNAME]])
Sets the text element NAME value to VALUE. If ACTION is 'onblur', the onblur and onchange events are fired. If FORMNAME is defined, looks for the text element NAME within that form.
ClickDiv($ID)
Clicks the div element with an id of ID.
ClickButton($VALUE[,$WDC[,$POPUP]])
Clicks a button or submit element with a value of VALUE. If WDC is 0, SAMie doesn't wait for the browser to load a page, useful when clicking a link to download a file or display an alert. If POPUP is 1, SAMie waits for a popup window to load a document.
ClickTableData($TITLE)
Clicks a table cell with a title of TITLE.
LookForListBoxItem($ACCOUNTNUMBER,$ITEMNAME)
This function needs to be renamed.
ClickImage($IMAGENAME,$POPUP)
Clicks an image with a src or alt attribute of IMAGENAME and fires the onclick event. If POPUP is defined, SAMie waits for a document to load in a popup window.
ClickFormImage($IMAGENAME[,$POPUP[,$CHECKFORMESSAGEBOX]])
Clicks an image with a value or alt attribute of IMAGENAME within a form. If POPUP is defined, SAMie waits for a document to load in a popup window. If CHECKFORMESSAGEBOX is defined, processes an alert or similar message box.
ClickRadioButton($RADIONAME,$RADIOVALUE)
Sets the nth element, defined by RADIOVALUE, in a radio input group defined by RADIONAME.
VerifyRadioButton($RADIONAME,$RADIOVALUE,$STATE)
Returns 0 if the nth element, defined by RADIOVALUE, in a radio input group defined by RADIONAME is checked; returns 1 otherwise.
VerifyStatusBarMessage($STATUSBARMESSAGE)
Returns if the browser's status bar text is equal to $STATUSBARMESSAGE; stops the execution of the script otherwise.
ClickCheckBox($ITEMNAME)
Clicks the check box element with a name of ITEMNAME.
SetCheckBox($NAME,$VALUE[,$FORMNAME])
Sets the check box element's value with a name of NAME to VALUE. If FORMNAME is defined, SAMie only sets the check box element contained in the form FORMNAME.
ClickLink($LINKNAME[,$POPUP[,$CHECKFORMESSAGEBOX[,$INDEX[,$WDC]]]])
Clicks the link where the link's text is equal to LINKNAME. If POPUP is 1, SAMie waits for the document to load in a popup window. If CHECKFORMESSAGEBOX is 1, processes an alert or similar message box. If INDEX is defined, clicks the nth link. If WDC is 1, SAMie waits for the document to load; otherwise, it returns from the function.
SetListBoxItem($SELECTNAME,$ITEMNAME[,$FORMNAME])
Sets the select input element's value, defined by SELECTNAME, to the option with a value or text of ITEMNAME. If FORMNAME is defined, only sets the select input element within that form.
GetCurrentListBoxItem()
This function needs to be reworked.
ClickFormButtonByIndex($BUTTONINDEX[,$POPUP[,$CHECKFORMESSAGEBOX[,$FORMNAME]]])
Clicks the nth button, defined by BUTTONINDEX. If POPUP is 1, waits for the document to load in a popup window. If CHECKFORMESSAGEBOX is 1, processes an alert or similar message box. If FORMNAME is defined, clicks the nth button in form FORMNAME.
ClickFormButtonByLabel($BUTTONLABEL,$POPUP,$WINDOWTITLE,$SKIPFIRINGONCLICKEVENT)
Not sure about this function.
ClickFormButton($BUTTONNAME[,$POPUP[,$CHECKFORMESSAGEBOX[,$FORMNAME[,$NOWAIT]]]])
Clicks a button or submit element with a value of VALUE. If POPUP is 1, SAMie waits for a popup window to load a document. If CHECKFORMESSAGEBOX is 1, processes an alert or similar message box. If FORMNAME is defined, clicks the nth button in form FORMNAME. If NOWAIT is 0, SAMie doesn't wait for the browser to load a page, useful when clicking a link to download a file or display an alert.
ClickAClassNameHyperlink($CLASSNAME[,$POPUP[,$CHECKFORMESSAGEBOX]])
Clicks the first link with a class name attribute of CLASSNAME. If POPUP is 1, SAMie waits for a popup window to load a document. If CHECKFORMESSAGEBOX is 1, processes an alert or similar message box.
ListNamespaces()
This function does not return any values.
SetFile($FILEINPUT,$FILEPATH)
Sets the file input element's $FILEINPUT value to $FILEPATH. Using this function uses the Win32::GuiTest SendKeys() function to set the value.
KillPopups($URL)
SAMie doesn't open popup windows with URL in the url of the popup window. Every call to this function adds URL to the array of popup urls to kill.
IgnoreURL($URL)
SAMie doesn't wait for a document to load with a url of URL. Every call to this function adds URL to the array of the urls to ignore.
WaitForRefresh()
This function returns after a document is refreshed.
SaveFile($FILENAME,$DIRECTORYNAME)
This function processes a 'Save File' dialog box. It saves the download file to FILENAME. If DIRECTORYNAME is "yes", it prepends the FILENAME argument to the original filename in the 'Save File' dialog box; otherwise, the FILENAME argument is an absolute path.
GetLinkURL($LINKNAME)
Gets the url of the link LINKNAME.
AUTHORS
Henry Wasserman,
Josh Watts,
SEE ALSO
.
Win32::SAM - Simple Automation Mode for Internet Explorer
Interview Questions for Software Testers
Interview Questions
On this page I put more than 200 different interview questions from different resources. Some of them are very simple, some are a little bit difficult. If you would like to check your technical knowledge or to see more questions and answers, you can download a free copy of the Exam application or read more on the "Software We Recommend" page.
Please do not send me e-mails asking the answers to these questions.
This page is being updated on a quarterly basis
Test Automation:
1. What automating testing tools are you familiar with?
2. How did you use automating testing tools in your job?
3. Describe some problem that you had with automating testing tool.
4. How do you plan test automation?
5. Can test automation improve test effectiveness?
6. What is data-driven automation?
7. What are the main attributes of test automation?
8. Does automation replace manual testing?
9. How will you choose a tool for test automation?
10. How will you evaluate the tool for test automation?
11. What are the main benefits of test automation?
12. What could go wrong with test automation?
13. How will you describe testing activities?
14. What testing activities may you want to automate?
15. Describe common problems of test automation.
16. What types of scripting techniques for test automation do you know?
17. What are principles of good testing scripts for automation?
18. What tools are available for support of testing during software development life cycle?
19. Can the activities of test case design be automated?
20. What are the limitations of automating software testing?
21. What skills are needed to be a good test automator?
22. How to find that tools work well with your existing system?
23. Describe some problem that you had with automating testing tool.
24. What are the main attributes of test automation?
25. What testing activities may you want to automate in a project?
26. How to find that tools work well with your existing system?
From "Test Automation Architectures: A Context-Based Approach" by Bret Pettichord, 2002
Ready to Automate?
1. Is automation (or testing) a label for other problems?
No = 15 points
2. Are testers trying to use automation to prove their prowess?
No = 10 points
3. Can testability features be added to the product code?
Yes = 10 points
4. Do testers and developers work cooperatively and with mutual respect?
Yes = 15 points
5. Is automation developed on an iterative basis?
Yes = 10 points
6. Have you defined the requirements and success criteria for automation?
Yes = 15 points
7. Are you open to different concepts of what test automation can mean?
Yes = 10 points
8. Is test automation led by someone with an understanding of both programming and testing?
Yes = 15 points
Ready to Automate? Scoring
Nevermind: 55 or less
Wait and See: 60-65
Time for More Training: 70-75
Win Over Some Converts: 80-85
Ready to Automate: 90-100
Load Testing:
1. What criteria would you use to select Web transactions for load testing?
2. For what purpose are virtual users created?
3. Why is it recommended to add verification checks to all your scenarios?
4. In what situation would you want to parameterize a text verification check?
5. Why do you need to parameterize fields in your virtual user script?
6. What are the reasons why parameterization is necessary when load testing the Web server and the database server?
7. How can data caching have a negative effect on load testing results?
8. What usually indicates that your virtual user script has dynamic data that is dependent on your parameterized fields?
9. What are the benefits of creating multiple actions within any virtual user script?
General questions:
1. What types of documents would you need for QA, QC, and Testing?
2. What did you include in a test plan?
3. Describe any bug you remember.
4. What is the purpose of the testing?
5. What do you like (not like) in this job?
6. What is quality assurance?
7. What is the difference between QA and testing?
8. How do you scope, organize, and execute a test project?
9. What is the role of QA in a development project?
10. What is the role of QA in a company that produces software?
11. Define quality for me as you understand it
12. Describe to me the difference between validation and verification.
13. Describe to me what you see as a process. Not a particular process, just the basics of having a process.
14. Describe to me when you would consider employing a failure mode and effect analysis.
15. Describe to me the Software Development Life Cycle as you would define it.
16. What are the properties of a good requirement?
17. How do you differentiate the roles of Quality Assurance Manager and Project Manager?
18. Tell me about any quality efforts you have overseen or implemented. Describe some of the challenges you faced and how you overcame them.
19. How do you deal with environments that are hostile to quality change efforts?
20. In general, how do you see automation fitting into the overall process of testing?
21. How do you promote the concept of phase containment and defect prevention?
22. If you come onboard, give me a general idea of what your first overall tasks will be as far as starting a quality effort.
23. What kinds of testing have you done?
24. Have you ever created a test plan?
25. Have you ever written test cases or did you just execute those written by others?
26. What did you base your test cases on?
27. How do you determine what to test?
28. How do you decide when you have 'tested enough?'
29. How do you test if you have minimal or no documentation about the product?
30. Describe to me the basic elements you put in a defect report.
31. How do you perform regression testing?
32. At what stage of the life cycle does testing begin in your opinion?
33. How do you analyze your test results? What metrics do you try to provide?
34. Realising you won't be able to test everything - how do you decide what to test first?
35. Where do you get your expected results?
36. If automating - what is your process for determining what to automate and in what order?
37. In the past, I have been asked to verbally start mapping out a test plan for a common situation, such as an ATM. The interviewer might say, "Just thinking out loud, if you were tasked to test an ATM, what items might your test plan include?" These types of questions are not meant to be answered conclusively, but it is a good way for the interviewer to see how you approach the task.
38. If you're given a program that will average student grades, what kinds of inputs would you use?
39. Tell me about the best bug you ever found.
40. What made you pick testing over another career?
41. What is the exact difference between Integration & System testing, give me examples with your project.
42. How did you go about testing a project?
43. When should testing start in a project? Why?
44. How do you go about testing a web application?
45. Difference between Black & White box testing
46. What is Configuration management? Tools used?
47. What do you plan to become after say 2-5yrs (Ex: QA Manager, Why?)
48. Would you like to work in a team or alone, why?
49. Give me 5 strong & weak points of yours
50. Why do you want to join our company?
51. When should testing be stopped?
52. What sort of things would you put down in a bug report?
53. Who in the company is responsible for Quality?
54. Who defines quality?
55. What is an equivalence class?
56. Is "A fast database retrieval rate" a testable requirement?
57. Should we test every possible combination/scenario for a program?
58. What criteria do you use when determining when to automate a test or leave it manual?
59. When do you start developing your automation tests?
60. Discuss what test metrics you feel are important to publish an organization?
61. In case anybody cares, here are the questions that I will be asking:
62. Describe the role that QA plays in the software lifecycle.
63. What should Development require of QA?
64. What should QA require of Development?
65. How would you define a "bug?"
66. Give me an example of the best and worst experiences you've had with QA.
67. How does unit testing play a role in the development / software lifecycle?
68. Explain some techniques for developing software components with respect to testability.
69. Describe a past experience with implementing a test harness in the development of software.
70. Have you ever worked with QA in developing test tools? Explain the participation Development should have with QA in leveraging such test tools for QA use.
71. Give me some examples of how you have participated in Integration Testing.
72. How would you describe the involvement you have had with the bug-fix cycle between Development and QA?
72. What is unit testing?
73. Describe your personal software development process.
74. How do you know when your code has met specifications?
75. How do you know your code has met specifications when there are no specifications?
76. Describe your experiences with code analyzers.
77. How do you feel about cyclomatic complexity?
78. Who should test your code?
79. How do you survive chaos?
80. What processes/methodologies are you familiar with?
81. What type of documents would you need for QA/QC/Testing?
82. How can you use technology to solve problem?
83. What type of metrics would you use?
84. How to find that tools work well with your existing system?
85. What automated tools are you familiar with?
86. How well do you work with a team?
87. How would you ensure 100% coverage of testing?
88. How would you build a test team?
89. What problem do you have right now or did you have in the past? How did you solve it?
90. What will you do during the first day of the job?
91. What would you like to do five years from now?
92. Tell me about the worst boss you've ever had.
93. What are your greatest weaknesses?
94. What are your strengths?
95. What is a successful product?
96. What do you like about Windows?
97. What is good code?
98. Who is Kent Beck, Dr Grace Hopper, Dennis Ritchie?
99. What are the basic, core practices for a QA specialist?
100. What do you like about QA?
101. What has not worked well in your previous QA experience and what would you change?
102. How will you begin to improve the QA process?
103. What is the difference between QA and QC?
104. What is UML and how to use it for testing?
105. What is CMM and CMMI? What is the difference?
106. What do you like about computers?
107. Do you have a favourite QA book? More than one? Which ones? And why.
108. What is the responsibility of programmers vs QA?
109. What are the properties of a good requirement?
110. How to test if we have minimal or no documentation about the product?
111. What are all the basic elements in a defect report?
112. Is "A fast database retrieval rate" a testable requirement?
From Cem Kaner article: "Recruiting testers" December 1999
1. What is software quality assurance?
2. What is the value of a testing group? How do you justify your work and budget?
3. What is the role of the test group vis-à-vis documentation, tech support, and so forth?
4. How much interaction with users should testers have, and why?
5. How should you learn about problems discovered in the field, and what should you learn from those problems?
6. What are the roles of glass-box and black-box testing tools?
7. What issues come up in test automation, and how do you manage them?
8. What development model should programmers and the test group use?
9. How do you get programmers to build testability support into their code?
10. What is the role of a bug tracking system?
11. What are the key challenges of testing?
12. Have you ever completely tested any part of a product? How?
13. Have you done exploratory or specification-driven testing?
14. Should every business test its software the same way?
15. Discuss the economics of automation and the role of metrics in testing.
16. Describe components of a typical test plan, such as tools for interactive products and for database products, as well as cause-and-effect graphs and data-flow diagrams.
17. When have you had to focus on data integrity?
18. What are some of the typical bugs you encountered in your last assignment?
19. How do you prioritize testing tasks within a project?
20. How do you develop a test plan and schedule? Describe bottom-up and top-down approaches.
21. When should you begin test planning?
22. When should you begin testing?
23. Do you know of metrics that help you estimate the size of the testing effort?
24. How do you scope out the size of the testing effort?
25. How many hours a week should a tester work?
26. How should your staff be managed? How about your overtime?
27. How do you estimate staff requirements?
28. What do you do (with the project tasks) when the schedule fails?
29. How do you handle conflict with programmers?
30. How do you know when the product is tested well enough?
31. What characteristics would you seek in a candidate for test-group manager?
32. What do you think the role of test-group manager should be? Relative to senior management? Relative to other technical groups in the company? Relative to your staff?
33. How do your characteristics compare to the profile of the ideal manager that you just described?
34. How does your preferred work style work with the ideal test-manager role that you just described? What is different between the way you work and the role you described?
35. Who should you hire in a testing group and why?
36. What is the role of metrics in comparing staff performance in human resources management?
37. How do you estimate staff requirements?
38. What do you do (with the project staff) when the schedule fails?
39. Describe some staff conflicts you've handled.
Here are some questions you might be asked on a job interview for a testing opening: (from MU COSC 198 Software Testing by Dr. Corliss)
1. Why did you ever become involved in QA/testing?
2. What is the testing lifecycle and explain each of its phases?
3. What is the difference between testing and Quality Assurance?
4. What is Negative testing?
5. What was a problem you had in your previous assignment (testing if possible)? How did you resolve it?
6. What are two of your strengths that you will bring to our QA/testing team?
7. How would you define Quality Assurance?
8. What do you like most about Quality Assurance/Testing?
9. What do you like least about Quality Assurance/Testing?
10. What is the Waterfall Development Method and do you agree with all the steps?
11. What is the V-Model Development Method and do you agree with this model?
12. What is the Capability Maturity Model (CMM)? At what CMM level were the last few companies you worked?
13. What is a "Good Tester"?
14. Could you tell me two things you did in your previous assignment (QA/Testing related hopefully) that you are proud of?
15. List 5 words that best describe your strengths.
16. What are two of your weaknesses?
17. What methodologies have you used to develop test cases?
18. In an application currently in production, one module of code is being modified. Is it necessary to re-test the whole application or is it enough to just test functionality associated with that module?
19. Define each of the following and explain how each relates to the other: Unit, System, and Integration testing.
20. Define Verification and Validation. Explain the differences between the two.
21. Explain the differences between White-box, Gray-box, and Black-box testing.
22. How do you go about going into a new organization? How do you assimilate?
23. Define the following and explain their usefulness: Change Management, Configuration Management, Version Control, and Defect Tracking.
24. What is ISO 9000? Have you ever been in an ISO shop?
25. When are you done testing?
26. What is the difference between a test strategy and a test plan?
27. What is ISO 9003? Why is it important?
28. What are ISO standards? Why are they important?
29. What is IEEE 829? (This standard is important for Software Test Documentation-Why?)
30. What is IEEE? Why is it important?
31. Do you support automated testing? Why?
32. We have a testing assignment that is time-driven. Do you think automated tests are the best solution?
33. What is your experience with change control? Our development team has only 10 members. Do you think managing change is such a big deal for us?
34. Are reusable test cases a big plus of automated testing and explain why.
35. Can you build a good audit trail using Compuware's QACenter products. Explain why.
36. How important is Change Management in today's computing environments?
37. Do you think tools are required for managing change. Explain and please list some tools/practices which can help you managing change.
38. We believe in ad-hoc software processes for projects. Do you agree with this? Please explain your answer.
39. When is a good time for system testing?
40. Are regression tests required or do you feel there is a better use for resources?
41. Our software designers use UML for modeling applications. Based on their use cases, we would like to plan a test strategy. Do you agree with this approach or would this mean more effort for the testers.
42. Tell me about a difficult time you had at work and how you worked through it.
43. Give me an example of something you tried at work but did not work out so you had to go at things another way.
44. How can one file compare future dated output files from a program which has change, against the baseline run which used current date for input. The client does not want to mask dates on the output files to allow compares. - Answer-Rerun baseline and future date input files same # of days as future dated run of program with change. Now run a file compare against the baseline future dated output and the changed programs' future dated output.
Interviewing Suggestions
1. If you do not recognize a term ask for further definition. You may know the methodology/term but you have used a different name for it.
2. Always keep in mind that the employer wants to know what you are going to do for them, with that you should always stay/be positive.
Preinterview Questions
1. What is the structure of the company?
2. Who is going to do the interview-possible background information of interviewer?
3. What is the employer's environment (platforms, tools, etc.)?
4. What are the employer's methods and processes used in software arena?
5. What is the employer's philosophy?
6. What is the project all about you are interviewing for-as much information as possible.
7. Any terminologies that the company may use.
Interview Questions
On this page I put more than 200 different interview questions from different resources. Some of them are very simple, some are a little bit difficult. If you would like to check your technical knowledge or to see more questions and answers you can download now a free copy of Exam application or read more on the "Software We Recommend" page.
Please do not send me e-mails asking the answers to these questions.
This page is being updated on a quarterly basis
Test Automation:
1. What automating testing tools are you familiar with?
2. How did you use automating testing tools in your job?
3. Describe some problem that you had with automating testing tool.
4. How do you plan test automation?
5. Can test automation improve test effectiveness?
6. What is data - driven automation?
7. What are the main attributes of test automation?
8. Does automation replace manual testing?
9. How will you choose a tool for test automation?
10. How you will evaluate the tool for test automation?
11. What are main benefits of test automation?
12. What could go wrong with test automation?
13. How you will describe testing activities?
14. What testing activities you may want to automate?
15. Describe common problems of test automation.
16. What types of scripting techniques for test automation do you know?
17. What are principles of good testing scripts for automation?
18. What tools are available for support of testing during software development life cycle?
19. Can the activities of test case design be automated?
20. What are the limitations of automating software testing?
21. What skills needed to be a good test automator?
22. How to find that tools work well with your existing system?
23. Describe some problem that you had with automating testing tool.
24. What are the main attributes of test automation?
25. What testing activities you may want to automate in a project?
26. How to find that tools work well with your existing system?
From "Test Automation Architectures: A Context-Based Approach" by Bret Pettichord, 2002
Ready to Automate?
1. Is automation (or testing) a label for other problems?
No = 15 points
2. Are testers trying to use automation to prove their prowess?
No = 10 points
3. Can testability features be added to the product code?
Yes = 10 points
4. Do testers and developers work cooperatively and with mutual respect?
Yes = 15 points
5. Is automation developed on an iterative basis?
Yes = 10 points
6. Have you defined the requirements and success criteria for automation?
Yes = 15 points
7. Are you open to different concepts of what test automation can mean?
Yes = 10 points
8. Is test automation led by someone with an understanding of both programming and testing?
Yes = 15 points
Ready to Automate? Scoring
Nevermind: 55 or less
Wait and See: 60-65
Time for More Training: 70-75
Win Over Some Converts: 80-85
Ready to Automate: 90-100
Load Testing:
1. What criteria would you use to select Web transactions for load testing?
2. For what purpose are virtual users created?
3. Why is it recommended to add verification checks to all your scenarios?
4. In what situation would you want to parameterize a text verification check?
5. Why do you need to parameterize fields in your virtual user script?
6. What are the reasons why parameterization is necessary when load testing the Web server and the database server?
7. How can data caching have a negative effect on load testing results?
8. What usually indicates that your virtual user script has dynamic data that is dependent on your parameterized fields?
9. What are the benefits of creating multiple actions within any virtual user script?
General questions:
1. What types of documents would you need for QA, QC, and Testing?
2. What did you include in a test plan?
3. Describe any bug you remember.
4. What is the purpose of the testing?
5. What do you like (not like) in this job?
6. What is quality assurance?
7. What is the difference between QA and testing?
8. How do you scope, organize, and execute a test project?
9. What is the role of QA in a development project?
10. What is the role of QA in a company that produces software?
11. Define quality for me as you understand it
12. Describe to me the difference between validation and verification.
13. Describe to me what you see as a process. Not a particular process, just the basics of having a process.
14. Describe to me when you would consider employing a failure mode and effect analysis.
15. Describe to me the Software Development Life Cycle as you would define it.
16. What are the properties of a good requirement?
17. How do you differentiate the roles of Quality Assurance Manager and Project Manager?
18. Tell me about any quality efforts you have overseen or implemented. Describe some of the challenges you faced and how you overcame them.
19. How do you deal with environments that are hostile to quality change efforts?
20. In general, how do you see automation fitting into the overall process of testing?
21. How do you promote the concept of phase containment and defect prevention?
22. If you come onboard, give me a general idea of what your first overall tasks will be as far as starting a quality effort.
23. What kinds of testing have you done?
24. Have you ever created a test plan?
25. Have you ever written test cases or did you just execute those written by others?
26. What did your base your test cases?
27. How do you determine what to test?
28. How do you decide when you have 'tested enough?'
29. How do you test if you have minimal or no documentation about the product?
30. Describe me to the basic elements you put in a defect report?
31. How do you perform regression testing?
32. At what stage of the life cycle does testing begin in your opinion?
33. How do you analyze your test results? What metrics do you try to provide?
34. Realising you won't be able to test everything - how do you decide what to test first?
35. Where do you get your expected results?
36. If automating - what is your process for determining what to automate and in what order?
37. In the past, I have been asked to verbally start mapping out a test plan for a common situation, such as an ATM. The interviewer might say, "Just thinking out loud, if you were tasked to test an ATM, what items might you test plan include?" These type questions are not meant to be answered conclusively, but it is a good way for the interviewer to see how you approach the task.
38. If you're given a program that will average student grades, what kinds of inputs would you use?
39. Tell me about the best bug you ever found.
40. What made you pick testing over another career?
41. What is the exact difference between Integration & System testing, give me examples with your project.
42. How did you go about testing a project?
43. When should testing start in a project? Why?
44. How do you go about testing a web application?
45. Difference between Black & White box testing
46. What is Configuration management? Tools used?
47. What do you plan to become after say 2-5yrs (Ex: QA Manager, Why?)
48. Would you like to work in a team or alone, why?
49. Give me 5 strong & weak points of yours
50. Why do you want to join our company?
51. When should testing be stopped?
52. What sort of things would you put down in a bug report?
53. Who in the company is responsible for Quality?
54. Who defines quality?
55. What is an equivalence class?
56. Is a "A fast database retrieval rate" a testable requirement?
57. Should we test every possible combination/scenario for a program?
58. What criteria do you use when determining when to automate a test or leave it manual?
59. When do you start developing your automation tests?
60. Discuss what test metrics you feel are important to publish an organization?
61. In case anybody cares, here are the questions that I will be asking:
62. Describe the role that QA plays in the software lifecycle.
63. What should Development require of QA?
64. What should QA require of Development?
65. How would you define a "bug?"
66. Give me an example of the best and worst experiences you've had with QA.
67. How does unit testing play a role in the development / software lifecycle?
68. Explain some techniques for developing software components with respect to testability.
69. Describe a past experience with implementing a test harness in the development of software.
70. Have you ever worked with QA in developing test tools? Explain the participation Development should have with QA in leveraging such test tools for QA use.
71. Give me some examples of how you have participated in Integration Testing.
72. How would you describe the involvement you have had with the bug-fix cycle between Development and QA?
72. What is unit testing?
73. Describe your personal software development process.
74. How do you know when your code has met specifications?
75. How do you know your code has met specifications when there are no specifications?
76. Describe your experiences with code analyzers.
77. How do you feel about cyclomatic complexity?
78. Who should test your code?
79. How do you survive chaos?
80. What processes/methodologies are you familiar with?
81. What type of documents would you need for QA/QC/Testing?
82. How can you use technology to solve problem?
83. What type of metrics would you use?
84. How to find that tools work well with your existing system?
85. What automated tools are you familiar with?
86. How well you work with a team?
87. How would you ensure 100% coverage of testing?
88. How would you build a test team?
89. What problem you have right now or in the past? How you solved it?
90. What you will do during the first day of job?
91. What would you like to do five years from now?
92. Tell me about the worst boss you've ever had.
93. What are your greatest weaknesses?
94. What are your strengths?
95. What is a successful product?
96. What do you like about Windows?
97. What is good code?
98. Who is Kent Beck, Dr Grace Hopper, Dennis Ritchie?
99. What are basic, core, practises for a QA specialist?
100. What do you like about QA?
101. What has not worked well in your previous QA experience and what would you change?
102. How you will begin to improve the QA process?
103. What is the difference between QA and QC?
104. What is UML and how to use it for testing?
105. What is CMM and CMMI? What is the difference?
106. What do you like about computers?
107. Do you have a favourite QA book? More than one? Which ones? And why.
108. What is the responsibility of programmers vs QA?
109. What are the properties of a good requirement?
110. How to do test if we have minimal or no documentation about the product?
111. What are all the basic elements in a defect report?
112. Is an "A fast database retrieval rate" a testable requirement?
From Cem Kaner article: "Recruiting testers" December 1999
1. What is software quality assurance?
2. What is the value of a testing group? How do you justify your work and budget?
3. What is the role of the test group vis-à-vis documentation, tech support, and so forth?
4. How much interaction with users should testers have, and why?
5. How should you learn about problems discovered in the field, and what should you learn from those problems?
6. What are the roles of glass-box and black-box testing tools?
7. What issues come up in test automation, and how do you manage them?
8. What development model should programmers and the test group use?
9. How do you get programmers to build testability support into their code?
10. What is the role of a bug tracking system?
11. What are the key challenges of testing?
12. Have you ever completely tested any part of a product? How?
13. Have you done exploratory or specification-driven testing?
14. Should every business test its software the same way?
15. Discuss the economics of automation and the role of metrics in testing.
16. Describe components of a typical test plan, such as tools for interactive products and for database products, as well as cause-and-effect graphs and data-flow diagrams.
17. When have you had to focus on data integrity?
18. What are some of the typical bugs you encountered in your last assignment?
19. How do you prioritize testing tasks within a project?
20. How do you develop a test plan and schedule? Describe bottom-up and top-down approaches.
21. When should you begin test planning?
22. When should you begin testing?
23. Do you know of metrics that help you estimate the size of the testing effort?
24. How do you scope out the size of the testing effort?
25. How many hours a week should a tester work?
26. How should your staff be managed? How about your overtime?
27. How do you estimate staff requirements?
28. What do you do (with the project tasks) when the schedule fails?
29. How do you handle conflict with programmers?
30. How do you know when the product is tested well enough?
31. What characteristics would you seek in a candidate for test-group manager?
32. What do you think the role of test-group manager should be? Relative to senior management?
Relative to other technical groups in the company? Relative to your staff?
33. How do your characteristics compare to the profile of the ideal manager that you just described?
34. How does your preferred work style work with the ideal test-manager role that you just described? What is different between the way you work and the role you described?
35. Who should you hire in a testing group and why?
36. What is the role of metrics in comparing staff performance in human resources management?
37. How do you estimate staff requirements?
38. What do you do (with the project staff) when the schedule fails?
39. Describe some staff conflicts you've handled.
Matt O'Kane - ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer
Matt O'Kane - ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer: "ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer
Here, you can download controls that work the same as ASP.NET standard validation controls with two important differences. Firstly, the controls will work in Firefox 1.0 and later, as well as IE. Secondly, they are fully HTML DOM compliant.
This work is a minor improvement on the fantastic work by Paul Glavich.
For all intensive purposes, these controls work exactly the same as the regular validation controls (that is CompareValidator, CustomValidator, ValidationSummary, RangeValidator, RegularExpressionValidator, and RequiredValidator) except their names are slightly different. But the properties and methods are a one-to-one match.
To run these, you need to refer to the compiled DLL (in the Release directory). This will add the controls.
Also the source code (in c#) is included in case you want to compile or modify the library yourself."
Modeling Artifacts (different ways of modeling)
News aggregator | testingReflections.com: "Modeling Artifacts (different ways of modeling)
Submitted by darrell on Wed, 22/06/2005 - 13:51.
Scott Ambler has a great page that lists 35 modeling artifact types. The page links to summary descriptions of a wide variety of modeling artifacts. Each page describes the artifact, provides an example or two, and provides links to suggested resources. In this list he also indicates if the technique is simple enough for stakeholders to learn, whether it is usually a paper-based artifact, whether he suggests creating it on a whiteboard, and what type of software he would consider using to create and maintain it.
Modeling Artifact
Business Rule
Change Case
Class Responsibility Collaborator (CRC) model
Constraint
Contract model
Data Flow Diagram (DFD)
Essential Use Case
Essential User Interface Prototype
Feature
Free-Form Diagrams
Flow Chart
Glossary
Logical Data Model (LDM)
Network Diagram
Object Role Model (ORM) Diagram
Physical Data Model (PDM)
Robustness Diagram
System Use Case
Technical Requirement
UML 2 Activity Diagram
UML 2 Class Diagram
UML 2 Communication/Collaboration Diagram
UML 2 Component Diagram
UML 2 Composite Structure Diagram
UML 2 Deployment Diagram
UML 2 Interaction Overview Diagram
UML 2 Object Diagram
UML 2 Package Diagram
UML 2 Sequence Diagram
UML 2 State Machine Diagram
UML 2 Timing Diagram
UML 2 Use Case Diagram
User Interface Flow Diagram (Storyboard)
User Interface Prototype
User Story
Advanced events
Events can be used to pass information to the clients. In this chapter I will describe a technique to pass data from the event source to the client using the parameters of the eventhandler.
The Delphi wizard assumes that the server eventsource only has to handle one eventsink at the time. For some clients this will limit the number of different events that can be sinked to just one. In this chapter I will describe the way to support multiple sinks and show how a C# client can function fully with all events of my eventsource including their data.
Creating ISO images with Nero 5.5 Express
Mark Michaelis' Weblog - August, 2003: "Creating ISO images with Nero 5.5 Express
I recently set up an old computer for my son, Benjamin, as he keeps messing up my wife's desktop and then I have to figure out how to get it back to the way she wants it. Anyway, as part of doing this I didn't want my son putting CDs in and out of the computer as he tends to scratch them. Instead, I decided to create ISO images of them and have him use them directly from the computer using Daemon-Tools. The problem was how to create ISO images? I had a copy of Nero Express 5.5 but it took me some time to figure out exactly how to get it to make ISO images. (If you happen to have the full version of Nero you can find instructions for creating ISO images here.)
Here are the steps for Nero Express 5.5:
1. Launch Nero Express 5.5 (yes there is a 6 version out there but I don't have it.)
2. Select the Copy Entire Disk option.
3. Click the More>> button.
4. Click the Configure option
5. Select the Expert Features tab.
6. Check the 'Enable Image Recorder for all supported recorder formats' option.
7. Push the OK button to close the dialog.
8. Push the Save Track to HD button.
9. After selecting the CD drive (assuming you have more than one or Daemon-Tools is running) change the output file format to Nero ISO Compilation (*.iso)
10. Use the ellipses (...) to select a path and file name and push the Go button.
11. Check the location for your new ISO file.
Since I couldn't find this option at first I did some digging on the Internet for finding other methods of creating image files. Perhaps one of the most promising programs is Alcohol 120% from Alcohol Soft. The company also makes Alcohol 52%, which is CD/DVD emulation software similar to Daemon-Tools except it appears to also support CUE and BIN formats (these were new formats to me).
I am curious as to the name of this company but I assume given the prominence of this compan"
C# Script
There is VBScript, JScript and PHP. But there isn't anything like C#-Script. So, I decided to play around a bit, only as a matter of checking out the possibilities.
The plan:
Create a CS-Script.exe file that we can use to 'launch' a .cs file. Without having to add the file to a solution or anything.
A very basic tool, that can launch one .cs file. View it as some sort of batch scripting tool. Where you can quickly open notepad, write something and run it.
Our goal is to reach it through the right click menu in the shell. For every file! So we'll create a console app (CS-Script) that accepts one argument, the filename.
We want to let the user know when he fucks up and doesn't provide an argument, so we add a reference to System.Windows.Forms and display a MessageBox.
MSDN Webcast: Advanced Windows Forms Data Binding in .Net 2.0 (Level 300)
Events Home: "MSDN Webcast: Advanced Windows Forms Data Binding in .Net 2.0 (Level 300)"
Web Application Security Consortium
Home - Web Application Security Consortium
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
HACKING WITH JAVASCRIPT
"HACKING WITH JAVASCRIPT
Dr_aMado, Sun, 11 Apr 2004 16:40:13 UTC
This tutorial is an overview of how javascript can be used to bypass simple/advanced html forms and how it can be used to override cookie/session authentication.
SIMPLE HTML FORMS
1. Bypassing Required Fields
Surely you have met a webpage that requires you to fill all fields in a form in order to submit it. It is possible to bypass these types of restrictions on any webpage. If you take a look at the webpage's source and follow it down to the form's code, you will notice the onsubmit form attribute. Hopefully by this time you have experienced the power of javascript and you know that javascript has control over every single element in a webpage, including forms. We can use javascript to our advantage in every page we view for we can modify, delete, or add any element to the webpage. In this case we wish to clear the form's onsubmit attribute in order for the form to be submitted successfully. The onsubmit attribute generally points to a function that checks the form to have the correct format. A function that does this may look something like this:
function formSubmit(x) { if(x.email.value=='') return false; return true; }
...
I will not go into great detail about how the formSubmit function works. You should know that if the (textfield/optionfield/option/..) field is left blank, the form will not be submitted to process.php. Now comes the moment of truth, how do we modify the form so that onsubmit returns true every time? The way we can access the form with javascript and do this is:
document.forms[x].onsubmit='return true;';
or
document.spamform.onsubmit='return true;';
Both of these 'queries' will allow you to submit the form free of restrictions. The secret is how to execute this. I do this using my browser's Location bar. All you have to do is enter this text into the location bar and pr"
SQL Injection - Tricks
Tricks attackers use
· UNION statements to append data ripped from other SQL
· "--" double hyphen comment indicator to block out the rest of the intended SQL
· Try a single quote in input fields to see if the query fails (failure usually indicates bad input validation and possible exploitation)
· Use logical expression ' OR 1=1 -- to return multiple records
· exec master..xp_cmdshell 'ping HACKER_IP' to check for 'sa'-level exploitable hosts
· select name from sysobjects where type = 'u' can expose tables to exploit
· Insert tablename exec sp_whatever - good way to see output of stored procedures
· Use @@version to return SQL Server and OS versions and Service Packs
Taken from Document on "Search engines as penetration testing tools"
Metatag
In addition to server-wide robot control using robots.txt, administrators can also specify that certain pages should not be indexed by search engine robots, or that the links on the page should not be followed by robots. The Robots META tag, placed in the HTML <HEAD> section of a page, can specify either or both of these actions. Many, but not all, search engine robots will recognize this tag and follow the rules for each page. If you want to prevent all robots from archiving content on your site, use the NOARCHIVE meta tag.
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
For more information on the use of Metatag to exclude robots, visit the HTML Author's Guide to the Robots META tag [8].
Q134 Is it possible to send an email from a JavaScript?
Q134 Is it possible to send an email from a JavaScript?: "Q134 Is it possible to send an email from a JavaScript?
Using an HTML link:
email someone
Using a Form:
Both methods suggested are completely non-JavaScript methods - but possibly useful nevertheless.
The ACTION='mailto:...' works on some other browsers than just Netscape, although its effect is undefined by the specifications.
In HTML, you can also use forms to set up possibilities for sending E-mail from Web pages - take a look at the list of JavaScript Email articles for further information.
Thanks to Jukka Korpela for updates to this answer."
CROSS-SITE SCRIPTING : Penetration Test Report paper
CROSS-SITE SCRIPTING
Severity: Medium
An attacker can take advantage of numerous input fields in the application
in order to mislead an innocent customer entering the site into giving away
information, or as a tunnel for the attacker for future purchases on behalf
of the first. Input fields include the comments area, the search page, and
the new user signup form.
The first cross site scripting attack is based on a malicious user
embedding malicious code (in the form of Javascript or VBScript) in the
search field of the search.asp page. This allows an attacker to send a mail
to any user asking him to view a list of search results. If the innocent user
would surf to this linked page, where the malicious code is injected by the
attacker he would have a response script sent to him. This can result in
the user’s session cookie sent to the attacker for instance, which will
enable the attacker to act on the user’s behalf without his knowledge.
Search engines as penetration testing tools
Professional Security Testers resources warehouse - Downloads: "Search engines as penetration testing tools"
Description: Through examples, the paper will show how the techniques subsequently described can be used to steal or corrupt large quantities of sensitive information, to perform large-scale system recognition and to disrupt those systems in more subtle ways. All this while remaining anonymous and in many cases by never accessing the target server itself. A brief presentation will be made about how intrusion detection system signatures can be used to format new queries, which are likely to return many vulnerable and/or misconfigured servers. Finally, the paper presents the few solutions available and demonstrates how to properly implement them.
Version: V1 Filesize: 76.00 Kb
SQL Injections: from previous link
SQL Injections [At the Database Level]
The first step before SQL Injections is to test whether a site is vulnerable to SQL Injections or not. It can be achieved by giving some arbitrary input. If input results in an error message (other than user generated error message), it means site is vulnerable to SQL Injections. To find whether a site is vulnerable to SQL injections try the following special characters in input:
' ; , '' % - *
Bypassing User Authentication:
An attacker can easily bypass Login Page without providing a valid user name & password. He just needs to give:
' Or 1=1;-- (In the User Name text Box)
On submitting this page SQL query (at the server) becomes:
Select * from authentication where Name =' ' or 1=1; --
Note: MS SQL Server treats anything after ; -- as a comment so the rest of the query will be ignored. What attacker has done here is without specifying a valid username & password he bypasses the Login page.
Telling you frankly even if site is vulnerable to SQL Injections most of the time it will not work. It depends on the way ASP Code is written. Key thing behind SQL Injection is your input should be according to ASP code to get desired result. Here I would like to suggest that you should try all the following possible combinations and more, which you can think of.
1. ' Or 1=1; --
2. ' Or 1=1); --
3. ' any_bad_value
4. ' "
5. ' "or"
6. " any_bad_value" ' etc.
Note: This explanation is just for understanding from this test scenario. This varies on your Web Application code.
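The login bypass described above, run against an in-memory SQLite database beside the parameterized form that defeats it. This is an added example, not code from the quoted article: the Password column, the sample account and all function names are assumptions, and SQLite stands in for the MS SQL Server back end the article discusses.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the article's 'authentication' table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authentication (Name TEXT, Password TEXT)")
    # Plain-text password only to keep the example short.
    conn.execute("INSERT INTO authentication VALUES ('alice', 'correct horse')")
    return conn


def build_concatenated_query(name, password):
    """Vulnerable pattern: input is pasted straight into the SQL text."""
    return ("SELECT * FROM authentication WHERE Name = '" + name +
            "' AND Password = '" + password + "'")


def attempt(conn, sql, params=()):
    """Run one login query and report 'ok', 'denied' or 'error'."""
    try:
        row = conn.execute(sql, params).fetchone()
    except sqlite3.Error:
        # A database error reaching the user is the symptom the article
        # describes: the input changed the structure of the statement.
        return "error"
    return "ok" if row else "denied"


def login_concatenated(conn, name, password):
    """Log in using the string-built query."""
    return attempt(conn, build_concatenated_query(name, password))


def login_parameterized(conn, name, password):
    """Hardened: placeholders bind input as values; it is never parsed as SQL."""
    sql = "SELECT * FROM authentication WHERE Name = ? AND Password = ?"
    return attempt(conn, sql, (name, password))


# Constructed inputs: a valid login, a wrong password, the "' OR 1=1 --"
# form of the bypass, and a lone single quote.
CASES = [
    ("alice", "correct horse"),
    ("alice", "wrong"),
    ("' OR 1=1 --", "x"),
    ("'", "x"),
]


def compare(conn):
    """Return (name, concatenated result, parameterized result) per case."""
    return [(n, login_concatenated(conn, n, p), login_parameterized(conn, n, p))
            for n, p in CASES]


if __name__ == "__main__":
    for name, weak, strong in compare(make_db()):
        print("%-14r concatenated=%-7s parameterized=%s" % (name, weak, strong))
```

With bound parameters the quote characters are compared as part of the user name, so the last two cases are simply denied and no database error is produced.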
Open Information Systems Security Group - SQL Injection
Open Information Systems Security Group - SQL Injection: "SQL Injection"
This article sheds insight on the art of sql injection in data base driven applications. It follows structured approach and after going through it a reader will have a better understanding of sql injections.
This document discusses in detail common as well as some advanced SQL Injection techniques as it applies to Microsoft Internet Information Server / Active Server Pages / Microsoft SQL Server. It discusses the various ways in which SQL can be injected & how one can protect him against the SQL injections. This document also contains brief description of the terms used in the context of databases & web Application.
What is SQL Injection?
It's a technique where an attacker creates or alters existing SQL commands (by using some special symbol) to gain access to unintended data or even the ability to execute system level commands in the server. SQL injections are the result of Poor Input Validation and can be blocked by proper input validation.
Applications that do not correctly validate and/or sanitize the user input can potentially be exploited in several ways:
· Changing SQL values
· Concatenating SQL Values
· Adding Function calls & stored Procedures to a statement
· Typecast and concatenate retrieved data
· Adding system functions & procedure to find out critical information about the server
SQL Injection Attacks by Example
SQL Injection Attacks by Example: "SQL Injection Attacks by Example "
NGS Research: Whitepapers
The NISR team have produced a variety of detailed papers exploring technical skills development and threat dissection. These papers are provided free of charge as an addendum to our other published materials.
A Developer's Introduction to Web Parts
Summary: Learn what Web Parts are and how to create them. Developers can build Web Parts as ASP.NET custom controls. Administrators can install Web Parts on any site based on Windows SharePoint Services. Users can add Web Parts to pages by dragging and dropping in a browser, and they can personalize them by setting properties. Web Parts can connect to other Web Parts using standard interfaces. (43 printed pages)
A sample Visual Studio .NET solution that contains two custom Web Parts written in C# accompanies this article. With the first Web Part, users can select a customer and view configurable information about the customer. With the second Web Part, users can view the orders for a single customer. A user can add these Web Parts to a Web Part Page and connect them to each other, so that the second Web Part displays orders for the customer selected in the first Web Part.
Note This paper introduces Web Parts to developers. This is not an introduction to Windows SharePoint Services or SharePoint Portal Server. For more information see SharePoint Products and Technologies.
The information in this article also applies to Microsoft Office SharePoint Portal Server 2003, which is built on the Windows SharePoint Services platform. The code samples that accompany this article should work when loaded into sites created with SharePoint Portal Server.
Detection of SQL Injection and Cross-site Scripting Attacks
Detection of SQL Injection and Cross-site Scripting Attacks: "2.1 Regex for detection of SQL meta-characters
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Explanation:
We first detect either the hex equivalent of the single-quote, the single-quote itself or the presence of the double-dash. These are SQL characters for MS SQL Server and Oracle, which denote the beginning of a comment, and everything that follows is ignored. Additionally, if you're using MySQL, you need to check for presence of the '#' or its hex-equivalent. Note that we do not need to check for the hex-equivalent of the double-dash, because it is not an HTML meta-character and will not be encoded by the browser. Also, if an attacker tries to manually modify the double-dash to its hex value of %2D (using a proxy like Achilles [ref 5]), the SQL Injection attack fails."
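The signature above, applied to a handful of request lines to show which alternative fires and how often it fires on ordinary input. This is an added example, not code from the quoted article: the request lines are constructed, and the group names and function names are assumptions.

```python
import re

# The article's pattern /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix with named groups
# added for reporting. The x flag is left out on purpose: in Python's verbose
# mode an unescaped '#' starts a comment and would cut the pattern short.
SQL_META = re.compile(
    r"(?P<hex_quote>%27)|(?P<quote>')|(?P<double_dash>--)"
    r"|(?P<hex_hash>%23)|(?P<hash>#)",
    re.IGNORECASE,
)

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# Constructed request lines: one clean, two resembling the login bypass,
# three ordinary requests that happen to contain a meta-character.
SAMPLE_LOG = [
    "GET /login.asp?user=alice&pass=secret HTTP/1.1",
    "GET /login.asp?user=%27%20or%201=1--&pass=x HTTP/1.1",
    "GET /login.asp?user='%20or%201=1-- HTTP/1.1",
    "GET /search.asp?q=O%27Brien HTTP/1.1",
    "GET /search.asp?q=pre--release+notes HTTP/1.1",
    "GET /item.asp?colour=%23ff0000 HTTP/1.1",
]


def request_target(request_line):
    """Return the path-and-query part of a request line.

    Lines that do not parse are returned whole, so malformed requests are
    still scanned instead of being skipped silently.
    """
    m = REQUEST_LINE.match(request_line)
    return m.group("target") if m else request_line


def scan(request_line):
    """Return the names of the alternatives that matched, in order of appearance."""
    return [m.lastgroup for m in SQL_META.finditer(request_target(request_line))]


def triage(lines):
    """Map each flagged line to the list of alternatives that fired on it."""
    hits = {}
    for line in lines:
        found = scan(line)
        if found:
            hits[line] = found
    return hits


if __name__ == "__main__":
    for line, found in triage(SAMPLE_LOG).items():
        print("%-55s %s" % (line, ", ".join(found)))
```

Five of the six lines are flagged, including a surname, a hyphenated search term and a colour code, so on its own this pattern is a coarse first-pass filter whose hits need a second, narrower check.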
Penetration Testing for Web Applications (Part One)
This is the first in a series of three articles on penetration testing for Web applications. The first installment provides the penetration tester with an overview of Web applications - how they work, how they interact with users, and most importantly how developers can expose data and systems with poorly written and secured Web application front-ends
Internet Application Testing
From: The Open Source Security Testing Methodology Manual
5. Internet Application Testing
An Internet application test employs different software testing techniques to find "security bugs" in server/client applications of the system from the Internet. In this module, we refer the server/client applications to those proprietarily developed by the system owners serving dedicated business purposes and the applications can be developed with any programming languages and technologies. E.g. web application for business transactions is a target in this module. "Black box" and/or "White box" testing can be used in this module.
Expected Results:
List of applications
List of application components
List of application vulnerabilities
List of application system trusts
Re-Engineering
1. Decompose or deconstruct the binary codes, if accessible.
2. Determine the protocol specification of the server/client application.
3. Guess program logic from the error/debug messages in the application outputs and program behaviors/performance.
Authentication
4. Find possible brute force password guessing access points in the applications.
5. Find valid login credentials with password grinding, if possible.
6. Bypass authentication system with spoofed tokens.
7. Bypass authentication system with replay authentication information.
8. Determine the application logic to maintain the authentication sessions - number of (consecutive) failure logins allowed, login timeout, etc.
9. Determine the limitations of access control in the applications - access permissions, login session duration, idle duration.
Session Management
10. Determine the session management information - number of concurrent sessions, IP-based authentication, role-based authentication, identity-based authentication, cookie usage, session ID in URL encoding string, session ID in hidden HTML field variables, etc.
11. Guess the session ID sequence and format.
12. Determine the session ID is maintained with IP address information; check if the same session information can be retried and reused in another machine.
13. Determine the session management limitations - bandwidth usages, file download/upload limitations, transaction limitations, etc.
14. Gather excessive information with direct URL, direct instruction, action sequence jumping and/or pages skipping.
15. Gather sensitive information with Man-In-the-Middle attacks.
16. Inject excess/bogus information with Session-Hijacking techniques.
17. Replay gathered information to fool the applications.
Input Manipulation
18. Find the limitations of the defined variables and protocol payload - data length, data type, construct format, etc.
19. Use exceptionally long character-strings to find buffer overflows vulnerability in the applications.
20. Concatenate commands in the input strings of the applications.
21. Inject SQL language in the input strings of database-tiered web applications.
22. Examine "Cross-Site Scripting" in the web applications of the system.
23. Examine unauthorized directory/file access with path/directory traversal in the input strings of the applications.
24. Use specific URL-encoded strings and/or Unicode-encoded strings to bypass input validation mechanisms of the applications.
25. Execute remote commands through "Server Side Include".
26. Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications.
27. Manipulate the (hidden) field variable in the HTML forms to fool or modify the logic in the server-side web applications.
28. Manipulate the "Referrer", "Host", etc. HTTP Protocol variables to fool or modify the logic in the server-side web applications.
29. Use illogical/illegal input to test the application error-handling routines and to find useful debug/error messages from the applications.
Output Manipulation
30. Retrieve valuable information stored in the cookies.
31. Retrieve valuable information from the client application cache.
32. Retrieve valuable information stored in the serialized objects.
33. Retrieve valuable information stored in the temporary files and objects.
Information Leakage
34. Find useful information in hidden field variables of the HTML forms and comments in the HTML documents.
35. Examine the information contained in the application banners, usage instructions, welcome messages, farewell messages, application help messages, debug/error messages, etc.
5 . Internet Application Testing
An Internet application test employs different software testing techniques to find "security bugs" in server/client
applications of the system from the Internet. In this module, we refer the server/client applications to those
proprietarily developed by the system owners serving dedicate business purposes and the applications can be
developed with any programming languages and technologies. E.g. web application for business transactions is a
target in this module. "Black box" and/or "White box" testing can be used in this module.
Expected Results: List of applications
List of application components
List of application vulnerabilities
List of application system trusts
R e -En g i n e e r i n g
1. Decompose or deconstruct the binary codes, if accessible.
2. Determines the protocol specification of the server/client application.
3. Guess program logic from the error/debug messages in the application outputs and program
behaviors/performance.
A u t h e n t i c a t i o n
4. Find possible brute force password guessing access points in the applications.
5. Find a valid login credentials with password grinding, if possible.
6. Bypass authentication system with spoofed tokens.
7. Bypass authentication system with replay authentication information.
8. Determine the application logic to maintain the authentication sessions - number of (consecutive) failure
logins allowed, login timeout, etc.
9. Determine the limitations of access control in the applications - access permissions, login session
duration, idle duration.
S e s s i o n M a n a g e m e n t
10. Determine the session management information - number of concurrent sessions, IP-based
authentication, role-based authentication, identity-based authentication, cookie usage, session ID in URL
encoding string, session ID in hidden HTML field variables, etc.
11. Guess the session ID sequence and format
12. Determine the session ID is maintained with IP address information; check if the same session
information can be retried and reused in another machine.
13. Determine the session management limitations - bandwidth usages, file download/upload limitations,
transaction limitations, etc.
14. Gather excessive information with direct URL, direct instruction, action sequence jumping and/or pages
skipping.
15. Gather sensitive information with Man-In-the-Middle attacks.
16. Inject excess/bogus information with Session-Hijacking techniques.
17. Replay gathered information to fool the applications.
I n p u t M a n i p u l a t i o n
18. Find the limitations of the defined variables and protocol payload - data length, data type, construct
format, etc.
19. Use exceptionally long character-strings to find buffer overflows vulnerability in the applications.
20. Concatenate commands in the input strings of the applications.
21. Inject SQL language in the input strings of database-tired web applications.
22. Examine "Cross-Site Scripting" in the web applications of the system.
23. Examine unauthorized directory/file access with path/directory traversal in the input strings of the
applications.
24. Use specific URL-encoded strings and/or Unicode-encoded strings to bypass input validation
mechanisms of the applications.
25. Execute remote commands through "Server Side Include".
26. Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications.
27. Manipulate the (hidden) field variable in the HTML forms to fool or modify the logic in the server-side web
applications.
28. Manipulate the "Referrer", "Host", etc. HTTP Protocol variables to fool or modify the logic in the serverside
web applications.
29. Use illogical/illegal input to test the application error-handling routines and to find useful debug/error
messages from the applications.
Output Manipulation
30. Retrieve valuable information stored in the cookies
31. Retrieve valuable information from the client application cache.
32. Retrieve valuable information stored in the serialized objects.
33. Retrieve valuable information stored in the temporary files and objects.
Information Leakage
34. Find useful information in hidden field variables of the HTML forms and comments in the HTML
documents.
35. Examine the information contained in the application banners, usage instructions, welcome messages,
farewell messages, application help messages, debug/error messages, etc.
Foundations of Software Engineering - Home
The goal of the Foundations of Software Engineering (FSE) group at Microsoft Research in Redmond, Wash., is to improve software development productivity by using automated software verification.
The term automated software verification refers to machine-assisted techniques that compare the actual behavior of a software component with its predicted behavior. Verification can occur at design time or during the program’s execution. Whether static or dynamic, automated verification always operates with respect to a notion of predicted system behavior, which is typically expressed in the form of a specification. Specifications may be generic, for instance the code should not crash, or can be specific to the system.
Specification-based software verification can occur at three levels of detail: the system or architecture level, the unit or class level and the source code level. Benefits of introducing specifications are numerous: they document design decisions, they enable early automatic analysis of designs, they enable test to start much earlier, and they allow automatic test case generation and execution.
The Vulnerabilities of Developing on the Net - Apr 2001
STSC CrossTalk - The Vulnerabilities of Developing on the Net - Apr 2001: "The Vulnerabilities of Developing on the Net"
Disaster has struck. You would think that firewalls, combined with filtering routers, password protection, encryption, and disciplined use of access controls and file permissions would have been enough protection. However, an overlooked flaw in the commercial web server application allowed a hacker to use a buffer overflow attack to leverage the application's privileges into administrator-level access to the server. From there it was easy to gain access to other machines within the Intranet and replace the public Web pages with details of the hack. With the company's public site showing a live video stream of an ongoing internal, private and sensitive company meeting, it left little room for doubt as to how badly they had been hacked.
SOAP::Lite - SOAP elements access methods
SOAP::Lite - Client and server side SOAP implementation: "$h = $som->headerof('//myheader'); # returns element as SOAP::Header, so
# you can access attributes and values
# with $h->mustUnderstand, $h->actor
# or $h->attr (for all attributes)
}
SOAP::SOM object gives you access to the deserialized envelope via several
methods. All methods accept a node path (similar to XPath notations).
SOM interprets '/' as the root node, '//' as relative location path
('//Body' will find all bodies in document, as well as
'/Envelope//nums' will find all 'nums' nodes under Envelope node),
'[num]' as node number and '[op num]' with op being a comparison
operator ('<', '>', '<=', '>=', '!', '=').
All nodes in nodeset will be returned in document order."
Invoking .NET Service using C# and SOAP
TopXML : Programming Web Services with SOAP: "Invoking the Service Using SOAP
Creating a SOAP client for the Hello World service using .NET is, surprisingly, harder than creating the service itself. There are tools to make it easier (we will explore them briefly in Chapter 5), but for now we'll go through the steps manually so you know what is going on.
Again using your favorite text editor, create HelloWorld.cs (the .cs extension indicates C# source code) from Example 3-18.
Example 3-18: HelloWorld.cs, a C# HelloWorld Client
// HelloWorld.cs
using System.Diagnostics;
using System.Xml.Serialization;
using System;
using System.Web.Services.Protocols;
using System.Web.Services;
// Binding name and namespace of the Hello World service.
[System.Web.Services.WebServiceBindingAttribute(
    Name="Example1Soap",
    Namespace="urn:Example1")]
public class Example1 :
    System.Web.Services.Protocols.SoapHttpClientProtocol {
    public Example1( ) {
        // Endpoint the client sends its SOAP requests to.
        this.Url = "http://localhost/helloworld.asmx";
    }
    // SOAPAction value and namespaces used for the sayHello operation.
    [System.Web.Services.Protocols.SoapDocumentMethodAttribute(
        "urn:Example1/sayHello",
        RequestNamespace="urn:Example1",
        ResponseNamespace="urn:Example1",
        Use=System.Web.Services.Description.SoapBindingUse.Literal,
        ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
    public string sayHello(string name) {
        object[] results = this.Invoke("sayHello",
            new object[] {name});
        return ((string)(results[0]));
    }
    public static void Main(string[] args) {
        Console.WriteLine("Calling the SOAP Server to say hello");
        Example1 example1 = new Example1( );
        Console.WriteLine("The SOAP Server says: " +
            example1.sayHello(args[0]));
    }
}
The [System.Web.Services.WebServiceBindingAttribute] line tells the .NET managed runtime that this particular .NET assembly is going to be used to invok"
Interoperability Issues regarding Perl and .NET SOAP
TopXML : Programming Web Services with SOAP: "Interoperability Issues
At the time of this writing, .NET's SOAP implementation still has a few issues that need to be worked out, primarily in the area of interoperability.
Slight variations between the way .NET implements SOAP and SOAP::Lite's implementation of SOAP, for example, cause some difficulty in allowing the two to work together out of the box. To illustrate the problem, follow the steps shown here. One would think that everything would work fine, but it doesn't. I'll point out why after we walk through it.
First, launch the Java TcpTunnelGui tool that ships with Apache SOAP, specifying port 8080 as the local listening port, and redirecting to whatever server you have your HelloWorld.asmx file deployed to:
C:\book>start java org.apache.soap.util.net.TcpTunnelGui 8080 localhost 80
Then, modify the Perl Hello World client to point to the HelloWorld.asmx file, but replace the server part of the URL with localhost:8080.
When you run the Perl script:
C:\book>perl hello_client1.pl James
The result is not what you would expect. The script ends without ever displaying the 'Hello James' result. If you take a look at the TcpTunnelGui tool, you'll see that the SOAP message is sent, but the .NET runtime rejects the request and issues a SOAP fault in response. This is shown in Example 3-19.
Example 3-19: SOAP fault from .NET
soap:Client
System.Web.Services.Protocols.SoapException: Server did
not recognize the value of HTTP Header SOAPAction:
urn:Example#sayHello.
at System.Web.Services.Protocols.SoapServerProtocol.Initialize( )
at System.Web.Services.Protocols.ServerProtocolFactory.Create(
Type type, HttpContext cont"
Adding Macs to Active Directory using Mac OS X 10.3
Adding Macs to Active Directory using Mac OS X 10.3: "Adding Macs to Active Directory using Mac OS X 10.3
2/3/2005
Configuring Directory Access
1. Open the Directory Access application located in /Applications/Utilities/.
2. Click the Padlock button to authenticate if necessary.
3. Check the box next to Active Directory and click Configure…
4. Enter iastate.edu in the Active Directory Forest and Active Directory Domain fields.
5. Enter a Computer ID that you want to use. A computer object with this ID must be pre-created in Active Directory, which requires Domain Admin rights.
6. Click the Show Advanced Options button.
7. Check the option to “Cache last user logon for offline operation” if needed.
8. Check the option to “Allow Administration by” if you want to allow domain admins or other specified domain users/groups administrative rights on this computer. Separate each object with commas. Each domain object listed must be preceded by IASTATE\.
9. Click Bind… You may be asked for a local Admin username and password. Enter this information and click OK.
10. You will then be asked for a Network Administrator username and password. This is simply a domain user with Domain Admin rights. You will also be asked for the Computer OU which is simply the path to the OU that you pre-created your computer object in on Step 5. An example would be CN=workstations,CN=a d p, CN=a d p,CN=vpbus,DC=iastate,DC=edu. Mac OS X 10.3.4 requires you to enter the exact OU, but starting with Mac OS X 10.3.5 you can just leave the default settings and the computer object will be located automatically.
11. You may see the message “Kerberos file already exists”. Click Rename.
12. You will see the message “Join existing account?”. Click OK.
13. Click OK again to get back to the main screen of the Directory Access utility.
14. Click the Authentication tab. Select Custom path fro"
Let's Play 20 Questions: Tell Me About Your Organization's Quality Assurance and Testing - Mar 2003
STSC CrossTalk - Let's Play 20 Questions: Tell Me About Your Organization's Quality Assurance and Testing - Mar 2003: "Let's Play 20 Questions: Tell Me About Your Organization's Quality Assurance and Testing"
COMPOSING MESSAGES USING RAW XML
SOAP::Data: "COMPOSING MESSAGES USING RAW XML
In some circumstances you may need to encode a message using raw unserialized XML text. To instantiate a SOAP::Data object using raw XML, do the following:
$xml_content = '123 ';
$elem = SOAP::Data->type('xml' => $xml_content);
SOAP::Lite's serializer simply takes whatever text is passed to it, and inserts it into the encoded SOAP::Data element verbatim. The text input is not validated to ensure it is valid XML, nor is the resulting SOAP::Data element validated to ensure that it will produce valid XML. Therefore, it is incumbent upon the developer to ensure that any XML data used in this fashion is valid and will result in a valid XML document."
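Because the raw XML goes into the envelope verbatim and unchecked, the caller has to do the checking. The following is an added example, not code from the SOAP::Lite documentation: it tests a fragment for well-formedness with XML::LibXML and escapes untrusted text before the fragment reaches SOAP::Data. The helper names checked_raw_xml and xml_escape, the element names and the sample values are all constructed for illustration.

```perl
use strict;
use warnings;
use SOAP::Lite;
use XML::LibXML;

# Hypothetical helper (not part of SOAP::Lite): return the fragment unchanged
# if it parses as one well-formed element, otherwise die.
sub checked_raw_xml {
    my ($fragment) = @_;

    # A message fragment has no need for a DTD; refusing it up front keeps
    # entity declarations out of the envelope.
    die "raw XML must not contain a DOCTYPE\n" if $fragment =~ /<!DOCTYPE/i;

    my $parser = XML::LibXML->new(
        no_network      => 1,    # never fetch anything while parsing
        load_ext_dtd    => 0,
        expand_entities => 0,
    );
    my $doc = eval { $parser->parse_string($fragment) };
    die "raw XML is not well-formed: $@" unless $doc;
    return $fragment;
}

# Hypothetical helper: escape text so it can only ever be character data.
sub xml_escape {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&apos;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Constructed sample input: a value that arrived from outside the program.
my $value = '123</bar><admin>1</admin><bar>';

# 1. Truncated markup is caught by the well-formedness check.
my $broken = '<foo><bar>123</foo>';
print "broken fragment rejected\n"
    unless eval { checked_raw_xml($broken); 1 };

# 2. Interpolating the value unescaped still yields well-formed XML, so the
#    check passes, but the fragment now holds an element the caller never wrote.
my $interpolated = "<foo><bar>$value</bar></foo>";
my @extra = XML::LibXML->load_xml(string => checked_raw_xml($interpolated))
                       ->findnodes('//admin');
print "unescaped value: ", scalar(@extra), " unexpected element(s)\n";

# 3. Escaping first keeps the value as plain text inside <bar>.
my $escaped = '<foo><bar>' . xml_escape($value) . '</bar></foo>';
@extra = XML::LibXML->load_xml(string => checked_raw_xml($escaped))
                    ->findnodes('//admin');
print "escaped value:   ", scalar(@extra), " unexpected element(s)\n";

# Only now hand the fragment to SOAP::Lite, which inserts it verbatim.
my $elem = SOAP::Data->type('xml' => $escaped);
```

The second case is the one to remember: a well-formedness check alone does not stop a value from changing the structure of the message, so untrusted text must be escaped before it is concatenated into raw XML.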
How to Call a .NET-based Web Service Using the SOAP::Lite Perl Library
How to Call a .NET-based Web Service Using the SOAP::Lite Perl Library: "BASIC Authentication
In the Introduction, I said that my users were using Perl on Solaris. The previous examples assume that the server has enabled Anonymous Access on the IIS Web server - no username or password is required. However, if you want to use basic authentication on your Web service, SOAP::Lite can send usernames and passwords upon request to your Web service.
To demonstrate SOAP::Lite support for basic authentication, first turn off Anonymous Access and turn on Basic Authentication for the virtual directory containing your Web service. If you are using a Windows machine as your client and not a UNIX machine, turn off Integrated Windows Authentication as well. (Be aware that when you turn off Integrated Windows Authentication for the virtual directory containing your Web service, you cannot debug the Web service in Visual Studio .NET.)
Once you turn on Basic Authentication, go back and run the last example. You should get an error message:
401 Access Denied at Example3.plx line 22
Now add these lines of code anywhere in your example (replacing the words username and password for a real Windows username and password on your Web server):
sub SOAP::Transport::HTTP::Client::get_basic_credentials {
return 'username' => 'password';
}
When your client application tries to access the Web service, the Web server issues a challenge for credentials. When SOAP::Lite receives this challenge, it calls the get_basic_credentials function. In this function, you arrange for the proper username and password pair to be returned to the Web server. You can watch this interaction with tcpTrace.exe."
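Basic authentication sends the username and password base64-encoded, so anything that can watch the connection, as tcpTrace.exe does in the article, can read them. The following is an added example, not code from the article: a variant of the callback that releases credentials only to one expected HTTPS endpoint and takes them from the environment instead of the source file. The host name, the environment variable names and the sample URLs are placeholders chosen for illustration.

```perl
use strict;
use warnings;
use SOAP::Lite;
use URI;

# Assumption for this example: the only endpoint that may receive credentials.
my $EXPECTED_HOST_PORT = 'ws.example.test:443';

# LWP::UserAgent, which SOAP::Transport::HTTP::Client inherits from, calls this
# method with the realm, the request URI and a flag that is true when a proxy
# (not the origin server) issued the challenge.
sub SOAP::Transport::HTTP::Client::get_basic_credentials {
    my ($self, $realm, $uri, $isproxy) = @_;

    # Returning an empty list means "no credentials": the call fails with 401
    # instead of sending the password somewhere it should not go.
    return if $isproxy;
    return unless ($uri->scheme // '') eq 'https';
    return unless lc($uri->host_port) eq $EXPECTED_HOST_PORT;

    # Placeholder variable names; keep the secret out of the script itself.
    my ($user, $pass) = @ENV{qw(WS_USER WS_PASS)};
    return unless defined $user && defined $pass;
    return ($user, $pass);
}

# Constructed check that runs without any network access.
$ENV{WS_USER} = 'svc_demo';
$ENV{WS_PASS} = 'constructed-secret';

for my $url ('https://ws.example.test/helloworld.asmx',
             'http://ws.example.test/helloworld.asmx',
             'https://other.example.test/helloworld.asmx') {
    my @cred = SOAP::Transport::HTTP::Client->get_basic_credentials(
        'constructed realm', URI->new($url), 0);
    printf "%-45s %s\n", $url, @cred ? 'credentials released' : 'refused';
}
```

Only the first URL receives credentials; the plain-HTTP and wrong-host requests get none, so a redirected or mistyped proxy() URL cannot collect the password.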
Parsing a result object from SOAP::Lite
Parsing a result object from SOAP::Lite: "Parsing a result object from SOAP::Lite
Users frequently ask, 'how do you iterate over an array returned by a SOAP service that I call.' It is asked frequently enough that I figure I should answer it here. As always, it is a lot simpler than you might think, it's just that SOAP::Lite's documentation leaves a lot to be desired.
SOAP::Lite returns a SOAP::SOM object for most SOAP calls. The SOM object provides a simple API for accessing any aspect of the response's SOAP envelope. One accesses those contents via simple XPATH statements.
For example, suppose for the following SOAP Envelope:
abcd
...you wanted to access the value of the bar element. Then you would simply write your code as follows:
my $soap = SOAP::Lite
->uri($SOME_NS)
->proxy($SOME_HOST);
my $som = $soap->foo();
print $som->valueof('//fooResponse/bar');
Let's say that the SOAP Envelope returned contained an array. How would you iterate over each element of that array? Like so:
for my $t ($som->valueof('//catalog/product')) {
    print $t->{title} . ' - ' . $t->{our_price} . "\n";
}
It is not always obvious, granted. But with a little tweaking here and there, and some familiarity with XPATH, you will quickly get the hang of it."
perl.com: An Introduction to Quality Assurance
perl.com: An Introduction to Quality Assurance: "An Introduction to Quality Assurance"
perl.com: Automating Windows Applications with Win32::OLE
perl.com: Automating Windows Applications with Win32::OLE: "Automating Windows Applications with Win32::OLE"
Explanation of the most important tags of the WSDL document
15 Seconds : SOAP Test Harness: "explanation of the most important tags of the WSDL document follows:
*: the root element of the WSDL document.
*: a child of the element, it has an attribute 'name' that defines the name of the Web Service.
*: a grandchild of the element, it has an attribute 'location' that specifies the URL of the Web Service.
*: describes the request and response messages. Two are needed for each method that will be exposed through the Web Service. It is a child node of the element.
*: a child of the element, it describes the parameters or return values in the SOAP call.
*: describes the data types and number of parameters or return values for a method call. It is a child element of the element. XSD data types describe the parameters and return values.
*: Describes all the methods exposed through the Web Service for a specified transfer protocol (such as SOAP, HTTPGet, or SMTP).
*: A child of the element, it specifies which message is the input and which message is the output.
*: indicates the transport protocol. It is a child of the element.
*: a grandchild of the element, it has an attribute 'soapAction' that states the SOAPAction HTTP header."
The Code Project - Publish, Discover and Invoke Web Services using SOAP and UDDI - C# WebServices
The Code Project - Publish, Discover and Invoke Web Services using SOAP and UDDI - C# WebServices: "Invoking the web service: Now we'll invoke the web service method using the SOAP SDK provided by Microsoft. Invoking services using SoapClient(n) class is fairly easy. Here n means the major version appended to the classes. This number is not associated with SOAP SDK's previous versions than 3.0. MSSoapInit method in SoapClient(n) class initialises the web service for the given WSDL and accepts service name and service port.
private void invoke_Click(object sender, System.EventArgs e)
{
    SoapClient30 sc = new SoapClient30();
    string translateText = textToTran.Text;
    string wsdl = null;
    try
    {
        if (wsUri == null)
            throw new Exception("Please Discover the service first");
        // check if it's the real WSDL
        if ((new Regex("(wsdl)$")).IsMatch(wsUri))
            wsdl = wsUri;
        else
            wsdl = wsUri + "?wsdl"; // otherwise append WSDL to the service
        // specify the service name and port name
        sc.MSSoapInit(wsdl, "piglatin", "piglatinSoap", "");
        Type type = sc.GetType();
        // specified service accepts just one argument (textToTranslate)
        object[] args = { translateText };
        Response.Write("Invoking method using MS SOAP SDK ...");
        // Dynamic invocation: no proxy class, no web reference
        object ox = type.InvokeMember("toPigLatin",
            BindingFlags.InvokeMethod, null, sc, args);
        Response.Write("Translated String " + ox.ToString());
    }
    catch (Exception sEx)
    {
        Response.Write("Exception occurred " + sEx.Message);
    }
}"
Installing Emacs on Windows 95/98/2K/NT/ME/XP
Installing Emacs on Windows 95/98/2K/NT/ME/XP: "Installing Emacs on Windows 95/98/2K/NT/ME/XP"
Unsolicited Commando - AstroBastards.net
ScriptTech
Seminars
With the popularity of the Climbing Mt. Automation seminars growing over the past few years, we’ve found ourselves unable to keep up with the demand to present the session in the multitude of requested venues. To make up for not being able to present the information in person, we’ve decided to establish a series of virtual seminars that address many of the issues covered in the original Climbing Mt. Automation seminar.
Being a virtual environment, we can expand the scope of the original seminar to include a variety of subjects that will be of interest to automation novices and experts alike. Each will be a short and succinct video of 15 to 20 minutes that covers a specific topic related to software testing and automation. All seminars are free of charge.
The first in the series will be available June 15, 2005 – entitled Climbing Mt. Automation: A background of Automation.
Future topics will include Automation Pain Points, Automation Tools, and Establishing your Automation Plan. New sessions of the Climbing Mt. Automation seminars will be posted every three to four weeks – so check back often.
What are five common solutions to software development problems?
1) Solid requirements - clear, complete, detailed, cohesive, attainable, testable
requirements that are agreed to by all players. Use prototypes to help nail
down requirements.
2) Realistic schedules - allow adequate time for planning, design, testing, bug
fixing, re-testing, changes, and documentation; personnel should be able to
complete the project without burning out.
3) Adequate testing - start testing early on, re-test after fixes or changes, plan for
adequate time for testing and bug fixing.
4) Stick to initial requirements as much as possible - be prepared to defend
against changes and additions once development has begun, and be
prepared to explain consequences. If changes are necessary, they should be
adequately reflected in related schedule changes. If possible, use rapid
prototyping during the design phase so that customers can see what to
expect. This will provide a higher comfort level with their requirement
decisions and will minimize changes later on.
5) Communication - require walkthroughs and inspections when appropriate;
make extensive use of group communication tools - e-mail, groupware,
networked bug-tracking tools and change management tools, intranet
capabilities, etc.; ensure documentation is available and up-to-date - preferably
electronic, not paper; promote teamwork and cooperation; use prototypes
early on so customers' expectations are clarified.
What are five common problems in the software development process?
1) Poor requirements - if requirements are unclear, incomplete, too general, or
not testable, there will be problems.
2) Unrealistic schedule - if too much work is crammed in too little time, problems
are inevitable.
3) Inadequate testing - no one will know whether or not the program is any good
until the customer complains or systems crash.
4) Featuritis - requests to pile on new features after development is underway;
extremely common.
5) Miscommunication - if developers don't know what is needed or customers
have erroneous expectations, problems are guaranteed.
What are the three software development process models?
1) Waterfall: linear progression of project activities
2) Spiral: bends planning, requirements and design of waterfall back around
three times to allow these activities to be injected with activities of evolution,
risk, verification, and planning based on results of previous spiral. When the
implementation level is reached, activities follow the waterfall model.
3) Evolutionary: output from each development activity is fed both backwards and forwards.
How can it be known when to stop testing?
This can be difficult to determine. Many modern software applications are so complex, and run in such an interdependent environment, that complete testing can never be done.
Common factors in deciding when to stop are:
* Deadlines (release deadlines, testing deadlines, etc.)
* Test cases completed with certain percentage passed
* Test budget depleted
* Coverage of code/functionality/requirements reaches a specified point
* Bug rate falls below a certain level
* Beta or alpha testing period ends
What if there isn't enough time for thorough testing?
Use risk analysis to determine where testing should be focused. Since it's rarely possible to
test every possible aspect of an application, every possible combination of events, every
dependency, or everything that could go wrong, risk analysis is appropriate to most software
development projects. This requires judgment skills, common sense, and experience.
Considerations can include:
* Which functionality is most important to the project's intended purpose?
* Which functionality is most visible to the user?
* Which functionality has the largest safety impact?
* Which functionality has the largest financial impact on users?
* Which aspects of the application are most important to the customer?
* Which aspects of the application can be tested early in the development cycle?
* Which parts of the code are most complex, and thus most subject to errors?
* Which parts of the application were developed in rush or panic mode?
* Which aspects of similar/related previous projects caused problems?
* Which aspects of similar/related previous projects had large maintenance expenses?
* Which parts of the requirements and design are unclear or poorly thought out?
* What do the developers think are the highest-risk aspects of the application?
* What kinds of problems would cause the worst publicity?
* What kinds of problems would cause the most customer service complaints?
* What kinds of tests could easily cover multiple functionalities?
* Which tests will have the best high-risk-coverage to time-required ratio?
Usability testing tip: File sizes a must?
Downloadable files (PDF, Word, etc.) should have their file sizes mentioned next to them. This gives users (especially dial-up users) an idea of how much time it will take to download the file. Additionally, if you have a list of files to download, knowing the file sizes lets a user schedule their downloads accordingly.
Design Patterns: Solidify Your C# Application Architecture with Design Patterns -- MSDN Magazine, July 2001