Skip to main content


Showing posts from June, 2005

SAMIE Detailed Documentation from forums SAMIE Discussion

By: Josh Watts - seajosh
SAMIE documentation
2005-06-06 08:33
Here's my pass at documenting SAMie that I did a while ago and thought I'd post it here as well.

Win32::SAM - Simple Automation Mode for Internet Explorer

o Methods


Win32::SAM - Simple Automation Mode for Internet Explorer (SAMie)


use strict;
use Win32::OLE;
use Win32::SAM;

$| = 1;
my $URL = '';
my $IEDocument;
my $seconds;
my $htmlseite;
my $item;
$Win32::OLE::Warn = 0;
$IEDocument = GetDocument();
print "Calling WaitForDocumentComplete1\n";
print "Clicking Link one\n";
ClickLink("Link one");
print "Calling WaitForDocumentComplete2()\n";
print "Clicking Link two\n";
ClickLink("Link two");
print "Calling WaitForDocumentComplete3()\n&qu…

Interview Questions for Software Testers

Interview Questions for Software Testers

Interview Questions

On this page I put more than 200 different interview questions from different recourses. Some of them are very simple some are a little bit difficult. If you would like to check you technical knowledge or to see more questions and answers you can Download now a free copy of Exam application or read more on “ Software We Recommend" page

Please do not send me e-mails asking the answers to these questions.
This page is being updated on a quarterly basis
Test Automation:
1. What automating testing tools are you familiar with?
2. How did you use automating testing tools in your job?
3. Describe some problem that you had with automating testing tool.
4. How do you plan test automation?
5. Can test automation improve test effectiveness?
6. What is data - driven automation?
7. What are the main attributes of test automation?
8. Does automation replace manual testing?
9. How will you choose a tool for test automation?
10. How you will evaluate…

Matt O'Kane - ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer

Matt O'Kane - ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer: "ASP.NET Client-side validation Controls that work in Firefox as well as Internet Explorer

Here, you can download controls that work the same as ASP.NET standard validation controls with two important differences. Firstly, the controls will work in Firefox 1.0 and later, as well as IE. Secondly, they are fully HTML DOM compliant.

This work is a minor improvement on the fantastic work by Paul Glavich.

For all intensive purposes, these controls work exactly the same as the regular validation controls (that is CompareValidator, CustomValidator, ValidationSummary, RangeValidator, RegularExpressionValidator, and RequiredValidator) except their names are slighlty different. But the properties and methods are a one-to-one match.

To run these, you need to refer to the compiled DLL (in the Release directory). This will add the controls.

Also the source code (in c#) is included in c…

Modeling Artifacts (different ways of modeling)

News aggregator | "Modeling Artifacts (different ways of modeling)
Submitted by darrell on Wed, 22/06/2005 - 13:51.

Scott Ambler has a great page that lists 35 modeling artifact types. The page links to summary descriptions of a wide variety of modeling artifacts. Each page describes the artifact, provides an example or two, and provides links to suggested resources. In this list he also indicates if the technique is simple enough for stakeholders to learn, whether it is usually a paper-based artifact, whether he suggests creating it on a whiteboard, and what type of software he would consider using to create and maintain it.
Modeling Artifact
Business Rule
Change Case
Class Responsibility Collaborator (CRC) model
Contract model
Data Flow Diagram (DFD)
Essential Use Case
Essential User Interface Prototype
Free-Form Diagrams
Flow Chart
Logical Data Model (LDM)
Network Diagram
Object Role Model (ORM) Diagram
Physical Data Model (PDM)

Advanced events

Advanced events

Advanced events

Events can be used to pass information to the clients. In this chapter I will describe a technique to pass data from the event source to the client using the parameters of the eventhandler.

The Delphi wizard assumes that the server eventsource only has to handle one eventsink at the time. For some clients this will limit the number of different events that can be sinked to just one. In this chapter I will describe the way to support multiple sinks and show how a C# client can function fully with all events of my eventsource including their data.

Creating ISO images with Nero 5.5 Express

Mark Michaelis' Weblog - August, 2003: "Creating ISO images with Nero 5.5 Express

I recently set up an old computer for my son, Benjamin, as he keeps messing up my wifes desktop and then I have to figure out how to get it back to the way she wants it. Anyway, as part of doing this I didn't want my son putting CDs in and out of the computer as he tends to scratch them. Instead, I decided to create ISO images of them and have him use them directly from the computer using Daemon-Tools. The problem, was how to create ISO images? I had a copy of Nero Express 5.5 but it took me some time to figure out exactly how to get it to make ISO images. (If you happen to have the full version of Nero you can find instructions for creating ISO images here.)

Here are the steps for Nero Express 5.5:

1. Launch Nero Express 5.5 (yes there is a 6 version out there but I don't have it.)
2. Select the Copy Entire Disk option.
3. Click the More>> button.
4. Click the Configure…

C# Script

C# Script

There is VBScript, JScript and PHP. But there isn't anything like C#-Script. So, I decided to play around a bit, only as a matter of checking out the possibilties.
The plan:

Create a CS-Script.exe file that we can use to 'launch' a .cs file. Without having to add the file to a solution or anything.

A very basic tool, that can launch one .cs file. View it as some sort of batch scripting tool. Where you can quickly open notepad, write something and run it.

Our goal is to reach it through the right click menu in the shell. For every file! So we'll create a console app (CS-Script) that accepts one argument, the filename.

We want to let the user know when he fucks up and doesn't provide an argument, so we add a reference to System.Windows.Forms and display a MessageBox.

Web Application Security Consortium

Home - Web Application Security Consortium

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.

As an active community, WASC facilitates the exchange ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.


: "HACKING WITH JAVASCRIPT Dr_aMado Sun, 11 Apr 2004 16:40:13 UTC This tutorial is an overview of how javascript can be used to bypass simple/advanced html forms and how it can be used to override cookie/session authentication. SIMPLE HTML FORMS 1. Bypassing Required Fields Surely you have met a webpage that requires you to fill all fields in a form in order to submit it. It is possible to bypass these types of restrictions on any webpage. If you take a look at the webpage's source and follow it down to the form's code, you will notice the onsubmit form attribute. Hopefully by this time you have experienced the power of javascript and you know that javascript has control over every single element in a webpage, including forms.We can use javascript to our advantage in every page we view for we can modify, delete, or add any element to the webpage. In this case we wish to clear the form's onsubmit attribute in order for the form to be submitted successfully. The onsubmi…

SQL Injection - Tricks

 Tricks attackers use
 UNION statements to append data ripped from other SQL
 “--”double hyphen comment indicator to block out the rest of the
intended SQL
 Try a single quote in input fields to see if the query fails (failure usually
indicates bad input validation and possible exploitation)
 Use logical expression ‘OR 1=1 -- To return multiple records
 exec master..xp_cmdshell ‘ping HACKER_IP’to
check for ‘sa’-level exploitable hosts
 select name from sysobjects where type = ‘u’
can expose tables to exploit
 Insert tablename exec sp_whatever –good way to see
output of stored procedures
 Use @@version to return SQL Server and OS versions and Service

Taken from Document on "Search engines as penetration testing tools

In addition to server-wide robot control using robots.txt, administrators can also
specify that certain pages should not be indexed by search engine robots, or that
the links on the page should not be followed by robots. The Robots META tag,
placed in the HTML < HEAD > section of a page, can specify either or both of
these actions. Many, but not all, search engine robots will recognize this tag and
follow the rules for each page. If you want to prevent all robots from archiving
content on your site, use the NOARCHIVE meta tag.
For more information’s on the use of Metatag to exclude robots, visit the HTML
Author's Guide to the Robots META tag [8].

Q134 Is it possible to send an email from a JavaScript?

Q134 Is it possible to send an email from a JavaScript?: "Q134 Is it possible to send an email from a JavaScript?

Using an HTML link:

email someone

Using a Form:

Both methods suggested are completely non-JavaScript methods - but possibly useful nevertheless.

The ACTION='mailto:...' works on some other browsers than just Netscape, although its effect is undefined by the specifications.

In HTML, you can also use forms to set up possibilities for sending E-mail from Web pages - take a look at the list of JavaScript Email articles for further information.

Thanks to Jukka Korpela for updates to this answer."

CROSS-SITE SCRIPTING : Penetration Test Report paper

Severity: Medium
An attacker can take advantage of numerous input fields in the application
in order to mislead an innocent customer entering the site into giving away
information, or as a tunnel for the attacker for future purchases on behalf
of the first. Input fields include the comments area, the search page, and
the new user signup form.
The first cross site scripting attack is based on a malicious user
embedding malicious code (in the form of Javascript or VBScript) in the
search field of the search.asp page. This allows an attacker to send a mail
to any user asking him to view a list of search results. If the innocent user
would surf to this linked page, where the malicious code is injected by the
attacker he would have a response script sent to him. This can result in
the user’s session cookie sent to the attacker for instance, which will
enable the attacker to act on the user’s behalf without his knowledge.

Search engines as penetration testing tools

Professional Security Testers resources warehouse - Downloads: "Search engines as penetration testing tools"

Description: Through examples, the paper will show how the techniques subsequently described can be used to steal or corrupt large quantities of sensitive information, to perform large-scale system recognition and to disrupt those systems in more subtle ways. All this while remaining anonymous and in many cases by never accessing the target server itself. A brief presentation will be made about how intrusion detection system signatures can be used to format new queries, which are likely to return many vulnerable and/or misconfigured servers. Finally, the paper presents the few solutions available and demonstrates how to properly implement them.
Version: V1 Filesize: 76.00 Kb

SQL Injections: from previous link

SQL Injections [At the Database Level]

The first step before SQL Injections is to test whether a site is vulnerable to SQL Injections or not. It can be achieved by giving some arbitrary input. If input results in an error message (other than user generated error message), it means site is vulnerable to SQL Injections. To find whether a sire is vulnerable to SQL injections try followings special characters in input:

‘ ; , ‘‘ % - *

Bypassing User Authentication:
An attacker can easily bypass Login Page without providing a valid user name & password. He just need to give:
' Or 1=1;-- (In the User Name text Box)
On submitting this page SQL query (at the server) becomes:
Select * from authentication where Name =' ' or 1=1; --
Note: MS SQL Server treats anything after; -- as comment so rest of the query will be ignored. What attacker has done here is without specifying a valid username & password he bypasses the Login page.
Telling you frankly even if site is vulnerable to SQL…

Open Information Systems Security Group - SQL Injection

Open Information Systems Security Group - SQL Injection: "SQL Injection"

This article shed insight on the art of sql injection in data base driven applications. It follows structured approach and after going through it a reader will have a better understanding of sql injections.
This document discuss in detail common as well as some advance SQL Injection techniques as it applies to Microsoft Internet Information Server / Active Server Pages / Microsoft SQL Server. It discusses the various ways in which SQL can be injected & how one can protect him against the SQL injections. This document also contains brief description of the terms used in the context of databases & web Application.

What is SQL Injection?
It's a technique where an attacker creates or alters existing SQL commands (by using some special symbol) to gain access to unintended data or even the ability to execute system level commands in the server. SQL injections are the result of Poor Input Validati…

A Developer's Introduction to Web Parts

Summary: Learn what Web Parts are and how to create them. Developers can build Web Parts as ASP.NET custom controls. Administrators can install Web Parts on any site based on Windows SharePoint Services. Users can add Web Parts to pages by dragging and dropping in a browser, and they can personalize them by setting properties. Web Parts can connect to other Web Parts using standard interfaces. (43 printed pages)

A sample Visual Studio .NET solution that contains two custom Web Parts written in C# accompanies this article. With the first Web Part, users can select a customer and view configurable information about the customer. With the second Web Part, users can view the orders for a single customer. A user can add these Web Parts to a Web Part Page and connect them to each other, so that the second Web Part displays orders for the customer selected in the first Web Part.

Note This paper introduces Web Parts to developers. This is not an introduction to Windows SharePoint Servic…

Detection of SQL Injection and Cross-site Scripting Attacks

Detection of SQL Injection and Cross-site Scripting Attacks: "2.1 Regex for detection of SQL meta-characters


We first detect either the hex equivalent of the single-quote, the single-quote itself or the presence of the double-dash. These are SQL characters for MS SQL Server and Oracle, which denote the beginning of a comment, and everything that follows is ignored. Additionally, if you're using MySQL, you need to check for presence of the '#' or its hex-equivalent. Note that we do not need to check for the hex-equivalent of the double-dash, because it is not an HTML meta-character and will not be encoded by the browser. Also, if an attacker tries to manually modify the double-dash to its hex value of %2D (using a proxy like Achilles [ref 5]), the SQL Injection attack fails."

Penetration Testing for Web Applications (Part One)

Penetration Testing for Web Applications (Part One)

This is the first in a series of three articles on penetration testing for Web applications. The first installment provides the penetration tester with an overview of Web applications - how they work, how they interact with users, and most importantly how developers can expose data and systems with poorly written and secured Web application front-ends

Internet Application Testing

From:The Open Source Security Testing Methodology Manual

5 . Internet Application Testing

An Internet application test employs different software testing techniques to find "security bugs" in server/client
applications of the system from the Internet. In this module, we refer the server/client applications to those
proprietarily developed by the system owners serving dedicate business purposes and the applications can be
developed with any programming languages and technologies. E.g. web application for business transactions is a
target in this module. "Black box" and/or "White box" testing can be used in this module.
Expected Results: List of applications
List of application components
List of application vulnerabilities
List of application system trusts
R e -En g i n e e r i n g
1. Decompose or deconstruct the binary codes, if accessible.
2. Determines the protocol specification of the server/client application.
3. Guess program logic from the error/debug messages i…

Foundations of Software Engineering - Home

Foundations of Software Engineering - Home

The goal of the Foundations of Software Engineering (FSE) group at Microsoft Research in Redmond, Wash., is to improve software development productivity by using automated software verification.

The term automated software verification refers to machine-assisted techniques that compare the actual behavior of a software component with its predicted behavior. Verification can occur at design time or during the program’s execution. Whether static or dynamic, automated verification always operates with respect to a notion of predicted system behavior, which is typically expressed in the form of a specification. Specifications may be generic, for instance the code should not crash, or can be specific to the system.

Specification-based software verification can occur at three levels of detail: the system or architecture level, the unit or class level and the source code level. Benefits of introducing specifications are numerous: they document des…

The Vulnerabilities of Developing on the Net - Apr 2001

STSC CrossTalk - The Vulnerabilities of Developing on the Net - Apr 2001: "The Vulnerabilities of Developing on the Net"

Disaster has struck. You would think that firewalls, combined with filtering routers, password protection, encryption, and disciplined use of access controls and file permissions would have been enough protection. However, an overlooked flaw in the commercial web server application allowed a hacker to use a buffer overflow attack to leverage the application's privileges into administrator-level access to the server. From there it was easy to gain access to other machines within the Intranet and replace the public Web pages with details of the hack. With the company's public site showing a live video stream of an ongoing internal, private and sensitive company meeting, it left little room for doubt as to how badly they had been hacked.

SOAP::Lite - SOAP elements access methods

SOAP::Lite - Client and server side SOAP implementation: "$h = $som->headerof('//myheader'); # returns element as SOAP::Header, so
# you can access attributes and values
# with $h->mustUnderstand, $h->actor
# or $h->attr (for all attributes)

SOAP::SOM object gives you access to the deserialized envelope via several
methods. All methods accept a node path (similar to XPath notations).
SOM interprets '/' as the root node, '//' as relative location path
('//Body' will find all bodies in document, as well as
'/Envelope//nums' will find all 'nums' nodes under Envelope node),
'[num]' as node number and '[op num]' with C being a comparison
operator ('<', '>', '<=', '>=', '!', '=').

All nodes in nodeset will be returned in document…

Invoking .NET Service using C# and SOAP

TopXML : Programming Web Services with SOAP: "Invoking the Service Using SOAP

Creating a SOAP client for the Hello World service using .NET is, surprisingly, harder than creating the service itself. There are tools to make it easier (we will explore them briefly in Chapter 5), but for now we'll go through the steps manually so you know what is going on.

Again using your favorite text editor, create HelloWorld.cs (the .cs extension indicates C# source code) from Example 3-18.

Example 3-18: HelloWorld.cs, a C# HelloWorld Client

// HelloWorld.cs

using System.Diagnostics;
using System.Xml.Serialization;
using System;
using System.Web.Services.Protocols;
using System.Web.Services;

public class Example1 :
System.Web.Services.Protocols.SoapHttpClientProtocol {

public Example1( ) {
this.Url = 'http://localhost/helloworld.asmx '…

Interoperability Issues regarding Perl and .NET SOAP

TopXML : Programming Web Services with SOAP: "Interoperability Issues

At the time of this writing, .NET's SOAP implementation still has a few issues that need to be worked out, primarily in the area of interoperability.

Slight variations between the way .NET implements SOAP and SOAP::Lite's implementation of SOAP, for example, cause some difficulty in allowing the two to work together out of the box. To illustrate the problem, follow the steps shown here. One would think that everything would work fine, but it doesn't. I'll point out why after we walk through it.

First, launch the Java TcpTunnelGui tool that ships with Apache SOAP, specifying port 8080 as the local listening port, and redirecting to whatever server you have your HelloWorld.asmx file deployed to:

C:\book>start java 8080
localhost 80

Then, modify the Perl Hello World client to point to the HelloWorld.asmx file, but replace the server part of the URL w…

Programming Web Services with SOAP

TopXML : Programming Web Services with SOAP: "Invoking the Service Using SOAP

Creating a SOAP client for the Hello World service using .NET is, surprisingly, harder than creating the service itself. There are tools to make it easier (we will explore them briefly in Chapter 5), but for now we'll go through the steps manually so you know what is going on.

Again using your favorite text editor, create HelloWorld.cs (the .cs extension indicates C# source code) from Example 3-18.

Example 3-18: HelloWorld.cs, a C# HelloWorld Client

// HelloWorld.cs

using System.Diagnostics;
using System.Xml.Serialization;
using System;
using System.Web.Services.Protocols;
using System.Web.Services;

public class Example1 :
System.Web.Services.Protocols.SoapHttpClientProtocol {

public Example1( ) {
this.Url = 'http://localhost/helloworld.asmx '…

Adding Macs to Active Directory using Mac OS X 10.3

Adding Macs to Active Directory using Mac OS X 10.3: "Adding Macs to Active Directory using Mac OS X 10.3


Configuring Directory Access

1. Open the Directory Access application located in /Applications/Utilities/.

2. Click the Padlock buton to authenticate if necessary.

3. Check the box next to Active Directory and click Configure…

4. Enter in the Active Directory Forest and Active Directory Domain fields.

5. Enter a Computer ID that you want to use. A computer object with this ID must be pre-created in Active Directory, which requires Domain Admin rights.

6. Click the Show Advanced Options button.

7. Check the option to “Cache last user logon for offline operation” if needed.

8. Check the option to “Allow Administration by” if you want to allow domain admins or other specified domain users/groups admininstrative rights on this computer. Separate each object with commas. Each domain object listed must be preceded by IASTATE\.…



In some circumstances you may need to encode a message using raw unserialized XML text. To instantiate a SOAP::Data object using raw XML, do the following:

$xml_content = '123';
$elem = SOAP::Data->type('xml' => $xml_content);

SOAP::Lite's serializer simple takes whatever text is passed to it, and inserts into the encoded SOAP::Data element verbatim. The text input is validated to ensure it is valid XML, nor is the resulting SOAP::Data element validated to ensure that it will produce valide XML. Therefore, it is incumbant upon the developer to ensure that any XML data used in this fashion is valid and will result in a valid XML document."

How to Call a .NET-based Web Service Using the SOAP::Lite Perl Library

How to Call a .NET-based Web Service Using the SOAP::Lite Perl Library: "BASIC Authentication
In the Introduction, I said that my users were using Perl on Solaris. The previous examples assume that the server has enabled Anonymous Access on the IIS Web server�no username or password is required. However, if you want to use basic authentication on your Web service, SOAP::Lite can send usernames and passwords upon request to your Web service.
To demonstrate SOAP::Lite support for basic authentication, first turn off Anonymous Access and turn on Basic Authentication for the virtual directory containing your Web service. If you are using a Windows machine as your client and not a UNIX machine, turn off Integrated Windows Authentication as well. (Be aware that when you turn off Integrated Windows Authentication for the virtual directory containing your Web service, you cannot debug the Web service in Visual Studio .NET.)
Once you turn on Basic Authentication, go back and run the las…

Parsing a result object from SOAP::Lite

Parsing a result object from SOAP::Lite: "Parsing a result object from SOAP::Lite
Users frequently ask, 'how do you iterate over an array returned by a SOAP service that I call.' It asked frequently enough that I figure I should answer it here here. As always, it is a lot simpler than you might think, its just that SOAP::Lite's documentation leaves a lot to be desired.

SOAP::Lite returns a SOAP::SOM object for most SOAP calls. The SOM object provides a simple API for accessing any aspect of the response's SOAP envelope. One accesses those contents via simple XPATH statements.
For example, suppose for the following SOAP Envelope:

abcd wanted to access the value of the bar element. Then you would simply write your code as follows:

my $soap = SOAP::Lite
my $som = $soap->foo();
print $som->valueof('//fooResponse/bar');

Let's say that the SOAP Envelope returned contained an array. How would you iter…

Explanation of the most important tags of the WSDL document

15 Seconds : SOAP Test Harness: "explanation of the most important tags of the WSDL document follows:

* : the root element of the WSDL document.
* : a child of the element, it has an attribute 'name' that defines the name of the Web Service.
* : a grandchild of the element, it has an attribute 'location' that specifies the URL of the Web Service.
* : describes the request and response messages. Two are needed for each method that will be exposed through the Web Service. It is a child node of the element.
* : a child of the element, it describes the parameters or return values in the SOAP call.
* : describes the data types and number of parameters or return values for a method call. It is a child element of the element. XSD data types describe the parameters and return values.
* : Describes all the methods exposed through the Web Service for a specified transfer protocol (such as SOAP, HTTPGet, or SMTP).
* : A child of the elem…

The Code Project - Publish, Discover and Invoke Web Services using SOAP and UDDI - C# WebServices

The Code Project - Publish, Discover and Invoke Web Services using SOAP and UDDI - C# WebServices: "Invoking the web service: Now we'll invoke the web service method using the SOAP SDK provided by Microsoft. Invoking services using SoapClient(n) class is fairly easy. Here n means the major version appended to the classes. this number is not associated with SOAP SDK's previous versions than 3.0. MSSoapInit method in SoapClient(n) class initialises the web service for the given WSDL and accepts service name and service port.

private void invoke_Click(object sender, System.EventArgs e))
SoapClient30 sc = new SoapClient30();
string translateText=textToTran.Text;
string wsdl=null;
throw new Exception('Please Discover the service first');
if((new Regex('(wsdl)$')).IsMatch(wsUri))
//check if it's the real WSDL
wsdl=wsUri+'?wsdl'; //otherwise append WSDL to the service

sc.MSSoapInit(wsdl, 'pigla…