Monday, August 18, 2008

Selenium IDE- QnA

Through this blog post I am sharing some useful points. While trying the IDE, I came across many questions, and later I found solutions to some of them. Some of the questions and answers are here.
Hope they help you a lot.

How does Selenium IDE handle checkpoints?
Can Selenium IDE handle any checkpoint like QTP, WinRunner?
I have a login page. If I enter a wrong username and password and try to log in, the application displays the message “Wrong username and Password”. How to handle this situation?
Yes, we can use a command:
assertTextPresent <"Error Message">

How to capture input given in Rich Text Editor using Selenium IDE?
You can take the id of this editor using XPath.

I face an error "Element not found" while running a script. How can I overcome it?
Try using the 'clickAndWait' command instead of just 'click',
or maybe the 'waitForPageToLoad' command.

How to handle a timeout situation?
The default timeout in Selenium is 30000 ms. You can change this from the options.
But it is not good practice to change the default timeout. The best practice is to use the timeout command:
setTimeout 30000000


I will be posting more so keep visiting the blog.

Thursday, August 7, 2008

Checking security vulnerability -XSS

While testing a web-based application we also need to test its security. There are malicious people (hackers, you can say) who can apply SQL injection to access some of the data or information in your application, so we need to check our application for security vulnerabilities. One of the most common vulnerabilities is XSS (Cross-Site Scripting). It occurs when web pages accept user input without proper validation. This allows hackers (or any attacker) to embed malicious script or code, which is injected into that page. Sometimes you see links appearing in web pages while surfing; these links are this kind of activity. On clicking these links, the embedded code is injected into your web pages.
Some of the risks associated with XSS are:
1- One can track your activities.
2- One can steal your session ID.
3- One can use your cookies.
4- One can modify/change/delete the content of your web page.
5- It is possible to crash a browser.
6- Installation of some harmful software.
and many more.

So it is our (testers') job to find such vulnerabilities while testing. The question is: how to determine whether a web page is vulnerable or not?
This is a very common vulnerability, and it is easy to check whether your page is vulnerable or not.

To check, supply the string "<></>" to a form field of yours whose value is displayed on the page.
* If you see "<></>" returned, most likely not vulnerable.
* If you see "<>" returned, most likely vulnerable.

One more simple test is to take a parameter that is currently sent in the HTTP GET request and modify it. Take for example the following request in the browser address bar. This URL takes a name parameter that you enter in a textbox and prints something on the page, like "Hello Vishal, thank you for coming to my site".
http://www.yoursite.com/index.html?name=vishal
Now let's modify this request. For example, try entering something similar to the following request in the browser address bar.

http://www.yoursite.com/index.html?name=<script>alert('You just found a XSS vulnerability')</script>
If this pops up an alert message box stating "You just found a XSS vulnerability", then you know this parameter is vulnerable to XSS attacks. The name parameter is not being validated; it allows anything to be processed as a name, including a malicious script injected into the parameter passed in. Basically, where the name George would normally be written on the page, the message is instead being written to the dynamic page. The alert message is just an example of how to test for the XSS vulnerability. A malicious hacker would be much more devious in exploiting this type of security vulnerability.

Cross-site scripting (XSS) attacks are a type of attack in which a variety of techniques are used to attempt to execute malicious script code by injecting it into form input, query strings, or cookies.
XSS vulnerabilities are caused by a failure in the web application to properly validate user input.

What should a developer do?
If you are using the POST method for data submission then client-side checks might be sufficient, but it is all the more necessary to do server-side validation if you are using the GET method to retrieve data.
* Always do input validation.
* If possible, do output validation as well.
* Never rely on client-side scripting.
* Avoid the GET method for sending data.
* Always use validateRequest=True;
* Always replace ' (single quote), especially if you are storing data in a database, to prevent SQL injection.
* Avoid using cookies.
* Always verify and check the lengths of strings to safeguard against stack-overwriting attacks and SQL errors.
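
The GET-parameter test and the output-validation advice above, as an added Python example that is not code from the original post: a constructed greeting page rendered with and without HTML-encoding, and a check that classifies how the post's probe string comes back. The function names and the rendering code are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Probe string and placeholder site URL as given in the post.
PROBE = "<script>alert('You just found a XSS vulnerability')</script>"
PROBE_URL = "http://www.yoursite.com/index.html?name=" + quote(PROBE)
TEMPLATE = "<p>Hello %s, thank you for coming to my site</p>"


def name_param(url):
    """Return the decoded `name` query parameter ('' if it is absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_greeting_vulnerable(url):
    """Before: the parameter is written into the page exactly as received."""
    return TEMPLATE % name_param(url)


def render_greeting_encoded(url):
    """After: the parameter is HTML-encoded on output, so markup becomes text."""
    return TEMPLATE % html.escape(name_param(url), quote=True)


def classify_reflection(body, probe=PROBE):
    """Tester's check: how did the probe come back in the response body?"""
    if probe in body:
        return "reflected-raw"       # markup survived: most likely vulnerable
    if probe in html.unescape(body):
        return "reflected-encoded"   # shown as text: most likely not vulnerable
    return "not-reflected"           # filtered, or not echoed on this page


if __name__ == "__main__":
    for render in (render_greeting_vulnerable, render_greeting_encoded):
        body = render(PROBE_URL)
        print(render.__name__, "->", classify_reflection(body))
        print("   ", body)
```
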

So, being testers, we need to test our site for this and let the dev team know about it.
There are many tools available to check for these vulnerabilities. I tried one which is paid, but its trial version is available to use. This will facilitate the XSS checking.

http://www.acunetix.com/vulnerability-scanner/
Steps:
-> Open this link.
-> You need to fill in a form with basic info. Make sure you enter a valid email id.
-> Later you will receive a mail with a link to download this tool.
-> You will get an exe file. install the ......Now what.... play with this and find more.


Happy QA,ing



Wednesday, August 6, 2008

Cookies Testing

Following are some possible test cases for testing cookies. More cases are possible; add them and revert back with them.

Test1-
----------------------------------------------------------------------------------------------
Purpose:
Test for Disable cookies

Prerequisite: Close all browsers, delete all previously written cookies before performing this test
Steps action: Disable the cookies on browser and open the application.
Expected Result: The major functionalities should not work properly. An appropriate message like “For smooth functioning of this site make sure that cookies are enabled on your browser” should be displayed. There should not be any page crash.

Test2-
------------------------------------------------------------------------------------------------
Purpose:
Test for Delete cookies

Prerequisite: Close all browsers, delete all previously written cookies before performing this test
Steps action: Open site/page and allow cookies to be written and then delete these cookies and then navigate application.
Expected Result: No crash should be there. Site should function well.

Test3-
-------------------------------------------------------------------------------------------------
Purpose:
Test for Corrupt cookies

Prerequisite: Close all browsers, delete all previously written cookies before performing this test
Steps action: Allow cookies to be written and edit them in Notepad, changing the parameters to some vague values, e.g. alter the name or its expiry date. Now navigate the site.
Expected Result:

Test4-
-----------------------------------------------------------------------------------------------
Purpose:
Test Session cookies

Prerequisite: Close all browsers, delete all previously written cookies before performing this test
Steps action: Allow cookies to be written and then close the browser. Now check for stored cookies.
Expected Result: There should not be any cookie stored.
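
One way to predict the Test4 result from the response headers, as an added Python example (not from the original post): a cookie whose Set-Cookie header carries no Expires or Max-Age is a session cookie, so only the others should remain stored after the browser is closed. The header values, `NOW` and all function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def classify_cookie(header, now):
    """Return (name, 'session' | 'persistent' | 'deleted') as of `now`."""
    name, attrs = parse_set_cookie(header)
    if "max-age" in attrs:                 # Max-Age takes precedence over Expires
        try:
            return name, "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass                           # a malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, "session"         # a malformed Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return name, "persistent" if when > now else "deleted"
    return name, "session"


def stored_after_close(headers, now):
    """Names of the cookies a browser would still hold after being closed."""
    return [n for n, kind in (classify_cookie(h, now) for h in headers)
            if kind == "persistent"]


# Constructed sample headers (not taken from any real application).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "remember_me=1; Max-Age=2592000; Path=/",
    "lang=en; Expires=Thu, 06 Aug 2009 10:00:00 GMT",
    "old_pref=; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]
NOW = datetime(2008, 8, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("stored after close:", stored_after_close(SAMPLE_HEADERS, NOW))
```

Test4 passes for a site that is meant to use session cookies only when `stored_after_close` returns an empty list for the headers it sends.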

These are some possible points to keep in mind while testing cookies. Revert back with your feedback. Thanks.


Tuesday, August 5, 2008

SeleniumIDE- Useful Points part-I

1- Xpaths:-
In one of my projects, when I was recording my script for creating a post, I found that the IDE was unable to record the text box activity. Actually that text box was the JavaScript content editor 'TinyMCE'. Later I recognized that the IDE was unable to find this editor as there was no label used for it. So I used the XPath option available on right click to locate the element ID.
This was like id('tinymce')/p. Here the title was not used, so we need to pass its ID manually. This is done using XPath.

2- Regular expression:-
Now, if an alert or pop-up window appears, how do you handle it in your script? I faced this situation and came up with this solution.
Why does our script fail? The reason is that the alert has a dynamic section, and to handle that we need to put a regular expression marker with a regular expression. Your command should look something like verifyAlert ok.
You can also use assertX (assertText, assertAlert.....) with regular expressions. I used this for select box functionality (drop-down).

3-waitFor:-
I created a script and was trying to run it. But it failed. Why? It times out! Element not found! Window does not appear! ...etc.
Actually what was happening was that when my script started executing, the page element was not loaded.
In AJAX-based programming you never know how long it will take to load a page element. This was the reason my script was failing again and again. Finally I came up with a solution using the waitFor command. You can use this command to make your script execution wait until the page element is loaded. (This is a little similar to the wait() command used in WinRunner.)
Here are some expansions of this command: waitForX (waitForElement, waitForText, waitForAlert...........)