Monthly Archives: December 2016

XML External Entity

An XML External Entity vulnerability is used to attack a program that uses XML files from an external source. If executed properly, an attack can let you view the contents of files on a host system. The way this is done is using entity’s in XML which essentially act as variables.
For example:

<?xml version=”1.0″ ?>
<!DOCTYPE student [
<!ELEMENTstudent ANY>
<!ENTITY student “Daniel Mahoney”>
]>
<student>&student;</student>

In the above code any use of the entity student will be replaced with “Daniel Mahoney” when the XML is parsed.

<?xml version=”1.0″ ?>
<!DOCTYPE passwd [
<!ELEMENT passwd ANY>
<!ENTITY passwd SYSTEM “file:///etc/passwd”>
]>
<passwd>&passwd;</passwd>

Adding SYSTEM to the entity now allows you to print out the contents of a file on the host system. This can be used to get sensitive information and, if the file being read provides infinite output, can be used for Denial of Service attacks.

The best way to protect yourself from these attacks is to turn off external entity parsing in the config of whatever software you have.

From the blog CS@Worcester – Site Title by volk676 and used with permission of the author. All other rights reserved by the author.

White-Box, Black-Box, and a Little of both, Gray-Box Testing

When testing a software product the testers need access to some amount of information. The can be given access to just the finished product, just the code, or both. In each case the type of testing can vary.

Black-box testing refers to testing software where you have not been given the source code. In most cases the tested would be given a set of specifications. The tested the preform test on the  product and ensure it complies with the specifications. The main way in which black box testing works is by providing input and verifying the output is what is expected.

With white-box testing the testers have access to the source code. This means the they can examine how the code works. This can prove to be more complex but allows for much more thorough testing. This is where unit testing can really work and test cases can be written to test the code. Metrics can also be generated to show how much of the code was actually covered by test.

The third options involves a little of both categories, this is known as gray-box testing. In most cases involving gray-box testing the tested don’t have access to the source code but do have some knowledge of the inner workings of the program. One example of this would be a team that understands the formulas and methods used by software. This allows them to create more specific test than black-box testing that can target areas that are more likely to have issues. This is a good place for boundary value testing.

From the blog CS@WSU – :(){ :|: &amp; };: by rmurphy12blog and used with permission of the author. All other rights reserved by the author.

Reviewing Code

One way of ensuring good quality is by creating a test suit that actively test the code to fine flaws. Another way is to comb through the code and verify there are no errors in the logic. This process in known as a software technical review.

A software technical review consists of 4 parties, the producer, the recorder, the review leader, and the reviewers.

The producer is the entity that develops the code this could be a single developer and development team or an outside company. They are responsible for providing a frozen copy of the code and a set of requirements and expectations. It is important that the code does not change during the technical review process.

The recorder is responsible for taking notes and documenting what takes place during the review.

The review leader is responsible for scheduling the review, suppling what is necessary for the review, as well as producing the final report and sharing the findings.

The code reviewers as well as the leader and the reported are responsible for looking through the code before the meeting and documenting all errors of other issues found in the code.

During the review each member shares what they found and compares it to the others. As a group the determine if what is found is actually an issue that needs to be fixed. The team does not make suggestions to how the issues can be resolved.

The review leader then takes the information from the review session and generates a final report to be shared with the producer.

From the blog CS@WSU – :(){ :|: &amp; };: by rmurphy12blog and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give
some thoughts on the semester and my experience blogging. I don’t anticipate
this to be very long but here goes. At first I was unsure what to make of
blogging as I had never done it before, but as I got into it I thought that it
is a great idea to get your ideas out there and to have others see what you’re
up to and what the latest testing and development tools and techniques you have
been using. It seems to be great as well for others to possibly give feedback
on what you’ve written or input on experiences they may have had and can give
advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with
something to write every week after checking out 5 blogs on testing and picking
one that seems to be interesting to you ended up feeling more like a chore to
me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what
types of testing styles and techniques folks are using in the industry as I
have never worked in the industry as of yet and it gave me a glimpse into what
I might be working with and getting involved in possible. My main issue was
that I was writing about something that I have had no practical experience in
so it was hard to talk about something I haven’t used. I mean it was fine for a
few blogs, but after writing about testing techniques that other people are
writing about, you begin to realize that there seems to be only so many things
and a lot of the blogs talk about similar things or experiences, just in
different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take
any of it back and I hope that some of you had a good experience as well and it
was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give
some thoughts on the semester and my experience blogging. I don’t anticipate
this to be very long but here goes. At first I was unsure what to make of
blogging as I had never done it before, but as I got into it I thought that it
is a great idea to get your ideas out there and to have others see what you’re
up to and what the latest testing and development tools and techniques you have
been using. It seems to be great as well for others to possibly give feedback
on what you’ve written or input on experiences they may have had and can give
advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with
something to write every week after checking out 5 blogs on testing and picking
one that seems to be interesting to you ended up feeling more like a chore to
me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what
types of testing styles and techniques folks are using in the industry as I
have never worked in the industry as of yet and it gave me a glimpse into what
I might be working with and getting involved in possible. My main issue was
that I was writing about something that I have had no practical experience in
so it was hard to talk about something I haven’t used. I mean it was fine for a
few blogs, but after writing about testing techniques that other people are
writing about, you begin to realize that there seems to be only so many things
and a lot of the blogs talk about similar things or experiences, just in
different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take
any of it back and I hope that some of you had a good experience as well and it
was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give
some thoughts on the semester and my experience blogging. I don’t anticipate
this to be very long but here goes. At first I was unsure what to make of
blogging as I had never done it before, but as I got into it I thought that it
is a great idea to get your ideas out there and to have others see what you’re
up to and what the latest testing and development tools and techniques you have
been using. It seems to be great as well for others to possibly give feedback
on what you’ve written or input on experiences they may have had and can give
advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with
something to write every week after checking out 5 blogs on testing and picking
one that seems to be interesting to you ended up feeling more like a chore to
me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what
types of testing styles and techniques folks are using in the industry as I
have never worked in the industry as of yet and it gave me a glimpse into what
I might be working with and getting involved in possible. My main issue was
that I was writing about something that I have had no practical experience in
so it was hard to talk about something I haven’t used. I mean it was fine for a
few blogs, but after writing about testing techniques that other people are
writing about, you begin to realize that there seems to be only so many things
and a lot of the blogs talk about similar things or experiences, just in
different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take
any of it back and I hope that some of you had a good experience as well and it
was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give
some thoughts on the semester and my experience blogging. I don’t anticipate
this to be very long but here goes. At first I was unsure what to make of
blogging as I had never done it before, but as I got into it I thought that it
is a great idea to get your ideas out there and to have others see what you’re
up to and what the latest testing and development tools and techniques you have
been using. It seems to be great as well for others to possibly give feedback
on what you’ve written or input on experiences they may have had and can give
advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with
something to write every week after checking out 5 blogs on testing and picking
one that seems to be interesting to you ended up feeling more like a chore to
me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what
types of testing styles and techniques folks are using in the industry as I
have never worked in the industry as of yet and it gave me a glimpse into what
I might be working with and getting involved in possible. My main issue was
that I was writing about something that I have had no practical experience in
so it was hard to talk about something I haven’t used. I mean it was fine for a
few blogs, but after writing about testing techniques that other people are
writing about, you begin to realize that there seems to be only so many things
and a lot of the blogs talk about similar things or experiences, just in
different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take
any of it back and I hope that some of you had a good experience as well and it
was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give
some thoughts on the semester and my experience blogging. I don’t anticipate
this to be very long but here goes. At first I was unsure what to make of
blogging as I had never done it before, but as I got into it I thought that it
is a great idea to get your ideas out there and to have others see what you’re
up to and what the latest testing and development tools and techniques you have
been using. It seems to be great as well for others to possibly give feedback
on what you’ve written or input on experiences they may have had and can give
advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with
something to write every week after checking out 5 blogs on testing and picking
one that seems to be interesting to you ended up feeling more like a chore to
me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what
types of testing styles and techniques folks are using in the industry as I
have never worked in the industry as of yet and it gave me a glimpse into what
I might be working with and getting involved in possible. My main issue was
that I was writing about something that I have had no practical experience in
so it was hard to talk about something I haven’t used. I mean it was fine for a
few blogs, but after writing about testing techniques that other people are
writing about, you begin to realize that there seems to be only so many things
and a lot of the blogs talk about similar things or experiences, just in
different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take
any of it back and I hope that some of you had a good experience as well and it
was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

On the semester

Well for my last blog of the semester I figured I would give some thoughts on the semester and my experience blogging. I don’t anticipate this to be very long but here goes. At first I was unsure what to make of blogging as I had never done it before, but as I got into it I thought that it is a great idea to get your ideas out there and to have others see what you’re up to and what the latest testing and development tools and techniques you have been using. It seems to be great as well for others to possibly give feedback on what you’ve written or input on experiences they may have had and can give advice on how to improve on what you have been doing.
That being said, as far as having to try and come up with something to write every week after checking out 5 blogs on testing and picking one that seems to be interesting to you ended up feeling more like a chore to me. I am not saying I didn’t learn anything or that I didn’t enjoy seeing what types of testing styles and techniques folks are using in the industry as I have never worked in the industry as of yet and it gave me a glimpse into what I might be working with and getting involved in possible. My main issue was that I was writing about something that I have had no practical experience in so it was hard to talk about something I haven’t used. I mean it was fine for a few blogs, but after writing about testing techniques that other people are writing about, you begin to realize that there seems to be only so many things and a lot of the blogs talk about similar things or experiences, just in different companies or settings. The name changed but the test stayed similar.

Overall it was a great learning experience and I would take any of it back and I hope that some of you had a good experience as well and it was a pleasure to spend the semester with all of you.

From the blog format c: /s by c-braley and used with permission of the author. All other rights reserved by the author.

Mutation Testing (Week 12)

Mutation Testing is a fault based testing technique that variants of a program are changed to determine the effectiveness of the test to identify problems. Some ways this can be done are by changing operators, for instance if you have a function that says “gpa<4.0” a mutation test would be if you changed it to “gpa>4.0” to see if the test case caught the fault. You could do statement removal, where you completely remove a statement to see if the test cases catch the defect, or you can insert the wrong syntax. All of these examples are valid forms of mutation testing.

 

Article i used: http://www.softwaretestinghelp.com/what-is-mutation-testing/

From the blog CS@Worcester – Site Title by jonathanpaizblog and used with permission of the author. All other rights reserved by the author.