Posted by admin on Mar 1, 2010 in
Uncategorized
The title of this blog post is a bit strange; it's a play on “Lions and Tigers and Bears, oh my”.
Anyway, back on track. I really like strange encodings for HTML and the way in which some characters (chars) get interpreted by a web app as something else.
It makes my job as a tester much more interesting. Once you know what you are doing and have a grasp of the basics, you will find that you can detect defects where other testers would have passed an application as ready for production.
This issue is undocumented elsewhere on the net as far as I can see, and it can easily bring down a large majority of websites, major ones included. By bring down I mean a DoS of the home page: the content simply fails to display.
Feel free to investigate further if you wish. However, please only test it on sites which you have permission to run tests against.
Anyway, on to the details.
The issue is caused by characters that are not permitted in an XML document. An XML parser does not skip an illegal character; it rejects the whole stream, so the page errors and displays blank to every user. (Now imagine a site that allows users to input comments which are then displayed on the front page.)
The character in question is and for this defect to take place a few things are needed. As the title states, the site must have a MySQL back-end (millions of those about). It must also be coded in .Net (C# tested, but it may also affect VB.Net and other .Net languages), it must save data from a web form or textbox into the DB using CoreLab data connectors, and it must then display that data on the web page via XML.
Now usually you won't be able to type into the web app directly, but don't worry, as you enter it as valid text (more on that coming up).
To see an example of this happening, open Notepad, Microsoft Word, and the HTML Encoder page on my site. In Notepad type “I’ve visited the Test Managers Page” and do the same in Microsoft Word.
Now paste both into the decoder and see the difference.
Notepad will give you %27, whereas Microsoft Word will have changed your apostrophe to a curly apostrophe, %_u2019 (the underscore needs to be removed, but I can’t stop WordPress from encoding it without it). I, and most likely you, may know of this as a simple %19 = .
Now CoreLab, .Net, XML and MySQL can all handle curly apostrophes. However, if you press return after the curly apostrophe and type some text on the next line, CoreLab adds in a “\r\n” carriage return. It seems that in the default installation CoreLab doesn’t encode characters as UTF-8 but as something else, so in the DB you end up with the encoded which XML cannot cope with, because it is not a legal XML character. When that text is rendered back through XML, the XML stream fails and the page does not display.
Posted by admin on Feb 26, 2010 in
SQL Injection,
WebAppSec
Posted by admin on Jan 29, 2010 in
tips
The company I work for has recently introduced Websense to filter out certain sites which they believe to be non-conducive to a working environment. This is not such a bad thing, as it blocks certain sites which are deemed to hold malware and other things.
However, Websense goes further than a malware filter: it also blocks social networking sites and many blogs, and that I disagree with. Twitter is not a bad site, and I wanted to check a tweet from a user who had posted something interesting regarding testing and website security.
But because we have Websense it was blocked, and all I got was the message:
This Websense category is filtered: Social Networking and Personal Sites.
URL:
http://twitter.com/
The other thing I think is bad about the use of Websense is that users will attempt to bypass it. It's in their nature, especially if you have a team of web testers.
So if you don't want a bunch of proxies and SSH tunnels installed on your network, it's better to leave it to users to be responsible enough to decide which sites are worth visiting in work time.
So now on to the quick and dirty hack to get your twitter feeds on a network that is using Websense.
You can either load up http://www.twittergadget.com/ which is an iGoogle plugin. It allows tweeting and reading of other tweets from your personalised Google homepage.
TIP: I advise that you turn off the thumbnails in TwitterGadget, or your browser will still attempt to make calls which will be logged by Websense. Once thumbnails are turned off, Websense never logs any Twitter traffic, so you can still send and receive feeds without Websense being any the wiser.
or you can use the below link which allows reading only
Bypass Websense for all Tweets which have the Term Test
You could just as easily insert the names of the people whose tweets you follow and that will work too.
Hope you found it useful
****UpDate – 28th Jan-2010****
Google is running a trial of Twitter feeds in the main results page on normal searches.
It's only on certain “Hot Topics”.
The link below is for the new iPad from Apple.
Google Apple Ipad results with Twitter Feed
see the screenshot.
Screenshot
Posted by admin on Jan 8, 2010 in
Uncategorized
This is a really quick post.
Today I was looking to see if I could find a star “*” in Excel, and every time I pressed search Excel treated it as a wildcard and highlighted every cell in turn, one by one.
To find the star I had to use the Excel escape character, the tilde “~”.
so in the end in the search box I typed ~* and it found the star just fine.
Like I said just a quick tip in case its useful to anyone else.
Tags: tips
Posted by admin on Jan 1, 2010 in
Today's News

Google's New Year
Well, it's now 2010 and the countdown clock on Google’s I’m Feeling Lucky page is displaying fireworks.
Happy New Year Every One.
The URL for I’m feeling lucky is
http://www.google.co.uk/search?&btnI=3564&q=
Just type anything you want at the end of the query (q) parameter to be taken there by Google.
So how could this be used?
Well, how about a simple Rick Roll:
http://www.google.co.uk/search?&btnI=3564&q=Rick Astley Video
Let's change those words, as they look too obvious.
Just a tiny bit of URL encoding and we’re done:
http://www.google.co.uk/search?&btnI=3564&q=%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f
Yep, looks like a normal Google link to me. How many people would know that the above URL would get them Rick Rolled?
Now how about I go out and buy myself a nice IDN domain which looks exactly like Google.com, but no matter what you type in I return nothing but pay-per-click ads (remember, the site would look exactly like Google.com).
I’m sure you now get the idea: just because someone posts a Google link, and it could even be a real Google link like the one I used above, it doesn’t mean you are not going to be sent to a virus site or a site you did not intend to visit.
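The two tricks above, needless percent-encoding of a plain ASCII query and a look-alike IDN domain, can both be caught by decoding a link before following it. The following is an added example (not code from the original post, and not anything Google provides): it percent-decodes the query string, counts escapes that hide characters which never needed encoding, flags Google's `btnI` (I'm Feeling Lucky) parameter because it redirects to whatever the top result is, and flags hostnames that are non-ASCII or already in `xn--` form. The Cyrillic look-alike host in the usage section is constructed for illustration.

```python
"""Inspect a link before trusting where it goes.

Added example, not from the original post.  The thresholds and the
constructed look-alike host below are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# RFC 3986 "unreserved" characters: a %XX escape for one of these is never
# needed, so a run of them in a query is a strong sign of deliberate obfuscation.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def needlessly_encoded(raw):
    """Count %XX escapes in `raw` whose decoded byte is an unreserved ASCII char."""
    return sum(1 for h in _PCT.findall(raw) if chr(int(h, 16)) in UNRESERVED)


def inspect_link(url):
    """Return the decoded pieces of `url` plus a list of human-readable findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []

    n = needlessly_encoded(parts.query)
    if n:
        findings.append(
            f"{n} plain ASCII characters are percent-encoded in the query (obfuscation)"
        )

    # Google's I'm Feeling Lucky button: the user lands on the top result
    # for q, not on a results page, so the visible link says nothing about
    # the final destination.
    if "btnI" in params:
        findings.append(
            f"btnI present: redirects to the top result for {params.get('q', '')!r}"
            " (I'm Feeling Lucky)"
        )

    # Internationalised hosts: either raw non-ASCII or the xn-- punycode form.
    if host and (not host.isascii()
                 or any(label.startswith("xn--") for label in host.split("."))):
        try:
            ascii_form = host.encode("idna").decode("ascii")
        except UnicodeError:
            ascii_form = host
        findings.append(
            f"internationalised host {host!r} (ASCII form {ascii_form!r}):"
            " compare against the domain you expected"
        )

    return {
        "host": host,
        "decoded_query": unquote(parts.query),
        "params": params,
        "findings": findings,
    }


if __name__ == "__main__":
    rick = ("http://www.google.co.uk/search?&btnI=3564&q="
            "%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f")
    for finding in inspect_link(rick)["findings"]:
        print(finding)
    # Constructed look-alike: Latin "g" + Cyrillic "о" (U+043E) + "gle.com".
    for finding in inspect_link("http://g\u043e\u043egle.com/")["findings"]:
        print(finding)
```

The encoded Rick Astley link decodes to fifteen needlessly escaped letters plus the `btnI` redirect, while a normal `?q=Rick+Astley+Video` search produces no findings at all.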
Be safe, and once again Happy New Year.

Google Fireworks
Posted by admin on Dec 14, 2009 in
Today's News

New Google Easter Egg - Feeling Lucky
Well, it seems that Google has placed a new Easter egg on its main site for UK searches.
If you click on the I’m Feeling Lucky Button you will be taken to a count down clock.
There was a lot of speculation about what the countdown timer meant.
But it seems quite obvious that it is the New Year Count Down Clock. (Nice Touch).
In the past they have had other strange Easter eggs (Aliens /Crop Circles, Infinite Loops and the famous Konami Code)
All good fun and its nice to break up the monotony of carrying out tons of searches.
If you’ve found any interesting Easter eggs in any of the major search engines, then feel free to post them below in the comments.
Posted by admin on Jul 14, 2009 in
productivity,
tools

To Do lists
I’ve been using TADA lists for about 3 months now and I love them. They just do exactly what you would expect.
You set up a list and you can move the priorities around depending on how your plans throughout the day change.
I have lists created for
In Test
In Staging
In Planning (soon to be handed to test)
Handed Back to Development for defect correction.
Let me make clear that this is not meant to replace any defect management system you may have in place. It's far too basic for that.
However, if like me your daily priorities are constantly changing and you need to make other team members aware of what is being worked on in which environments, then I have found this to be a quick and easy fix.
It can of course be used for many other things, like shopping lists. I've taken my mobile phone shopping before, and when my wife gets home she jumps on the PC and just updates my TADA list with any items she needs that I may have missed off.
I then get an email on my mobile phone and bingo, I now have an updated list to walk around the shop with. Yes, she could ring me, but I'd have to write it down. I just find this easier.
Maybe on that note I should in future make a post about the perils of using technology just because it's there.
Anyway enough of the digressing I hope you find the tool as useful as I and the people I work with have.
Martin H
Posted by admin on Jul 7, 2009 in
Testing,
Uncategorized

Playing with Search engines.
As most of you know, I spend virtually all of my working day testing search engines. I thought that today I would take a quick look at one of the new big kids on the block, Bing, the new search engine from Microsoft.
As I’m a Test Manager I won’t be comparing basic searches, but I’ll be looking for weird results and also for possible defects.
One of the great things about Bing is that it is very similar to Google in that they share the same search URL structure. So if I type into Bing that I want to look for The Test Manager, the URL will look something like http://www.bing.com/search?q=The+Test+Manager.com&go=&form=QBRE&filt=all&qs=n . Now if I want the exact same search in Google, all I need to do is change the domain name from bing.com to google.com and keep the rest of the URL, so the query now reads http://www.google.com/search?q=The+Test+Manager.com&go=&form=QBRE&filt=all&qs=n . (Google simply ignores the Bing-specific parameters.)
So lets start looking for interesting data. Read more…
Posted by admin on Jun 28, 2009 in
Testing
The one thing a tester has to be able to do is correctly evaluate risk, whether that is choosing the priority or severity of a defect or, as a Test Manager, deciding which defects are going to be added to or removed from a deployment during triage.
The reason for the picture on the left is that pigs kill more people each year than sharks do. It's an interesting fact that is not very widely known.
So it’s strange that more people fear sharks. It's this fear that messes with our ability to correctly evaluate risk.
I had a conversation about the shark/pig statistics above with a work colleague, and their reply was that they “had never heard of a pig killing on the news, yet they had heard of shark kills on the news”.
This sort of proved my point. News is exactly that: a rare event that happens. We don’t hear that over 60 million people in the UK go about their daily lives each day without any major events happening; however, when a stabbing or a shooting happens it makes the news because it is a very rare event. We also on average spend more of our lives in waters where sharks frequent than we do on farms.
People should realise that if something happens that makes the news then usually, they don’t need to worry about it. By definition, ‘news’ means that it hardly ever happens. If a risk is in the news, then it’s probably not worth worrying about. When something is no longer reported—automobile deaths, domestic violence—when it’s so common that it’s not news, then you should start worrying.
Posted by admin on Jun 26, 2009 in
Testing,
code

Let's Break Some Code
The title is a little misleading, as the one thing I think testers do not do is break developers' code.
Instead we should be working with them to help find as many potential issues as possible before our customers do.
(think of it as a department that carries out a specialised peer review)
However as a tester you need to have a few tricks up your sleeve which enable you to quickly punish an application.
The following strings will usually cause most web-enabled applications to perform strange functions or just plain fall over in a heap.
Each separate line is a separate test.
I have created a bespoke parameter fuzzer which I load my list into, and 99% of the time I get a fail in a web application.
You can also use my URL Encoder / Decoder to look a little deeper into the character sets being used.
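The author's own fuzzer and string list are not reproduced on this page, so the following is an added example, not the author's tool: it shows the shape of a one-test-per-line parameter fuzzer, building one request per (parameter, payload) pair from a seed URL, either percent-encoded or sent raw so the server sees the odd characters exactly as typed, and classifying a response as a fail when it is a server error or comes back empty (the blank-page failure from the CoreLab post above). `SAMPLE_PAYLOADS`, the `example.test` seed URL and the failure rule are constructed assumptions for illustration.

```python
"""Generate parameter fuzz cases from a seed URL and classify responses.

Added example, not the author's fuzzer.  SAMPLE_PAYLOADS is a constructed
list and is not the list behind the post's "Read more" link; example.test is
a reserved, non-routable name used only to build URLs offline.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: each entry is one test, exactly as a line of a list file.
SAMPLE_PAYLOADS = [
    "'",                 # plain apostrophe
    "\u2019",            # curly apostrophe, as Word produces
    "\u2019\r\nnext",    # curly apostrophe followed by a new line
    "\x00",              # NUL
    "A" * 4096,          # long input
]


def load_payloads(text):
    """One test per line; blank lines are skipped, other whitespace is kept."""
    return [line for line in text.splitlines() if line != ""]


def build_fuzz_cases(seed_url, payloads, encode=True):
    """Return (param, payload, url) triples.

    Each case replaces exactly one parameter value so a failure can be
    attributed to one input.  With encode=False the payload is spliced in
    verbatim, which is how you find out what the server does with characters
    the browser would otherwise have escaped for it."""
    parts = urlsplit(seed_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    cases = []
    for idx, (name, _) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[idx] = (name, payload)
            if encode:
                query = urlencode(mutated)
            else:
                query = "&".join(f"{n}={v}" for n, v in mutated)
            cases.append((name, payload, urlunsplit(parts._replace(query=query))))
    return cases


def looks_like_failure(status, body):
    """Classify a response: a 5xx, or a 200 whose page came back empty."""
    return status >= 500 or not body.strip()


if __name__ == "__main__":
    seed = "http://example.test/search?q=test&page=1"   # constructed
    for name, payload, url in build_fuzz_cases(seed, SAMPLE_PAYLOADS):
        print(f"{name}: {payload[:12]!r:16} {url[:70]}")
    # Raw mode shows the curly apostrophe as the server would receive it unescaped.
    print(build_fuzz_cases(seed, ["\u2019"], encode=False)[0][2])
```

Sending the cases is deliberately left out; the point is that every fuzz URL carries exactly one mutation, so when `looks_like_failure` fires you already know which parameter and which string caused it.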
Read more…