Posted by admin on Feb 24, 2009 in
Today's News

Directory Browsing
Background Story
Sir Alan Stanford who is believed to be involved in one of the biggest banking frauds has been found by FBI Agents in America.
It was originally thought that he was hiding out in the Caribbean.
The fraud has global implications, not only for the main Stanford Bank but also for all of his other corporations and for those who have invested in him. There has been a "run" on the bank in the past couple of days as investors have sought to get at their cash.
BBC News Link
Site = SIB DIRECT
Defect Found = Open Directory Browsing
Time Taken to find from arriving at homepage = about 10 minutes.
As always Site Admins notified.
Now as this is an online bank I decided to hold the post back a few days. It's now 00:40am on 20th Feb 2009 and I'll keep the post on hold for 5 days for them to fix the issue.
It should just be a quick 5 minute fix, but as we all know even a 5 minute code fix can still take a day or two to test. For me it's the deploys to the Test, Staging and then Production environments, and not the actual testing of the code, that take the time in issues like this.
***************EDIT***************
Even after the 5 days, which is the length of time the post was delayed for, the issue is not resolved. I've also not heard back from anyone at Stanford.
***************EDIT N02 - 25th Feb 2008 ***************
The Receivers have been called in and the links are no longer working, which is a good thing for the security of the users but a bad thing, as they have most likely lost their deposits.
Posted by admin on Feb 17, 2009 in
Interviews

Test This
I spoke with one of my previous employees last week who had attended an interview.
The manager of the company in question put a pencil on the table and said "Test That". Stewart played along and said "Where is the spec? What is it? What is its function?"
Now Stewart is no dummy; he knew it was a trick question and in fact when he told me of the interview we both laughed for about 5-10 minutes, saying we need to get some pencils made up with the words "Test That" along the side of them for conferences etc. Needless to say he did not accept the job offer and he classed it as a bad interview. Managers must know that such a basic, 1970s-type question is not going to catch anyone out. In fact it's only going to make you and your company look dated. We've all heard that question many, many times before and it doesn't get any funnier or more interesting.
My point is that a job interview is a two-way process. Yes, I'm looking for the right candidate, someone who I think will be an asset not only to my testing team but also to the company as a whole. A person who will come on board and willingly share the experience gained in other workplaces, and one who will also be willing to learn a thing or two from the staff members who are already on the team. (Personal development is a great thing.)
I also know, however, that it's not only me wanting them that counts; it's also them wanting us. This brings me full circle to the post title "We Know What Good Looks Like". Those were the words used by a previous manager of mine in an interview with me. This statement made me think that things there were not perfect, however they wanted to change, and that if I worked hard I could help them effect this change.
I was enthused and accepted the job offer. If that same manager had put a pencil in front of me and said "Test That" I would have just gone through the motions of "What's its purpose? Is there a spec for the pencil?", playing along with the game. Let's excite people when they walk through our door and not play games.
Tags: Interviews, Testing
Posted by admin on Feb 13, 2009 in
Today's News

Nasty Man
Not a nice guy.
(Even so I’ve still notified the Site Admin in question)
Background story.
He’s a right-wing Dutch MP who has made a very one sided mockumentary about Muslims and how he thinks that the Qur’an only preaches death and killing. I’m not religious at all, however I do know that virtually any person can take the text from any religious doctrine and use that text to prove any point they may wish to make.
He was invited to the UK by some other right-wing MPs (the UKIP party) and was thankfully turned down by our government on the grounds that they deemed him to be a person who spreads race hate.
This led to a welcome debate on the validity of freedom of speech.
BBC News Link
Site = http://www.geertwilders.nl
Defect Found = Open Log and Stats File
Time Taken to find from arriving at homepage = about 32 minutes.
This was a hard one due to his site using off-the-shelf secure software (Mambo I think) and also using Google for all searching, which meant I knew XSS was a no-go from the start. I then looked for subdomains and although I found many, all were 401s. I tried a few other things and then, just when I thought that this site would beat me, I gave a quick check of common directories and came up with "TMP". I then looked for common file names and came up with "log.txt", and hence the site error.
Remember that the reason for the “Today’s News” section is to attempt to prove that virtually all sites out there have some error in them of some kind that affects either the websites security, usability or maybe a business logic flaw.
Some people may think that this is low-hanging-fruit type stuff and they may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO blackhats alike.
Posted by admin on Feb 12, 2009 in
code,
productivity,
Testing,
tools

Code
In this post I want to give people a nice heads up to some of the tools I use in my daily role.
These are bookmarklets, which is just another word for bookmarks that contain JavaScript.
I use these with Firefox, although IE and Opera should also be fine for them. In Firefox just add them to the bookmark toolbar and you'll have them at your fingertips.
Zap Cookies! This will clear out any stored cookies for the current page/site
Edit Cookies! This will allow you to edit any stored cookies for the current page/site
View Cookies! This does exactly what it states; it allows you to view any stored cookies for the current page/site
Edit Page
Allows you to edit any page you use this on. All changes are temporary of course and only visible to you. (Will you ever trust a web page screenshot again?) Not yet sure how this fits into the testing arena, however I thought I would include it as someone may make decent use of it.
Find Redirects! This should list any redirects for the current page; however it's currently a tiny bit hit and miss and does not work 100% of the time. It should suffice for now and I'll most likely have to rewrite it at some point in the near future.
remove redirects Let's see what happens if we now remove those redirects we just found using the above bookmarklet.
Wikipedia lookup This allows you to select any text on a page and once clicked it will lookup that text on Wikipedia
Yahoo site search This allows you to select any text on a page and once clicked it will search on Yahoo for more links from that domain with the same text.
Alexa This will carry out a search at Alexa for the domain you were on when you clicked this bookmarklet.
MSN IP Search Firstly I should thank Robert Hansen (RSnake) for this one. Once clicked it will carry out an IP search which can help you detect a wider network for your testing.
numbered list One of my favourites this one. It allows you to make a nice numbered list of all parameters on the page which contain numbers.
show hiddens This and Zap Cookies are my most used bookmarklets. This one will display all hidden fields on a web page and also allow you to edit them.
remove maxlength This will remove all the maxlengths from all input fields (think buffer overflows and code boundary issues)
undisable Who says you can't click that button? This bookmarklet will enable any disabled objects on the page.
up This will take you up one directory level in the site structure
top This will take you to the top of the domain.
decrement If your URL ends in a number it will reduce it by one every click
increment As above but the opposite
check images This will check the current page for broken images.
view variables This will list all variable types found on the page. This is more for developers than testers, however it's still a useful one to have.
view scripts Like the above, however it will list all scripts that can be called on the current page.
zap images This should clear all of the images from the page. Works about 98% of the time. This script may need a little tweaking if I ever get the time.
full urls as link text Very useful if you want to see where a link is pointing to.
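The "up", "top", "increment" and "decrement" bookmarklets above are all small URL rewrites, so here is an added example (my own illustration, not Martin's bookmarklet code) of the same four operations as plain functions that can be checked outside a browser. It generalises "increment/decrement" slightly: it steps the last run of digits anywhere in the URL (so ?id=41 works too), keeps zero-padding, and never goes below 0; the example URLs are constructed.

```javascript
// Added example: URL helpers mirroring the "top", "up", "increment" and
// "decrement" bookmarklets. Pure functions, so they run in Node as well as a
// browser. To use one as a bookmarklet, wrap it like:
//   javascript:location.href=upOneLevel(location.href)

// "top": the root of the current domain (query and fragment dropped).
function topOfDomain(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}/`;
}

// "up": one directory level up from the current page.
//   /a/b/c.html -> /a/     (the file is dropped, then its directory)
//   /a/b/       -> /a/
//   /           -> /       (already at the root: stays there)
function upOneLevel(href) {
  const u = new URL(href);
  const parts = u.pathname.split("/").filter(Boolean);
  if (!u.pathname.endsWith("/")) parts.pop(); // remove the file name
  parts.pop();                                // leave the current directory
  u.pathname = parts.length ? "/" + parts.join("/") + "/" : "/";
  u.search = "";
  u.hash = "";
  return u.href;
}

// Step the LAST run of digits in the URL by `delta`. Zero-padding is kept
// ("007" -> "008"), the value is clamped at 0, and null is returned when the
// URL contains no number at all.
function stepNumber(href, delta) {
  const m = /(\d+)(?!.*\d)/.exec(href); // digit run with no digits after it
  if (!m) return null;
  const digits = m[1];
  const next = Math.max(0, parseInt(digits, 10) + delta);
  const padded = String(next).padStart(digits.length, "0");
  return href.slice(0, m.index) + padded + href.slice(m.index + digits.length);
}

const increment = (href) => stepNumber(href, +1);
const decrement = (href) => stepNumber(href, -1);
```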
Enjoy
Martin H
Tags: code, productivity, Testing, tools
Posted by admin on Feb 11, 2009 in
Testing,
Today's News,
WebAppSec,
XSS
I've decided to do a new piece called Today's News.
What I'll do is take a quick look at the television news stations to work out what the top news story is, and then I'll give the website of the company or organisation in question a quick test. I'll also state how long it took me to find the issue.
The site will be notified of course and I'll update the blog post with any updates and responses from the site admin.
This will most likely be based on a Web Application Security (WebAppSec) test. I'll leave out all of the 404s and orphaned links etc.
Today’s major story was that the head of the FSA and a close advisor to Gordon Brown resigned.

FSA
http://news.bbc.co.uk/1/hi/business/7883409.stm
Site = http://www.fsa.gov.uk/
Defect Found = XSS
Time Taken to find from arriving at homepage = 3 minutes and 12 seconds.
Now some people may think that this is low-hanging-fruit type stuff and you may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO blackhats alike.
Tags: Testing, Today's News, WebAppSec, XSS
Posted by admin on Feb 5, 2009 in
productivity
Here are a couple of tools to help you become more productive while at work.
These are great especially if you are having a conference call with other team members and want to show them an idea visually.
http://www.dabbleboard.com/draw
Neither of the above requires a login to use or share.
Tags: productivity, white boards