A BlackHat Puppet Master who wants nothing from his puppets.

Posted by admin on Sep 13, 2010 in Uncategorized
The Black Hat Puppet Master


Protected: XSS Issue in every Ebay Listing

Posted by admin on Sep 6, 2010 in Uncategorized



Corelab – MYSql and XML = “oh my” via strange HTML encodes (Unicode)

Posted by admin on Mar 1, 2010 in Uncategorized

How to Break XML & .Net Apps

The title of this blog post is a bit strange and it’s a play on “Lions – Tigers and Bears oh my”.

Anyway, back on track: I really like strange encodings for HTML and the way in which some characters (chars) will get interpreted by a web-app as something else.

It makes my job as a tester much more interesting. Once you know what you are doing and you have a grasp of the basics, you will find that you can detect defects where other testers would have passed an application as ready for production.

This issue is undocumented elsewhere on the net as far as I can see and it can easily bring down a large majority of websites (major ones). By bring down I mean a DoS on the home page due to non-display of content.

Feel free to investigate further into it if you wish. However, please only test it on sites which you have permission to run tests against.

Anyway, onto the details.

The issue is caused by characters that cannot be displayed in XML. As XML is unable to render the characters it will just error and display a blank screen to all users. (So now imagine if a site allowed users to input comments which were displayed on the front page.)

The character in question is  and for this defect to take place a few things are needed. As the title states, the site must have a MySQL back-end (millions of those about). It must also be coded in .Net (C# tested but may also affect VB.Net and other .Net languages) and lastly it must save data from a webform or textbox into the DB using CoreLab data connectors, and then display the data to the webpage via XML.

Now usually you won’t be able to enter  into the webapp but don’t worry as you enter it as valid text. (more on that coming up)

To see an example of this happening, open NotePad + Microsoft Word, and the HTML Encoder page on my site. Now in Notepad type in “I’ve visited the test Managers Page” and do the same in Microsoft Word.

Now paste them into the decoder and see the difference.

Notepad will give you %27 and Microsoft Word will have changed your apostrophe to a curly apostrophe %_u2019 (the underscore needs to be removed but I can’t stop WordPress from encoding without it). I and most likely you may know of this as a simple %19 = .

Now Corelab, .Net, XML and MySql can all handle curly apostrophes; however, if you add a carriage return and some text on the next line after the curly apostrophe then CoreLab will add in an “r/n – carriage return”. It seems that in the default installation of Corelab it doesn’t encode chars as UTF8 but as something else. In the DB you then get the encoded  which XML cannot cope with as it’s an invalid HTML char. So when that text, which now has an invalid HTML char, is rendered back in XML, the XML stream fails and the page will fail to display.
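The failure described in this post and a check that prevents it, as an added example (not code from the original post or from CoreLab). It assumes the mangled character is the control character U+0019, i.e. the post's "%19" left over from the curly apostrophe U+2019, and uses Python's standard XML parser in place of the .Net XML stack; the sample strings are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production: the only code points a well-formed document may hold.
# Everything outside it (most C0 controls, surrogates, U+FFFE/U+FFFF) is illegal,
# and escaping &, < and > does nothing about it.
_NOT_XML10_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def find_invalid_xml_chars(text):
    """Return (offset, code point) for every character XML 1.0 forbids."""
    return [(m.start(), "U+%04X" % ord(m.group()))
            for m in _NOT_XML10_CHAR.finditer(text)]

def sanitize_for_xml(text, replacement="\uFFFD"):
    """Swap forbidden characters for U+FFFD before the text is serialised."""
    return _NOT_XML10_CHAR.sub(replacement, text)

def render_comment(text):
    """Build the fragment as a page that only escapes markup would (hypothetical)."""
    return "<comment>%s</comment>" % escape(text)

def is_well_formed(xml_text):
    """True if a conforming XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

# Constructed samples: the text as typed in Word, and the same text as it is
# assumed to come back from the database with U+2019 reduced to U+0019.
AS_TYPED = "I\u2019ve visited the test Managers Page\r\nsecond line"
AS_STORED = "I\u0019ve visited the test Managers Page\r\nsecond line"

if __name__ == "__main__":
    for label, value in (("typed", AS_TYPED), ("stored", AS_STORED)):
        print(label, "well-formed:", is_well_formed(render_comment(value)),
              "invalid chars:", find_invalid_xml_chars(value))
    fixed = sanitize_for_xml(AS_STORED)
    print("sanitised well-formed:", is_well_formed(render_comment(fixed)))
```

Running the check at the point where database text is written into the XML response, and logging the offsets it reports, keeps one bad row from blanking the page for every visitor.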


Quick Tip – Finding (*) Stars in Excel

Posted by admin on Jan 8, 2010 in Uncategorized

This is a really quick post.

Today I was looking to see if I could find a star “*” in Excel and every time I pressed search Excel treated it as a wildcard and highlighted every cell in turn one by one.

To find the star I had to use the Excel escape character of tilde “~”.

So in the end, in the search box I typed ~* and it found the star just fine.

Like I said, just a quick tip in case it’s useful to anyone else.



Playing with Search Engines Part 1 = Bing

Posted by admin on Jul 7, 2009 in Testing, Uncategorized
Playing with Search engines.


As most of you know I spend virtually all of my working day testing search engines. I thought that today I would take a small look at one of the new big kids on the block, Bing, which is the new search engine from Microsoft.

As I’m a Test Manager I won’t be comparing basic searches but I’ll be looking for weird results and also looking for possible defects.

One of the great things about Bing is that it’s very similar to Google in that they share the same search structure, so if I type into Bing that I want to look for The Test Manager the URL will look a little something like http://www.bing.com/search?q=The+Test+Manager.com&go=&form=QBRE&filt=all&qs=n . Now if I want the exact same search in Google all I need to do is to change the domain name from bing.com to google.com, keeping the rest of the URL, so the query now reads http://www.google.com/search?q=The+Test+Manager.com&go=&form=QBRE&filt=all&qs=n .

So let’s start looking for interesting data.


All your BotNets are belong to US(of A)

Posted by admin on Apr 19, 2009 in Uncategorized

And that’s the US Govt.

Generalising, most people would state that virtually all botnets are bad. By this I mean that usually they are not used by their owners to attempt to look for a cure for cancer etc.

They are however used to launch mass denial of service attacks against .com websites and large corporate networks, even Governments.

They are not the kind of thing I would like shady Gov’t agencies to be involved in.

However, it seems that Darpa/Arda are looking to create a tool to remotely take over existing botnets and become their new bot master.

Information below.




Hello world!

Posted by admin on Jan 20, 2009 in Uncategorized

10 – print “Hello World”

20 – goto 10

30 -  run

Welcome to the new Test Manager Blog.

The above Hello World code was the first program I ever wrote back in the early 80s on a ZX Spectrum 81. It was just hello world in a constant loop.

I would have been about 7 or 8 years old at the time.

Copyright © 2012 The Test Manager Blog. All rights reserved.