
All your BotNets are belong to US(of A)

Posted by admin on Apr 19, 2009 in Uncategorized

And that's the US Govt.

Generalising, most people would say that virtually all botnets are bad. By this I mean that their owners do not usually use them to search for a cure for cancer and the like.

They are, however, used to launch mass denial-of-service attacks against .com websites and large corporate networks, even governments.

They are not the kind of thing I would like shady Gov’t agencies to be involved in.

However, it seems that DARPA/ARDA are looking to create a tool to remotely take over existing botnets and become their new bot master.

Information below.

http://cryptome.info/traceback.htm

https://www.fbo.gov/

British Summertime and Visual Studio Team Test

Posted by admin on Mar 30, 2009 in Testing
[Image: Load Test Clocks Movement]

I was running a Load / Stability test on the weekend and noticed something strange with my results.

I kicked off my test at around 19:15 and after about 29 hours and 45 minutes the web servers stopped responding.

At first I thought it was a network outage or something of the like, so I looked at the packets my machine had sent to the server to check whether it was a request or a response issue. It turned out that my machine had stopped sending packets too. That ruled out a network issue, since that would only stop responses, not requests. While I was scratching my head I remembered that the clocks in the UK had moved forward an hour on Saturday night/Sunday morning.

That was my answer: British Summer Time messing with my test results.

So clocks moving forward are one thing: you miss an hour, so it looks as if there are no results on your test for that period (the non-existent hour when the clocks move).

Thinking about it, I wondered what would happen in winter when the clocks move backward. Would the load test record the page requests twice for the same period, so that I get two sets of results for hour 29-30 in my load test?

Just a minor anomaly I noticed.
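To make both cases concrete, here is an added example that is not part of the original post or its load-test tool. It simulates a 30-hour run of one request every 10 minutes starting at 19:15 on the Saturday, and counts the requests per hour first on the UK wall clock and then on UTC. The BST start and end instants are coded by hand (01:00 UTC on the last Sunday of March until 01:00 UTC on the last Sunday of October) rather than read from a timezone database; that rule is an assumption stated in the code. The autumn run over 24-25 October 2009 is constructed to answer the question asked above.

```javascript
// Added example (not from the original post): how a UK clock change shows up
// in a load-test report that is bucketed by local wall-clock hour.
// The run is simulated as one request every 10 minutes. The BST rule is coded
// by hand (assumption: 01:00 UTC on the last Sunday of March until 01:00 UTC
// on the last Sunday of October), so no timezone database is needed.

function lastSundayUtc(year, month) {
  // month is 1-based. Date.UTC(year, month, 0) is day 0 of the *next* month,
  // i.e. the last day of `month`; step back until we reach a Sunday.
  const d = new Date(Date.UTC(year, month, 0));
  while (d.getUTCDay() !== 0) d.setUTCDate(d.getUTCDate() - 1);
  return d;
}

function ukOffsetHours(utcDate) {
  // Returns 1 while British Summer Time is in force, otherwise 0 (GMT).
  const y = utcDate.getUTCFullYear();
  const start = lastSundayUtc(y, 3);
  start.setUTCHours(1, 0, 0, 0);
  const end = lastSundayUtc(y, 10);
  end.setUTCHours(1, 0, 0, 0);
  return utcDate >= start && utcDate < end ? 1 : 0;
}

function hourKey(utcDate, offsetHours) {
  // Label an instant by the hour it falls in on a clock `offsetHours` ahead of UTC.
  const shifted = new Date(utcDate.getTime() + offsetHours * 3600 * 1000);
  return shifted.toISOString().slice(0, 13).replace("T", " "); // "YYYY-MM-DD HH"
}

function bucketRequests(startUtc, hours, intervalMinutes, clock) {
  // Count simulated requests per hour, keyed either by UTC ("utc") or by the
  // UK wall clock ("local"), which is what a local-time report would show.
  const counts = {};
  const n = Math.floor((hours * 60) / intervalMinutes);
  for (let i = 0; i < n; i++) {
    const t = new Date(startUtc.getTime() + i * intervalMinutes * 60 * 1000);
    const offset = clock === "local" ? ukOffsetHours(t) : 0;
    const key = hourKey(t, offset);
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// The post's run: Saturday 28 March 2009 at 19:15 (still GMT, so 19:15 UTC),
// 30 hours long, spanning the clocks going forward at 01:00 UTC on the Sunday.
const SPRING_START = new Date(Date.UTC(2009, 2, 28, 19, 15));
// A constructed autumn run of the same length over the clocks going back
// (01:00 UTC on 25 October 2009).
const AUTUMN_START = new Date(Date.UTC(2009, 9, 24, 19, 15));

function missingAndDoubledHours() {
  const spring = bucketRequests(SPRING_START, 30, 10, "local");
  const autumn = bucketRequests(AUTUMN_START, 30, 10, "local");
  return {
    springHasLocal01: "2009-03-29 01" in spring,   // false: that wall-clock hour never happens
    autumnLocal01Count: autumn["2009-10-25 01"],  // 12: two UTC hours share one label
    utcBucketsSpring: Object.keys(bucketRequests(SPRING_START, 30, 10, "utc")).length, // 31
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(missingAndDoubledHours());
}
```

Bucketing by local time drops the 01:00 hour in March and doubles the 01:00 hour in October, while the UTC buckets stay flat at six requests per full hour. Recording test timestamps in UTC and converting only for display is the usual way to keep the report honest; the same applies to any log you later need to line up against an incident timeline.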


The Universal Constants of Software Testing

Posted by admin on Mar 13, 2009 in Testing, productivity
[Image: Software is Rarely Good, Cheap and Fast]

This post will be about the topic I like to call the Universal Constants of testing.

What I find really important in my job is to get the business to buy into these constants; once that is achieved, I find that everyone is happier with the end product when it is delivered.

Look at the triangle on the left to get an idea of what I mean by the Universal Constants.

I'll also give some examples, as I find that an example always helps to explain a new concept.

The basics of the Constant are that

  • You can have it Fast and Cheap however it won’t be Good
  • You can have it Fast and Good however it won’t be Cheap
  • You can have it Good and Cheap however it won’t be Fast.


Stanford Found – Today’s News

Posted by admin on Feb 24, 2009 in Today's News
[Image: Directory Browsing]

Background Story

Sir Allen Stanford, who is believed to be involved in one of the biggest banking frauds, has been found by FBI agents in America.

It was originally thought that he was hiding out in the Caribbean.

The fraud has global implications, not only for the main Stanford Bank but also for all of his other corporations and for those who have invested in him. There has been a “run” on the bank in the past couple of days as investors have sought to get at their cash.

BBC News Link

Site = SIB DIRECT

Defect Found = Open Directory Browsing

Time Taken to find from arriving at homepage = about 10 minutes.

As always Site Admins notified.

Now, as this is an online bank, I decided to hold the post back a few days. It's now 00:40 on 20th Feb 2009 and I'll keep the post on hold for 5 days for them to fix the issue.

It should be just a quick 5-minute fix, but as we all know even a 5-minute code fix can still take a day or two to test. For me it's the deploys to the Test, Staging and then Production environments, not the actual testing of the code, that take the time in issues like this.

***************EDIT***************

Even after the 5 days, which is the length of time the post was delayed for, the issue is not resolved. I've also not heard back from anyone at Stanford.

***************EDIT N02 - 25th Feb 2008 ***************

The Receivers have been called in and the links are no longer working, which is a good thing for the security of the users but a bad thing, as they have most likely lost their deposits.

We know what good looks like

Posted by admin on Feb 17, 2009 in Interviews
[Image: Test This]

I spoke last week with one of my previous employees who had attended an interview.

The manager of the company in question put a pencil on the table and said “Test That”. Stewart played along and said “Where is the spec? What is it? What is its function?”

Now Stewart is no dummy; he knew it was a trick question, and in fact when he told me of the interview we both laughed for about 5-10 minutes, saying we need to get some pencils made up with the words “Test That” along the side of them for conferences etc. Needless to say he did not accept the job offer, and he classed it as a bad interview. Managers must know that such a basic, 1970s-type question is not going to catch anyone out. In fact it's only going to make you and your company look dated. We've all heard that question many, many times before and it doesn't get any funnier or more interesting.

My point is that a job interview is a two-way process. Yes, I'm looking for the right candidate: someone who I think will be an asset not only to my testing team but also to the company as a whole; a person who will come on board and give the experience gained in other workplaces willingly, and one who will also be willing to learn a thing or two from the staff members who are already on the team. (Personal development is a great thing.)

I also know, however, that it's not only me wanting them that counts; it's also them wanting us. This brings me full circle to the post title “We Know What Good Looks Like”. Those were the words used by a previous manager of mine in an interview with me. This statement made me think that things there were not perfect; however, they wanted to change, and if I worked hard I could help them effect this change.

I was enthused and accepted the job offer. If that same manager had put a pencil in front of me and said “Test That” I would have just gone through the motions of “What's its purpose? Is there a spec for the pencil?”, playing along with the game. Let's excite people when they walk through our door and not play games.


Geertwilders – Today’s News

Posted by admin on Feb 13, 2009 in Today's News
[Image: Nasty Man]

Not a nice guy.

(Even so, I've still notified the Site Admin in question.)

Background story.

He's a right-wing Dutch MP who has made a very one-sided mockumentary about Muslims and how he thinks the Qur'an only preaches death and killing. I'm not religious at all; however, I do know that virtually anyone can take text from any religious doctrine and use it to prove whatever point they wish to make.

He was invited to the UK by some other right-wing MPs (UKIP Party) and was thankfully turned away by our government on the grounds that they deemed him a person who spreads race hate.

This led to a welcome debate on the validity of freedom of speech.

BBC News Link

Site = http://www.geertwilders.nl

Defect Found = Open Log and Stats File

Time Taken to find from arriving at homepage = about 32 minutes.

This was a hard one, as his site uses off-the-shelf secure software (Mambo, I think) and Google for all searching, which meant I knew XSS was a no-go from the start. I then looked for subdomains and, although I found many, all were 401s. I tried a few other things and then, just when I thought this site would beat me, I gave a quick check of common directories and came up with “TMP”. I then looked for common file names and came up with “log.txt”, and hence the site error.

Remember that the reason for the “Today's News” section is to attempt to prove that virtually all sites out there have some error of some kind that affects the website's security, its usability, or its business logic.

Some people may think this is low-hanging-fruit stuff, and they may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO black hats alike.
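Both findings in this section (the open directory listing on the Stanford site above and the readable log file under TMP here) come down to how a web server answers requests for paths it should never expose. As an added example, not code from either site, here is a small static-file decision function in JavaScript that applies the two rules that close them: a directory request is answered only by its index page, never by a listing, and names or extensions that belong to logs, stats and temporary files are refused outright. The block lists, the in-memory file tree and the path names are constructed for the example, seeded only from the names mentioned in the posts.

```javascript
// Added example, not either site's own code: a decision function for serving
// static files that closes the two defects recorded above (an open directory
// listing, and a log/stats file readable under a web directory). It works
// over an in-memory tree so it runs without a real server or disk.
// The blocklists are constructed for the example, seeded from the names in
// the posts ("tmp", "log.txt"); a real site would tune them to its layout.

const BLOCKED_DIRS = new Set(["tmp", "logs", "stats"]);
const BLOCKED_NAMES = new Set(["log.txt", ".htaccess", ".htpasswd"]);
const BLOCKED_EXTS = new Set([".log", ".bak", ".sql", ".ini"]);

function normalisePath(urlPath) {
  // Drop the query string, percent-decode, then resolve "." and ".." and
  // collapse slashes. Returns null if the path cannot be decoded or holds a NUL.
  let decoded;
  try { decoded = decodeURIComponent(urlPath.split("?")[0]); } catch (e) { return null; }
  if (decoded.includes("\0")) return null;
  const out = [];
  for (const part of decoded.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") { out.pop(); continue; }  // can never climb above the web root
    out.push(part);
  }
  return "/" + out.join("/");
}

function decideStatic(tree, urlPath) {
  // `tree` maps absolute paths to "file" or "dir". Returns { status, file? }.
  const clean = normalisePath(urlPath);
  if (clean === null) return { status: 400 };
  const parts = clean.split("/").filter(Boolean);
  const base = parts.length ? parts[parts.length - 1] : "";
  const ext = base.includes(".") ? base.slice(base.lastIndexOf(".")) : "";

  // Everything refused here gets 404 rather than 403, so the response does
  // not confirm that the blocked path exists on disk.
  if (parts.some((p) => BLOCKED_DIRS.has(p.toLowerCase()))) return { status: 404 };
  if (BLOCKED_NAMES.has(base.toLowerCase()) || BLOCKED_EXTS.has(ext.toLowerCase())) return { status: 404 };
  if (base.startsWith(".")) return { status: 404 };

  const kind = tree[clean];
  if (kind === "file") return { status: 200, file: clean };
  if (kind === "dir") {
    // A directory is only ever answered with its index page, never a listing.
    const index = (clean === "/" ? "" : clean) + "/index.html";
    return tree[index] === "file" ? { status: 200, file: index } : { status: 404 };
  }
  return { status: 404 };
}

// Constructed sample web root for the example.
const SAMPLE_TREE = {
  "/": "dir",
  "/index.html": "file",
  "/images": "dir",
  "/images/logo.png": "file",
  "/tmp": "dir",
  "/tmp/log.txt": "file",
  "/stats": "dir",
  "/stats/index.html": "file",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const p of ["/", "/images/", "/images/logo.png", "/tmp/log.txt", "/stats/", "/../index.html"]) {
    console.log(p, decideStatic(SAMPLE_TREE, p));
  }
}
```

The same outcome is a one-line change in most web servers (turning directory indexes off and keeping logs and temporary files outside the document root), which is the "5 minute fix" mentioned in the Stanford post; the function above just makes the two rules explicit enough to test.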

Bookmarklets for a Web-Tester

Posted by admin on Feb 12, 2009 in Testing, code, productivity, tools
[Image: Code]

In this post I want to give people a heads-up on some of the tools I use in my daily role.

These are bookmarklets, which is just another word for bookmarks that contain JavaScript.

I use these with Firefox, although IE and Opera should also be fine for them. In Firefox just add them to the bookmark toolbar and you'll have them at your fingertips.

  • Zap Cookies! This will clear out any stored cookies for the current page/site.
  • Edit Cookies! This will allow you to edit any stored cookies for the current page/site.
  • View Cookies! This does exactly what it says: it allows you to view any stored cookies for the current page/site.
  • Edit Page: Allows you to edit any page you use this on. All changes are temporary of course and only visible to you (will you ever trust a web page screenshot again?). I'm not yet sure how this fits into the testing arena, but I thought I would include it as someone may make decent use of it.
  • Find Redirects! This should list any redirects for the current page; however, it's currently a tiny bit hit and miss and does not work 100% of the time. It should suffice for now and I'll most likely have to rewrite it at some point in the near future.
  • remove redirects: Let's see what happens if we now remove those redirects we just found using the above bookmarklet.
  • Wikipedia lookup: This allows you to select any text on a page; once clicked, it will look up that text on Wikipedia.
  • Yahoo site search: This allows you to select any text on a page; once clicked, it will search on Yahoo for more links from that domain containing the same text.
  • MSN IP Search: Firstly I should thank Robert Hansen (RSnake) for this one. Once clicked it will carry out an IP search, which can help you find the wider network for your testing.
  • numbered list: One of my favourites. It makes a nice numbered list of all parameters on the page which contain numbers.
  • show hiddens: This and Zap Cookies are my most used bookmarklets. This one will display all hidden fields on a web page and also allow you to edit them.
  • remove maxlength: This will remove all the max lengths from all input fields (think buffer overflows and code boundary issues).
  • undisable: Who says you can't click that button :-) This bookmarklet will enable any disabled objects on the page.
  • up: This will take you up one directory level in the site structure.
  • top: This will take you to the top of the domain.
  • decrement: If your URL ends in a number, it will reduce it by one on every click.
  • increment: As above but the opposite.
  • check images: This will check the current page for broken images.
  • view variables: This will list all variable types found on the page. This is more for developers than testers; however, it's still a useful one to have.
  • view scripts: Like the above, but it lists all scripts that can be called on the current page.
  • zap images: This should clear all of the images from the page. Works about 98% of the time. This script may need a little tweaking if I ever get the time.
  • full urls as link text: Very useful if you want to see where a link is pointing to.
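As an added example (not one of the bookmarklets above, which are the author's own), the following JavaScript shows the other side of three of them. The first function mirrors what show hiddens, remove maxlength and undisable expose: an inventory of form controls whose only constraint lives in the browser. The second is the server-side check that must hold once those attributes are gone. The schema, the server-owned field names and the sample form are constructed for the example; in a browser the first function can be fed document.querySelectorAll("input,select,textarea"), while here a plain array stands in for the DOM so the block runs under Node.

```javascript
// Added example, not the author's bookmarklets. Part 1 mirrors what the
// "show hiddens", "remove maxlength" and "undisable" bookmarklets reveal:
// the form controls whose constraints exist only in the browser. Part 2 is
// the server-side counterpart: validation that still holds after a tester
// (or anyone else) has stripped those attributes before submitting.

// Part 1: accepts any iterable of objects shaped like DOM inputs
// (in a browser: document.querySelectorAll("input,select,textarea")).
function listClientOnlyControls(elements) {
  const findings = [];
  for (const el of elements) {
    const name = el.name || "(unnamed)";
    if (el.type === "hidden") findings.push({ name, control: "hidden", value: el.value });
    if (el.maxLength > 0) findings.push({ name, control: "maxlength", value: el.maxLength });
    if (el.disabled) findings.push({ name, control: "disabled", value: true });
  }
  return findings;
}

// Part 2: the limits the server enforces on the submitted body, independent
// of any attribute the form carried. Field names are constructed for the example.
const SCHEMA = {
  username: { maxLength: 20, pattern: /^[A-Za-z0-9_]+$/ },
  comment: { maxLength: 500 },
};
// Values the client is never allowed to supply; the server derives them itself.
// (The hidden "price" field below is the classic case.)
const SERVER_OWNED = new Set(["price", "role"]);

function validateSubmission(body) {
  const errors = [];
  const clean = {};
  for (const [field, value] of Object.entries(body)) {
    if (SERVER_OWNED.has(field)) { errors.push(`${field}: not accepted from client`); continue; }
    const rule = SCHEMA[field];
    if (!rule) { errors.push(`${field}: unknown field`); continue; }
    if (typeof value !== "string") { errors.push(`${field}: must be a string`); continue; }
    if (value.length > rule.maxLength) { errors.push(`${field}: longer than ${rule.maxLength}`); continue; }
    if (rule.pattern && !rule.pattern.test(value)) { errors.push(`${field}: unexpected characters`); continue; }
    clean[field] = value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Constructed sample form standing in for a real DOM (maxLength is -1 when
// the attribute is absent, matching the browser's property).
const SAMPLE_FORM = [
  { type: "text", name: "username", maxLength: 20, disabled: false, value: "" },
  { type: "hidden", name: "price", maxLength: -1, disabled: false, value: "9.99" },
  { type: "submit", name: "buy", maxLength: -1, disabled: true, value: "Buy" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(listClientOnlyControls(SAMPLE_FORM));
  console.log(validateSubmission({ username: "x".repeat(21), price: "0.01" }));
  console.log(validateSubmission({ username: "martin_h", comment: "hello" }));
}
```

Every item the inventory reports is something the server will eventually receive in a form it did not choose: a hidden value rewritten, a field longer than its maxlength, a button that was meant to be disabled. The validator treats all three the same way, by trusting only its own schema, which is the property the bookmarklets let a tester confirm.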

Enjoy

Martin H


Today’s News FSA Boss Quits

Posted by admin on Feb 11, 2009 in Testing, Today's News, WebAppSec, XSS

I've decided to do a new piece called Today's News.

What I'll do is take a quick look at the television news stations to work out what the top news story is, and then I'll give the website of the company or organisation a quick test. I'll also state how long it took me to find the issue.

The site will be notified, of course, and I'll update the blog post with any updates and responses from the site admin.

This will most likely be based on a Web Application Security (WebAppSec) test. I'll leave out all of the 404s and orphaned links etc.

Today’s major story was that the head of the FSA and a close advisor to Gordon Brown resigned.

[Image: FSA]

http://news.bbc.co.uk/1/hi/business/7883409.stm

Site = http://www.fsa.gov.uk/

Defect Found = XSS

Time Taken to find from arriving at homepage = 3 minutes and 12 seconds.

Now, some people may think this is low-hanging-fruit stuff, and you may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO black hats alike.

Online Whiteboards

Posted by admin on Feb 5, 2009 in productivity

Here are a couple of tools to help you become more productive while at work.

These are great especially if you are having a conference call with other team members and want to show them an idea visually.

http://www.dabbleboard.com/draw

Neither of the above requires a login to use or share.

Hello world!

Posted by admin on Jan 20, 2009 in Uncategorized

10 PRINT "Hello World"
20 GOTO 10
30 RUN

Welcome to the new Test Manager Blog.

The above Hello World code was the first program I ever wrote, back in the early 80s on a ZX Spectrum 81. It was just hello world in a constant loop.

I would have been about 7 or 8 years old at the time.

Copyright © 2010 The Test Managers Blog All rights reserved. Theme by Laptop Geek.