Archive for March, 2006

Paper on why Phishing works


Here’s an interesting paper written by Rachna Dhamija, J.D Tygar, and Marti Hearst on Why Phishing Works.

“This study illustrates that even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users can’t distinguish legitimate websites from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants”

Office Space the online game


The movie Office Space has been made into a fun little online Flash game. In the game you act as Peter Gibbons trying to complete the mission: “It’s Friday afternoon and you just know that Lumbergh is gonna ask you to come in on Saturday. Finish all you TPS reports and sneak out the side door before Lambergh catches up with you!”.

Play for Milton’s honor.

Milton: “And I said, I don’t care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I’m, I’m quitting, I’m going to quit. And, and I told Don too, because they’ve moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn’t bind up as much, and I kept the staples for the Swingline stapler and it’s not okay because if they take my stapler then I’ll set the building on fire…”

Ebonics for developers: Ruby on Rails


Dion Hinchcliffe wrote an interesting article about Ruby on Rails here. Between the article, and the embedded links the following quotes bug the crap out of me:

  • Ruby on rails is: “a stack that contains components for most Web applications.”

Most. Heh. Wow, that’s really gonna suck when a team is fully invested/committed to Ruby on Rails and they come up with a need for something that’s not in the “stack”. Now, not only does the team need to figure out how to use the new/needed technology but they must also figure out how to integrate the technology into the Ruby on Rails stack. Fun! More work in a project with doesn’t have enough hours already.

  • Ruby makes: “what most people do most of the time extremely easy”

Most…Heh. Ditto

  • 37signals not only built their 5 world-class online applications purely with Ruby on Rails, but they support almost 400,000 users on just 13 servers.”

How vague is that? 400,000 what? Concurrent users with sessions? Doing what? Do you mean 400,000 enrolled users in the database? That’s a sad, “world-class” hardware hog (13 servers). Let me see here, the development is faster with Ruby on Rails (saving money) but they bought 10 more servers than the typical 400,000 enrolled user database needs.

When I put it all together in my head my summary is this: Ruby on Rails is like Ebonics for developers.

Hey, have you heard about the new language taking Web 2.1 by storm? Oh yeah, by storm! It’s called LAZY. What’s really cool about LAZY is that you don’t have to learn Ruby or JavaScript to use AJAX. The LAZY framework wraps Ruby, which wraps JavaScript which makes your AJAX programming a no-brainer. A wrapper, for a wrapper. Truly LAZY!

Ruby on Rails may be easier for development of most Web applications (a quoted 80% by David Heinemeier Hannson) but seriously, the same thing can be done with existing languages. Yes, Ruby on Rails/Ebonics has come to market faster than the other languages and because of that the other languages will be forced to get Web 2.0 savvy quickly. But Ruby on Rails has a lot of work to do on their “stack”. Take .NET for example, let’s say it takes Microsoft 2 years to Ebonicize so that you can do things like program AJAX quickly and easily. Once those Ebonics are in place you have access to a deep and extensive set of libraries that are baked. Ruby on Rails will building their “stack” for many years to come.

Testing regular expression with RegexDesigner.NET


We have a new content contributor today! Friend and fellow QA Engineer Rohit Mathur writes:

I was going through Scott Hanselman’s blog and he mentions (in his Ultimate Tool list) the RegEx tool RegexDesigner.NET by Chris Sells.

I found the tool very useful trying to evaluate the RegEx used in our Corillian online banking implementations. In our implementations the list of regular expressions are contained in a .config file. 

You can extract ‘the Date’ RegEx out of the .config file:

<add key=”Date” value=”^([0]?[1-9]|[1][0-2])[/-]([0]?[1-9]|[1|2]\d|[3][0|1])[/-](\d{4})$”/>

and then, using the RegexDesigner tool, you can test the Regular Expression to see what format/characters are allowed/disallowed: 

Phishing, the IRS puts prevention in your hands


IRS cracks down on phishers:

“The Internal Revenue Service has set up an e-mail address for taxpayers to forward suspicious e-mail messages that claim to come from the IRS.”

Nice approach, not. This isn’t preventative it’s reactive. Once the phish email is sent it’s already too late. The IRS should think about being preventative with an application like Corillian FDS.

Testing with mock credit card numbers


My coworker Milind Pandit sent me the following link the other day:

It appears that phishers have resorted to honesty by just simply telling you truth about what they want from you. Pure genius!

I’m not sure if this is real or not because when I put in a Visa card number I get the following error AND success message:

Warning: fopen(/var/guaym/creditcards.txt): failed to open stream: No such file or directory in /var/www/ on line 9
error taking your money.

Thank you, Brent Strange ,for giving us all your money!

No, I wasn’t stupid enough to put in my Visa card number… I used my wife’s instead. Okay, okay, I didn’t use hers either. Give me a little credit. You can create test credit card numbers on your own using MOD 10. How do I know this? No, I’m not an evil hacker. I once was part of a payments solution group at Intel (TranSync) and I had to test various card types. Graham King has a great little article on credit card test number generation here.

Recent updates to SWEA (SWExplorerAutomation)


Our good ol’ Mr. Alex Furman continues to add features and fixes to SWEA. SWEA is now up to version Here is a list of his recent changes:

V1.7.7.1 (published 03-26-2006)
Improvement: Added script recording for Multi-select list boxes.
Improvement:  Improved scene identification for pages with script and frames.
Fixed: Various small bug fixes.

V1.7.6.1 (published 03-18-2006)
Improvement: Added Create Control/Record Control sequence. After creation the control will be focused in the project view and the control editor will be activated to allow script recording.
Improvement:  Added IE restart button/menu.
Improvement:  Save of a new script will pre-fill the script file name using the current project file name.
Improvement:  Added Invoke tab for all controls to record  Set/Get/Method/Script calls.
Improvement:  Added support for Multi-Monitor systems.
Improvement:  Added Drag&Drop support to the Script Recorder View.
Fixed: Various small bug fixes.

Password harvesting with AutoComplete and JavaScript


The password textbox in a Web form is pretty much a joke. Sure the password is masked, but only visually. You can easily view the password with a small amount of JavaScript. For example, if you paste the following JavaScript into the browser URL bar when a password textbox is present you can see the password in clear text:

javascript:var x=document.getElementsByTagName(‘input’); myVals=”;for (var i=0;i<x.length;i++){z=x[i].getAttribute(‘type’); if(z==’password’)myVals=myVals+’The password value is: ‘+x.item(i).value+(‘\n\n’)};alert(myVals)

Here is the script in action:

Because passwords can be harvested in this manner the AutoComplete feature (the ability to save passwords) is very dangerous. If you were to use a computer in a kiosk environment or if your computer is compromised it would be possible for the attacker to review your browser history, navigate to the logon pages of those sites and extract your credentials through the AutoComplete feature and the above JavaScript.

How can you avoid this issue?

From a development point of view the AutoComplete attribute should be set to “off”. This can be done at the form or input level. This looks something like this at the FORM level:

<FORM autocomplete = “off”>

and like this at the INPUT level:

<INPUT type=”password” autocomplete=”off”>

From a testing perspective it is important to make sure you have AutoComplete enabled in the browser so that you can visually catch the risk if it occurs:

Internet Explorer 6 (Tools > Internet Options > Content tab > AutoComplete button):

FireFox (Tools > Options > Privacy > Passwords):

Don’t rely on your browser settings though, somehow they magically change once in a while. Do a manual review of the HTML source to validate the attribute is set. Or use the following JavaScript in the URL bar to extract it out:

Look for AutoComplete in INPUT tags:
javascript:var x=document.getElementsByTagName(‘input’); myVals=”;for (var i=0;i<x.length;i++){z=x[i].getAttribute(‘type’);if(z==’text’ || z==’password’)myVals=myVals+’ID attribute: ‘+x.item(i).id+’\n’+’Name attribute: ‘+x.item(i).name+’\n’+’AutoComplete: ‘+x[i].getAttribute(‘autocomplete’)+(‘\n\n’)};alert(myVals);

Look for AutoComplete in FORM tags:
javascript: myVals2=”;y=document.getElementsByTagName(‘form’); for (var n=0;n<y.length;n++){if (y.length!=null) myVals2=myVals2+’Form AutoComplete is: ‘+y[n].getAttribute(‘autocomplete’)+ (‘\n\n’)};alert(myVals2);


To protect yourself as a user you should UNCHECK the “form” checkbox in IE6 or in FireFox you should UNCHECK the “Remember Passwords” checkbox or use the Master Password feature (which will prompt a master password to be entered before the autocomplete occurs).

Don’t forget, as described in previous posts, you can add the above JavaScript as browser shortcuts so you can quickly access/run the scripts. Do this by right clicking the above JavaScript/link and select the “bookmark this link” or “add to favorites”.

Extend WATIR with WET


WET (Watir Extension Toolkit) is an add-on to the Watir Framework to provide some enhanced features and functions. I haven’t used WET myself since I’ve invested in SWEA instead, but the WET extension definitely offers some nice testing additions. Here is the description of WET from the WET site:

WET sits on top of Watir. WET classes inherit from Watir and therefore adds features without removing support for any of the existing feature. The marquee of the enhanced features is the availability of support for the XML Object repository. The XML Object repository, is a way of representing objects on a DOM page in a XML based hierarchy. Besides the Object Repository WET offers many other features like:

  • Object identification using multiple parameters
  • Improved result logging
  • Checkpoints
  • Reliable handling of Popup dialogs
  • Rudimentary datatable support
  • Control of test execution using test definitions

How to automate Web site authentication that uses Microsoft InfoCard?


Microsoft’s up and coming InfoCard technology seems pretty cool. What is InfoCard? I can’t sum it up better than Microsoft:

“InfoCard” is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user’s digital identities and maintain end-user control.

InfoCard will be supported from the browser which leads me to the question: How am I going to automate InfoCard when my site uses it for authentication?

If you haven’t seen InfoCard work then you probably are wondering what the big deal is. Well, what appears to be the big deal to me is that InfoCard exists in a different “space” than the Window’s desktop. What I mean by “space” is that InfoCard loads and then the desktop along with all Windows applications are grayed out (like when you shut down Windows XP). I’m pretty sure your current browser automation tool is not going to know what to do with this when the browser calls InfoCard for Website authentication (e.g. click a button on the Web page that says something like “Logon using InfoCard”).

I’m sure we’ll find a way to automate this little gem but it may require a little work and re-factoring of your automation tool. I’m kind of concerned with the statement of “It is specifically hardened against tampering and spoofing“. I’m worried that this really means: “Impossible to automate“. You might want to ask your automation tool vendor what their plan is for support of InfoCard.

Ahh, the power of Microsoft BETA software! As a QA Engineer you should not only be test driving, you should also be thinking about compatibility and integration with the software you are currently testing to avoid possible issues in the future.

Post navigation