Brent Strange's thoughts on Software Quality Assurance and technology

Saturday, 19 August 2006

WatiN: Web application testing using .NET languages (inspired by Watir)


Coworker Scott discovered an up-and-coming alternative to Watir called WatiN. What is WatiN?

"Inspired by Watir, I started developing WatiN in December 2005 to make a similar kind of Web Application Testing possible for the .Net languages. Since then WatiN has grown to a feature rich and stable framework. It consists of about 50 classes, wrapping all major HTML elements. It can manipulate elements in the IE HTML window, and in modal and modeless HTML dialogs. It handles alert windows and supports a basic but extensible logging mechanism. A great deal of the code is covered by unit tests but there's room for improvement in that area. WatiN is developed in C# and aims to bring you an easy way to automate tests with Internet Explorer."

Further details can be found at:

As Scott said, this is something to keep your eye on. But since there is no recorder functionality (yet?) I will definitely be sticking with SWEA.

  # Comments [0]    
Saturday, 19 August 2006

Video cards consume more power than new CPUs


A while ago I subscribed to and regularly read Jeff Atwood's blog, where he spends a lot of time talking about the horror of bad design and code. Once in a while Jeff talks about hardware and throws out some interesting ditties. In his recent hardware related post Jeff says: "With the release of Intel's Core Duo and Core Duo 2 chips, it's finally happened-- mainstream video card GPUs are about to overtake CPUs as the largest consumers of power inside your PC". The post is chock-full of statistics and pretty graphs showing you the power consumption of mainstream video cards and CPUs.

It will be interesting to see how the video card market responds to their power consumption issues. What magic does AMD have up their sleeve with the purchase of ATI? They were quick to say they will have CPU and GPU integration and lower power consumption. Will Intel get back into the video card game? An insider's theory says "Yes". What will Intel do though? With their new CPUs and motherboards, will they too merge the GPU and CPU or will they make lower power consumption graphic cards using Core 2 Duo technologies?

  # Comments [0]    

Friday, 04 August 2006

Beta feedback declares the official IE7 name "Internet Explorer 7"


A while back Microsoft declared Internet Explorer 7 to be referenced two different ways depending on what OS it was on. If on Vista it would have a trailing +.

Well, the people spoke up during the beta evaluation (they hated it), Microsoft listened, and now it's back to the simple "Internet Explorer 7". Read more here.

If only Nintendo would listen to the people and rename the stupid Wii back to Revolution.

  # Comments [0]    
Friday, 04 August 2006

Testing Web forms with foreign language characters


How do you insert foreign language characters into a Web form textbox? For example, what if you have a localized site for Spanish and the text box is supposed to accept the characters áÁéÉíÍóÓúÚñÑüÜ«»`¿¡—, but you don't have a Spanish keyboard? I've found and used three different techniques to obtain these types of characters so that I could put them into a Web form for testing.

  1. Find the character or character set on the Web, copy them and paste them into the textbox. Good references for character sets are: Unicode, official Unicode charts, Unicode transformation charts, HTML entities, ISO Latin-1, ASCII set and HEX values, Spanish punctuation.
  2. Use Microsoft Office (Word is easiest) to create the characters. If you know the Unicode value, type that value into the document (e.g. 2014), highlight it and press ALT+X. The number is then converted to the character. This also works in reverse (convert the character back to its Unicode number, which is great for building a regular expression out of Unicode escapes).
  3. For characters in the Windows ANSI code page (Windows-1252), hold ALT and type a zero followed by the character's decimal code on the numeric keypad (e.g. ALT+0191 creates the ¿ character). You can do this directly in the browser/textbox. Note that ¿ and the accented letters are not in 7-bit ASCII, and that ALT codes typed without the leading zero use the OEM code page instead, so the same digits can produce a different character.
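Here is an added example (not code from the original post) that ties the three techniques together and goes one step further than the post: it builds the Spanish test string from its Unicode code points, derives the ALT+X hex value and the Windows ALT+0nnn decimal code for any character, and then shows what the same string looks like on the wire under two form charsets. The field name, the sample value "año" and the two charsets are assumptions made for the example; the mojibake at the end ("aÃ±o") is exactly what you see when a page posts UTF-8 and the server decodes the body as Windows-1252, which is the localization bug these characters are meant to flush out.

```python
# Added example (not from the original post): build the Spanish test
# characters from their Unicode code points, derive the keyboard codes the
# post describes (Word's ALT+X hex and the Windows ALT+0nnn decimal code),
# and show how the same string is encoded for form submission under two
# document charsets.  Field name, sample value and charsets are assumptions.
from urllib.parse import urlencode, parse_qs

# Code points for the characters the post lists: áÁéÉíÍóÓúÚñÑüÜ«»`¿¡—
SPANISH_CODEPOINTS = [
    0x00E1, 0x00C1, 0x00E9, 0x00C9, 0x00ED, 0x00CD, 0x00F3, 0x00D3,
    0x00FA, 0x00DA, 0x00F1, 0x00D1, 0x00FC, 0x00DC, 0x00AB, 0x00BB,
    0x0060, 0x00BF, 0x00A1, 0x2014,
]


def chars_from_codepoints(codepoints):
    """Turn a list of code points into the string you would paste into the textbox."""
    return "".join(chr(cp) for cp in codepoints)


def alt_x_code(ch):
    """Hex value to type before pressing ALT+X in Word (technique 2): '—' -> '2014'."""
    return f"{ord(ch):04X}"


def alt_code(ch):
    """Decimal ALT+0nnn code for technique 3.  The leading zero tells Windows to use
    the ANSI code page (Windows-1252), so this only works for characters that code
    page can represent; anything else raises UnicodeEncodeError."""
    byte = ch.encode("cp1252")[0]
    return f"0{byte}"


def form_encode(field, value, charset):
    """Percent-encode one field as a browser does for an
    application/x-www-form-urlencoded POST using the given document charset."""
    return urlencode({field: value}, encoding=charset)


def form_decode(body, charset):
    """Decode a form body the way a server would with the given charset."""
    return {k: v[0] for k, v in parse_qs(body, encoding=charset).items()}


if __name__ == "__main__":
    text = chars_from_codepoints(SPANISH_CODEPOINTS)
    print(text)
    for ch in "¿—":
        print(repr(ch), "ALT+X:", alt_x_code(ch), "ALT+", alt_code(ch))
    body = form_encode("comment", "año", "utf-8")   # constructed sample value
    print(body)                                      # comment=a%C3%B1o
    print(form_decode(body, "utf-8"))                # {'comment': 'año'}
    print(form_decode(body, "cp1252"))               # {'comment': 'aÃ±o'}  <- mojibake
```

When you file the bug, include both the code points you typed and the percent-encoded body the browser actually sent; the mismatch between the page's declared charset and the server's decoding charset is usually the root cause, and it reproduces without any keyboard tricks.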
  # Comments [0]    

Thursday, 03 August 2006

Which is more secure IE7 or FireFox2


Ed Bott over at ZDNet revisits the infamous question: which is more secure, IE or FireFox? But this time Ed compares the betas of Internet Explorer 7 and FireFox 2. Long story short, after boiling it all down Ed decides that:

"Come this fall, when both browsers are officially released, the playing field will essentially be level."

Read Ed's review here.

  # Comments [0]    
Wednesday, 02 August 2006

Defect of the day


Can you spot the defect of the day?

Today's defect is brought to you by

  # Comments [0]    

Wednesday, 02 August 2006

How to view javascript errors in Internet Explorer 7


I habitually peruse the search queries report for this site to see what keywords bring users here. Occasionally the keywords aren't things that I've specifically talked about but are good ideas for future posts. A recent search phrase was "viewing javascript errors in IE 7". It's something I take for granted since I've been doing it for so long with IE 5-6, but there are peeps out there who want to know. So here is how to view javascript errors in Internet Explorer 7:

First off, with default IE7 settings, you just have to pay attention to the bottom-left corner of the browser. Keep your eyes peeled for the yellow yield icon:

Once you see the icon, double click it and a script error window will display itself:

Click the "Show Details" button and the script error window will expand showing you the loathed script error.

However, you don't always happen to see that little icon in the bottom-left corner but you can make sure you don't miss these script errors (really important as a tester) by enabling the Internet Options setting in IE (Tools > Internet Options > Advanced) labeled "Display a notification about every script error". This setting is not enabled by default.

There you have it. Simple, but obviously some don't know how simple.

  # Comments [0]    

Tuesday, 01 August 2006

Six reasons why Robert Scoble is Mini-Microsoft


Robert Scoble, I'm onto you. I know you are Mr. Mini-Microsoft. Now, now, before you roll your eyes and move on thinking this is just another half-hearted accusation, let's go over my evidence. You see, I've been doing some Scobleizer and Mini-Microsoft blog forensics and have found some small facts that create some decent theories which lead me to believe that you are the person responsible for Mini-Microsoft. It's all good, I'm a fan and a reader of both, but you challenged us Scoble... You wanted to be anonymous. Being anonymous begged us to find who was responsible. That person is you. I know you know! But now the world must know. This is what I know:

It's easiest to explain by walking through a timeline. So I'll start from the beginning:

Theory #1
Scoble was hired by Microsoft in 05/2003 and started blogging shortly after in 09/2003. Mini-Microsoft was started in 07/2004.

In theory, after blogging for nearly a year with fear of losing his job for saying too much Scoble decided to find a better way to say what he wanted without that fear. Thus, Mini-Microsoft was born.

Theory #2
Wordpress vs. Blogger. Wordpress for Scobleizer,  Blogger for Mini-Microsoft. They aren't the same. Switching it up so that we see no similarities. Subtle Scoble, subtle. You almost had me there!

Theory #3
This is my favorite piece of evidence. It was right there in front of us but we were too lazy to put the pieces together! We all know that Robert's Mom grew sick and passed away in 05/2006 (I'm sorry Robert, my thoughts and prayers are with your family). During this time of support for his Mom Robert left work to be with her and if you follow his posts you'll know that he wrote some occasional heart-wrenching posts about his Mom and his feelings as he went through this tough time. Mini-Microsoft went dry during this time. Here are the ever-so-convincing post timelines:

May 7th
Scobleizer: Last Microsoft/tech related post
Mini-Microsoft: Microsoft related post

May 8th
Scobleizer: Does a personal post about Mom's condition and how he's heading to Montana the next day

May 9th-18th
Scobleizer: No Microsoft/tech related posts. Only posts about the current Mom situation.
Mini-Microsoft: Absolutely no posts. Nothing. Nada. Why would he? He's preoccupied!

May 19th
Scobleizer: He posts Back in the land of bandwidth and cell phones
Mini-Microsoft: He posts Still here

Theory #4
The post times don't overlap. For example take this sampling of post times (as received by NewsGator):

Scobleizer              Mini-Microsoft
Thu 7/20/2006 8:50 PM
Thu 7/20/2006 8:32 PM
Thu 7/20/2006 8:11 PM
Thu 7/20/2006 5:50 PM
Thu 7/20/2006 3:25 PM
Thu 7/20/2006 3:23 PM
Thu 7/20/2006 3:20 PM
Thu 7/20/2006 2:49 PM
Thu 7/20/2006 11:13 AM
Thu 7/20/2006 10:58 AM
                        Thu 7/20/2006 8:22 AM
                        Thu 7/20/2006 8:16 PM
                        Thu 7/20/2006 6:05 AM
                        Thu 7/20/2006 2:52 AM
                        Wed 7/19/2006 8:14 PM
                        Wed 7/19/2006 11:30 AM
Wed 7/19/2006 3:57 AM
Wed 7/19/2006 3:33 AM
Wed 7/19/2006 3:15 AM
Wed 7/19/2006 3:15 AM
Wed 7/19/2006 3:01 AM
Tue 7/18/2006 5:20 PM
Tue 7/18/2006 4:37 PM
Tue 7/18/2006 3:28 PM
Tue 7/18/2006 3:19 PM
                        Tue 7/18/2006 3:18 PM
Tue 7/18/2006 12:57 PM
                        Tue 7/18/2006 11:21 AM
                        Tue 7/18/2006 11:10 AM

Theory #5
Duplicate coverage of news between the 2 blogs didn't happen often. For example, when Bill Gates decided to leave Microsoft, Mini-Microsoft mentioned it but Scobleizer didn't. Odd, why wouldn't the Scobleizer mention somebody he respected and worked for?

Theory #6
Since Scoble quit Microsoft on 07/01/2006 there has been no juicy inside info on Mini-Microsoft. The posts are thoughts on information we were all already privy to.

So there you have it... I think Scoble wanted to be exposed though. He got sloppy, but he's too smart to be sloppy! He didn't care anymore. 

Now that you have the monkey off your back Robert you can now breathe a sigh of relief. The calm will eventually come but not too soon. Yes, you will be overwhelmed with questions, yes your integrity may be challenged, but this is nothing new for you and you perform well under the pressure. I believe that what you did is right and was in Microsoft's best interest. Thank you for making Microsoft better Mr. Robert Scoble a.k.a. Mini Microsoft.

Readers, is it a load of BS?! You be the judge. The data is the data. The theories are... well theories. Time will tell. Either Scoble confesses or we decide with further evidence (e.g. Mini-Microsoft gives us no more juicy inside info since Scoble is no longer on the inside).

  # Comments [6]    

Sunday, 30 July 2006

Scoble sightings


So I was visiting friends in Redmond this week and happened to run across Robert Scoble on a street off of highway 908 in Redmond:

I took this picture with my wife's camera phone as we were passing. Seeing him in Redmond surprised me because I thought he left for California? So what is the REAL story Scoble? Were you "Laid off"? Are you still working at Microsoft? Are you staying in Redmond to maintain the low-profile Mini-Microsoft blog from local internet cafés? He seems to be in high spirits so he must not be too bad off. It's nice to see that he is maintaining his positive attitude during his time of change.

Has anybody else had a Scoble sighting in Redmond?

  # Comments [0]    

Thursday, 27 July 2006

WatirMaker is now WatirRecorder++ and is going open source


Coworker Scott Hanselman and Rutger Smit have given WatirMaker an overhaul and renamed it WatirRecorder++. Read more and download it here.

At this time this appears to be the only recorder for Watir; there was a Watir WebRecorder but for some reason it has been deemed "unavailable until further notice".

If you just started looking into Web browser automation make sure to give SWEA, C#, and NUnit a try; I think you'll be more impressed with this solution if you're in a .NET environment.

  # Comments [2]    
Thursday, 27 July 2006

FireFox trojan extension


The bad guys are using FireFox extensions as a means of piggybacking on FireFox to steal sensitive user data.

Once FormSpy is executed, it installs itself as a component of the Firefox Web browser.
The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user's browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.

Read more here.

  # Comments [0]    
Thursday, 27 July 2006

Internet Explorer 7's No Add-ons Mode


The IE team has posted about a new Internet Explorer 7 feature that allows you to enable or disable IE add-ons (toolbars). The feature seems to have been created with the purpose of troubleshooting add-on and IE integration issues. More on No Add-on mode can be found here.

  # Comments [0]    

Monday, 24 July 2006

XSS cheat sheet


My coworker Alex Ginos sent a link the other day to an XSS (cross site scripting) cheat sheet. This cheat sheet is amazing; it has a LOT of XSS examples and also lists the browsers that each attack is "supported" by. I thought my XSS attack list was pretty good until I saw this list. To say the least, I'll be adding a ton more XSS attacks to my current test case repository. The same site is also a blog with some really great posts about hacking and security. Another interesting post that I enjoyed was Attacking Applications Via XSS Proxies. Subscribe to this blog, these guys are freakin' smart.
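An added example (not from the post, and not the cheat sheet's own code) of how a test case repository like the one described above gets used: a handful of representative payloads are run through a deliberately vulnerable page renderer and an escaping one, and a check reports which payloads reached the output untouched. The payloads, the two little page templates and the `profile` link are constructed for this example. It also goes one step beyond the cheat sheet: the last payload, a `javascript:` URL, survives HTML escaping because it contains no markup characters at all, so the URL context needs its own rule (an allowlist of schemes), which the hardened link renderer shows.

```python
# Added example (not from the post or the cheat sheet): run a few XSS test
# cases through a vulnerable renderer and an escaping renderer, and report
# which payloads reach the output verbatim.  Payloads and templates are
# constructed for this example.
import html
from urllib.parse import urlsplit

# Representative markup payloads (constructed sample; a real repository holds
# many more, plus per-browser variants).  Each one only "works" if its
# < > " ' characters reach the page unchanged.
MARKUP_CASES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
    "<svg/onload=alert(1)>",
]


def render_greeting_unsafe(value):
    """Vulnerable: untrusted input pasted straight into HTML text and an attribute."""
    return f'<p>Hello {value}</p>\n<input value="{value}">'


def render_greeting_escaped(value):
    """Hardened for the HTML text and attribute contexts: html.escape with
    quote=True encodes & < > " and ', which neutralizes every markup payload."""
    safe = html.escape(value, quote=True)
    return f'<p>Hello {safe}</p>\n<input value="{safe}">'


def survivors(renderer, cases=MARKUP_CASES):
    """Payloads that appear in the output byte-for-byte, i.e. got through."""
    return [case for case in cases if case in renderer(case)]


def render_link_escaped(url):
    """Escaped, yet still exploitable: a javascript: URL has nothing to escape."""
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


def safe_url(url):
    """URL context rule: allow only http(s); anything else becomes an inert '#'.
    urlsplit lowercases the scheme, and newer Pythons strip tabs/newlines the
    way browsers do, so case and whitespace tricks fall through to '#' too."""
    scheme = urlsplit(url.strip()).scheme
    return url if scheme in ("http", "https") else "#"


def render_link_hardened(url):
    return f'<a href="{html.escape(safe_url(url), quote=True)}">profile</a>'


if __name__ == "__main__":
    print("unsafe lets through: ", survivors(render_greeting_unsafe))
    print("escaped lets through:", survivors(render_greeting_escaped))
    for url in ["javascript:alert(1)", "JaVaScRiPt:alert(1)", "https://example.com/?a=1&b=2"]:
        print(render_link_escaped(url), "->", render_link_hardened(url))
```

The point of the `survivors` check is that it is cheap to run over every payload you add to the repository after each change to the escaping code; the `javascript:` case is there to remind you that a clean run over markup payloads says nothing about URL, CSS or script contexts, each of which needs its own encoder or allowlist.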


  # Comments [0]    

Thursday, 20 July 2006

Vista build 5472 screenshots


A pretty good set of screenshots for Windows Vista build 5472 has been published. Get a preview of the good, bad, and ugly here.

  # Comments [0]    
Thursday, 20 July 2006

A fully patched XP VPC at 641 MB?!


Jeff Atwood over at Coding Horror has managed to shrink a fully patched Windows XP Virtual PC down to 641 megabytes. He gives you full details here. Good stuff. Thanks Jeff!

  # Comments [0]    

Monday, 17 July 2006

Choosing Performance Testing with Scott Barber


In the latest eLetter (Tool Look) Scott Barber talks about how he got into performance testing and gives some simple advice on how to select the appropriate performance testing tool for your application. Read the Tool Look article here.

  # Comments [0]    

Wednesday, 12 July 2006

Back to blogging after writing my first magazine article!


I've been semi-quiet on the blogosphere lately due to the evenings being filled up with the season end of my boys' baseball and writing my first magazine article! :-)

Yep! Too cool, I've been asked to submit an article to Better Software magazine for their Tool Look column. If all goes well you should see it later in the year. Wish me luck!

  # Comments [2]    
Wednesday, 12 July 2006

Software Quality Management paper from Borland


Borland sent out a pointer to another SQA paper, this time the paper is entitled Software Quality Management and gives an overview of:

  • How to define application quality goals and metrics that match your objectives
  • How to measure quality status and progress
  • How to manage software quality to keep up with changing situations, emerging technologies and new regulatory requirements
  • How to improve software development and incorporate quality into every step of the process

As always, the paper is written to lead up to the use of one of their tools; for this paper the tool is Borland SilkCentral Test Manager. I find their lead-ins, which are usually more than 3/4 of the paper, very well written, and they speak well to real problems we have with software development and quality assurance. It's a great informational read that can be downloaded here.

  # Comments [0]    

Saturday, 08 July 2006

FireFox cheat sheet


Using keyboard shortcuts makes you a faster tester (well, at least it does me...). However, remembering shortcuts for your favorite applications is not so easy. Leslie Franke has created a nice little cheat sheet of FireFox keyboard shortcuts and tips/tricks. It's available in HTML and PDF format and can be downloaded here. Get faster in FireFox: print it out and hang it on your cube wall!

  # Comments [1]    

Friday, 30 June 2006

Identity and fraud link round-up


Here is my identity and fraud link round-up for the week:

Does ID theft really cost $48 billion a year?

Stolen VA laptop recovered

Study: Most Technology Companies Have Data Losses

U.S. Navy: Data Breach Affects 28,000

  # Comments [0]    
Friday, 30 June 2006

STARWEST 2006 Program Announced


The StarWest 2006 program has been announced and it looks great! Lots and lots of stuff with the same ol' and brand new speakers:


How to Build Your Own Robot Army; Harry Robinson, Google, Inc.

Software Security Testing: It's Not Just for Functions Anymore; Gary McGraw, Cigital, Inc.

Dispelling Testing's Top Ten Illusions; Lloyd Roden, Grove Consultants

What Every Tester Needs to Know to Succeed in the Agile World; Jean Tabaka, Rally Software Development

Say Yes-or Say No? What to Do When You're Faced with the Impossible; Johanna Rothman, Rothman Consulting Group, Inc.

Session-Based Exploratory Testing: A Large Project; Adventure Bliss, Captaris, Inc.


Essential Test Management and Planning; Rick Craig, Software Quality Engineering

Introduction to Systematic Testing; Dale Perry, Software Quality Engineering

How to Break Software; Joe Basirico, Security Innovation, Inc.

Managing Test Outsourcing; Martin Pol, POLTEQ IT Services BV

Becoming an Influential Test Team Leader; Randall Rice, Rice Consulting Services Inc.

Key Test Design Techniques; Lee Copeland, Software Quality Engineering

Implementing a Test Automation Framework; Linda Hayes, Worksoft, Inc.

Agile Software Product Testing Using Fit and FitNesse; Rob Myers, Net Objectives

How to Build, Support, and Add Value to Your Test Team; Lloyd Roden, Grove Consultants

Microsoft Visual Studio 2005 Team System for Testers; Chris Menegay, Notion Solutions, Inc.

Performance Testing Secrets in Context; Scott Barber, PerfTestPlus, Inc.

Model-Based Testing: The Dynamic Answer to Test Automation; Harry Robinson, Google, Inc.

Measurement and Metrics for Test Managers; Rick Craig, Software Quality Engineering

How to Break Software Security; Aditya Kakrania, Security Innovation, Inc.

Just In Time Testing; Robert Sabourin,, Inc.

Test Process Improvement; Martin Pol, POLTEQ IT Services BV

Establishing a Fully-Integrated Test Automation Architecture; Edward Kit, Software Development Technologies

Test Estimation Using Test Point Analysis; Ruud Teunissen, POLTEQ IT Services BV

Requirements Based Testing; Richard Bender, Bender RBT, Inc.

Behind Closed Doors: Secrets of Great Test Management; Johanna Rothman, Rothman Consulting Group, Inc., and Esther Derby, Esther Derby Associates, Inc.

Risk Based Testing; Julie Gardiner, QST Consultants Ltd.



The Nine "Forgettings"

Quantifying the Value of Your Testing to Management

Step Away From the Tests: Take a Quality Break

Management Networking

Skill Diversity: The Key to Building the Ideal Test Team

Building a Testing Factory

Keeping it Between the Ditches: A Dashboard to Guide Your Testing

Improving the Skills of Software Testers

  # Comments [0]    
Friday, 30 June 2006

Internet Explorer 7 Beta 3 released


Internet Explorer 7 beta 3 has been released and can be found here. The IE team and Dave Massy boast of its new features:

  • New icons
  • Tab reordering
  • Authenticated FTP
  • Easy access to email (put it back)
  • Small details (for example, image resizing changes)

See some screenshots on the IEBlog.

What's really cool is that the IE team has made, and still is making, EXTRA effort to listen to what users are saying about IE 7 and adding features and improvements based on feedback. If you like, dislike or have an idea about IE7 you can submit your feedback in 3 ways:

  • Internet Explorer External Feedback

    This is the best way to submit Internet Explorer 7 Beta 3 bugs to the Internet Explorer team.

    You will need to have a Microsoft Passport account in order to use this site. Go to the Passport site to create an account.

    In order to submit feedback, go to Microsoft Connect, then select "Available Connections," which will take you through a license agreement. You will see "Internet Explorer Feedback" as one of the list of programs available. Select "Apply" to enroll in the program.

    There is a best practices document included on the site outlining how to open a "good" bug.

  • Microsoft Beta Client Tool

    Report issues directly to us through the Microsoft Beta Client Tool (you will need to install this tool before you can use it).

    Although this tool may look like it was designed for feedback on Windows Vista, you can use it to send us Internet Explorer 7 bugs. On the first page of the tool, just make sure you choose "This install is an Internet Explorer 7 update on Windows XP'" and set the Area to "Internet Explorer."

  • Newsgroups

    Post any questions or problems you have to the microsoft.public.internetexplorer.general newsgroup, either through a newsgroup reader or on the Microsoft Discussion Groups site.

  # Comments [0]    

Monday, 26 June 2006

Why do I have to press #1 for English? Bad usability.


Today my wife sent me one of those "I'm American hear me roar" emails that was simply a picture of an American flag with text stating: Why the hell should I have to press '1' for ENGLISH?!

You're right dear wife, and whoever created the political statement over the top of a pixelated American flag. Why should you have to press 1 for English? But since the statement is politically charged by the powerful American flag I'm pretty sure the question is nothing but a derogatory statement rather than a jab at the real issue... You see, if you ask me, the reason you have to press "1 for English" is bad design and usability:

The way I see it, we have two use cases when a system is designed for two languages and the majority is English:

  1. English caller
  2. Caller speaking other language (we'll use Spanish as an example)

Seems simple; in most cases the English speaking caller is going to be a higher percentage than the Spanish, right? So why inconvenience the majority? That'd be like having all IE 6 users click an extra button to view content...Dumb. So why don't we just do something like the following:

You: Ring... Ring... Ring....

Big Corp: Hello, welcome to Big Corporation! Hola, recepción al Big Corporation! Presione el número uno para el español (translated, I think: Hello, welcome to Big Corp, press number one for Spanish)

You: Wait patiently for a second (note, no phone fumbling here!)

Big Corp: Press 2 to get yourself into a loop, press 3 if you want to talk to somebody (even though you can't).....

Makes sense doesn't it? I know nothing about phone systems but it can't be that terribly difficult in this day and age. Can it?

  # Comments [0]    

Friday, 23 June 2006

Is $1000 enough for your stolen identity pain?


Larry Dignan asks us how much our personal data is worth. He proposes "Stiffer fines, Safer Data". I agree and disagree; stiffer fines will eventually lead to safer data, but it won't happen right away. Enterprises need maintainable solutions and processes that work first. In my opinion, identity theft lawsuits and media frenzy will drive this "solution".

How much is your stolen, used, and abused identity worth to you? Is $1000 enough? Has your identity been stolen? How much did it end up costing you, money- and time-wise?

  # Comments [0]    

Thursday, 22 June 2006

The importance of component integration testing


What evil things could happen when you lack component integration testing? For example, when a team delivers A and B you naturally test A+B and then hopefully you test B+A. Sometimes it's not as easy as A and B though. Sometimes it's as complex as H & I & T & S. A little exploratory testing goes a long way if you're having trouble with the orthogonal array.

Thanks Matt for sending this to me. The image comes from
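The "orthogonal array" remark above is about the same problem a pairwise (all-pairs) test design solves: you cannot run every combination of components, but you can make sure every pair of values meets in at least one test. Here is an added example (not from the post) of the general technique: a small greedy all-pairs selector plus a coverage check you can run against a hand-written suite. The four factors and their values are constructed for the example; substitute the components and orderings you actually integrate.

```python
# Added example (not from the original post): a small greedy all-pairs
# (pairwise) test selector and a coverage check.  The factors and values
# below are made up for the example.
from itertools import combinations, product

# Constructed example: four factors whose full product is 3*2*3*2 = 36 cases
FACTORS = {
    "browser": ["IE6", "IE7", "Firefox"],
    "os": ["XP", "Vista"],
    "role": ["anonymous", "user", "admin"],
    "locale": ["en", "es"],
}


def all_pairs(factors):
    """Every (factor=value, factor=value) pair across two different factors."""
    names = list(factors)
    pairs = set()
    for a, b in combinations(names, 2):
        for va, vb in product(factors[a], factors[b]):
            pairs.add(((a, va), (b, vb)))
    return pairs


def pairs_in(factors, case):
    """The pairs a single test case (a dict factor -> value) covers."""
    names = list(factors)
    return {((a, case[a]), (b, case[b])) for a, b in combinations(names, 2)}


def pairwise_tests(factors):
    """Greedy selection: repeatedly take the candidate case that covers the most
    still-uncovered pairs.  Candidates are the full product, which is fine for a
    handful of factors; real tools avoid enumerating it."""
    names = list(factors)
    candidates = [dict(zip(names, values)) for values in product(*factors.values())]
    uncovered = all_pairs(factors)
    chosen = []
    while uncovered:
        best = max(candidates, key=lambda c: len(pairs_in(factors, c) & uncovered))
        gained = pairs_in(factors, best) & uncovered
        if not gained:          # cannot happen while pairs remain; guards the loop
            break
        chosen.append(best)
        uncovered -= gained
    return chosen


def covers_all_pairs(factors, tests):
    """True if a hand-written or generated suite exercises every pair."""
    covered = set()
    for case in tests:
        covered |= pairs_in(factors, case)
    return all_pairs(factors) <= covered


if __name__ == "__main__":
    suite = pairwise_tests(FACTORS)
    for i, case in enumerate(suite, 1):
        print(i, case)
    total = len(list(product(*FACTORS.values())))
    print(f"{len(suite)} cases cover all {len(all_pairs(FACTORS))} pairs instead of {total} cases")
```

For the constructed factors this yields nine cases instead of thirty-six, which is the minimum here because the two three-valued factors alone force nine. The `covers_all_pairs` check is the useful half for the situation the post describes: run it over the integration cases you already have and it tells you which component pairings never meet, which is where the exploratory testing should start.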

  # Comments [1]    

Tuesday, 20 June 2006

Opera 9 released


Opera 9 was released today. Opera continues to hang with the big dogs with new features such as:

  • BitTorrent
  • Content blocker
  • Add your favorite search engines
  • Tab Thumbnail preview
  • Site preferences
  • Widgets
  • Improved rich text editing

Download Opera 9 here.

  # Comments [0]    
Tuesday, 20 June 2006

Data stolen Two-sday


And here we are on a glorious data stolen Two-sday:

Laptop with D.C. workers' personal data stolen
Equifax laptop containing employees' SSNs stolen
Simon, a coworker and risk manager, points out: "Equifax is a BS7799-2 certified company. They/we are not immune…."

On the bright side, we have employers rushing to stem data theft tide

  # Comments [0]    

Monday, 19 June 2006

Free load testing strategy white paper from Borland


Borland has released a free load testing white paper entitled "Choosing a Load Testing Strategy" to help market their product Borland SilkPerformer (formerly Segue). The paper is a good read and gets really interesting when they talk about home-grown testing applications, open source load-testing tools, testing with Mega-IDEs, Web only load testing tools, hosted load-testing services and of course Enterprise class load-testing solutions.

Download "Choosing a Load Testing Strategy" here.

  # Comments [0]    

Sunday, 18 June 2006

Screen capture for FireFox: ScreenGrab


The screen capture utility ScreenGrab by Andy was written up a while ago. ScreenGrab is an extension for FireFox that allows you to capture a FireFox browser screen and save it as a PNG file in 3 different ways:

  • The entire FireFox window (same as the PC ALT+PrtScr)
  • The entire content of the site (scrolling content)
  • The content that is viewable in the FireFox window (ViewPort)

Andy says he is working on adding the following features:

  • Being able to select a region to grab (using something similar to MeasureIt).
  • Removing my dependence on Java (much like the folks over at Pearl Crescent did with their PageSaver, based - like I said one would be eventually, on the Canvas widget).
  • All those configuration options people keep whining about (default save to location, default naming, different file types, different menu locations).
  • Making a shortcut key to do the grab.

SnagIt vs. ScreenGrab + Kleptomania

When making a choice on which to use for Web application testing here are some things to think about:

  • SnagIt won't give you the OCR/text capture feature that Kleptomania has.
  • ScreenGrab won't work in Internet Explorer.
  • ScreenGrab doesn't have drawing tools.

For Web application testing ScreenGrab fills a hole in one of my favorite tools, Kleptomania, because it captures content that requires scrolling. Putting the two together costs about the same as SnagIt. Neither is a magic bullet for Web application screen and text capturing. TechSmith, if you add OCR/text capture to SnagIt I'm sold. Until then I'm sticking with ScreenGrab and Kleptomania.

ScreenGrab 0.8 is free, download it here.

  # Comments [0]    

Thursday, 15 June 2006

Stolen data. Lost data. Either way you're screwed


Stolen or "Lost" data reports sure seem a bit overwhelming lately don't they?

Stolen file contained unclassified information on 1,500 contract workers

Nearly 1 million prospective AIG customers could be at risk

  # Comments [0]    

Wednesday, 14 June 2006

Testing WS-I compliance is a breeze with SOATest


How do you make sure that the Web Service you are testing complies with the Web Services Interoperability Organization standards? I use ParaSoft SOATest. It's really a no brainer because the tests are there by default when you create a project in SOATest (as seen in the image). The WS-I tests ensure that your Web Services are compliant with the WS-I Organization's Basic Profile version 1.1. When you look at the list of test assertions that SOATest conducts you can feel at ease that your service is definitely compliant.

  # Comments [0]    
Wednesday, 14 June 2006

Possible identity theft for 1300 Oregon tax payers


This security breach hits a little too close to home:

Porn-surfing hits taxpayer IDs
Security breach - More than 1,300 people face identity theft after a state employee let in data-stealing spyware

Last night the 10 o'clock news said that the Oregon Department of Revenue would be sending letters to the individuals at risk. I'm an Oregonian and I'm hoping I didn't make the list. It was rather amusing when the news station asked random Portland citizens their thoughts on the matter and they were more aghast with the fact that a Department of Revenue employee was surfing porn at work! Amazing... what is it going to take to wake up the public so they see the root of this identity theft problem?

  # Comments [0]    

Tuesday, 13 June 2006

Invirtus VM Optimizer and clean VPCs


My coworker Scott Hanselman recently blogged about his use and experience with the tool Invirtus VM Optimizer. The tool worked well for Scott and his dynamic disk MS Virtual PC images so I looked at how it could improve my fixed disk images. The site didn't reveal anything on improvement for fixed disks so I emailed support at Invirtus to ask about it:

I’m trying to understand how your product would work with a MS VPC that is utilizing the “Fixed Disk” feature. Since the VPC size is fixed will Optimizer shrink it to the smallest size and leave the image unusable (since it won’t dynamically grow)? Or will Optimizer allow me to specify a buffer beyond the optimized size to ensure the VPC doesn’t run out of space?

The reply was:

Optimizer will work with a fixed disk in that it will increase the available free space to the maximum available. But, you cannot shrink the disk itself.

While writing test cases, on the side I converted a fixed disk image to a dynamic disk to see if Optimizer could decrease the 6.3 GB size. The attempt resulted in a slightly LARGER VPC size (6.4 GB). After scratching my head for a while I then emailed support to ask why:

I used your tool with a MS VPC that was a dynamic disk of 6.3 GB. After running the tool the disk ended up being a little over 6.4 GB. The VPC image was VERY clean prior to running the tool (fresh Server 2003 OS install, SQL 2000, installed two Web Services and a few web sites). Am I missing something or is the tool primarily used for MS VPC bloat that is caused over time? Why did the size go up?

The reply was:

In VM Optimizer we include a tool called Freespace.exe. Freespace.exe goes sector by sector and cleans the whitespace. This means that every sector on your disk is touched and when that happens on a virtual disk the size of the disk expands. However, in a dynamically expanding scenario the size will reduce quite substantially and in your fixed disk scenario the disk will remain approx. the same or grow just slightly.

So, no special magic here for me and my situation. It makes sense; you can't squeeze blood out of a turnip. For performance reasons, I converted a 6.3 GB virtual disk image to a 10.1 GB fixed disk image, but the caveat is that copying and network transfer are a bit painful. I'm assuming that the 3.8 GB difference is free space. My test environment doesn't need this much free space; 1 GB would be enough. At this point I think the only way to get my fixed disk smaller is to specify the free space when converting from dynamic to fixed. Does anybody know a trick for this? Am I looking at a feature request?

Update 6/19: I contacted Ben the Virtual PC Guy to see if he had any tricks up his sleeve for downsizing the free space in a fixed disk and he responded with: "We do not provide a way to change the maximum size of a virtual hard disk today. If you want to do this you will need to create a new virtual hard disk - at your desired size - and then use a tool like Symantec Ghost to transfer the data to the new virtual hard disk."

  # Comments [0]    

    Thursday, 08 June 2006

    Government helps solve identity theft with reactive measures


    Today Greg sent me a link and after clicking it the title of the article had me thinking that the identity theft pendulum had begun to swing the other way (in our favor). The article title was: Veterans Affairs chief calls for stronger data laws

    The article is a reactive statement to the theft of 26.5 million veterans' information a while ago, and it starts out hopeful with a great inspirational quote:

    "It's an emergency at the VA, and it should be an emergency in our society,"

    but then starts rolling downhill with:

    Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.

    I wonder, is it the actual incident that prompted Tom OR WAS IT THE FACT THAT THE VETS ARE SUING? Hope spirals back into the vast wasteland of stolen identity when the article goes on to say:

    That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and scope of losses continues to expand."

    So if I understand right, once you let my data get stolen you'll find it in the goodness of your heart to tell me (instead of me finding out after my bank account is drained). That's proactive? I think not. Proactive is encrypting my data and being certified to manage my data. Ugh... This is pathetic.

      # Comments [0]    

    Wednesday, 07 June 2006

    Software Quality Assurance for Dummies


    I just did an Internet search for "Software Quality Assurance for Dummies" and found nothing. I can hardly believe it! The luck is equal to finding a dot com domain name that isn't taken.

    If you're looking to get into Software Quality Assurance, or are green in SQA, look forward to the up-and-coming publication: Software Quality Assurance for Dummies by Brent Strange:

    John Wiley & Sons, Inc. please contact me to get this underway. :)

      # Comments [3]    
    Wednesday, 07 June 2006

    Stolen data fiesta


    Is it the fact that I work in a security group and this stuff naturally flows through my inbox, or has the last week been a stolen data fiesta? customers' data is stolen and Greg is MAD (WARNING! Don't make Greg mad, it's not pretty. Well, sometimes it's humorous to watch... If you have the opportunity to rib him a little bit someday in person just bring up how slow Microsoft Virtual Server is and you'll see traces of the mad Greg. Mad level 3 out of 10). Anywhooo, Greg not only rants about how pathetic security is in the industry but offers some practical advice on knowing how secure a company is by its certifications. Good stuff.

    Data lost on all 2.2 million (nearly all) active duty, reserve and guard members.

    Veterans fight back and sue for data lost/stolen (this is what we need to wake the industry up).

    Alex Scoble sent an article stating that cleaning up data breach costs 15x more than encryption. No joke? Go figure. But why do that? That's pro-active and not re-active. Fire-fight mode is sooo much more fun though.

      # Comments [1]    

    Sunday, 04 June 2006

    "Ruby In Steel" to aid your Ruby debugging pains


    Sapphire In Steel has written a Ruby IDE for Visual Studio 2005 called Ruby In Steel. This definitely will give a big boost to all the Ruby/Watir browser automation going on right now.

    Back at the beginning of 2006 when I was shopping for an automation solution, I gave Ruby and Watir a whole-hearted try and was extremely frustrated that I was spending so much time debugging in a JavaScript-like world. Can you say "Pain-in-the-ass" and "Inefficient"? Since then I've moved on to SWEA (SW Explorer Automation) and have been EXTREMELY happy debugging in Visual Studio.

    For those of you working in the Ruby and Watir world, you can download the beta version of Ruby In Steel here. If you want to see it in action you can watch a debugging video demo here.

      # Comments [0]    

    Friday, 02 June 2006

    Geek T-shirt - Feed Me (RSS)


    Are you a blogger or blog reader? Are you a fan of syndication? Let me present the latest in geek t-shirts for RSS. I had this one on the back burner since I started this blog in December of 2005 and finally sat down to create it tonight. This masterpiece is titled "Feed Me" (I won't be offended if you consider it a master-POS). The image below requires Shockwave Flash. If you can't see it, just go to where this little beauty resides. Do you hate black t-shirts, or would you rather have a sweatshirt or tank top? Zazzle has a huge product line-up that you can place this advertising gem on. Gem you say? Yes, this is THE official RSS icon, to be recognized by a cajillion internet users by 2007. TRUST ME. Don't be a "wanna-be" by displaying your syndication spirit in 2008. Get this frickin' thing on your chest now!

      # Comments [0]    

    Thursday, 01 June 2006

    1.3 million Social Security numbers stolen


    Ho-hum, more user data stolen, yawn... This time only 1.3 million borrowers' Social Security numbers from the Texas Guaranteed Student Loan Corp. Interestingly enough, this time it was encrypted for transport but then decrypted by the data management company Hummingbird Ltd. After decryption the hardware that it was on was "lost". Lost? <Insert snide comment here>.

    Read more here.

      # Comments [0]    

    Wednesday, 31 May 2006

    Determine browser and system settings with


    Whenever I question my browser type and version, or specific browser and system settings I always hit to get ALL the exact details. Once you hit the home page just click on the "more" link in the header to get a full list of all your browser/system features and settings. comes in handy for real world development, test and release scenarios like:

    • Determining your exact user-agent string when testing browser detection code
    • Determining your exact user-agent string when spoofing browser user-agents
    • Ensuring your browser version is correct when you are skeptical about running multiple instances of Firefox or Netscape on one machine
    • Quickly determining your JavaScript version to help troubleshoot script errors
    • Troubleshooting release/customer issues by getting all browser and system details by sending customers to

    It's quick, easy, and FREE.

      # Comments [0]    

    Tuesday, 30 May 2006

    IE7 in Windows Vista is “Internet Explorer 7+”


    To distinguish between IE7 in Vista vs. XP Microsoft has declared that they will be adding a "+" to IE7 for Vista. The difference can also be seen with the following user-agent strings:

  • IE7+ running on Windows Vista:
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
  • IE7 running on Windows XP:
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

    Read more here.

      # Comments [0]    
    Tuesday, 30 May 2006

    Portland man catches his own identity thieves


    A Portland man gets pissed, turns sleuth, tracks down and catches identity thieves while they are using his identity and credit card. Read his story here. Pretty darn cool. Thanks for the link Matt.

      # Comments [0]    

    Thursday, 25 May 2006

    Web Service and SOAP security papers


    This week I spent time testing a new Web Service feature in our product IA that utilized SOAP headers. Testing started with scripting my typical functional, use, and boundary tests in SOATest and then wrapped up with my basic security tests (URL encoding, SQL Injection, Cross Site Scripting, etc.). Before moving on I spent a bit of time perusing the Web for SOAP header security exploits to see if I could expand my security test suite for this particular feature. The search didn't yield anything significant, but it did remind me of a few great papers on Web Service and SOAP security:

      # Comments [0]    

    Wednesday, 24 May 2006

    2006 Pacific NW Software Quality Conference (PNSQC)


    I got wind of the 2006 Pacific NW Software Quality Conference (PNSQC) today.

    2006 Workshops are:

    • Karl Wiegers: Writing Quality Requirements
    • Cem Kaner: Developing Software Testing Courses for Your Staff
    • Rex Black: Assessing Your Test Team Effectiveness, Efficiency, and More
    • Michael Bolton: A Rapid Introduction to Rapid Testing
    • Jean Tabaka: Scrum and the Art of Quality Maintenance

    Keynotes are:

    • Karl Wiegers: Cosmic Truths About Software Quality
    • Andy Hunt: Maintaining Your Competitive Advantage: Strategies to Improve Cognition, and Learning

    The conference is October 9-11 in Portland, Oregon. Sign up early and save some cash. Get more information here.

      # Comments [0]    
    Wednesday, 24 May 2006

    Multiple tabs/Home pages in Firefox


    You can have multiple home pages display in different tabs when clicking the home button in Firefox. Thanks for the tip Scott!

    In Firefox, from Tools|Options|General, enter the home pages you want, separated by pipes "|".

      # Comments [0]    
    Wednesday, 24 May 2006

    Google Analytics has become available to me


    Last year I wrote about how I tried to get on the Google Analytics band-wagon but was denied. After sitting at my PC and clicking the Send/Receive button every 10 seconds for the last 6 months the invite finally showed up. Good thing, I was getting discouraged (and my click finger was severely cramped). So, today I finally received an email from Google stating:

    "We are ready for you to create your Google Analytics account! Please follow the instructions below to redeem your invitation code."

    Sweet! Now I can see where you folks are from. I already know that I have readers in China. For some odd reason they are only interested in the hacking errr.. I mean "testing" posts.

      # Comments [0]    

    Monday, 22 May 2006

    Personal information for 26.5 million veterans is stolen


    Yet more personal information is stolen, this time from our Veterans. Don't act so surprised. This one seems to be getting some pretty good press though. Will it change anything? Doubt it. It's just another instance to add to the simmering pot. Someday the pot will start to boil, and then eventually boil over. Who will make them stop and listen? Maybe Brad Pitt and Angelina Jolie? Save us Brangelina, save us from this wretched mess.

    Read more here.

      # Comments [0]    

    Sunday, 21 May 2006

    Virtual PC 2004 Differencing, Undo and Fixed Disks


    Last week I spent a bit of time to better understand the different disk options that are available in Microsoft Virtual PC 2004. I was particularly interested in finding the best performance and the best option for having multiple environments that had subtle changes between them (OS and SQL Service Packs, and test app versions). Before I tell you my findings, let me point out a few simple facts about Virtual PC (from my experience):

    • The "Fixed Disk" option is faster than a "Dynamic Disk". Dynamic grows the file which is slow but Fixed doesn't.
    • Enabling the "Undo Disk" for any disk type will create a temporary Dynamic Disk that contains all the changes for that session. When you close the Virtual PC down you then have the option to merge the changes from your temporary disk back to the main Physical or Dynamic Disk. Undo disks are slow since the temporary disk is dynamic.

    Remember these facts, they're important going forward :)

    The hope of Differencing Disks
    In my little mission, I first looked into the details of what a "Differencing Disk" was. In summary a Differencing Disk gives you the option of having a 2nd Dynamic Disk attached to a main Physical or Dynamic Disk. This 2nd Dynamic Disk holds only the differences from the main disk. This is the ticket I needed to have multiple environments that had subtle changes between them. An image from the VPC help file shows the power of this, the Windows 2000 disk represents the main disk while the others are Differencing Disks with different IE browsers installed:

    I found that the disadvantages of a Differencing Disk are:

    • The Differencing Disk size can grow larger than the main disks size over time so you don't really save space
    • Differencing Disks are dynamic and cannot be fixed size, and are thus slower.
    • Adding an Undo Disk to a Differencing Disk only adds to the slowness

    Here is a step by step on how to create a Differencing Disk at Matt's blog.

    Making an Undo Disk into a Differencing Disk
    After realizing the good and bad of Differencing Disk I found an article at that explained how to make an Undo Disk into a more efficient Differencing Disk. I tried this out and the file size stayed smaller but the VPC was still slow. Adding the Undo Disk only made slowness worse (about the same as a plain ol' Differencing Disk).

    Fixed Disks
    Since Fixed Disks are fixed in size the pain of a dynamically resizing file is gone so this is the speediest option. The downfall to a Fixed Disk is that the VPC sizes are large, so if you have as many images as you saw in the picture above at about 10 GBs a piece then you can eat up drive space pretty quickly.

    When needing multiple environments if you want speed use a Fixed Disk. If you are worried about disk space use Matt's technique for making an Undo Disk into a Differencing Disk. If you want to keep an environment clean you can either use an Undo Disk and deal with the slowness or you can sacrifice disk space by instead keeping backup copies and copying over the dirty image when you are done with it (doubling your disk space usage).

      # Comments [2]    

    Thursday, 18 May 2006

    Windows Vista requirements released


    Finally, Microsoft has released some serious requirements for their new OS in the works: Windows Vista. Requirements are broken down into two categories:

    A Windows Vista Capable PC includes at least:

        * A modern processor (at least 800 MHz).
        * 512 MB of system memory.
        * A graphics processor that is DirectX 9 capable.

    A Windows Vista Premium Ready PC includes at least:

        * 1 GHz 32-bit (x86) or 64-bit (x64) processor.
        * 1 GB of system memory.
        * A graphics processor that runs Windows Aero.
        * 128 MB of graphics memory.
        * 40 GB of hard drive capacity with 15 GB free space.
        * DVD-ROM Drive.
        * Audio output capability.
        * Internet access capability.

    Want more info? Visit the Windows Vista Get Ready site here.

      # Comments [0]    
    Thursday, 18 May 2006

    Are "bug bounties" cost effective?


    Recently Microsoft, Mozilla, and VeriSign have offered "bug bounties" to help squash critical defects before release. Brilliant I say! Using money to motivate testers during development is a win-win situation. Testers win since they can get some serious cash if they put their nose to the grind-stone and the software/company wins because:

    • Defects that are found and fixed early are cheaper than post-release defects (post-release cost can be 100 times development cost, e.g $50 vs $5000).
    • There will be fewer embarrassing critical and security defects found post-release.
    • Quality Assurance (ad-hoc) is marketed, which screams "We care about quality".
    • The company only pays for severe defects but will still get a valuable set of less severe defects for free.

    Are there hidden costs though? I can think of a few:

    • The time and effort wading through crappy and duplicate defect reports.
    • Larger scale efforts to manage the plethora of testers and defects.

    The benefits obviously outweigh the hidden costs. What other positives and negatives can you think of? Talk to me fellow engineers!

      # Comments [0]    

    Wednesday, 17 May 2006

    Microsoft Virtual PC 2004 documentation


    Today I sat down and started to configure my new test environments which are hosted on Microsoft Virtual PCs. I wanted to refresh myself on some of the advanced features and hit Google, Microsoft and MSDN in search of the VPC user documentation that I had found about a year ago and then proceeded to lose. Long story short, don't go looking on the Web for the official user manual for Microsoft Virtual PC 2004, it's under your nose. An MS KB article reminded me of the painfully unobvious that I learned once before:

    "In a default installation of Microsoft Virtual PC 2004, the documentation that is included with Virtual PC is located in the following folder on the hard disk of the host PC: Drive:\Program Files\Microsoft Virtual PC\Documentation"

    Painfully unobvious because there are no shortcuts from Start menu to this documentation (which is where I started my search).

    In my quest for documentation I ran into the following useful MS VPC 2004 links too:

    The Official Microsoft Virtual PC 2004 site is here.

    A MSDN VPC Blog is here.

    VPC Overview Presentations are here.

      # Comments [0]    

    Tuesday, 16 May 2006

    The Code Room: Breaking Into Vegas


    A while back MSDN TV posted a great video titled "The Code Room: Breaking Into Vegas". If you have an extra half hour it's a cool, informational watch about security and hacking with some real world scenarios and examples. The acting is pathetic and cheesy but the actors are real life experts and geeks so I guess that's expected! Here is a summary from the site:

    "In this episode of The Code Room watch the White Hats and Black Hats battle for the security of Las Vegas. Jessi Knapp and Microsoft Security Guru Joe Stagner narrate as the Hackers try to gain control of The Plaza's online money management system and our Security Team tries to stay one step ahead."

      # Comments [0]    

    Monday, 15 May 2006

    Test cookie poisoning


    Web site cookie poisoning came up twice in the last week while testing, so I guess now is a great time to talk about how to test for the cookie poisoning vulnerability. I'm not going to get into the details of how a cookie works but rather how to poison them. If you want details of how they work from a testing point of view read this respectable paper.

    Web sites use cookies (a lot of them). Cookies can be permanent (on disk) or temporary (in memory), and cookies contain variables; variables that the site cares about, and that can be messed with or "poisoned" to get results the Web site didn't intend to give you. Take the following test page as an example. The test pages are simple: if you have the right cookie content then you will receive a 50% discount; if the content isn't right then you will not receive the 50% discount. The first page sets the cookie with the content "SpecialOffer=No", indicating that you are not eligible by default. The cookie-setting code on this page is simple and looks like this:

    document.cookie = "SpecialOffer=No";

    Now, if you click the link "Click here to see if you are eligible for 50% discount" you'll see that you are not eligible for the discount. The check on the 2nd page is pretty simple too and looks like this:

    var pos = document.cookie.indexOf( "SpecialOffer=Yes" );
    if( pos == -1 ) {
        document.write("I'm sorry you are NOT eligible for the 50% discount");
    } else {
        document.write("You are eligible for the 50% discount");
    }

    In the above script I look for the value of "SpecialOffer=Yes" in the cookie content and then react accordingly. If I don't see "SpecialOffer=Yes" then you aren't eligible for the discount. Now, on to the fun stuff! How do you make yourself eligible for the discount? To do this we need to change the default cookie content value from "SpecialOffer=No" to "SpecialOffer=Yes". How does one change cookie values? There are quite a few ways but I'll share with you my 3 favorites:

    1. Add N Edit Cookies FireFox extension
    2. Paros Proxy
    3. Paste the following JavaScript in the URL bar to view the cookies:

      and the following to modify it:

      javascript:alert(window.c=function(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length);c=c.substring(1,(c.indexOf(";")>-1)?c.indexOf(";"):c.length);var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with:","")));

    How to poison cookies with Add N Edit Cookies

    1. Navigate to in FireFox
    2. Click the cookie icon in your FireFox toolbar
    3. Find the cookie for and double click it or highlight it and press the edit button
    4. Change the content form field from "No" to "Yes" (case sensitive)
    5. Go back to the browser and click the link "Click here to see if you are eligible for 50% discount"
    6. KaaaaPOW.... You now have the 50% discount! You're a freakin' evil, bad to the bone tester!

    How to poison cookies with Paros Proxy
    Typically I wouldn't use Paros in this situation because the cookie is being set on the client side (you won't see this too much in the real world). The following example isn't what I consider cookie poisoning but more JavaScript manipulation. The following assumes you have cleared your cache:

    1. Turn on Paros and set your IE connection options to use the address of with a port of 8080
    2. In Paros click the "Trap" tab and check the "Trap Request" and "Trap Response" checkboxes
    3. Navigate to in IE
    4. Go back to Paros (Trap tab) and press the "continue" button until you see the following text in the bottom pane:
      document.cookie = "SpecialOffer=No";
    5. Change the "No" to "Yes" in the above line
    6. Click the "Continue" button.
    7. Go back to IE and click the link "Click here to see if you are eligible for 50% discount"
    8. Whoot! You now have the 50% discount! You're one sexy cool tester with a severity 1 defect that needs to be submitted.

      There are situations where you will want to change the cookie value in the header (the top pane in the Trap tab) on the response or the request; this is when you would use Paros over Add N Edit Cookies. These are the situations where server or client side code manipulates the cookie, so you need to change it before the response is rendered or before the request is sent.

    How to poison cookies with JavaScript

    1. Navigate to in IE
    2. To view the set cookie, type the following in the URL bar:
    3. You will see "SpecialOffer=No". Click Ok
    4. Copy and paste the following JavaScript in the browser URL bar:
      javascript:alert(window.c=function(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length);c=c.substring(1,(c.indexOf(";")>-1)?c.indexOf(";"):c.length);var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with:","")));
    5. Hit the enter key
    6. Click the Ok button at the JavaScript Alert
    7. Type the cookie name of SpecialOffer in the Alert box and click the Ok button
    8. At the "replace this value" script prompt type No and press the Ok button
    9. At the "with:" script prompt type Yes (case sensitive) and press the Ok button
    10. The next alert will show you the replaced cookie. You should see: SpecialOffer=Yes
    11. Click the Ok button
    12. In IE click the link "Click here to see if you are eligible for 50% discount"
    13. DingDingDingDing.... You're a winner! You now have the 50% discount! You're quite the bad-ass tester aren't you? You're like the wicked witch in Snow White but instead of poisoning apples you poison cookies.

    And that's how I conduct cookie poisoning when testing. Not too awful tough eh? Oh...if I ever get confused about the state of cookies before and after poisoning I use HTTPWatch to get a better idea of what is going on. I can usually get the gist of it by looking through the cookie and header tabs.

    When do you test for the cookie poisoning vulnerability, you ask? Whenever a cookie is being used! Is it a defect if you can manipulate the cookie? Not necessarily. It is typically a defect when a cookie is being placed that impacts or restricts the site's behavior and you can exploit that feature. If manipulating a cookie doesn't gain you anything or exploit a feature, then it's not of much value and thus not a defect. It's important that you know what the cookie you are poisoning does; without knowing that, you may be poisoning something and not seeing the exploit. To prevent guesswork it's easiest to work with your developer to understand what he/she is doing with cookies on the site, so you can go straight for the kill.

    Happy poisoning!

      # Comments [1]    

    Saturday, 13 May 2006

    The credit card system is a joke


    The credit card system is a joke. Yeah, I know you know. I just wanted to remind you with my latest mockery of the system.

    So, I receive a new MBNA Visa card about 3 months ago and have been using it pretty consistently since then. During the last few weeks while away on business I used it at least twice a day every day for food at various restaurants in Seattle, Bellevue, and Issaquah. Needless to say, a lot of activity. The night before I came back from my trip, after a delightful dinner of seared Tuna encrusted with soy and black pepper, the waitress handed me my card with a receipt after paying my bill. She unintentionally handed it to me backwards (no she wasn't backwards, the card was, stay with me here) and I noticed that I never signed it.

    So about now you are thinking "Wow, what an idiot. How can you be so stupid?". Funny thing though, I don't feel stupid, not even the least bit. I find it rather amazing and pathetic that I could conduct 50+ transactions on this card and not one merchant ever asked me about it or probably looked at the back of the card for that matter. Should I feel stupid for not being "safer" with card? If you think so, then think about the following:

    1. Let's say that somebody steals my credit card and signs it for me. Now when merchants do the signature comparisons the fraudster's receipt signatures will match the credit card signature. OH WAIT, MERCHANTS DIDN'T COMPARE SIGNATURES FOR 50+ TRANSACTIONS.
    2. On the back of my card in small text below the signature strip it says "Not valid unless signed". SEEMS TO BE VALID TO ME, IT WORKED WITH 50+ TRANSACTIONS.
    3. On the back of my card in small text below the signature strip it says "Authorize Signature ". I BET MERCHANTS READ THIS REMINDER RIGHT AFTER THEY LOOK AT THE SIGNATURE (EXCEPT ALL 50+ TIMES).
    4. CitiBank says to prevent identity theft "Sign your credit card or write that the merchant must 'check id' on the back of your card". SEEMS FEASIBLE, IF THE MERCHANT EVER LOOKED AT THE BACK OF THE CARD (ALL 50+ TIMES).

    See any trends in those examples?

    Well...I've signed the card. I'm not sure why, but everybody else does so I might as well do it too. Everybody seems to think it's a good idea for some reason. I mean, I would hate to have the merchant get a wild hair and happen to CHECK THE SIGNATURE ON THE BACK OF THE CARD, and call me out on it. I can hear it now.

    Merchant: Mr. Strange you didn't sign the back of your card.
    Brent: Dagnabbit! I totally spaced it. I feel so stupid. Here let me sign it.
    Merchant: Oh, no problem don't worry about it.
    Brent: (the sound of chicken scratch as I create my humble cipher)
    Merchant: Thanks Mr. Strange, I'll be right back with your receipt.

    Heh, and that's the end of this sad sad joke.

    Hmmm.. I may have found a good reason to sign it. I read somewhere: "By law, you are only liable for $50 of any fraudulent transactions on your card. Most credit card banks like AMEX, Citibank, MBNA, etc actually offer zero-liability on their cards, which means that you are not liable for any fraudulent activity at all! If you don't sign the card -- you are actually not eligible for those benefits!"

    That's assuming you get caught. How many stolen cards do you think are recovered? When they recover them do you think they check to see if you signed it?

      # Comments [0]    

    Thursday, 11 May 2006

    Three blog posts per week...Riiiiiight.


    Dear faithful readers (the 4 of you, the other 395 hits a day are search engine hits for "Windows Vista keys" and "play Mrs. Pacman online"),

    I'm back. The last 3 weeks have been crazy busy with work and home. I spent 2 weeks testing up at the Microsoft Scalability Labs, and after returning home I've spent the last week: trying to make it up to my wife for being gone 2 weeks, getting the garden ready for the season, getting the yard under control, going to my boys' baseball games, getting food poisoning from a local restaurant, putting Reedville Baseball back in order, and then finally... soaking in the fun-ness of our littlest one walking now (really cool and in the nick of time because crawling through wood chips at the baseball field equals slivers).

    So yeah, I'm back but being baseball season its the busiest time of the year at our house (we have 2 boys playing). I'm going to try to stick to my goal of 3 posts per week (which I failed horribly in the last 3 weeks).

    Wish me luck. :)

      # Comments [0]    

    Tuesday, 02 May 2006

    Call for papers on automated testing


    Google is asking for automated testing papers to be submitted for their Conference on Test Automation. Deadline is June 1st.

      # Comments [0]    

    Thursday, 27 April 2006

    Working with hidden elements in SWEA


    The other day while automating a test case for our Web application I found that SWEA was recognizing that an element existed on the page even though I couldn't see it. This wasn't good because that element was a client side error message for a form and nothing was being done with the form to throw the error. A closer look at the HTML revealed a <SPAN> tag with the style property visibility set to "hidden". It looked like this:

    <span style='visibility:hidden' class='VAMErrorText' id='valInactiveDays'><span id='valInactiveDays_Txt'>Must enter a numeric value.</span>

    A test case that actually caused the error to visually appear on the page resulted in the following change to the HTML:

    <span style='visibility:visible' class='VAMErrorText' id='valInactiveDays'><span id='valInactiveDays_Txt'>Must enter a numeric value.</span>

    So, in the top example the element existed in SWEA's eyes because it existed on the page but it was "hidden". My problem to solve was how to make my test acknowledge that the error message wasn't really thrown and that it was still "hidden". At the time I figured it would be best to extract the HTML out of the SWEA control and search for the text "Visibility:hidden". My resolution looked like this:

    case TestGoal.SuccessfulResponse:
        ((HtmlInputText)(myBrowser.Scene["txtInactiveDays"])).Value = txtValue;
        // Hidden elements can still be seen by SWEA, so make sure it's hidden
        // Text we're searching for
        txtHidden = "VISIBILITY: hidden";
        // Return a boolean for when txtHidden is part of the control's OuterHtml
        isHidden = ((HtmlContent)(myBrowser.Scene["HiddenVAMLbl"])).OuterHtml.IndexOf(txtHidden) > -1;
        // Validate control is hidden
    //Validate control is hidden

    When I talked to Alex after the fact, he reminded me that I could also pull out the style information like this:

    isHidden = ((HtmlContent)(myBrowser.Scene["HiddenVAMLbl"])).Invoke("Get_Style").ToString().IndexOf(txtHidden) > -1;

    A little less elegant, but either way solves my problem.
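    A substring search over OuterHtml is brittle: the spelling of the style differs between the markup and IE's serialised form, the inner span carries no style of its own even though it inherits the hidden state, and a display:none on some ancestor would hide the message without "hidden" appearing anywhere in the element's own HTML. The following is an added JavaScript example, not code from this post or from SWEA, that parses an inline style the way IE serialises it and walks the ancestor chain to decide effective visibility. The node objects are a constructed stand-in for the DOM so that it runs outside a browser; the ids are the ones from the markup above, and the form element wrapping them is assumed.

```javascript
// Added example (not from the original post or from SWEA): decide whether an
// element is effectively visible instead of substring-searching its OuterHtml.
// The page is modelled as plain objects because this runs without a browser.

// Parse an inline style attribute into a map of lowercase property -> value.
// IE's OuterHtml renders properties upper-cased with a space after the colon
// ("VISIBILITY: hidden"), so normalise case and whitespace before comparing.
function parseInlineStyle(styleText) {
  const props = {};
  for (const decl of (styleText || '').split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const name = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim().toLowerCase();
    if (name) props[name] = value;
  }
  return props;
}

// Constructed stand-in for a DOM node: tag, id, parsed inline style, parent link.
function makeNode(tag, id, style, parent) {
  const node = { tag, id, style: parseInlineStyle(style), parent, children: [] };
  if (parent) parent.children.push(node);
  return node;
}

// Effective visibility rules (plain CSS, nothing SWEA-specific):
//  - display:none on the element or ANY ancestor hides it outright;
//  - visibility is inherited, but a descendant may override an ancestor's
//    visibility:hidden with visibility:visible, so the nearest explicit value wins.
function isEffectivelyVisible(node) {
  let visibility = null;
  for (let n = node; n; n = n.parent) {
    if (n.style.display === 'none') return false;
    if (visibility === null && n.style.visibility) visibility = n.style.visibility;
  }
  return visibility !== 'hidden' && visibility !== 'collapse';
}

// Build the markup from the post: a validator span wrapping a text span,
// inside an assumed <form>. outerStyle is the validator's inline style.
function buildValidator(outerStyle) {
  const form = makeNode('form', 'frmInactiveDays', '', null);
  const outer = makeNode('span', 'valInactiveDays', outerStyle, form);
  const inner = makeNode('span', 'valInactiveDays_Txt', '', outer);
  return { form, outer, inner };
}

// Mirrors the literal search the post started with, to show where it misleads:
// IE's serialised "VISIBILITY: hidden" never matches "Visibility:hidden".
function outerHtmlContainsHidden(outerHtml) {
  return outerHtml.indexOf('Visibility:hidden') > -1;
}
```

    The same walk is what a browser's computed-style lookup does for you; when the automation tool exposes the element's style object (as the Get_Style call above does) prefer reading the visibility and display properties from it over scanning serialised HTML.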


    Wednesday, 26 April 2006

    Browser Wars - A New (ie) Hope


    Hehe...this is awesome: Browser Wars - A New (ie) Hope


    Tuesday, 25 April 2006


    You can now get your Internet Explorer 6 and 7 add-ons through the new IE add-on web site. According to the IEBlog:

    "Products on the site either work directly with Internet Explorer 6 or 7, or use the IE platform, and have to meet the CNET Software Submission Requirements and Adware and Spyware Policy before being posted. We also welcome users, editors and industry specialists to write and post reviews for each add-on, and report problem software."

    A quick perusal of the initial list of add-ons sparked no interest for my QA mind. After about 2 minutes of looking around I realized that the new IE Developer Toolbar was not to be found on the site. Seems odd... I know it's in beta but that shouldn't keep it off the site! Maybe it didn't meet the "Software Submission Requirements"?

    Once the word is out and the add-ons are submitted, this should be a nice little portal (hopefully as nice as the Firefox extensions site).


    Thursday, 20 April 2006

    SQL 2000 to 2005 upgrade resulted in 10% more CPU usage


    Over the last 2 days I had the opportunity to remove the SQL 2000 database out from underneath our Web Service and replace it with SQL 2005. The team was hoping to see an instant gain in SQL performance but that's not what happened. Performance tests that put the SQL 2000 server at a comfy 69% CPU usage were now using 81% with SQL 2005. Bummer. Where's the magic Microsoft? Keep in mind we made ZERO changes to the Web Service or SProcs for the test.

    We're not going to give up hope on gaining performance with SQL 2005; the move is just going to be slower for us now, since we obviously need to uncover the magic, and finding that magic is going to take some work. During this SQL upgrade test I learned a few interesting things that I suppose I should share with you...

    • I couldn't successfully restore a SQL 2000 database backup to my database in SQL 2005. I had a few errors thrown at me but this is one that I documented: "Restore failed for Server 'TEST-SQL1'. (Microsoft.SqlServer.Smo), Additional information: System.Data.SqlClient.SqlError: The backup set holds a backup of a database other than the existing "TEST" database. (Microsoft.SqlServer.Smo)"
    • The SQL 2000 database couldn't be attached in SQL 2005 and used successfully. For some reason, when I attached my 1 million+ entry database, my largest table was empty?!
    • Does attaching a 2000 .MDF in 2005 migrate the data? According to a forum post by an engineer on the MS SQL 2005 development team, it does migrate the system tables, but he says nothing about the custom tables. I couldn't find any other info on the web on how to migrate data other than using the attach feature as described by Microsoft. Microsoft has an upgrade advisor tool, but it doesn't upgrade anything; it just does analysis.
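    The restore error and the empty-table surprise in the list above are the two things worth a checklist. Here is an added T-SQL example, not from the post and not Microsoft's own script, that restores a SQL 2000 backup over an existing SQL 2005 database with WITH REPLACE (the documented response to the "backup set holds a backup of a database other than the existing ... database" error, number 3154), raises the compatibility level, corrects the catalog row counts and lists them so a table that came across empty shows up at once, and refreshes statistics before any CPU comparison. The backup path, database name, logical file names and data directory are assumptions.

```sql
-- Added example, not from the original post: restore a SQL 2000 backup over an
-- existing SQL 2005 database and check what came across. Assumed names:
-- backup C:\Backups\TEST.bak, database TEST, logical files TEST_Data and
-- TEST_Log, data directory D:\SQLData. Run from Management Studio as sysadmin.
USE master;
GO

-- Show the logical file names stored in the backup; the MOVE clauses need them.
RESTORE FILELISTONLY FROM DISK = N'C:\Backups\TEST.bak';
GO

-- Error 3154, "The backup set holds a backup of a database other than the
-- existing 'TEST' database", is raised when TEST already exists and was not
-- created from this backup. WITH REPLACE tells RESTORE to overwrite it anyway.
-- Kick other sessions off first, or the restore waits on them.
ALTER DATABASE TEST SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
RESTORE DATABASE TEST
    FROM DISK = N'C:\Backups\TEST.bak'
    WITH REPLACE,
         MOVE N'TEST_Data' TO N'D:\SQLData\TEST.mdf',
         MOVE N'TEST_Log'  TO N'D:\SQLData\TEST_log.ldf',
         STATS = 10;
GO
ALTER DATABASE TEST SET MULTI_USER;
GO

-- A restored or attached SQL 2000 database keeps compatibility level 80, so the
-- 2005 engine still runs it in 2000 mode. Raise it to 90 deliberately.
-- (sp_dbcmptlevel is the SQL 2005 way; ALTER DATABASE ... SET COMPATIBILITY_LEVEL
-- only arrived in SQL 2008.)
SELECT name, compatibility_level FROM sys.databases WHERE name = N'TEST';
EXEC sp_dbcmptlevel N'TEST', 90;
GO

USE TEST;
GO
-- Page and row counts carried over from 2000 can be wrong in the 2005 catalog;
-- fix them before trusting them, then verify the database is consistent.
DBCC UPDATEUSAGE (N'TEST') WITH NO_INFOMSGS, COUNT_ROWS;
DBCC CHECKDB (N'TEST') WITH NO_INFOMSGS;
GO
-- Tables that came across empty sort to the top of this list.
SELECT t.name AS table_name, SUM(p.rows) AS row_count
FROM sys.tables AS t
JOIN sys.partitions AS p
  ON p.object_id = t.object_id AND p.index_id IN (0, 1)
GROUP BY t.name
ORDER BY row_count;
GO

-- Refresh statistics before comparing CPU with the old server; the 2005
-- optimiser chooses differently from stale 2000-era statistics.
EXEC sp_updatestats;
GO
```

    Keep a CPU figure taken after sp_updatestats and at compatibility level 90 as the baseline; a number taken straight after the restore measures the 2005 engine running 2000 plans against stale statistics, which is not the comparison the upgrade is supposed to answer.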

    Wednesday, 19 April 2006

    More unencrypted user data stolen


    And yet again, more personal financial user data was stolen. This time it was from a company named Regulus Integrated Solutions that was hired to take care of Wells Fargo's monthly statements. Customers sued, but since the user data has not been exploited (yet) they lost. Hmmm... I wonder if the customers' "fear, anxiety and worry" could have been alleviated with use of encryption by Regulus?


    Driven by newtelligence dasBlog 1.8.5223.2