Tuesday, June 22, 2010

Web Application Security Test

Web Application Security Test

Definition: Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize the likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an integral part of the design process.

Following are different tests to check the application security.

Data injection and manipulation attacks.
1. Reflected cross site scripting. (XSS).
2. Persistent XSS.
3. Cross site request forgery.
4. SQL Injection.
5. Blind SQL injection.
6. Buffer overflows.
7. Integer overflows.
8. Log injection.
9. Remote file include (RFI) injection.
10. Server side include (SSI) injection.
11. Operating command injection.
12. Local file include (LFI)
13. Parameter Redirection.
14. Auditing of redirect chains.

Sessions and authentications
1. Session strength.
2. Authentication attack.
3. Insufficient authentication.
4. Insufficient session expiration.

Server and general HTTP
1. AJAX auditing.
2. FLASH analysis.
3. HTTP header auditing.
4. Detection of client side technologies.
5. Secure sockets layer (SSL) certificate issues.
6. SSL protocol supported.
7. SSL ciphers supported.
8. Server misconfiguration.
9. Directory indexing and enumeration.
10. Denial of service.
11. HTTP response splitting.
12. Windows 8.3 file name.
13. DOS device handle DoS.
14. Canonicalization attacks.
15. URL redirection attack.
16. Password auto complete.
17. Custom fuzzing.
18. Path Manipulation - traversal.
19. Path truncation.
20. WebDEV auditing.
21. Web services auditing.
22. File enumeration.
23. Information disclosure.
24. Directory and path traversal.
25. Spam gateway detection.
26. Brute force authentication attack.
27. Known application and platform vulnerabilities.
Source: HP WebInspect.

One of the best site for understanding different threats, select this link.

List of tools available in the market.
OWASP Security Testing Tools Listing
HP WebInspect
IBM Rational AppScan
SecPoint Penetrator 
Fortify 360
OWASP Security Testing Tools 
Retina Web Security Scanner 
Nikto Scanner
Acunetix Web Vulnerability Scanner 
Defensics Core Internet Test Suite
Perimeter Check
Core Impact Pro
C5 Compliance Platform 
SecurityMetrics Appliance
Security Center
Qualys Free Security Scans
Qualys Guard 
PatchLink Scan 
NMap Network Mapper -
NetIQ Security Analyzer
CERIAS Security Archive
StopBadware Vulnerability Scanner list


Friday, June 18, 2010

Performance Testing Configuration or Setup

Performance Testing Configuration or Setup.

Every organization has different configuration setup for conducting load tests, it is based on tool selected, hardware requirements, number of virtual users required etc.

I have classified the configurations into 7 types, I will explain those details below.

(1)In-House mean, you are hosting the server in your premises or through external dedicated servers, where physical hardware is in you control (Datacenter).
(2) Real or Remote users mean, actual users accessing the application through internet(Firewall) after deploying into production environment.
(3) Configuration or setup mean, conducting the tests based on the design and publishing the results.
(4) Standard server setup will have load balancer, web server(s), application server, DB server, Firewall.
(5) Cloud mean, Cloud computing.

I would like you to read following links, before reading the remaining presentation.

Performance Testing - On LAN and over the Internet (WAN).

What is cloud load testing?

I want to basically explain if the path of IP packets during testing and production is not the same, then users experience different response time.

Configuration - A
We have load test and server setup in the premises.
When real (or remote) users start accessing the site, application performance will not be as expected, as we have not tested the firewall, bandwidth and IP packet effects.
For more information, read above mentioned links.

Configuration -B
We have load test and server setup in the premises.
It resembles very realistic scenario as WAN Emulation is being used. But we can't guarantee 100% expected response time, when real or remote users start accessing the application, as we have not tested the firewall and internet connection.

Configuration -C
We have load test setup on cloud and server setup in the premises.
It resembles 100% realistic scenario, we can guarantee remote users experience expected response, as we have tested the entire infrastructure.
Note: We do have issues accessing server counters, need to open ports in the firewall.

Configuration -D
We have load Generators on cloud and controller, server setup in the premises.
It resembles 100% realistic scenario, we can guarantee remote users experience expected response, as we have tested the entire infrastructure.

Configuration -E
We have load test setup in the premises and server hosted on the cloud.
As applications are hosted on the cloud, it is not a best practice to perform a load test from your premises. Sending huge number of IP packets through firewall is costly and difficult to capture server counters from the cloud.  

Configuration -F
We have controller in the premises and load generators and server hosted on the cloud.
You may have issues collecting the server counters data.

Configuration -G
We have load test setup and  server hosted on the cloud.
As applications are hosted on the cloud, it is a best practice to perform a load test. 


Monday, June 14, 2010

HP LoadRunner in the Cloud – Beta

HP LoadRunner software in the Cloud – Beta

HP announced HP LoadRunner in the Cloud, a new application performance testing offering designed to help IT organizations easily and affordably optimize their website performance for changing business demands.
HP LoadRunner, the industry’s best-selling load testing software, is now available via Amazon Elastic Compute Cloud (Amazon EC2), making performance testing accessible to businesses of all sizes. This on-demand software gives clients a flexible “pay as you go” approach for performance testing of mission-critical applications and websites.
“The rise of cloud computing has brought the promise of infinite scalability for applications, but it has also brought a new set of challenges for developers and performance testers,” said Theresa Lanowitz, founder of analyst firm voke inc. “With HP’s LoadRunner in the Cloud, businesses can test, tune, analyze and optimize applications for the cloud, enabling clients to take advantage of cloud economics with flexible, pay-as-you-go pricing.”

For more details select this link hp Performance Testing to the Cloud 

LoadRunner Cloud Beta

You need to send request to HP, beta participation is based on the approval.


Sunday, June 13, 2010

Cloud load testing

Cloud load testing.

Cloud computing is Internet-based computing, whereby shared resources, software and information, are provided to computers and other devices on-demand, like the electricity grid.

In other words implementing virtualization concept in massive scale.

1. You can easily access the cloud server using personal computer and put what ever the software you like.
2. Scalability - Increase or decrease the hardware based on the requirements. One or Two or Three or N servers available on demand.
3. Instant - You can immediately host the website.
4. Save Money - Pay for what you use.

Understanding cloud computing, cool video, worth watching it.

Some top cloud computing companies to watch.

1. Amazon Elastic Compute Cloud (Amazon EC2)
2. AT&T
3. Enomaly's Elastic Computing Platform (ECP)
4. Google
5. GoGrid
6. Microsoft
7. NetSuite
8. rackspace
9. Right Scale
10. salesforce
11. OpSource

For the past 16 years Mercury Interactive dominated the enterprise testing market with Loadrunner and QTP. Back in 1994, IT architecture was driven by client server model.

Now we are in the age of cloud computing, new generation architecture and technologies evolving faster than what we have imagined. In the testing space, after 16 years of domination, Mercury appears ready to relinquish its leadership position to a new breed of testing vendors.

What is cloud load testing? 

There are companies that can simulate load for any number of users from any part of the globe using cloud testing services.
(1) Not required to buy own internal resources (Hardware, internet connection, routers...).
(2) Realistic scenarios, load is generated from different parts of the globe, entire infrastructure get tested (gateways, firewalls, routers, servers...)
(3) There is no limit to the number of users, unlimited power. It depends on the vendor license agreement.
(4) More savings, pay for what you use, when really required.

Some of the cloud load testing service sites:
Load testing from cloud, video by Webperformance tool.
Platform Lab
Browser Mob
Load Impact
Load Strom
HP - Beta
sauce LABS

Performance Testing - On LAN and over the Internet (WAN).


Saturday, June 12, 2010

Typical performance problems.

Typical performance problems.

Source: dynaTrace


Thursday, June 3, 2010

How single Internet connection shared with multiple PCs ?

How single Internet connection shared with multiple PCs ?

Have you ever wondered how a single home or office broadband internet line connected to multiple computers. Corporate office have more than one internet connection, that acts as a backup if any of the ISP is down, it is called Multi-Homing.

It is through NAT(Network Address Translation) we are able to connect multiple PCs to a single internet connection. NAT is implemented at ISP, corperate offices, home network by using routers or Wi-Fi devices.

To understand NAT in simple way, NAT is like the receptionist in a large office managing and connecting extensions for the phone calls coming from the board number(Office telephone). Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through.

Internet has grown larger than every one has imagined, as per the recent estimate there are 100 million hosts and 350 million users activity on the internet.

So what does the size of the internet do with the NAT.

An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on a network. Basically it works just like your street address: a way to find out exactly where you are and deliver information to you. Theoretically IPv4 can have 4,294,967,296 unique addresses (2 ^ 32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into Classes and the need to set aside some of the addresses for multicasting, testing or other specific uses. 

With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed IPv6 but will take several years to implement because it requires modification of the entire infrastructure of the Internet and support (2^128) unique address.

Advantages of NAT
1. Reduce the need of public addresses.
2. Extends the longevity of IPv4 by optimizing the current number of IP addresses.
3. Adds security by blanketing an entire network to appear as a single client.

Understand, Public and Private IP by selecting this.

In internet terminology all the communications are performed using Data Packets. Each packet consist of Destination IP, Sender IP, control information and data. 
As your computer is assigned Private IP, others can't reply your request by taking "Sender IP" from the data packet that you have sent.

The NAT router translates traffic coming into and leaving the private network by storing the data inside the routing table.It basically alters the "Sender IP" address inside the data packet, in the same way it memorize and changes the inbound data packet "Destination IP" to what it has changed earlier.

IP masquerading, also called as Network address and port translation (NAPT), port address translation (PAT). 

NAT - Flash Animation Demo. (Select GREEN and RED lights at the bottom of the video on both sides).

Understand, how data packets are sent through different hots to reach the destination server.

Probably your next question would be "Bharath why are you explaining network related stuff in your blog?".
Better having knowledge on networks and protocols for a performance test engineer, so that he can trouble shoot and create better test scenarios. It would be difficult to test, if you don't understand the underlying architecture.


Wednesday, June 2, 2010

QTP - Issue while executing scripts on locked system (Ctr+Alt+Del)

QTP - Issue while executing scripts on locked system (Ctr+Alt+Del)

HP explanation for the above issue.

You may be able to start a script running, then lock your machine. However, there is no guarantee that QuickTest Professional will be able to interact with a GUI application on a locked machine. The application under test may also not function as expected when a machine is locked.

When the machine is locked, the windows operating system disables windows messages, including mouse and the keyboard messages. Some QuickTest Professional methods use these system messages to communicate and interact with the application. On a locked system, these QuickTest Professional methods are unable to replay. This is a limitation of the O/S that is preventing the QuickTest Professional script to replay in a locked mode.

However, if the application supports using events that are not windows messages (such as web events), you may have some success with replay. If any of the methods use system messages internally (i.e., in the compiled code), they will fail. Checkpoints and functions to retrieve text or other properties are likely to fail also.

If you are concerned about security, the current options would be either to keep the machine in a locked room, or remove means of interacting with the machine, such as the keyboard, and/or mouse. QuickTest Professional should still be able to replay without these devices plugged into the machine. You can also lock the keyboard and mouse from within the script.

Following are some of the solutions:

1. I prefer using Caffeine. It is a small program that prevent your PC from activating a screen saver or locking up. You can place it in the "All Programs - Start-up" so that it get activated once you start your PC.
It is light weight(11K) and free to download, attaching the link.
Download Caffeine

Double-click the downloaded file (caffeine.exe), you will notice a "Coffee Mug" icon in the Icon tray.

If you don't want Caffieine, double-click on the icon, "Coffee Mug get emptied" and deactivated.

2. If you edit the follow in the windows registry, it becomes possible for QTP to initialize a test, even though the PC is locked.
HKEY_CURRENT_USER\Software\Mercury Interactive\QuickTest Professional\MicTest and locate the key "SkipEnvironmentChecks"
SkipEnvironmentChecks must be changed from 0 to 1.
This will make QTP ignore that the pc running the test is locked.

3. Execute the following script by saving as .vbs file.

set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
if objUser.IsAccountLocked = TRUE then
  objUser.IsAccountLocked = FALSE
  WScript.Echo "Account unlocked"
  WScript.Echo "Account not locked"
end if
4. Execute the following script by saving as .vbs file through windows scheduler.

Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.SendKeys "^%{F1}"
5. Setting up a virtual machine using VMWare or VirtualBox (without a screensaver or lock password) and
install QTP within that virtual machine.
Then you can lock your workstation (maintaining any security) and
still run tests.

6. Installing Admin Pack installed for Windows XP. Admin pack basically enables the OS activites to operate independently of the ongoing process.
Thus the execution process still continues to have focus even if the system gets locked.
Microsoft Download Center Link.
(I have not tested this method)

7. Using Mouse Jiggler


PUBLIC vs PRIVATE IP and Server Details

PUBLIC vs PRIVATE IP and Server Details

To know your PUBLIC IP select the below link. Every organization has one or few public IPs, these IPs are used to connect to the internet. When you perform airline reservation or credit card transaction..., this is the IP that is recorded in their servers to trace fraudulent transactions. 
PUBLIC IP Details.

To know your PRIVATE IP type "ipconfig" in the command prompt. This IP is used to connect between the computers in the private network, it can't be used to communicate over the internet.

If your broadband IP address starts with 192.168 or 10. and you are connected directly to the broadband modem - your service provider has you behind a firewall. This is also known as having a private IP address instead of a public IP address. Most of the home broadband connections have private IP.
What The ISP is Doing ?
The ISP has probably set up a NAT router for it’s customers. This router will act as a firewall between you and the Internet. In the service provider's eyes, this keeps hackers from reaching your computer directly - a security measure. 

Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): – – –

To know a server location(place) visit this site.
IP or Server Details
Attaching the screen shot for "google.com" server location details.


Tuesday, June 1, 2010

Traceroute in Windows.

What is Traceroute in Windows ?

The traceroute utility checks how many "hops" (transfers through other computers on a network) it takes for your computer to contact another computer. You can use traceroute if you know the other computer's IP address, web site address, or name (e.g.,, www.citibank.co.in).

Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent. The first three packets sent have a time-to-live (TTL) value of one (implying that they are not forwarded by the next router and make only a single hop). The next three packets have a TTL value of 2, and so on. When a packet passes through a host, normally the host decrements the TTL value by one, and forwards the packet to the next host. When a packet with a TTL of one reaches a host, the host discards the packet and sends an ICMP time exceeded (type 11) packet to the sender, or an echo reply (type 0) if its IP address matches the IP address that the packet was originally sent to. The traceroute utility uses these returning packets to produce a list of hosts that the packets have traversed in transit to the destination. The three timestamp values returned for each host along the path are the delay (aka latency) values typically in milliseconds (ms) for each packet in the batch.

If a packet does not return within the expected timeout window, a star (asterisk) is traditionally printed. Traceroute may not list the real hosts. It indicates that the first host is at one hop, the second host at two hops, etc. IP does not guarantee that all the packets take the same route. Also note that if the host at hop number N does not reply, the hop will be skipped in the output.

At the command prompt, if you enter tracert www.citibank.co.in , you should see something similar to the following screenshot.

To reach "www.citibank.co.in" packet took  17 hops(routers).

The first column, the hop count, represents the number of stops your information has made along the route to attempt to contact the other computer. The next three columns are the round-trip times in milliseconds for three different attempts to reach the destination. The last column is the name of the host that responded to the request.

Hop 1 - - My wireless router IP.
Hop 2 - - My ISP(Airtel Broadband) local IP.
Hop 3 to 6 - My ISP(Airtel Broadband) IP.
Hop 17 - Citigroup IP.

You can also use pathping -n www.citibank.co.in

For better understanding of host details look into following sites
IP or Server Details.


Performance Testing - Three Tips.

Performance Testing - Three Tips.

Testing database-backed applications for performance can be a daunting task. The worst-case scenario: Performance testing efforts drain engineering resources and yet somehow nasty surprises still manage to pop up in production.
These three tips can help you get the most out of your application performance testing efforts.
  1. Set clear performance metrics and targets with input from business stakeholders. Ideally this should be part of the system requirements and user acceptance testing. Otherwise, without obvious targets to hit, performance testing becomes an open-ended slog that may still leave end users dissatisfied with system performance if their expectations have not been accounted for. 
  2. Don't forget the database. For Web-based transactional systems, in particular, the most common metrics are number of concurrent user sessions and response time. Applications also are frequently load-tested to check the impact of ramping up the number of concurrent sessions. However, a single user with the entire system to himself can still experience vastly different performance, depending on the amount of data already in the database. One single user transaction can be lightning fast if it's inserting into an empty table, but it degrades as the table grows to thousands or millions of records. So, performance requirements should also include metrics for expected data sizing, and this sizing should be incorporated in the test environment.  
  3. Don't over design for performance. Some consideration needs to be given to scalability when sizing the initial architecture and making hardware purchases, of course, but there's only so much you can optimize on a system that hasn't been built yet. Get feedback from real users to figure out which parts of the system are most frequently used so you don't waste time optimizing rarely used features. Also, performance tweaks often carry some tradeoffs, such as readability and maintainability, so you need some baseline performance metrics to make good decisions. Don't make big design sacrifices for small optimizations.  

Performance Testing ?

What is performance testing ?

Performance testing is the process of determining the speed or effectiveness of a computer, network, software program or device. This process can involve quantitative tests done in a lab, such as measuring the response time or the number of MIPS (millions of instructions per second) at which a system functions. Qualitative attributes such as reliability, scalability and interoperability may also be evaluated. Performance testing is often done in conjunction with stress testing.
Performance testing can verify that a system meets the specifications claimed by its manufacturer or vendor. The process can compare two or more devices or programs in terms of parameters such as speed, data transfer rate, bandwidth, throughput, efficiency or reliability.
Performance testing can also be used as a diagnostic aid in locating communications bottlenecks. Often a system will work much better if a problem is resolved at a single point or in a single component. For example, even the fastest computer will function poorly on today's Web if the connection occurs at only 40 to 50 Kbps (kilobits per second).
Slow data transfer rate may be inherent in hardware but can also result from software-related problems, such as:
Effective performance testing can quickly identify the nature or location of a software-related performance problem.

Performance Testing - On LAN and over the Internet (WAN).

What is cloud load testing?