
Thursday, 30 October 2014

You can use the Create Application Entry Point wizard in the Customer Information Control System (CICS) Explorer to define an application entry point. An application entry point can apply to the whole application or to a specific application operation. Each entry point is declared on a resource together with an operation name, and entry points can be defined only on a subset of CICS resource types.

CICS
Customer Information Control System (CICS) is a transaction server that runs primarily on IBM mainframe systems under z/OS or z/VSE. CICS is middleware designed to support rapid, high-volume online transaction processing.
The resource named by an application entry point does not have to be defined in the same CICS bundle project as the entry point itself. CICS adds the application operation to the specified resource when the application bundle is installed.
When a task that has no application context calls a resource that has an application entry point, CICS creates an application context that becomes associated with the task, and with any subsequent programs it calls or tasks it initiates. The application context identifies the platform, the application, the application version and the operation. You can use the application context information for the following purposes:
Ø  Monitoring and measuring how much resource an application, or a specific application operation, is using across CICS regions and multiple tasks.
Ø  Applying policy to the tasks that are part of an application, defining threshold conditions to control the behaviour of those tasks.
Ø  Using the information with transaction tracking in CICS Explorer to quickly identify and diagnose application-related problems.

Procedure to create an application entry point
1.       Expand the CICS bundle project and its META-INF folder.
2.       Open the cics.xml file to display the CICS bundle manifest editor.
3.       Click the Entry Points tab to open the list of application entry points for the bundle.
4.       Click Add to define an application entry point for the application. The Create Application Entry Point wizard opens.
·         Enter the name of the application operation.
·         Verify the resource type.
·         Enter the name of the CICS resource.

5.       Click OK to save the application entry point.

Wednesday, 29 October 2014

Administrator interfaces may be present in the application and on the application server to allow certain users to perform privileged activities on the site. Tests should be undertaken to reveal whether, and how, this privileged functionality can be accessed by an unauthorized or standard user.
An application may need an administrator interface to enable a privileged user to access functionality that changes how the site operates. Such changes may involve:

1.       User account provisioning
2.       Site design or layout
3.       Data extraction
4.       Configuration changes

The Admin Interface (MarkLogic Server's, in the example below) supports tasks such as the following:

1.       Create or configure groups.
2.       Handle basic software configuration.
3.       Create or manage new forests.
4.       Create or manage databases.
5.       Back up or restore forest content.
6.       Create and manage security configurations.
7.       Configure namespaces and schemas.
8.       Tune system performance.
9.       Check the status of resources on your systems.

Accessing Admin Interface:

Only an authorized administrator can log in to the Admin Interface. An authorized administrator is a user who has the admin role. Authorized administrators have access to all administrative actions in MarkLogic Server; they are therefore trusted personnel who are assumed to be non-hostile, appropriately trained, and to follow proper administrative procedures.

How to Test:

Gray Box Testing:

More detailed examination of the server and application components should be undertaken to ensure hardening and, where applicable, to verify that no component uses default credentials or default configurations.
Source code should be reviewed to ensure that the authorization and authentication model enforces a clear separation of duties between normal users and site administrators.
User interface functions shared between normal and administrator users should be reviewed to ensure a clear separation in how such elements are rendered, so that no information about the administrative functionality leaks through the shared code.

Black Box Testing:

The following vectors may be used to test for the presence of administrative interfaces.
1.       Several tools are available to brute-force server contents.
2.       Comments and links in source code. Many web sites use common code that is loaded for every site user, and it may reference the administrative pages.
3.       Directory and file enumeration. An administrative interface may be present but not visibly linked for the tester.
4.       Publicly available information. Many applications, such as WordPress, have well-known default admin interfaces.

5.       A GET or POST parameter, or a cookie variable, may be all that is required to enable the administrator functionality.
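As an added illustration of vector 5 (a parameter or cookie that switches on administrator functionality) and of the gray-box point that shared UI code must not leak privileged elements, here is a constructed Python model that is not part of the original post. `make_request`, `is_admin_vulnerable`, `is_admin_hardened`, `render_nav` and the `SESSIONS` table are all assumptions made for this example; no web framework is involved.

```python
# Constructed, framework-free model of an HTTP request: a dict with cookies and query params.
def make_request(cookies=None, params=None):
    return {"cookies": dict(cookies or {}), "params": dict(params or {})}


def is_admin_vulnerable(request):
    """Before: the privilege decision is taken from client-controlled input.
    Anyone who sets the cookie admin=1 or adds ?admin=true reaches the admin UI."""
    if request["cookies"].get("admin") == "1":
        return True
    return request["params"].get("admin", "").lower() == "true"


# Server-side session store keyed by an opaque session id (constructed sample data).
SESSIONS = {
    "s-alice": {"user": "alice", "roles": {"user"}},
    "s-bob": {"user": "bob", "roles": {"user", "admin"}},
}


def is_admin_hardened(request):
    """After: the role comes only from the server-side session bound to the session id
    cookie. Client-supplied 'admin' fields are never consulted."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    return session is not None and "admin" in session["roles"]


def render_nav(request, is_admin):
    """Shared UI code: administrative entries are not emitted at all for normal users,
    so nothing about the admin interface leaks through hidden links or HTML comments."""
    items = ["Home", "Profile"]
    if is_admin(request):
        items += ["Admin: users", "Admin: configuration"]
    return items


if __name__ == "__main__":
    forged = make_request(cookies={"admin": "1"}, params={"admin": "true"})
    print("vulnerable check grants forged request:", is_admin_vulnerable(forged))
    print("hardened check grants forged request:", is_admin_hardened(forged))
    print("nav for real admin:", render_nav(make_request(cookies={"sid": "s-bob"}), is_admin_hardened))
```

The gray-box review described above is looking for exactly the difference between the two checks: the hardened version derives privilege from state the client cannot write, and the navigation code never renders administrative elements for a normal user rather than merely hiding them.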

Tuesday, 28 October 2014

Meaning of RIA

RIA stands for Rich Internet Application: a web application that delivers much of the functionality of a desktop application through a browser plug-in or runtime such as Adobe Flash, Java or Silverlight.

What is cross-domain policy?

A cross-domain policy is a file that specifies the permissions a web client such as Adobe Flash or Java uses when accessing information across different domains. Microsoft Silverlight adopted a subset of Adobe's crossdomain.xml and additionally created its own cross-domain policy file, clientaccesspolicy.xml.
Whenever a web client finds that a resource has to be requested from another domain, it first looks for a policy file on the target domain to determine whether cross-domain requests, including headers and socket-based connections, are allowed.
Master policy files are located at the domain's root. A client may be instructed to load another policy file, but it always checks the master policy file first to ensure that the master policy permits the requested policy file.

To use a clientaccesspolicy.xml file to allow cross-domain access
1.       Develop a service that enables access by a Silverlight client.
2.       Create a clientaccesspolicy.xml file that allows access to the service.
3.       Save the clientaccesspolicy.xml file to the root of the domain where the service is hosted.
4.       Test that access is enabled by invoking the service from another domain.

To use a crossdomain.xml file to allow cross-domain access

1.       Create a service that enables access by a Silverlight client.
2.       Create a crossdomain.xml file that holds the required configuration. The file must be configured to allow access to the service from any other domain, otherwise it is not recognized by Silverlight 4.
3.       Save the crossdomain.xml file to the root of the domain where the service is hosted.
4.       Test that access is enabled by invoking the service from another domain.

How to test:

Testing for RIA policy files:
To test for RIA policy file weaknesses, the tester should try to retrieve the policy files "crossdomain.xml" and "clientaccesspolicy.xml" from the application's root and from every folder found.

After retrieving each policy file, the permissions granted should be checked against the least privilege principle. Requests should only be allowed from the ports, domains and protocols that are essential. Overly permissive policies should be avoided, and policies containing the wildcard "*" should be closely examined.
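To make the least-privilege review concrete, here is an added Python audit that is not part of the original post. It parses constructed sample crossdomain.xml and clientaccesspolicy.xml bodies (the `PERMISSIVE_CROSSDOMAIN`, `RESTRICTED_CROSSDOMAIN` and `PERMISSIVE_CLIENTACCESS` strings are made up for this example) and reports the entries a reviewer would flag: the wildcard "*", `secure="false"`, `site-control` set to "all", arbitrary request headers, and a grant covering the whole site. `audit_crossdomain` and `audit_clientaccesspolicy` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an overly permissive crossdomain.xml (Flash/Flex master policy file).
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same policy restricted to one partner origin over HTTPS only.
RESTRICTED_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: a permissive Silverlight clientaccesspolicy.xml.
PERMISSIVE_CLIENTACCESS = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings for a crossdomain.xml body; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control permits policy files anywhere on the host ('all')")
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' grants every origin access")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard subdomain {domain!r}; confirm every subdomain is trusted")
        # secure defaults to true when the policy is served over HTTPS; an explicit false
        # lets HTTP-loaded content read HTTPS responses.
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from {domain!r} has secure='false'")
        if el.get("to-ports") == "*":
            findings.append(f"allow-access-from {domain!r} allows socket connections to every port")
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers")
    return findings


def audit_clientaccesspolicy(xml_text):
    """Return a list of findings for a Silverlight clientaccesspolicy.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for dom in policy.iter("domain"):
            if dom.get("uri") == "*":
                findings.append("domain uri='*' grants every origin access")
        for allow in policy.iter("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append("allow-from permits arbitrary request headers")
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                findings.append("grant-to exposes the entire site (path='/' with include-subpaths)")
    return findings


if __name__ == "__main__":
    for name, text in [("permissive crossdomain.xml", PERMISSIVE_CROSSDOMAIN),
                       ("restricted crossdomain.xml", RESTRICTED_CROSSDOMAIN)]:
        print(name, audit_crossdomain(text))
    print("permissive clientaccesspolicy.xml", audit_clientaccesspolicy(PERMISSIVE_CLIENTACCESS))
```

Feed each retrieved file body to the matching function; the restricted sample shows what a policy that survives the review looks like, namely one named origin, HTTPS only, and the master policy forbidding stray policy files elsewhere on the host.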

Wednesday, 22 October 2014

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
The HSTS policy is communicated by the server to the user agent through an HTTP response header field named "Strict-Transport-Security". The policy specifies the period of time during which the user agent shall access the server in a secure-only manner.
HSTS mechanisms:
Servers implement an HSTS policy by supplying the header over HTTPS connections. A complying user agent then:
1.       Automatically turns any insecure links referencing the web application into secure links.
2.       If the security of the connection cannot be ensured, shows an error message and does not allow the user to access the web application.

Limitations:

The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the URL for the initial request was obtained over an insecure channel. The same applies to the first request made after the activity period specified in the advertised HSTS policy's max-age. Google Chrome and Mozilla Firefox address this limitation by implementing an "HSTS preload list", a built-in list of known sites that support HSTS. A possible solution might be to use Domain Name System (DNS) records to declare the HSTS policy and to access them securely via DNSSEC, optionally with certificate fingerprints to ensure authenticity.

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions: a set of extensions to DNS that let a resolver verify that a DNS response was signed by the zone owner and was not altered in transit.

To test manually, access the web site by typing its URL with a plain http scheme, for example "http://abc.com", in the browser's URL bar. If you are able to access the web site over HTTP, HSTS is not enabled. When HSTS is enabled, the browser always communicates with the server over HTTPS.

This can also be tested using curl.

1.       Download curl from the internet and install it on your PC.
2.       Open a command prompt window as administrator.
3.       Execute the command.

The "Strict-Transport-Security: max-age=xxxxxx" header will be present in the response if HSTS is enabled.
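As an added example (not from the original post), the following Python evaluates a captured Strict-Transport-Security header the way the manual and curl checks above would, and also covers two cases those checks miss: a header served only over plain HTTP, which browsers ignore, and a max-age too short to be useful. The `RESPONSES` dictionary is constructed sample data and `parse_hsts` / `evaluate_hsts` are names chosen for this example; the directive syntax follows RFC 6797.

```python
# Constructed sample responses (scheme plus response headers only), not captured from any real host.
RESPONSES = {
    "good": {"scheme": "https",
             "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}},
    "short": {"scheme": "https",
              "headers": {"Strict-Transport-Security": "max-age=600"}},
    "http_only": {"scheme": "http",
                  "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    "missing": {"scheme": "https",
                "headers": {"Content-Type": "text/html"}},
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a {directive: value} dict.
    Directive names are case-insensitive; valueless directives map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(response, min_max_age=31536000):
    """Return (enabled, notes). enabled is True only when a browser would actually honour the
    policy; notes list the weaknesses found. min_max_age defaults to one year, the value
    required for inclusion in the browser preload list."""
    headers = {k.lower(): v for k, v in response["headers"].items()}
    value = headers.get("strict-transport-security")
    if value is None:
        return False, ["no Strict-Transport-Security header: HSTS is not enabled"]
    # RFC 6797 section 8.1: a UA MUST ignore the header when received over insecure transport.
    if response["scheme"] != "https":
        return False, ["header sent over plain HTTP is ignored by browsers; it must be delivered over HTTPS"]
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        return False, ["max-age directive missing or not a number; policy is invalid"]
    max_age = int(d["max-age"])
    if max_age == 0:
        return False, ["max-age=0 tells browsers to forget the host's HSTS policy"]
    notes = []
    if max_age < min_max_age:
        notes.append(f"max-age={max_age} is shorter than the recommended minimum of {min_max_age} seconds")
    if "includesubdomains" not in d:
        notes.append("includeSubDomains absent: subdomains remain reachable over HTTP")
    if "preload" not in d:
        notes.append("preload absent: the very first visit is unprotected until the header has been seen")
    return True, notes


if __name__ == "__main__":
    for name, response in RESPONSES.items():
        print(name, evaluate_hsts(response))
```

The scheme field matters: a `curl -I` against the http:// URL may show the header if the server emits it unconditionally, but that response proves nothing, because the browser discards HSTS received over HTTP; only the HTTPS response counts.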

Tuesday, 21 October 2014

HTTP stands for Hyper Text Transfer Protocol; it defines a number of methods that can be used to perform actions on the web server. Several of these methods are designed to help developers in deploying or testing HTTP applications. These HTTP methods can be used for malicious purposes if the web server is misconfigured. Additionally, Cross Site Tracing, a form of cross site scripting that uses the server's HTTP TRACE method, is examined.
While GET and POST are by far the most common methods used to retrieve information provided by a web server, HTTP allows several other methods.
HTTP defines the following methods:
Ø  HEAD
Ø  GET
Ø  POST
Ø  TRACE
Ø  PUT
Ø  DELETE
Ø  OPTIONS
Ø  CONNECT
Some methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server or, in some scenarios, steal the credentials of legitimate users. More particularly, the methods that should be disabled are the following:

1.       PUT:
This method allows a client to upload new files to the web server. An attacker can abuse it by uploading malicious files.

2.       DELETE:
This method allows a client to delete files on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS (Denial of Service) attack.

3.       CONNECT:
This method allows a client to use the web server as a proxy.

4.       TRACE:
This method, though generally assumed harmless, can be used to mount an attack known as "Cross Site Tracing".

How to test?

To perform the test, the tester needs some way to find out which HTTP methods are supported by the web server being examined. The OPTIONS HTTP method provides the tester with the most direct and effective way to do that.

Testing for XST potential

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered in 2003 in an attempt to bypass the HttpOnly flag that Microsoft introduced in Internet Explorer to protect cookies from being accessed by JavaScript.

Testing for arbitrary HTTP methods

Find a page to visit that has a security constraint such that it would normally redirect to a login page or force a login directly.
If the tester feels that the system is vulnerable to this issue, they can attempt to exploit it further:
·         JEFF /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123
·         FOOBAR /admin/createUser.php?member=myAdmin
·         CATS /admin/groupEdit.php?group=Admins&member=myAdmin&action=add

Testing for HEAD access control bypass
Find a page to visit that has a security constraint such that it would normally redirect to a login page or force a login directly.
If the tester thinks that the system is vulnerable to this issue, they can attempt to exploit it further:
·         HEAD /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123
·         HEAD /admin/createUser.php?member=myAdmin
·         HEAD /admin/groupEdit.php?group=Admins&member=myAdmin&action=add
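The two bypasses above share one root cause: an authorization check that is applied per method instead of per resource. The following added Python example, which is not from the original post, shows both halves of the test from the defender's side: `assess_allowed_methods` interprets an OPTIONS response's Allow header, and `vulnerable_dispatch` / `hardened_dispatch` model a routing layer before and after the fix. The `/admin/` prefix, the session dict, the status codes and all function names are assumptions made for this example.

```python
# Why each of the four methods discussed above should be disabled on a production web server.
RISKY_METHODS = {
    "PUT": "lets a client upload new files to the web server",
    "DELETE": "lets a client delete files on the web server",
    "CONNECT": "lets a client use the web server as a proxy",
    "TRACE": "enables Cross Site Tracing (XST) against logged-in users",
}


def parse_allow_header(value):
    """Split an OPTIONS response 'Allow' header such as 'GET, HEAD, POST, TRACE' into method names."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def assess_allowed_methods(allow_value):
    """Map each risky method advertised in the Allow header to the reason it should be disabled."""
    return {m: RISKY_METHODS[m] for m in parse_allow_header(allow_value) if m in RISKY_METHODS}


ADMIN_PREFIX = "/admin/"          # constructed: the protected area of the toy application
SAFE_METHODS = ("GET", "HEAD", "POST")


def vulnerable_dispatch(method, path, session):
    """Before: the login redirect is applied only to GET and POST, so a HEAD request or an
    arbitrary verb such as 'JEFF' falls through to the protected handler (the bypass tested above).
    Returns the HTTP status the toy server would send."""
    if method in ("GET", "POST") and path.startswith(ADMIN_PREFIX) and session.get("role") != "admin":
        return 302  # redirect to the login page
    return 200      # handler runs


def hardened_dispatch(method, path, session):
    """After: unknown verbs are rejected before routing, and the authorization check does not
    depend on the method at all."""
    if method not in SAFE_METHODS:
        return 405  # Method Not Allowed
    if path.startswith(ADMIN_PREFIX) and session.get("role") != "admin":
        return 302
    return 200


if __name__ == "__main__":
    print(assess_allowed_methods("GET, HEAD, POST, OPTIONS, TRACE, PUT"))
    anonymous = {}
    for verb in ("GET", "HEAD", "JEFF"):
        print(verb, "before:", vulnerable_dispatch(verb, "/admin/changePw.php", anonymous),
              "after:", hardened_dispatch(verb, "/admin/changePw.php", anonymous))
```

Note that in the hardened version HEAD is still permitted (it is part of normal HTTP) but it receives the same 302 as GET on a protected path, which is the behaviour the HEAD access control test expects to see.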

Monday, 20 October 2014

The following points help you obtain information about the performance of your web server using LoadRunner's Web Resource monitor:
About Web Resource Monitoring
Hits per Second Graph
Throughput Graph
HTTP Responses per Second Graph
Pages Downloaded per Second Graph
Retries per Second Graph
Connections Graph
Connections per Second Graph
SSLs per Second Graph

What is Web Resource Monitoring?
The Web Resource monitor enables you to analyze the throughput on the web server, the number of hits per second that occurred during the scenario, the number of HTTP responses per second, the HTTP status codes returned by the web server, the number of downloaded pages per second, the number of server retries per second, the number of open TCP/IP connections, the number of new TCP/IP connections per second, and the number of SSL connections per second.

Hits per Second Graph
The Hits per Second graph displays the number of hits on the web server as a function of elapsed time in the scenario. This graph can show the whole step, or the last 60, 180, 600 or 3600 seconds. You can compare this graph to the Transaction Response Time graph to see how the number of hits affects transaction performance.

Throughput Graph
The Throughput graph shows the amount of throughput on the web server during every second of the scenario run. Throughput is measured in bytes and represents the amount of data that users received from the server at any given second. You can compare this graph to the Transaction Response Time graph to see how the throughput affects transaction performance.

Retries per Second Graph
The Retries per Second graph displays the number of attempted web server connections as a function of elapsed time in the scenario. A server connection is retried when the initial connection was unauthorized, when proxy authentication is required, when the initial connection was closed by the server, when the initial connection to the server could not be made, or when the server was initially unable to resolve the load generator's IP address.

Connections Graph
The Connections graph displays the number of open TCP/IP connections at each point in time of the scenario. One HTML page may cause the browser to open several connections when links on the page go to different web addresses. Two connections are opened for each web server. This graph is useful for indicating when additional connections are needed.

Connections per Second Graph
The Connections per Second graph displays the number of new TCP/IP connections opened, and the number of connections that are shut down, during every second of the scenario. This number should be a small fraction of the number of hits per second, because a new TCP/IP connection is very expensive in terms of server, router and network resource consumption. Ideally, many HTTP requests should reuse the same connection instead of opening a new connection for every request.

Secure Sockets Layer (SSL) connections per second
The number of SSL connections opened per second; an SSL connection is opened after the TCP/IP connection. SSL connections have heavy resource consumption. If you select "simulate a new user at every iteration", there should not be more than one SSL connection per second.
What is a Network Map?
A network map is a visualization of the devices on a network, their interrelationships, and the transport layers providing network services. In practice, a network map is a single tool that provides network users, managers, administrators and IT personnel with a better understanding of network performance, specifically concerning data bottlenecks and the associated root cause analysis.

What is Application Architecture?
In information systems, application architecture is one of several architecture domains that form the pillars of enterprise architecture and solution architecture.
The different elements that make up the infrastructure need to be determined in order to understand how they interact with a web application and how they affect its security. In fact, it takes only one vulnerability to undermine the security of the whole infrastructure, and even small and seemingly unimportant problems may evolve into severe risks for another application on the same server.

How to test the network map or application architecture
The application architecture needs to be mapped through some test to determine what different components are used to build the web application. In more complex setups, such as an online banking system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server, a database server and a Lightweight Directory Access Protocol (LDAP) server. The tester then uses the information retrieved from other tests to derive the different elements, question these assumptions and extend the architecture map.

Such an architecture builds different demilitarized zones (DMZs) so that access to the web server does not give a remote user access to the authentication mechanism itself, and so that compromises of the different components of the architecture can be isolated and do not compromise the entire architecture. Getting knowledge of the application architecture can be easy if this information is provided to the testing team by the application developers in document form or through interviews, but it can also prove to be very difficult.

Components of the application and network map

What is a Component?
A component is an object that contains code to manipulate data from one form to another, and which provides access to that code through a well-specified set of publicly available services. The key characteristic of a component is that when it is built for use, the code for the element, as well as the data associated with the element, are packaged together.

CLB:
CLB stands for Component Load Balancing; it allows multiple application servers to provide the same COM+ objects for use in an application. When such an object is required, the creation request is sent first to the CLB server, which then redirects the request to an appropriate application server based on specific criteria.

IMDB:
IMDB stands for "In-Memory Database Support"; it is a transient, transactional, database-style cache that resides in RAM and provides extremely fast access to data on the machine on which it resides.

Queued Components:
Queued Components combine the features of COM+ with message queuing to provide a way to invoke and execute components asynchronously. Processing can occur without regard to the availability or accessibility of either the sender or the receiver. When a client calls a queued component, the call is made to the Queued Components Recorder (QCR), which packages it as part of a message to the server and puts it in a queue.

Object Pooling:
Object pooling is an automatic service provided by COM+ that enables you to have instances of a component kept active in a pool, ready to be used by any client that requests the component. While the application is running, COM+ manages the pool, handling the details of object activation and reuse according to the criteria you have set.

Thursday, 16 October 2014

Posted by Sandeep kr | 02:13
What is fingerprinting?

Fingerprinting is the most common first activity for attackers: footprinting the target's web presence and enumerating as much information as possible. With this information, the attacker can develop an accurate attack scenario that will effectively exploit a vulnerability in the software type and version being used by the target host.

Fingerprinting the Web Server:
Web server fingerprinting is a critical task for the penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. Today there are many different vendors and versions of web servers on the market. Knowing the type of web server being tested significantly helps in the testing activity and can also change the flow of the test. This information can be derived by sending the web server specific commands and analyzing the output, as each version of web server software may respond differently to these commands.

Objective of testing the web server:
Find out the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing.

How to fingerprint a web server:

Black Box testing:
The simplest and most basic form of identifying a web server is to look at the Server field in the HTTP response header.

Protocol Behavior:
More refined techniques take into consideration the various characteristics of the several web servers available on the market, such as differences in how they order headers or respond to malformed requests.

How to use Automated Testing for web server fingerprinting:
Rather than relying on manual banner grabbing and analysis of the web server headers, a tester can use tools to achieve the same result. There are various tests to carry out in order to accurately fingerprint a web server, and some tools automate these tests. "httprint" is one such tool. httprint uses a signature dictionary that allows it to identify the type and version of the web server in use.

Fingerprinting Methodologies:
Some fingerprinting methodologies are given below:
1.       Identifying the Web Server Version.
2.       Identifying the Web Services Technologies.
3.       Identifying the Backend Database Version.
4.       Identifying the Web Application Software.
5.       Identifying the Web Architecture and Topology.

Identifying the Web Server Version:
1.       Implementation differences in the Hyper Text Transfer Protocol.
2.       Reviewing server banner information.

3.       Error pages.
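The black-box step above (read the Server field) has an obvious defensive counterpart: make sure the headers you serve do not disclose a version. The following added Python example, which is not from the original post, does both: `fingerprint_from_headers` shows what a tester learns from response headers alone, and `assess_banner_leakage` lists the headers an operator should trim before release. The `VERBOSE_HEADERS` and `MINIMAL_HEADERS` dictionaries are constructed sample data, not captured from any real host, and the function names are this example's own.

```python
import re

# Headers that commonly disclose the server stack; a tester reads these first, so a
# defender should make sure they carry no version detail.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

# Constructed sample response headers, not captured from any real host.
VERBOSE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9",
    "Content-Type": "text/html",
}
MINIMAL_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
}


def fingerprint_from_headers(headers):
    """Black-box view: the (header, product, version) triples a tester learns from the headers
    alone. version is None when the header names a product without a version number."""
    found = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in DISCLOSING_HEADERS:
        value = lower.get(name.lower())
        if value is None:
            continue
        tokens = value.split("/")[0].split()
        product = tokens[0] if tokens else ""
        match = VERSION_RE.search(value)
        found.append((name, product, match.group(0) if match else None))
    return found


def assess_banner_leakage(headers):
    """Defender's check: which headers should be trimmed or removed before release."""
    findings = []
    for name, product, version in fingerprint_from_headers(headers):
        if version:
            findings.append(f"{name} discloses {product} version {version}; strip the version string")
        elif name != "Server":
            findings.append(f"{name} discloses {product}; clients do not need this header")
    return findings


if __name__ == "__main__":
    print("tester sees:", fingerprint_from_headers(VERBOSE_HEADERS))
    print("to fix:", assess_banner_leakage(VERBOSE_HEADERS))
    print("after hardening:", assess_banner_leakage(MINIMAL_HEADERS))
```

Removing the version string does not defeat fingerprinting entirely (the protocol-behaviour techniques above still work), but it removes the cheapest signal and forces a tester, or an attacker, to do more work.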

Wednesday, 15 October 2014

Definition of Security testing

Security testing is the process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system completely satisfies its security requirements.

Definition of Ethical hacking
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.

Definition of Unethical hacking:
People steal information for their own personal gain all the time. This is a very dangerous and serious issue, because almost every user faces this kind of trouble. It mostly involves credit card information and identity theft: people stealing information purely for their own personal profit.

Difference between Ethical Hacking and Unethical Hacking

Ethical hacking:

Ethical hacking, often performed by "white hats" or skilled computer experts, is the use of computer programming skills to determine vulnerabilities in computer systems. White hats can work in a variety of ways. The work of ethical hackers is still considered hacking because it uses knowledge of computer systems in an attempt to penetrate or crash them in some manner. In companies and organizations, the vulnerabilities (loopholes) found in this way are then closed, for example by putting a firewall in place.

Unethical hacking:

The unethical hacker, or "black hat", exploits these vulnerabilities for mischief, personal profit or other reasons. Whether black hat hacking is treated as a criminal matter depends on its severity; the argument on this issue points to a clear conclusion.

Classification of hackers:

There are two types of hackers, dealing in ethical and unethical hacking respectively:

The White hat hacker:

This kind of hacker provides security for the cyber world. They are quite simply non-malicious. Normal users generally call them ethical hackers.

The Black hat hacker:
When we speak of a real hacker in the sense of unethical hacking, we mean the black hat hacker. A black hat hacker is a person who tries to find computer security vulnerabilities and exploit them for personal financial profit, for compromising the security of major systems, or for other malicious reasons, such as shutting down or altering the functions of websites and networks.

Thursday, 9 October 2014

Boundary Value Analysis (BVA) is a software testing technique used to create test cases for a required input field; in other words, BVA is used for test case design at the border between the valid partition and the invalid partitions. BVA is also a part of stress and negative testing. Boundary values are the border values, i.e. the minimum and maximum values. For example, an address text box accepts 500 characters; creating a test case for each possible length would be very difficult to design, so here we use the BVA technique and take the boundary values. Another example is a login form whose user name and password fields accept a minimum of 8 and a maximum of 12 characters: the valid range is 8-12, and the invalid boundary values just outside it are 7 and 13. Most importantly, it is used for black box testing.

Many application errors occur at the boundaries. The boundary value analysis technique is used to find errors at the boundaries rather than those that occur in the middle of the input range. Where a boundary value is taken from the invalid partition, the test case is designed to ensure that the software component handles the value in a controlled manner. Boundary value analysis is used throughout the testing cycle and is equally applicable in all testing phases. We cannot test all possible input domain values, because if we tried to cover them all the number of test cases would become enormous. In this method, the input data is partitioned into different parts, each part giving an input range from an equivalence class; then one input is selected from each partition. So this technique is used to reduce a large number of test cases to a minimum number, while ensuring that the selected test cases are effective and cover the whole scenario.
Benefits of Boundary Value Analysis:
1.    It reduces the number of test cases for a tester.
2.    It is used for black box testing.
3.    It is used to find the bugs that occur at the boundaries rather than those in the centre.
4.    It gives a technique in which the input domain is divided into different classes and each class is selected for testing, so we can easily find the bugs.
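To show the 8-to-12 character example in working code, here is an added Python example that is not part of the original post: `boundary_values` derives the six BVA test points for a closed integer range, and `run_bva` runs them against a validator and reports every length at which the validator disagrees with the specification. `buggy_password_ok` contains a constructed off-by-one defect of the kind BVA is meant to catch; all names are this example's own.

```python
def boundary_values(lo, hi):
    """BVA test points for the closed integer range [lo, hi]: the value just outside each
    boundary, the boundary itself, and the value just inside it."""
    return sorted({lo - 1, lo, lo + 1, hi - 1, hi, hi + 1})


def expected_valid(n, lo, hi):
    """The specification: a length is valid exactly when it lies within [lo, hi]."""
    return lo <= n <= hi


def buggy_password_ok(pw):
    """Constructed defect: strict comparisons reject the boundary lengths 8 and 12."""
    return 8 < len(pw) < 12


def fixed_password_ok(pw):
    """Corrected validator that matches the 8-12 character specification."""
    return 8 <= len(pw) <= 12


def run_bva(validator, lo, hi):
    """Return the input lengths at which the validator disagrees with the specification.
    An empty list means every boundary test case passed."""
    failures = []
    for n in boundary_values(lo, hi):
        if validator("a" * n) != expected_valid(n, lo, hi):
            failures.append(n)
    return failures


if __name__ == "__main__":
    print("test points for 8-12:", boundary_values(8, 12))
    print("buggy validator fails at lengths:", run_bva(buggy_password_ok, 8, 12))
    print("fixed validator fails at lengths:", run_bva(fixed_password_ok, 8, 12))
```

Six test cases replace the hundreds a length-by-length approach would need, and the two that sit exactly on the boundaries are the ones that expose the defect; the value 500 in the address field example works the same way with `boundary_values(0, 500)`.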
