Posts in Web Testing
Try XSS to break out of a rut
I'm again stealing a tip from David Christiansen (he's on a roll lately). Check out his post on using cross-site scripting to get out of a testing rut. From the post:
<script>alert("f")</script>

Paste it in every field.

If an alert pops up OR the field gets saved and then gets rendered without the script tags, you’ve found a cross-site scripting vulnerability.





As a side note, in a very funny turn of events, when I originally wrote this blog post I was rewarded with the following...

[Image: xss_error]
Drop the 's' from HTTPS
Many websites have the requirement that transactions be SSL-encrypted. When this is the case, you see HTTPS instead of HTTP in the address bar, and down at the bottom of your browser, you likely see a little padlock icon that you can click to pull up information on the security certificate being used. However, for whatever reason, sometimes websites choose to implement both secure and non-secure versions of their site. Other times, the web server can be misconfigured, allowing HTTP transport when it should all be HTTPS.

A quick test you can do to see if both are available is to just try dropping the 's' from HTTPS in your address bar. For example, check out https://www.getafreelancer.com/ - the site works under both HTTP and HTTPS. (I assume that's by design, but I'm using it as an example because there aren't many sites that support HTTPS and also support HTTP at the same time.) If you can access both HTTP and HTTPS, you might want to double-check your security requirements for the site and/or your web server configurations. Also, some sites have portions of the site that are HTTP while others are HTTPS. In those cases you might want to come up with a listing of what should be HTTPS only and just check those areas of the site.
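
One way to automate the listing check described above, as an added example (not code from the original post): it requests each path over plain HTTP without following redirects and flags any path that serves content or redirects without switching to HTTPS. The host `shop.example`, the paths and the sample responses are constructed, and `classify`, `probe` and `audit` are names chosen here.

```python
import http.client
from urllib.parse import urlsplit

def classify(status, location):
    """Judge the plain-HTTP response for a path that must be HTTPS-only."""
    if status is None:
        return "ok: no HTTP response (refused or timed out)"
    if 300 <= status < 400 and location:
        # A relative Location has no scheme, so the browser stays on HTTP.
        if urlsplit(location).scheme == "https":
            return "ok: redirects to HTTPS"
        return "FAIL: redirect stays on HTTP"
    if 200 <= status < 300:
        return "FAIL: content served over HTTP"
    return "review: HTTP status %d" % status

def probe(host, path, port=80, timeout=5):
    """GET path over plain HTTP; http.client does not follow redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except OSError:  # refused, reset, timed out, DNS failure
        return None, None
    finally:
        conn.close()

def audit(host, https_only_paths, probe_fn=probe):
    """Map each path in the HTTPS-only listing to a verdict."""
    return {p: classify(*probe_fn(host, p)) for p in https_only_paths}

# Constructed responses standing in for a live site, so the demo runs offline.
SAMPLE = {
    "/login": (301, "https://shop.example/login"),
    "/account": (200, None),
    "/checkout": (302, "/checkout/start"),
    "/admin": (None, None),
}

if __name__ == "__main__":
    results = audit("shop.example", SAMPLE, probe_fn=lambda host, path: SAMPLE[path])
    for path, verdict in results.items():
        print(path, "->", verdict)
```

To run it against a site you are testing, pass the real host and leave `probe_fn` at its default. An "ok: redirects to HTTPS" verdict still means the first request travelled in clear text.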
Testing web services
When I'm working on projects where we're testing web services, it often means comparing XML files to determine if our tests passed or failed. I've found that working with that much XML means you're going to have to get good at:

  • writing XSLTs to transform your actual response to mask out values you don't care about (server dates for example);

  • writing XPath queries to check for specific values in an XML document;

  • learning all the command line options on your favorite diff-tool;

  • and ensuring you have at least one person on the team that knows the schema inside and out and can see the entire mapping document in their head when they look at the response files.