A large merchant organization with an established online business was developing an e-commerce Web site. The site was meant to let customers transfer funds to merchant accounts.
The organization had outsourced the payment processing to a third-party firm. The third-party firm came out with payment software that was able to provide secured interfaces to facilitate funds transfer between the customers and the merchant organization.
The Web site was subjected to a high-level security risk analysis. The analysis identified one risk at the point where a transaction is processed, that is, between the payment interface and the Web site: a fake transaction could be injected there. Such a transaction would be serious for both the customers and the merchant. Customers could suffer financial loss, with their account balances depleted, and the merchant's credibility and reputation could be damaged.
Systematic white box testing was then performed on the modules behind the payment interface. First, all module interfaces were captured in interface diagrams. Then, the interactions between modules were drawn with their trust relationship boundaries. Finally, the data flows among the modules were mapped. From this information a set of test cases was developed. One test case checked whether an anonymous user could perform a transaction. The trust relationship mapping and data flow showed that the system allowed anonymous users to do so, and a code path was identified on which user input was never validated. A further test case then checked whether an invalid transfer could be made from an external account to a merchant account. Because the transaction path ran over an unauthenticated channel, the transfer completed successfully.
The risk analysis also noticed a weak authentication channel in the payment customer service component of the Web site. Trust relationship boundaries and data-flow diagrams similar to those above were therefore drawn for this authenticated channel as well. Analysis and testing showed that an attacker could gain direct access to the merchant organization's accounts and, with that access, move funds from a merchant account to a non-merchant account.
Together, these two bugs would let an attacker funnel customers' payments into a non-merchant account.
The bugs therefore exposed the merchant organization to significant security risk.
From this case study we can conclude that white box testing of the important modules, driven by trust boundaries and data flows, uncovers design assumptions and implementation errors rapidly.
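The two findings of the case study can be reproduced as executable test cases. The block below is an added example written for this page, not code from the merchant, the payment vendor or the cited blog; the account names, balances and the ledger structure are constructed assumptions. It models the payment interface twice: a "before" transfer handler that trusts whatever the web tier hands it, and a hardened handler that enforces the trust boundaries the diagrams exposed (authenticated caller, caller owns the source account, validated amount, merchant-only destinations). The same test cases are then run against both so the difference is visible as return values rather than as prose.

```python
"""Case-study payment interface: vulnerable handler beside hardened handler,
exercised by the white box test cases (constructed example data)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class Session:
    """Caller identity as the web tier passes it to the payment interface.
    user_id is None for an anonymous visitor."""
    user_id: Optional[str] = None


@dataclass
class Ledger:
    balances: Dict[str, Decimal]
    owners: Dict[str, str]                 # account -> owning user_id
    merchant_accounts: FrozenSet[str]      # permitted transfer destinations


TransferFn = Callable[[Ledger, Session, str, str, Decimal], bool]


def transfer_vulnerable(ledger: Ledger, session: Session,
                        src: str, dst: str, amount: Decimal) -> bool:
    """The 'before' picture from the case study: no authentication check,
    no ownership check, no input validation, any destination accepted."""
    ledger.balances[src] -= amount
    ledger.balances[dst] = ledger.balances.get(dst, Decimal(0)) + amount
    return True


def transfer_hardened(ledger: Ledger, session: Session,
                      src: str, dst: str, amount: Decimal) -> bool:
    """Same operation with the trust boundaries enforced at the interface."""
    # Boundary 1: the request must come from an authenticated user.
    if session.user_id is None:
        return False
    # Boundary 2: a user may only draw on accounts they own.
    if ledger.owners.get(src) != session.user_id:
        return False
    # Input validation: positive amount, not exceeding the available balance.
    if amount <= 0 or amount > ledger.balances.get(src, Decimal(0)):
        return False
    # Second case-study bug: funds may only land in merchant accounts.
    if dst not in ledger.merchant_accounts:
        return False
    ledger.balances[src] -= amount
    ledger.balances[dst] = ledger.balances.get(dst, Decimal(0)) + amount
    return True


def make_ledger() -> Ledger:
    """Constructed sample state: one customer, one merchant, one attacker."""
    return Ledger(
        balances={"cust-1": Decimal("100.00"),
                  "merchant-main": Decimal("0.00"),
                  "attacker": Decimal("0.00")},
        owners={"cust-1": "alice", "merchant-main": "merchant"},
        merchant_accounts=frozenset({"merchant-main"}),
    )


def run_case_study_tests(transfer: TransferFn) -> Dict[str, bool]:
    """Apply the case-study test cases to a transfer handler. Each value is
    whether the handler ACCEPTED the transfer; every key but the control
    should be False for a correctly guarded interface."""
    results: Dict[str, bool] = {}
    # Test case 1: anonymous user moves money out of a customer account.
    results["anonymous_transfer"] = transfer(
        make_ledger(), Session(), "cust-1", "merchant-main", Decimal("25.00"))
    # Test case 2: authenticated caller funnels a payment to a non-merchant account.
    results["non_merchant_destination"] = transfer(
        make_ledger(), Session("alice"), "cust-1", "attacker", Decimal("25.00"))
    # Test case 3: authenticated caller draws on an account they do not own.
    results["foreign_source_account"] = transfer(
        make_ledger(), Session("bob"), "cust-1", "merchant-main", Decimal("25.00"))
    # Test case 4: unvalidated input, a negative amount reverses the flow.
    results["negative_amount"] = transfer(
        make_ledger(), Session("alice"), "cust-1", "merchant-main", Decimal("-25.00"))
    # Control: a legitimate transfer must still succeed.
    results["legitimate_transfer"] = transfer(
        make_ledger(), Session("alice"), "cust-1", "merchant-main", Decimal("25.00"))
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", transfer_vulnerable), ("hardened", transfer_hardened)):
        print(name, run_case_study_tests(fn))
```

Running the module prints the acceptance map for both handlers: the vulnerable one accepts all five transfers, the hardened one only the control. Each check in `transfer_hardened` corresponds to one boundary crossed on the diagrams; writing the test cases first, as the case study did, is what makes the missing check visible.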
Questions
1. How was the merchant organization able to identify the first bug associated with their Web site?
2. Explain how an attacker was able to perform anonymous transactions.
Adapted from http://basicqafundamentals.blogspot.com/2011/01/case-study-for-white-box-testing.html
8.5 Summary
• Web sites are important for any business to represent itself to the world.
• Web site testing ensures proper functioning of a Web site.
• Home pages, links, and content are the fundamental components of a Web site.
• Links should be tested to ensure the correct functioning of a Web site.
• A Web site's text is tested to check whether it matches the level of the intended audience.
• While testing the hyperlinks, check whether the mouse pointer icon changes when placed on the hyperlink.
• To conduct black box testing for a Web site, the tester need not be aware of the internal design or code.
• To conduct white box testing for a Web site, the tester should have the knowledge of the internal working of the system being tested.
• In white box testing, a tester has to test dynamic content, database-driven Web pages, programmatically created Web pages, server performance and loading, and security.
• Gray box Web site testing identifies the defects due to bad design or bad implementation of the Web site.
• Configuration and compatibility testing runs the functional acceptance simple tests, or a subset of the task-oriented functional tests, on various combinations of software and hardware configurations.
8.6 Keywords
Address Bar: An address bar is a text field in a web browser that displays the Web site address, or Uniform Resource Locator (URL), to the user.
Cascading Style Sheets (CSS): A simple mechanism for adding styles such as fonts, colors, and spacing to Web pages.
Cookies: Cookies are small pieces of text that a web browser stores on the user's computer at a site's request. They are used for various purposes, including authentication, storing site preferences, and holding shopping cart contents.
Client/Server Applications: This architecture works as a two-tier model with two computer programs: the client, which makes a service request, and the server, which fulfills the request.
Firewall: A device that protects a network from unauthorized access by permitting only legitimate communication to pass between networks.
SSL (Secure Sockets Layer): The security technology originally used to create an encrypted link between a Web server and a browser. Its successor, TLS (Transport Layer Security), is what current browsers and servers actually negotiate, although the older name is still widely used.
8.7 Self Assessment
1. State whether the following statements are true or false:
(a) Intranet facilitates users to search worldwide for information on any Web site.
(b) Home pages include a header at the top which represents the type of the site.
(c) White box testing is a testing strategy which requires a tester to know the internal design or code.
(d) Dynamic content is nothing but graphics and text that varies depending on some conditions.
(e) While testing the Web compatibility, one needs to decide the main browser and OS for testing depending on the testing tools.
(f) A navigational map helps the user to go straight away to the information which they want.
2. Fill in the blanks:
(a) For efficiency, most dynamic content programming is placed on the __________________.
(b) Try resizing the ____________________ window to test if there is any incorrect wrapping around the graphic.
(c) Load on a server can be determined through the _______________________.
(d) The testing that can be performed in inter-operability conditions is __________________.
(e) If you use ____________________ for storing statistical data, verify that totals are being accounted properly.
3. Select a suitable choice for every question:
(a) Identify the applications that run in Web pages.
(i) Applets (ii) Java scripts (iii) Plug-ins (iv) CGI scripts
(b) Identify the applications that run on the server side.
(i) Database interfaces (ii) Java scripts (iii) Dynamic page generators (iv) Logging applications
(c) While testing for software compatibility configurations, one must test for:
(i) Input/output (I/O) devices (ii) Extension (iii) Connection types (iv) RAM
(d) In a Web site, content can take the form of:
(i) Internet resources (ii) Graphic images (iii) Sounds (iv) Downloadable movie clips
(e) Name the testing strategy that is used to test that a Web site functions properly across different hardware and software environments.
(i) White box testing (ii) Black box testing (iii) Gray box testing (iv) Compatibility testing
8.8 Review Questions
1. “Once the Web site goals have been defined, it is important to have metrics and mechanisms to determine whether the site is providing the defined benefits or not.” Mention the metrics used to measure the Web site's performance.
2. “While testing a Web site we need to consider some points”. Discuss those points.
3. “A site map and/or navigational map help the user to go straight away to the information which they want”. Discuss how a site map can be tested.
4. “In a Web site, patterns and pictures take away the user”. Explain how this issue can be addressed.
5. Assume you are using cookies to store some statistical data in your Web site. Briefly explain how you will handle cookies safely.
6. Explain as to why a Web site tester should not depend on spell checkers for checking text.
7. “The graphic or text that varies depending on some conditions” is called dynamic content. Analyze how a developer can create dynamic content.
8. “Gray box testing is a mix of black box and white box testing”. Explain how gray box testing is different from other two testing strategies.
9. “While testing a Web site, the tester has to develop some test cases”. Explain the importance of test cases.
10. Even though a Web site is performing satisfactorily with Win XP, testing is recommended. Discuss.
11. Target audience group should be considered while testing a Web site. Justify the statement.
12. Text, graphic, hyperlinks, and forms are the fundamental elements of a Web site. Explain black box testing for these fundamental elements.
Answers: Self Assessment
1. (a) False (b) False (c) True (d) True (e) False (f) True
2. (a) Web site's server (b) Browser's (c) Number of hits per unit time (d) Gray box testing (e) Cookies
3. (a) Applets, Java scripts, Plug-ins (b) Database interfaces, Java scripts, Logging applications (c) Input/output (I/O) devices, Extension, RAM (d) Graphic images, Sounds, Downloadable movie clips (e) Compatibility testing
8.9 Further Readings
Vasudevan, V. (2008). Application Security in the ISO27001 Environment. IT Governance Publishing.
Mendes, E., & Mosley, N. (2006). Web Engineering. Berlin Heidelberg: Springer-Verlag.
http://ezinearticles.com/?Importance-of-Web-Testing&id=2503273
http://www.softwaretestinggenius.com/articalDetails.php?qry=400
http://sqa.fyicenter.com/FAQ/Software-Testing methodolog/How_to_performance_Compatibility_and_Configurati.html
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/white-box/259-BSI.html
Unit 9: Automation Testing
CONTENTS
Objectives
Introduction
9.1 Benefits of Automation Testing
9.1.1 Test Tools
9.1.2 Software Test Automation
9.2 Random Testing
9.2.1 Gorilla Testing
9.2.2 Monkey Testing
9.3 Bug Bashes and Beta Testing
9.3.1 Test Sharing
9.3.2 Beta Testing
9.3.3 Outsourcing Testing
9.4 Summary
9.5 Keywords
9.6 Self Assessment
9.7 Review Questions
9.8 Further Readings
Objectives
After studying this unit, you will be able to:
• Discuss the benefits of automation testing
• Explain the importance of random testing
• Describe bug bashes and beta testing
Automation testing uses software to drive the testing process. The automation software controls the execution of tests, compares actual outcomes to predicted outcomes, sets up preconditions and other test controls, and produces test reports. The procedure thus automates a formerly manual process so that the tests execute without manual intervention.