Meeting James Marcus Bach!

Yes, I really did meet him - James Marcus Bach. If I have to tell you how I felt like after meeting him in just one sentence - It was like meeting Master Shifu of the Kung Fu Warriors team.

Though I was sure to meet him in the test-ed conference, this meeting of mine was much un-expected.

At the Coffee Shop: 
The place was pretty much the same as where I had met my mentor Pradeep Soundararajan for the first time. It was Coffee day then & Costa Coffee today.
I was able to identify him from few meters right before actually heading to his table. Not because he is from west & has a fair complexion but from his hat having the brand image of Buccanner Scholar.
I got a chance to meet him with a small contingent of Moolya team ie with Dhanasekar S, Abilash & Dnyanesh.

Testing Activity:
Well the fun started right after 2 minutes of introduction. Even before we realized we were quickly grabbed in to a testing activity. The activity was so intense that I just couldn't pick up with the pace at first.
James quickly had identified was giving feedback on each one of us constantly during the session.
We got tips on questioning, observing, analysis & what more, even on consulting.
We did fairly well at the end for which James did appreciate. Learning quick & getting feedback from James was really a bliss that I got to experience.

Excited for the next meet:
The next meet with James is really going to be an exciting one. This meet will just not be with the team of Moolya but with more than hundreds of testers in the city of Bangalore & others.
That will be in the test-ed '12 conference. And yes you all are invited to this massive testing event that will be held on December 5th. Well, if you haven't registered yet, you still can.

Here are the details: http://test-ed.in/

Here is what you get:
1. You get with many rockstars of the testing industry.
2. If you are newbie in testing, you will get a chance to enhance your skills & learn about software testing from some of the people who have interacted with a millions of testers around the world.
3. You get to meet most energetic mentors who could guide you to be the 'PO' of the software testing field.
4. Hundreds of fellow testers with whom you could network.

Hope to see you all there!

Why & how did I start to learn about security testing!

This was during my initial days of realizing that there exist something called as 'Security Testing':

Spamming, hacking, online-frauds were the terms that I used to read in news tab of google or in newspapers.
Even today when I search the news section of google with keyword 'hacked' you get atleast 20 articles in the past 24 hours.
One way to get into the mood of knowing security testing is to think constructively on 'How to stop such things' the other way ie the way I learned about security testing is by watching people do it & see the energy levels gushing out of them after having achieved any task in it. The 'Cloud 9' feeling of having hacked & having found a loop-hole in any application is just insanely awesome.

The person whom I watched do it was Santhosh Tuppad. He is one of the coolest security testers that I have met. You may want to read his blog about how much of passion that he has into security testing. Most of the articles that he writes these days are more or less related to security testing.
The other great quality that I liked about him is about the enthusiasm that he has to teach or guide anyone who is interested to learn security testing.

He was the one who pointed me to an interesting site: http://hackthissite.org/ which has thrilling exercises with  lots of learning in the end. The other source of information that he had pointed me is 'Hacking for dummies by Kevin Beaver' which could be treated as a bible for someone who has just started to learn security testing.

I hope to make greater progress in learning more about security testing along with Santhosh.

May be my next post would be about how we paired up for testing an application & crucified its security vulnerabilities.

Security Testing - 1.0

Lately I have been learning & researching on the security testing for web-application.

Here is something that I would like to share about an interesting topic in that arena.

Directory Traversing:

If you are a newbie & want to get hands-on on something interesting in hacking/learning security testing, then directory traversing attack would be an ideal start.

I would like to co-relate this in real life situation similar to searching for the home where your girl whom you love the most lives in. What do you do?

• Look up her Facebook profile for details like phone number, address -> no clue? 
• Then get to know her dad's name & look-up in public directory-> no clue? 
• Buy her friend 'Bournville' chocolates daily hoping to get some clue on this girl -> her friend ate ate ate & dint reveal but asked for 'Snickers' this time?
• Bunk your lab session to steal info from the college records -> Have a Hulk like peon who doesn't allow you to enter the admin room of the college & you can neither bribe him or take him for granted as he is always angry ;)?

Well if nothing of the above seems to be working can we think of something simple, why we don’t just follow her back to home once the college bell rings - Bingo!!! But yes things could get complicated here too. She may change buses of different routes & then catch a tram and then walk in directions which are tough to remember. This is it. 

Web applications would either be built with a solid foundation keeping security testing in mind or may be as vulnerable as being able to crack in a single attempt for any hacker to access the confidential information. 

How do hackers gather clues?

1. Robots.txt: A text file that contains list of disallowed & allowed directories/files which could be accessed through web-crawling. 

Oh really!! So how will it help the hacker?

If you give a thought about why would someone want to disallow certain directories or files to be accessible to the web-crawlers then this leads us to clue that there could be some confidential data in them. Though using this txt file is not mandatory to build any website but if it is used, and then it has to be placed under the home directory like google.com/robots.txt and hence making it more easily accessible to the public.

2. File names: Maintaining easily guessable file names is the mistake that most of the site owners do. For example there is annual report of a large IT form which has the revenue details & dividend sharing information for the last year that is being shown on the site. Now, it would be foolish to store the file name as report_09122011_market.pdf & maintain the format every consecutive year. So how difficult it would be to guess the file name to hack & get the information on future dividends & confidential corporate decisions which may eventually kill the reputation of the firm.

Tools that could be used:

1. Crawlers: HTTrack is one such tool that crawls for all the publicly accessible files. This tool is very easy to use & depending on the size/complexity of the website it downloads the contents. Having a peek on each file will give more information on things that are utmost confidential or at least the clue to reach them.

2. Google: We know to use this tool inadvertently for any such things that our brain has lost hopes of - like the "Current petrol price in Bangalore" :).

And the smart guys use queries to get info that is worth million dollars:

Example searching with a queries like: "site:hostname keywords-to-look-for" keywords could be confidential, reports, revenue or client & so on.

The security aspects (except the love story part) that are listed above are from my learning through the book "Hacking for Dummies-Kevin Beaver". Though understanding & learning about directory traversing is important so is it to know the countermeasures required for making directory traversing not-so easily attackable area for any hacker. I shall come up with the same in my next blog.

Questions worth finding answers for, before you start to test.

I have drafted below the list of questions that are worth to ask before you start your testing tasks.
Answers to few questions can be got from the stakeholders & few by yourself. These are not focused on security or performance or any form of testing, they are generic to any project.

I hope to get few more from you once you skim through them.

Phase-1:

• What is the objective of the project?
• What is the scope of the project?
• What are the risks involved in the project?
• What is the objective & scope of testing this project?
• Who are the real users of the product that is under test?
• Which quality criteria must be the testing activity focused on?
• Will I get a demo or overview of the project?

Phase-2:

• Will I get access to the code?
• Is there any kind of documentation available, if not who are the stakeholders of the project?
• Will I get the contact details of them?
• What is the configuration of test environment?
• What is the configuration of production environment?
• Which features are more riskier than others?
• How often can I get the builds?
• Have I spoken to the audience of my test reports for what is expected?
• What is the expected frequency of status reports by the stakeholders?
• What are the deliverables expected from me?

As a tester learn to learn before you learn to teach.

This blog post is about how you could learn about a product or rather a project before you are confident of making a fresh mind understand the aspects of what you will be working or have worked upon.

Once you are into any project, its either your project lead/ team lead does the honor of making you understand what the product/project is about. Yes, I understand the frustration few would have gone through while getting trained in a class room based training for days together & sometimes months together. It would be quick run of a slideshow or a senior most person blabbering about only achievements that they have made in the project. And hence trying to put on the onus on the young minds as if a war is about be fought with situation being - "Crititcal critical critical....." until the project halts. I myself have undergone such situations in organisations that I had worked earlier, that those words (critical...) being used atleast thrice daily throughout the year.

• Below is the extract of what I & Yagnesh have prepared after being inspired by Dhanasekar on using the mindmap tool.
• The view of this can ascertain the level of understanding one has before starting the project.
• This mindmap covers most of the aspects that one has to learn about the project before anyone steps into it.
• This can be used even as a training material for any fresh mind coming into the project. 
• This shall also tell us about the aspects that are missed which can be covered to test the product better.
• This could well be expanded into more minute details based on contexts.

Test ideas for Video Player V1.0

How do you plan to test any given feature/ page element? Do you sit alone & start testing OR do you start writing the the test cases based on the requirements OR do you copy paste the plan done by your erstwhile colleagues?

Well, this is how we did: Me, Santhosh Tuppad & Yagnesh H Shah decided to list the ideas that we would get to test any online video player in general. We then based on the context modified few for the specific player that we were testing. Later we did what we do best (strictly not kidding :D), TEST! Below is the gist of ideas that we came up with during our brainstorming session.

Functionality 

1. Video should starts automatically without clicking on “Play” button initially
2. Video should pause when click on “Pause” button
3. “Resume” option must be shown in the video canvas when the mouse over event occurs
4. Check if the video is continues to play when clicked on “Resume” option from the video canvas
5. Pause the video and go to full screen, check if video is paused or not
6. Pause a video for a while (Let us say 30 minutes) and later resume the video
7. Total video length should be shown on the right hand side of the end-user at the end of progress bar
8. Time elapsed in watching the video should be shown on the left hand side of the end-user beside the progress bar
9. Time should be shown in MM:SS – Are you planning to have even the videos which last for hours? If yes, then would it be in HH:MM:SS or still MM:SS (Example: 90:30 which is 1 hour 30 minutes 30 seconds)
10. Elapsed time of the video must be same as the total time of video length

Usability and Accessibility 

1. Tooltips should exist for Play / Pause / Resume & other video controls
2. Check if any keyboard shortcuts exist for the video controls
   

Ads (If an Ad is being shown before the actual video)

1. Before starting the video the sponsor ad should be shown with Mute set to off.
2. Check if clicking on “Mute” mutes the audio.
3. Provide option to skip the Ad.
4. Does skip Ad option really skip the Ad when clicked.
5. Does the user has the option to look at the Ad again.
6. No video controls must be given during Ad is played (This could change based on the business context).
7. A countdown is present at the top which displays the time that the advertisement video will be completing
8. Once the Ad is completed, the video should start automatically
9. In any way end-user should not be able to bypass the Ad  nor the system should not bypass sponsor message due to some malfunctioning
10. Can the Ads repeat when played different videos? In our opinion yes they can
11. Zoom In / Zoom Out, Pause, Play, Resume controls should not be provided in the right-click controls
12. Right-click on the Ad video and go to full screen
    

Volume Controls 

1. When end-user chooses “Menu” option, the volume controls should be not disabled
2. Using mouse end-user should be able to use the slider to increase / decrease volume
   

Video Streaming / Buffering 

1. Check if the buffering is being done while the video is paused
2. While buffering, loading component in clockwise direction should be shown between elapsed time component and progress bar
3. Let us say the video has played till 01:30 and end-user drags it to 00:30 – Check if the video is again buffering or it is playing from the cache because it has been already buffered
4. What message is shown when internet connectivity breaks down during the middle of the video viewing
5. While watching the video disconnect the internet and again connect to the internet. Does the video again start playing the video from where it stopped?
   

Resolution and cross browser compatibility 

1. Change the resolution of browser to various sizes (Example: 100% which is default, less than 100%) and then see if anything affects the video player
2. All the controls should work seamlessly in all the major web browsers like Google Chrome, Apple Safari, Internet Explorer, Mozilla Firefox.

 Full Screen View & Exit Full screen

1. 'Go Full screen' button must have a tool tip as “Go Full Screen”.
2. Once the full screen view is active, the normal view space must not be left blank.
3. The video shouldn't hang once if we have clicked on full screen when the video is being played.
4. The video must occupy the entire screen, it shouldn't be cramped.
5. “Press Esc to exit Full screen mode” message must be shown once the full screen view is activated. The message should disappear after few seconds.
6. The video should continue playing from the point at which we click the full screen button during normal view.
7. The video should not start rendering from the start, once the full screen view is activated.
8. Quality of the video should not differ significantly from the normal view.
9. Video controls must be shown at the bottom of the screen.
10. Video controls must hide after few seconds once the full screen is activated.
11. Video controls must be shown once we mouse hover the video.
12. The video must play(resume)/pause when we left click anywhere on the screen.
13. Play(resume)/pause buttons should change while select the respective options.
14. Volume control must have '+' & '-' symbols to indicate increase or decrease volume.
15. The time elapsed time should change as you drag the progress bar accordingly.
16. All the video controls function must be in sync with the normal view. Eg: Volume controls, pause/resume must be same before or after returning to the normal view mode OR vice versa.
17. All the video controls must have a tool tip.
18. Title of the video must be shown completely.
19. Title of video must be shown in a single line.
20. Full screen view must exit either when we press 'Esc' key or click the 'Exit full screen' button or when right click & select 'Exit full screen'.
    

Video Ordering:

1. Check if the first video being played by the player is displayed as the first video in the list.
2. Once video is finished playing it should automatically start next video from the list.
3. Video being played currently should be highlighted in the list for user reference.
4. If a playlist is being shown, each slideshow of the list contains specific number of videos listed (Let us say 3 videos/slideshow). Now player finishes playing 3^rd video from the slideshow then it should start playing 4^th video from the list along with refreshing the slideshow of the list to next three videos.
   

Functionality – Video sharing options:

1. Social networking widgets. ( Eg Facebook, twitter, blogs).
2. Default video resolution in the when the video is shared & shown in any of the social networking sites.
3. Relevancy of the video being shared & the one that is being shown.
4. Should the video which is embedded in other users website/blog should also embed advertisement along with the video?
5. Let us say video number 2 is being played currently. Now on selecting any other related video from the menu option starts playing that video. Check if we can still play video number 2 on selecting it again or not.

Pre-thoughts of BBST 'two'dot'O'

It had been a while since I had planned to take up this course. Having heard, read, and met people who had done this course the eagerness to learn and attend this was way too high. The wait period of 2 months i.e from the time of registering to the actual start time of the course was like an year passed by.

The very reason I wanted to join this course is that it offers a chance to interact with like minded people around the globe and share your ideas & thoughts with them. And it surely has given me this opportunity even before 4 days of the scheduled start date.

BBST 2.0 Foundation course has been designed in such way that we will be learning about testing as well as improving the academic skills. Academic skills in this context refers to online collaboration, effective communication, better peer reviews and many other aspects which will help us to work smartly using different sources of information.
Under learning about testing we shall be made familiar with 5 different challenges, that being:

• Information objectives drive the testing mission and strategy
• Oracles are heuristic
• Coverage is multidimensional
• Complete testing is impossible
• Measurement is important, but hard

One of the testimonial at BBST.info says "Without question, the BBST Foundations 2.0 class is one of the most challenging Foundations level classes in software testing you will take..". Now, how challenging it would that be for me is something that I need to wait and watch. Having Michael Larsen as the instructor for our batch is something amazing by itself.

This being my first stint in an online course, I am really looking forward for a great time ahead.