
Tuesday, 30 August 2011

Security Testing Research, links galore

Over at the Software Testing Club I just added a list of resources for use by members of the Security Testing Group I set up. I thought I'd add the list here for reference and encourage readers to visit the STC group.

Websites and Forums

Dark Reading: http://www.darkreading.com/
Infosecurity: http://www.infosecurity-magazine.com/
Ethical Hacking Blog Site: http://www.ehacking.net/
The Ethical Hacker Network: http://www.ethicalhacker.net/


Podcasts and Video Series
Cigital Silver Bullet Security Podcast: http://www.cigital.com/silverbullet/


Security Testing Methodologies
OWASP: https://www.owasp.org/
OSSTMM: http://www.isecom.org/osstmm/
ISSAF: http://www.oissg.org/issaf/


Threat & Incident Classification
WASC-TC: http://projects.webappsec.org/w/page/13246978/Threat%20Classification
WHID: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
Taxonomy of Coding Errors: https://www.fortify.com/vulncat/en/vulncat/index.html


Tools

Backtrack: http://www.backtrack-linux.org/
NMap: http://nmap.org/
Nessus (Home Feed): http://www.tenable.com/products

Hack to learn, don't learn to hack.

Tuesday, 9 August 2011

How to get started on SQL Injection

Firstly, you need a good working knowledge of SQL. That may seem obvious, but you can't just rattle off a bunch of SQL strings with no idea what they are meant to do or what they are testing for and expect to test well.

Head over to these two sites and diligently complete each of the exercises:

http://www.sqlcourse.com/
http://www.sqlcourse2.com/


Secondly, get some pre-cooked SQL vectors to try out.

Go to http://ha.ckers.org/sqlinjection/ and try out the vectors MANUALLY


Do them manually to learn what they are: really read them and get familiar with how each vector changes the query it lands in. Then try to construct some of your own, given your knowledge of the app you're attacking.

Thirdly, open Firefox and add the 'SQL Inject Me' add-on:

https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/

Play with this add-on and see how it changes your approach to testing. When you're done, go to Firefox and click on "Tools > Add-Ons > Extensions > SQL Inject Me > Options > SQL Injection Strings" and add the bespoke vectors you created earlier.
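To make the "read the vector, understand the SQL it produces" step concrete, here is an added example that is not part of the original post or of the ha.ckers.org cheat sheet. It builds a small SQLite database (the schema, rows, function names and vectors are all constructed for the example), runs a few classic vectors through a login and a product search that concatenate user input into SQL, and then runs the same input through the parameterised versions of those queries so you can see the difference in the result.

```python
import sqlite3


def build_db():
    """Constructed sample schema and data for the example (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('alice', 'wonderland', 'admin'),
            ('bob',   'builder',    'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return conn


def login_sql(username, password):
    """The injectable query text, built by concatenation, exactly as the database sees it."""
    return ("SELECT username, role FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Login check where user input becomes part of the SQL syntax."""
    return conn.execute(login_sql(username, password)).fetchall()


def login_safe(conn, username, password):
    """Same check with bound parameters: input is always data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def search_sql(name):
    return "SELECT name, price FROM products WHERE name = '" + name + "'"


def search_vulnerable(conn, name):
    """Product lookup by concatenation; a UNION vector can read any other table."""
    return conn.execute(search_sql(name)).fetchall()


def search_safe(conn, name):
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


# Classic vectors of the kind listed on the cheat sheet. Read the SQL each one
# produces (login_sql / search_sql) before looking at the rows it returns.
LOGIN_VECTORS = {
    # Closes the string literal, then comments out the password check entirely.
    "comment out": ("alice' -- ", "anything"),
    # Tautology: the trailing OR '1'='1' makes the WHERE clause true for every row.
    "tautology": ("' OR '1'='1", "' OR '1'='1"),
}

# Appends a second SELECT with the same column count; usernames and passwords now
# come back in the product name/price columns.
UNION_VECTOR = "' UNION SELECT username, password FROM users -- "


def stacked_refused(conn):
    """Python's sqlite3 runs one statement per execute(), so a stacked-query vector
    raises instead of executing DROP TABLE. Other drivers do not stop it, so this is
    a property of one driver, not a defence the application can rely on."""
    try:
        search_vulnerable(conn, "'; DROP TABLE users; -- ")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def main():
    conn = build_db()
    for label, (u, p) in LOGIN_VECTORS.items():
        print("[%s] username=%r password=%r" % (label, u, p))
        print("  SQL :", login_sql(u, p))
        print("  vuln:", login_vulnerable(conn, u, p))
        print("  safe:", login_safe(conn, u, p))
    print("[union] name=%r" % UNION_VECTOR)
    print("  SQL :", search_sql(UNION_VECTOR))
    print("  vuln:", search_vulnerable(conn, UNION_VECTOR))
    print("  safe:", search_safe(conn, UNION_VECTOR))
    print("[stacked] driver refused multi-statement input:", stacked_refused(conn))


if __name__ == "__main__":
    main()
```

Run it and compare the `vuln` and `safe` lines for each vector: the concatenated query logs in as alice without a password and leaks the users table through the product search, while the parameterised query simply finds no product or user with that literal name. The stacked-query case is the caveat: it fails here only because of the driver, so don't mistake a driver quirk for a fixed application.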

Have fun!

Mark.

Principal Test Architect, Test Hats.