Archive for July 2018

Learning Something New: 20/07/2018

Allow nothing or no one to slow your pace or affect your energy; stay consistently flowing, forever growing.




Subject: Java Fundamentals


Topics:
  1. Arithmetic Operators
    • Basic Operators: + - * / %
    • Prefix/Postfix Operators: ++ --
    • Compound Assignment Operators: += -= /= *= %=
  2. Basic Operators Example:
    public class BasicOperators {
        public static void main(String[] args) {
            /**
             * Floating Point Examples
             */
            // Addition of two variables
            float valAddA = 1.0f;
            float valAddB = 2.0f;
            System.out.println("valAddA + valAddB: " + (valAddA + valAddB));
            // Subtraction of two variables
            float valSubA = 5.0f;
            float valSubB = 4.0f;
            System.out.println("valSubA - valSubB: " + (valSubA - valSubB));
            // Multiplication of two variables
            float valMulA = 4.0f;
            float valMulB = 2.0f;
            System.out.println("valMulA * valMulB: " + (valMulA * valMulB));
            // Division of two variables (float division keeps the fraction)
            float valDivA = 13.0f;
            float valDivB = 5.0f;
            System.out.println("valDivA / valDivB: " + (valDivA / valDivB));
            // Modulus of two variables
            float valModA = 13.0f;
            float valModB = 5.0f;
            System.out.println("valModA % valModB: " + (valModA % valModB));
            /**
             * Integer Examples
             */
            // Addition of two variables
            int valAddAB = 1;
            int valAddBA = 2;
            System.out.println("valAddAB + valAddBA: " + (valAddAB + valAddBA));
            // Subtraction of two variables (declared as int, so the result prints as 1, not 1.0)
            int valSubAB = 5;
            int valSubBA = 4;
            System.out.println("valSubAB - valSubBA: " + (valSubAB - valSubBA));
            // Multiplication of two variables
            int valMulAB = 4;
            int valMulBA = 2;
            System.out.println("valMulAB * valMulBA: " + (valMulAB * valMulBA));
            // Division of two variables (integer division truncates 2.6 down to 2)
            int valDivAB = 13;
            int valDivBA = 5;
            System.out.println("valDivAB / valDivBA: " + (valDivAB / valDivBA));
            // Modulus of two variables
            int valModAB = 13;
            int valModBA = 5;
            System.out.println("valModAB % valModBA: " + (valModAB % valModBA));
        }
    }

Output:
valAddA + valAddB: 3.0
valSubA - valSubB: 1.0
valMulA * valMulB: 8.0
valDivA / valDivB: 2.6
valModA % valModB: 3.0
valAddAB + valAddBA: 3
valSubAB - valSubBA: 1
valMulAB * valMulBA: 8
valDivAB / valDivBA: 2
valModAB % valModBA: 3
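The topics list names the prefix/postfix and compound assignment operators, which the basic example does not exercise. The class below is an added example, not code from the original post; it shows those operators and two behaviours a tester should keep in mind: int division drops the fraction (as the 13 / 5 output above shows), and int addition wraps silently past Integer.MAX_VALUE, which is how a length or size check can be passed by a value that looks small. Math.addExact is the JDK method that throws instead of wrapping.

```java
// Added example (not from the original post): the prefix/postfix and compound
// assignment operators listed in the topics but not shown in the basic example,
// plus two caveats: integer division truncates, and int arithmetic wraps on overflow.
public class OperatorCaveats {

    /** Prefix ++: the variable is incremented first, then its new value is used. */
    static int prefixIncrement(int x) {
        int y = ++x;      // for x = 5: x becomes 6, and y gets 6
        return y;
    }

    /** Postfix ++: the old value is used first, then the variable is incremented. */
    static int postfixIncrement(int x) {
        int y = x++;      // for x = 5: y gets 5, and only afterwards x becomes 6
        return y;
    }

    /** Compound assignment: a += b is shorthand for a = (int) (a + b), and so on. */
    static int compound(int a, int b) {
        a += b;           // 10 + 5 = 15
        a *= 2;           // 15 * 2 = 30
        a -= 3;           // 30 - 3 = 27
        a /= 4;           // 27 / 4 = 6   (integer division)
        a %= 5;           // 6 % 5  = 1
        return a;
    }

    /** int / int drops the fraction; cast one side to float to keep it. */
    static int intDivision(int a, int b) {
        return a / b;                 // 13 / 5 = 2
    }

    static float floatDivision(int a, int b) {
        return (float) a / b;         // 13 / 5 = 2.6
    }

    /** Plain + on int silently wraps: MAX_VALUE + 1 is MIN_VALUE. */
    static int wrappingAdd(int a, int b) {
        return a + b;
    }

    /** Math.addExact throws ArithmeticException instead of wrapping. */
    static int checkedAdd(int a, int b) {
        return Math.addExact(a, b);
    }

    public static void main(String[] args) {
        System.out.println("prefix:  " + prefixIncrement(5));
        System.out.println("postfix: " + postfixIncrement(5));
        System.out.println("compound(10, 5): " + compound(10, 5));
        System.out.println("13 / 5 as int:   " + intDivision(13, 5));
        System.out.println("13 / 5 as float: " + floatDivision(13, 5));
        System.out.println("MAX_VALUE + 1 (wrapping): " + wrappingAdd(Integer.MAX_VALUE, 1));
        try {
            checkedAdd(Integer.MAX_VALUE, 1);
        } catch (ArithmeticException e) {
            System.out.println("MAX_VALUE + 1 (checked):  " + e.getMessage());
        }
    }
}
```

Compile and run it with `javac OperatorCaveats.java && java OperatorCaveats`; the wrapping line prints a negative number while the checked line reports "integer overflow".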



Subject: Web Application Security

Topics:

  1. OWASP #6: Unvalidated Redirects and Forwards
    • Example: an attacker sends you a link to the real site whose URL embeds a malicious site as the redirect target.
    • www.mysite.com/login?page=www.hackersite.co.au
    • You follow the link, log in and keep using the web application without looking at the URL or at the page you were redirected to; hackersite.co.au is built to resemble mysite.com.
    • This is also referred to as an open redirect vulnerability.
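The link above works because the application sends the browser wherever the page parameter says. The class below is an added example, not code from the original post, of the check a login handler should make before redirecting: the parameter is honoured only when it is a plain relative path on an allowlist (the /account and /orders paths in ALLOWED_PAGES are assumptions for the example), and every other form, including the www.hackersite.co.au value from the link above, falls back to the home page.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example (not from the original post): validating the "page" parameter of
// a login redirect so that it can only point back into our own application.
public class RedirectValidator {

    // Assumed allowlist of pages a user may be sent to after login.
    private static final Set<String> ALLOWED_PAGES = Set.of("/", "/account", "/orders");
    private static final String DEFAULT_PAGE = "/";

    /**
     * Returns the path to redirect to. Anything that is not a plain relative path on
     * the allowlist (absolute URLs, "//host" forms, other schemes, unparsable input)
     * falls back to the default page instead of being forwarded to the attacker's site.
     */
    static String safeTarget(String page) {
        if (page == null || page.isBlank()) {
            return DEFAULT_PAGE;
        }
        URI uri;
        try {
            uri = new URI(page);
        } catch (URISyntaxException e) {
            return DEFAULT_PAGE;          // backslashes, spaces, etc.: not a target we ever issue
        }
        // A scheme ("http:", "javascript:") or an authority ("//www.hackersite.co.au")
        // means the target leaves our site.
        if (uri.isAbsolute() || uri.getAuthority() != null) {
            return DEFAULT_PAGE;
        }
        String path = uri.getPath();
        // Only exact allowlisted paths; "www.hackersite.co.au" parses as a relative path
        // and fails this check, as does "/account/../admin".
        if (path == null || !ALLOWED_PAGES.contains(path)) {
            return DEFAULT_PAGE;
        }
        return path;
    }

    public static void main(String[] args) {
        String[] samples = {                 // constructed inputs
            "/account",
            "www.hackersite.co.au",          // the value from the post's example link
            "http://www.hackersite.co.au/",
            "//www.hackersite.co.au",
            "javascript:alert(1)",
            "/account/../admin",
            null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```

Only the first sample comes back unchanged; every other input resolves to "/". Returning a path from the allowlist, rather than the raw parameter, also means the query string and fragment the attacker supplied are dropped.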


Learning Something New: 19/07/2018


An investment in knowledge pays the best interest.




Subject: Web Testing 101 - How to test World Wide Web

Topics:
  1. HTML <input> readonly Attribute
The readonly attribute is a boolean attribute.

When present, it specifies that an input field is read-only.

A read-only input field cannot be modified (however, a user can tab to it, highlight it, and copy the text from it).

The readonly attribute can be set to keep a user from changing the value until some other condition has been met (like selecting a checkbox). Then JavaScript can remove the readonly attribute and make the input field editable.

    <!DOCTYPE html>
    <html>
    <body>
    <form action="/action_page.php">
      Email: <input type="text" name="email"><br>
      Country: <input type="text" name="country" value="Norway" readonly="readonly"><br>
      <input type="submit" value="Submit">
    </form>
    </body>
    </html>


When an application shows a field with the readonly attribute, perform the steps below.

a. Open the Chrome web developer tools.
b. Right-click on the field or button you want to test and click "Inspect".
c. In the developer tools panel, the HTML for that element is highlighted.
d. Right-click on the highlighted text and choose "Edit as HTML". An editable text window opens.
e. If you see text such as readonly="readonly", delete the attribute.
f. Click away from the editable window and see whether the field or button is now enabled.
g. If it is, click on it, update the values and see what happens in the database.








A note on security: even when the readonly attribute is used, you should never trust user input, and that includes form submissions. The field can still be modified with Firebug, DOM Inspector and similar tools, or the user can simply send an HTTP request without using the browser at all.
Check whether both client-side and server-side validation exist.
Or provide only the text value of the email address instead of an input field.
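The HTML above is the form a tester would edit in the developer tools. The class below is an added example, not code from the original post, of the server-side counterpart the note asks for: it validates the email field and compares the submitted country against the value the server itself rendered into the readonly field (countryOnRecord, an assumed parameter), so that stripping the attribute and editing the value gets the request rejected instead of written to the database.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example (not from the original post): server-side validation of the
// email/country form above. The readonly attribute is a browser hint only; the
// submitted country value is attacker-controlled and must be checked on the server.
public class FormValidation {

    // Simple shape check for the email field (assumed; not a full RFC 5322 validator).
    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    /**
     * Validates one form submission. countryOnRecord is the value the server itself
     * rendered into the readonly field (for example from the user's profile); the
     * submitted copy is accepted only if it still matches that record.
     *
     * @return an error message, or empty when the submission is acceptable
     */
    static Optional<String> validate(Map<String, String> form, String countryOnRecord) {
        String email = form.get("email");
        if (email == null || email.length() > 254 || !EMAIL.matcher(email).matches()) {
            return Optional.of("email: invalid format");
        }
        String country = form.get("country");
        if (country == null || !country.equals(countryOnRecord)) {
            // The readonly attribute was removed in the developer tools and the value
            // changed: reject the request rather than quietly storing the new value.
            return Optional.of("country: value does not match the server record");
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String countryOnRecord = "Norway";   // constructed server-side value for this user
        Map<String, String> honest   = Map.of("email", "test@example.com", "country", "Norway");
        Map<String, String> tampered = Map.of("email", "test@example.com", "country", "Sweden");
        Map<String, String> badEmail = Map.of("email", "not-an-email",     "country", "Norway");

        System.out.println("honest:   " + validate(honest, countryOnRecord).orElse("ok"));
        System.out.println("tampered: " + validate(tampered, countryOnRecord).orElse("ok"));
        System.out.println("badEmail: " + validate(badEmail, countryOnRecord).orElse("ok"));
    }
}
```

The honest submission passes; the tampered one is rejected even though the browser marked the field read-only. When the server does persist the record, it should write countryOnRecord, its own copy, rather than the submitted string.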


Learning Something New: 18/07/2018

“When we compare ourselves to others, we reject ourselves. In the moment, we’re defined by that breadth of comparison rather than the extraordinary uniqueness that makes us who we are.”



Subject: Java Fundamentals


Topics:
  1. Primitive Data Types for Variables
    • Integer
    • Floating Point
    • Character
    • Boolean
  2. Data Types - Size in Bits - Min Value - Max Value - Literal Format
  3. Integer Types:
    • long type: uses the literal format 'L'
  4. Floating Point Types:
    • float type: uses the literal format 'f'
    • double type: uses the literal format 'd'
  5. Character Types:
    • Literal values are written in single quotes.
    • Unicode characters can also be stored.
  6. Boolean Types:
    • Stores either true or false
  7. Primitive Data Types are stored by value.
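Topics 2 to 7 are about literal formats, ranges and storage by value. The class below is an added example, not code from the original post; it shows each literal format in use, the int and long ranges from the size/min/max table, and what a narrowing cast from long to int does to a value, which matters when a size read from input is stored in a smaller type.

```java
// Added example (not from the original post): literal formats for each primitive
// type, the ranges behind the Min/Max table, and what happens when a value is
// narrowed into a smaller type.
public class PrimitiveLiterals {

    /** Narrowing conversion: only the low 32 bits survive, so a huge value can look small or negative. */
    static int narrowToInt(long value) {
        return (int) value;
    }

    public static void main(String[] args) {
        // Integer types: a literal without a suffix is an int, so values beyond
        // Integer.MAX_VALUE need the 'L' suffix to be a long.
        int  maxInt  = Integer.MAX_VALUE;        // 2147483647
        long bigLong = 3_000_000_000L;           // would not compile as an int literal
        System.out.println("int range:  " + Integer.MIN_VALUE + " .. " + maxInt);
        System.out.println("long range: " + Long.MIN_VALUE + " .. " + Long.MAX_VALUE);

        // Floating point types: a literal with a decimal point is a double unless suffixed 'f'.
        float  f = 1.5f;
        double d = 1.5d;     // 'd' is optional; 1.5 alone is already a double
        System.out.println("float " + f + ", double " + d);

        // Character type: single quotes; unicode escapes are allowed in the literal.
        char letter  = 'A';
        char unicode = '\u00E9';    // e with acute accent
        System.out.println("chars: " + letter + " " + unicode + " (code " + (int) unicode + ")");

        // Boolean type: only the literals true and false.
        boolean flag = true;
        System.out.println("flag = " + flag);

        // Narrowing: 3_000_000_000L becomes -1294967296, and 4_294_967_296L (2^32) becomes 0.
        System.out.println("(int) 3_000_000_000L = " + narrowToInt(bigLong));
        System.out.println("(int) 4_294_967_296L = " + narrowToInt(4_294_967_296L));
    }
}
```

The two narrowing lines are the defensive point: a value that is out of range for int does not fail, it changes, so a length should be range-checked before it is cast.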



Subject: Web Testing 101 - How to test World Wide Web

Topics:
  1. ID Elements on Web:
    • In most of the web applications I see, there are errors in the console.
    • A typical one is the same element id being used twice. I learnt myself that there should be unique ids instead of duplicate element ids.

    [DOM] Found 2 elements with non-unique id #priceVal_1412:
    <input type="hidden" id="priceVal_1412" value="20.7">
    <input type="hidden" id="priceVal_1412" value="17.57">

Albert Gareev mentions: that will also impact accessibility. Screen readers rely on id to describe relationships, for example between an edit box and its label.


Follow HTML guidelines

Web browsers are designed with the HTML specification in mind, and going against it can lead to unexpected issues with your web page. This means:
  • Element id attributes should be unique: no two elements should have the same id.


References: https://www.chromium.org/developers/design-documents/create-amazing-password-forms
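The console message above comes from the browser, which already has the DOM. For page source saved to disk, the class below is an added example, not code from the original post or from Albert Gareev, that scans for id attributes occurring more than once; the sample HTML in main is constructed from the quoted message. The regex does not understand HTML, so its hits are leads to confirm in the developer tools, not a verdict.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the original post): a quick scan of saved page source for
// id attributes that occur more than once, mirroring the browser console warning.
public class DuplicateIdCheck {

    // Matches id="..." or id='...'. A regex is not an HTML parser, so ids inside
    // comments or script strings are counted too; confirm hits in the browser.
    private static final Pattern ID_ATTR =
        Pattern.compile("\\bid\\s*=\\s*[\"']([^\"']+)[\"']", Pattern.CASE_INSENSITIVE);

    /** Returns every id used more than once, with its occurrence count, in first-seen order. */
    static Map<String, Integer> duplicateIds(String html) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        Matcher m = ID_ATTR.matcher(html);
        while (m.find()) {
            counts.merge(m.group(1), 1, Integer::sum);
        }
        Map<String, Integer> duplicates = new LinkedHashMap<>();
        counts.forEach((id, n) -> {
            if (n > 1) {
                duplicates.put(id, n);
            }
        });
        return duplicates;
    }

    public static void main(String[] args) {
        // Constructed sample based on the console message quoted in the post.
        String html = String.join("\n",
            "<form id='prices'>",
            "<input type=\"hidden\" id=\"priceVal_1412\" value=\"20.7\">",
            "<input type=\"hidden\" id=\"priceVal_1412\" value=\"17.57\">",
            "<input type=\"hidden\" id=\"priceVal_1413\" value=\"9.99\">",
            "</form>");
        Map<String, Integer> dups = duplicateIds(html);
        if (dups.isEmpty()) {
            System.out.println("all ids unique");
        } else {
            dups.forEach((id, n) ->
                System.out.println("Found " + n + " elements with non-unique id #" + id));
        }
    }
}
```

On the sample it reports priceVal_1412 twice and stays silent about prices and priceVal_1413. Because the hidden inputs carry prices, the duplicate is also a functional question: which of the two values does the server-side code read?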


Learning Something New: 17/07/2018

"It always seems impossible until it's done."




Subject: Java Fundamentals


Topics:
  1. Variables
  2. Declaration of Variables
  3. Assignment of Values to Variables
  4. Variables = Ability to store and manipulate values (Named Data Storage)
  5. Declaration and Assignment of Values in a single statement
  6. Naming Variables
    • Combination of Rules and Conventions.
    • Rule: letters, numbers, $ and underscore are allowed.
    • Convention: only letters and numbers are used.
    • Rule: the first character is not a number.
    • Convention: the first character is always a letter.
    • Convention: follow "Camel Casing"
      • First letter is lower case
      • Start of each word after the first is upper case
      • All other letters are lower case.
  7. We can assign a value to a variable and later modify it to another.
  8. Local Variables:
    • Variables declared inside the main method
    public class Variables {
        public static void main(String[] args) {
            /**
             * Declaring only the local variable and printing the variable.
             *
             * int myVar;
             * System.out.println(myVar);
             *
             * Error during compilation:
             * Exception in thread "main" java.lang.Error: Unresolved compilation problem:
             * The local variable myVar may not have been initialized
             * at Variables.main(Variables.java:8)
             */
            int myVar; // Declaring the local variable
            myVar = 50; // Assigning the value to the local variable
            System.out.println("myVar=" + myVar);
            int anotherVar = 100; // Declaring and assigning another local variable
            System.out.println("anotherVar=" + anotherVar);
            myVar = anotherVar; // Assigning a copy of the value of anotherVar to myVar
            System.out.println("myVar=" + myVar);
            System.out.println("anotherVar=" + anotherVar);
            anotherVar = 200; // Assigning another value to anotherVar, as it is already declared earlier
            System.out.println("myVar=" + myVar);
            System.out.println("anotherVar=" + anotherVar);
        }
    }
    




Subject: Web Application Security

Topics:


  1. OWASP - #4: Insecure Cryptographic Storage
    • When you register a user, find out how the passwords are stored in the application.
    • If they are stored in plain text, that is a security vulnerability.
    • Passwords should never be stored in unencrypted form, i.e. as plain text on the server.
    • The better way is to store a one-way cryptographic hash of the user's password.
    • While logging in to the application, the entered password is run through the hash function and the result is compared with the stored hash. If both match, login is granted.
    • Benefit: the hash is one-way; the original string cannot be computed from the hash.
    • Hash Functions: SHA-1, SHA-512 etc.
    • An even better way to secure it is adding a salt (random text) to the password before computing the hash. This strengthens the stored password hashes.
    • Without salt, when one user creates the password "Hello" and another user creates the same password "Hello", both hashed passwords will be the same after the hash function is computed.
    • Reference: Web Application Security - What Testers can do.
  2. OWASP - #5: Failure to Restrict URL Access
    • Keep unauthorized users from accessing modules both through UI navigation and by direct URL.


Learning Something New: 16/07/2018



"Be more consistent than everyone around you and you will win."



Subject: Web Application Security

Topics:
  1. OWASP - #1: Broken Authentication and Session Management
    • What is HTTP
    • How the web server communicates with the web application
    • What is meant by a stateless protocol
    • What is a Session Identifier (ID)
    • Why web applications use Session IDs
    • Identify the pattern of Session IDs in your application.
    • Is your session ID displayed in the URL of the web application?
      • Can anyone use the same URL and impersonate the session?
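The questions above are about how session IDs are generated and where they travel. The class below is an added example, not code from the original post, showing the defensive answers, a CSPRNG-generated identifier sent only in an HttpOnly/Secure cookie, together with a small check a tester can run over collected URLs to spot session IDs that leak into them; the cookie name SESSIONID and the parameter names it looks for (jsessionid, sessionid, sid, phpsessid) are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;

// Added example (not from the original post): an unguessable session identifier,
// delivered in a cookie rather than the URL, and a URL check for leaked session ids.
public class SessionIds {

    private static final SecureRandom RNG = new SecureRandom();

    /** 128 random bits from a CSPRNG, URL-safe Base64: no pattern for an attacker to extrapolate. */
    static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** The id travels only in a cookie: HttpOnly keeps script away from it, Secure keeps it off plain HTTP. */
    static String setCookieHeader(String sessionId) {
        return "Set-Cookie: SESSIONID=" + sessionId + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    /** True when the URL carries a session id as a query parameter or a ";jsessionid=" path parameter (assumed names). */
    static boolean sessionIdInUrl(String url) {
        String lower = url.toLowerCase(Locale.ROOT);
        return lower.contains(";jsessionid=")
            || lower.matches(".*[?&](jsessionid|sessionid|sid|phpsessid)=.*");
    }

    public static void main(String[] args) {
        String id = newSessionId();
        System.out.println(setCookieHeader(id));
        // Constructed URLs, as a tester might collect them from a proxy log.
        String[] urls = {
            "https://www.mysite.com/account",
            "https://www.mysite.com/account;jsessionid=ABC123",
            "https://www.mysite.com/account?sessionid=42"
        };
        for (String u : urls) {
            System.out.println((sessionIdInUrl(u) ? "LEAK " : "ok   ") + u);
        }
    }
}
```

The two flagged URLs are the case the last bullet describes: anyone who obtains that URL (browser history, a referrer header, a shared link) holds the session. Generating each run's id with SecureRandom is what makes the "pattern" question come up empty.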

Subject: Accessibility Testing

Topics:
  1. Tool used to evaluate a web application for accessibility.
    • WAVE - http://wave.webaim.org/
  2. Understanding the tool and how it works.


Exercise: Enter the URL of the website and hit Enter.
The summary displays errors, warnings, information etc.



Learning Something New: 12/07/2018

"You learn more from losing than winning. You learn how to keep going. Think beyond winning and losing."




Subject: Web Application Security

Topics:
  1. OWASP - #1: Injection
    • What is Injection
    • How an attacker injects code into a web application
    • Different types of Injection Attacks
      • SQL Injection
      • XPath/XQuery Injection
      • LDAP Injection
      • Command Injection
  2. OWASP - #2: Cross-Site Scripting (XSS)
    • What is Cross-Site Scripting
    • How an attacker injects code into a web application
    • What happens when the attacker's code is injected


Subject: Accessibility Testing

Topics:

  1. Learning about the diversity of disabilities
  2. Different disabilities:
    • Visual
    • Auditory
    • Physical
    • Cognitive
    • Learning
    • Emotional
  3. Definition: A disability is defined as a physical or mental impairment that substantially limits one or more major life activities. Specifically, a qualified individual with a disability is someone who can perform the essential functions of the job with or without reasonable accommodation.


Learning Something New: 11/07/2018

"Move out of your comfort zone. You can only grow if you are willing to feel awkward and uncomfortable when you try something new."




Subject: Java Fundamentals

Topics:
  1. Statement Structure
    • Statements end with a semicolon.
  2. Comments
    • Usage of comments in code
    • Types of comments
      • Line comments
      • Block comments
      • Javadoc comments
  3. What is a package
  4. Package naming conventions
    • Example: package com.strls.testing.learnjava
  5. Correlation between package names and source file structure.
  6. Before adding the package name to the Java file, the folder structure in the IDE is:
    • src -> main.java
  7. After adding the package name to the Java file, the folder structure in the IDE is:
    • src -> com -> strls -> testing -> learnjava -> HelloWorldOrganized -> main.java
    package com.strls.testing.learnjava;

    public class HelloOrganized {
        public static void main(String[] args) {
            System.out.println("Hello Get Organized");
        }
    }
          


Subject: Web Application Security

Topics:
  1. OWASP - Open Web Application Security Project (www.owasp.org) - an open source project with the goal of improving web application security.
  2. The OWASP Top 10 is a popular list which ranks the risks from the highest to the lowest.
  3. Download the list from the link below.
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Do not think as an attacker when you are not an attacker. Learn about security principles that can help you as a defender.


Learning Something New: 10/07/2018

If you learn something new every day, you can teach something new every day.


Subject: Java Fundamentals

Topics:

  • Verifying from the command line whether the Java JDK installation is correct.

  • Installation of Eclipse IDE
  • Creating a simple Java application (Hello World program):
    /**
     * This class implements the HelloWorld program
     * @author srinivas.kadiyala
     * @version 1.0
     *
     */
    public class HelloWorld {
        /*
         * Using comments in HelloWorld
         */
        public static void main(String[] args)
        {
            // Hello World Program
            System.out.println("Hello World Again");
            // Hello World Output - spaces within the braces
            System.out.println( "Hello World before Space in braces");
            // Hello World Output - spaces outside the braces
            System.out.println("Hello world before space outside braces") ;
            // Hello World Output - new line and spaces within the braces
            System.out.println(
                      "Hello  World"
                      );
            // Commenting out the statement.
            //System.out.println("Hello World Last Time");
        }
    }
            

  • Run the program from Eclipse

  • Run the program from the command line.

Step 1: Compilation of the Java code - successful.
Compiled without any errors.

Step 2: Running the program.
Error: Could not find or load main class HelloWorld.

Tried different ways to make it correct, but after a few minutes, with the help of Stack Overflow, performed Step 3.

Step 3: Running the program.
D:> java -cp . HelloWorld

-cp . means the current directory is used as the classpath, so the JVM looks for HelloWorld.class there.

The program ran successfully and displayed the output.


Subject: Search Engine Optimization

Topic: SEO URLs (Mobile Site vs Desktop Site)

If you have a separate mobile site and an actual desktop site, you want to know whether the mobile site hides any links.

We have a website which can traverse a site and display the results.



If you do not have separate sites for mobile and desktop, you can still search the website URL to see the URL links on the site.

Testing point of view: understand and find out URLs which seem improper and do not comply with SEO standards.


Learning Something New: 08/07/2018 - 09/07/2018

Learn Something New Every Day (And Actually Do Something With It)




Subject: Java Fundamentals

Topics:

  1. What is Java
  2. JRE vs JDK
  3. Installation of Java
  4. How Java code is converted to a class file
  5. What is an IDE
  6. Popular IDEs available
    • NetBeans
    • Eclipse
    • IntelliJ IDEA


Subject: Web Application Security

Topics:

  1. Different security attacks
    • Network firewalls
    • Web applications
  2. Popular web application security attacks
    1. SQL Injection
    2. Cross-Site Scripting
  3. What is a server firewall
    1. Advantages of a firewall
    2. Can a firewall protect web applications?
    3. Can we use a firewall to close off access to the web application?
      1. Does it impact end users?
  4. Can network defenses like firewalls keep attackers out and make web applications safe?
