Archive for February 2017

Daily Learning - Day 25

Date: 25th February 2017

Below are the topics I learnt today:

Follow Hashtag: #SKC100DaysofLearning

Topic 1: Security - Find the Technology Components used in a Web Application.


Are you interested in knowing which websites use a certain technology?

Wappalyzer is a browser extension that uncovers the technologies used on websites. It detects content management systems, eCommerce platforms, web servers, JavaScript frameworks, analytics tools and many more.

Install this on your web browser:  https://wappalyzer.com/download



Topic 2: Security - Massive Bug May Have Leaked User Data From Millions of Sites. So … Change Your Passwords

The internet infrastructure company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet.

The bug is known as "Cloudbleed".

Lessons Learnt:

  • It is necessary to know the third-party components of code added to your application. See Topic 1 for finding out the third-party components and server details.
  • Check whether any vulnerabilities have been recorded against those third-party components and the server. Their code is not guaranteed to be perfect either.
  • When you see a bug, even one that does not look serious, act quickly: apply a preliminary fix as soon as you understand the bug.
  • Then patch the bug permanently on the systems.
  • To mitigate the risk from this particular bug, change your password on whichever sites sit behind Cloudflare.
  • A further line of defence: enable two-factor authentication (2FA), so that a leaked password alone is not enough to log in.




Tool: Find out which CDN service your website is using.


Change.org uses Cloudflare as its CDN service.
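The check above, done by hand: a header-only version of what Wappalyzer and the CDN-finder do. This is an added example, not part of the original post and not Wappalyzer's own code; the signature list is illustrative (an assumption, real tools ship far larger lists and also inspect HTML and JavaScript), and the two sample responses are constructed, not captured from any real site.

```python
"""Fingerprint the technologies behind a website from its HTTP response
headers: a small, header-only version of what Wappalyzer does.

Added example, not Wappalyzer's code. The signature list is illustrative
(assumed) and both sample responses below are constructed.
"""
import re

# (header name, pattern on its value, technology label)
SIGNATURES = [
    ("server",       re.compile(r"cloudflare", re.I),     "Cloudflare (CDN)"),
    ("cf-ray",       re.compile(r"."),                     "Cloudflare (CDN)"),
    ("server",       re.compile(r"apache", re.I),         "Apache httpd"),
    ("server",       re.compile(r"nginx", re.I),          "nginx"),
    ("server",       re.compile(r"microsoft-iis", re.I),  "Microsoft IIS"),
    ("x-powered-by", re.compile(r"php", re.I),            "PHP"),
    ("x-powered-by", re.compile(r"asp\.net", re.I),       "ASP.NET"),
    ("x-powered-by", re.compile(r"express", re.I),        "Express (Node.js)"),
    ("set-cookie",   re.compile(r"^PHPSESSID="),          "PHP"),
    ("set-cookie",   re.compile(r"^ASP\.NET_SessionId="), "ASP.NET"),
    ("set-cookie",   re.compile(r"^JSESSIONID="),         "Java servlet container"),
    ("x-generator",  re.compile(r"drupal", re.I),         "Drupal"),
    ("link",         re.compile(r"/wp-json/"),            "WordPress"),
]


def parse_headers(raw_response):
    """Return [(name, value), ...] from a raw HTTP response, names lower-cased.
    Repeated headers (several Set-Cookie lines) are kept as separate pairs."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fingerprint(raw_response):
    """Technologies matched by the signatures, in first-seen order, no repeats."""
    found = []
    for name, value in parse_headers(raw_response):
        for sig_name, pattern, label in SIGNATURES:
            if name == sig_name and pattern.search(value) and label not in found:
                found.append(label)
    return found


def version_leaks(raw_response):
    """Server / X-Powered-By values that carry a version number. These are
    what an attacker matches against a vulnerability database, so they are
    worth suppressing (ServerTokens Prod, expose_php = Off, and so on)."""
    return [f"{name}: {value}"
            for name, value in parse_headers(raw_response)
            if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value)]


# Constructed sample responses (not captured from real hosts).
SAMPLE_BEHIND_CLOUDFLARE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 25 Feb 2017 10:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0123456789abcdef-SIN\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

SAMPLE_LAMP_WORDPRESS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.30\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    'Link: <https://www.example.com/wp-json/>; rel="https://api.w.org/"\r\n'
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEHIND_CLOUDFLARE, SAMPLE_LAMP_WORDPRESS):
        print("technologies:", fingerprint(sample))
        print("version leaks:", version_leaks(sample))
```

The `Server: cloudflare` and `CF-RAY` headers are how a site behind Cloudflare shows itself at the HTTP layer; the version-bearing `Server` and `X-Powered-By` values in the second sample are the kind of detail the "Lessons Learnt" list says to check against known vulnerabilities.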





Location: Mysuru, Karnataka 570001, India

Daily Learning - Day 24

Date: 22nd February 2017

Below are the topics I learnt today:

Topic 1: Security - User Supplied Input-Data on URL 

If you are testing a website, take any URL, add or alter some characters in it, and check what happens.

You may see errors from the application or from the web server.

Note: an error page generated by the web server (rather than by the application) can reveal information about the server, such as its product name and version.





Topic 2: Security - User Supplied Input-Data for Login 

Consider a logon screen that asks for a username and password. If the application returns one error message for an incorrect username and a different message for an incorrect password, the attacker can tell which of the two was wrong.

The danger is that the attacker can confirm a valid username from the response alone. The next step is simply to guess that user's password.
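The two behaviours side by side, as an added example (not code from the original post): a login that leaks which half was wrong, a hardened one that returns a single message and does the same amount of hashing work whether or not the user exists, and the tester's check that tells them apart. The user store, salt and passwords are constructed for illustration.

```python
"""Username enumeration through login error messages.

Added example, not from the original post. The user store, salt and
passwords are constructed; a real application would use a database and a
random per-user salt.
"""
import hashlib
import hmac

_SALT = b"constructed-salt-not-random"   # fixed only so the example is reproducible


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Compared against when the username does not exist, so the failing path
# costs the same as the succeeding one (no timing side channel).
_DUMMY = (_SALT, _hash("dummy password", _SALT))


def login_verbose(username, password):
    """Vulnerable: two different messages tell the attacker which half was wrong."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password"
    return True, "OK"


def login_uniform(username, password):
    """Hardened: one message for both failures, and the password is hashed
    even for unknown users so the response time does not leak the answer."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return ok, ("OK" if ok else "Invalid username or password")


def enumerates_usernames(login):
    """Tester's check from the post: do a wrong username and a wrong password
    for a known user produce different responses?"""
    _, unknown_user_msg = login("no-such-user", "wrong")
    _, bad_password_msg = login("alice", "wrong")
    return unknown_user_msg != bad_password_msg


if __name__ == "__main__":
    print("verbose login enumerates usernames:", enumerates_usernames(login_verbose))
    print("uniform login enumerates usernames:", enumerates_usernames(login_uniform))
```

When testing a real site, compare more than the message text: response length, status code and response time can all differ between the two failure paths even when the wording is identical.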



Topic 3: Non-Tech: Apology 

There are 6 kinds of apologies.

  1. "It's regretful that.." - It doesn't require you to admit you did wrong. You're just sorry it happened.
  2. "It seems that errors occurred.." - Acknowledging that something bad happened, but you didn't have anything to do with it.
  3. "Apology directed at another issue or person.." - I'm sorry you misunderstood my intent.
  4. "Apology used as emphasis to make a point.." - I'm sorry, the show is not good.
  5. "Apologies in advance.." - I'm sorry if this hurts you.
  6. "Deflective apologies.." - "I am in search of my soul and peace"

Don't apologise in expectation of receiving an apology from others.

Don't apologise if your intentions were misinterpreted.

Don't apologise to blame someone else.

And.. don't apologise for everyday behaviours.




Daily Learning - Day 23

Date: 21st February 2017

Below are the topics I learnt today:

Topic 1: HTTPS -- But NOT Completely

If you are testing a website and the Chrome browser says "Secure", don't assume the whole page is secure.

Exercise: Visit the website: https://threatpost.com

It is served over HTTPS and shows the secure padlock in Chrome.

But look at the icons lower down: the Twitter, Facebook etc. links point to URLs that are not HTTPS.

Note: the padlock only describes the connection used to load this page. A link to an http:// URL sends the visitor onward over plain HTTP, and any script, stylesheet or frame loaded over http:// could be modified on the way by someone on the network. For the site to be completely secured, everything should be HTTPS.





Daily Learning - Day 22

Date: 20th February 2017

Below are the topics I learnt today:

Topic 1:  Basics of testing

There are two kinds of bugs I had never heard of before.

Latent Bugs: a bug that existed in past versions of the application but was not identified there.

Latent bugs are dormant, i.e. hidden.
These bugs are not found until one or more releases after they were introduced.


Golden Bugs: a bug that occurs in every instance of the application, with severity level high and high priority.

Golden bugs may affect the critical functionality of the system.


Topic 2: Task Management 

Started using a task management Chrome application, "TickTick", to track my learning tasks.



Daily Learning - Day 21

Date: 19th February 2017

Below are the topics I learnt today:

Topic 1: Did a Course on "Fiddler" Tool.

Course: https://www.pluralsight.com/courses/fiddler

Why did I do this course?


  • To understand what happens between a client browser and a web server.
  • To use the tool as a base for capturing a website's traffic and learning about request headers, response headers, status codes and source code.
  • For security testing: changing cookies and data, then replaying the request, to see whether the application allows it or not.
  • Finally, to learn one tool well enough that I can use it any time.





Topic 2: Is Your Website Secured? - Line of Death in Browser

Even if the form submits over SSL, loading the form page without SSL means anyone on the network path can modify it (for example, change where it submits to) before it is submitted.


The jetairways.com website asks the user to provide sensitive information while the browser warns them that the page is not secure.
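A small audit that covers both observations, the HTTPS page with non-HTTPS links from Day 23 and the form loaded without SSL above, as an added example that is not code from the original posts. It parses a page with the standard library and separates active mixed content (scripts, stylesheets, frames, which an attacker on the path could rewrite), passive mixed content (images, media), outbound http:// links, and forms that are served or submitted without HTTPS. The page URLs and HTML are constructed for the example; they are not the threatpost.com or jetairways.com pages.

```python
"""Audit a page for content, links and forms that are not protected by HTTPS.

Added example, not from the original posts. The URLs and HTML below are
constructed, not the real pages the posts describe.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# http:// loads of these let a network attacker change what runs in the page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# http:// loads of these can only be viewed or swapped, not executed.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.active, self.passive, self.http_links, self.forms = [], [], [], []

    def _abs(self, url):
        # urljoin resolves relative and protocol-relative ("//host/x.js") URLs
        # against the page, so "//cdn/x.js" on an https page counts as https.
        return urljoin(self.page_url, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE and a.get(ACTIVE[tag]):
            url = self._abs(a[ACTIVE[tag]])
            if urlsplit(url).scheme == "http":
                self.active.append(url)
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            url = self._abs(a["href"])
            if urlsplit(url).scheme == "http":
                self.active.append(url)
        elif tag in PASSIVE and a.get(PASSIVE[tag]):
            url = self._abs(a[PASSIVE[tag]])
            if urlsplit(url).scheme == "http":
                self.passive.append(url)
        elif tag == "a" and a.get("href"):
            url = self._abs(a["href"])
            if urlsplit(url).scheme == "http":
                self.http_links.append(url)
        elif tag == "form":
            action = self._abs(a.get("action") or "")
            self.forms.append({
                "action": action,
                "page_over_https": self.page_is_https,
                "submits_over_https": urlsplit(action).scheme == "https",
            })


def audit(page_url, html):
    p = HttpsAudit(page_url)
    p.feed(html)
    return {"active": p.active, "passive": p.passive,
            "http_links": p.http_links, "forms": p.forms}


def insecure_forms(report):
    """Forms served over HTTP (the form itself can be altered before it is
    submitted) or submitting over HTTP (the data travels in the clear)."""
    return [f for f in report["forms"]
            if not (f["page_over_https"] and f["submits_over_https"])]


# Constructed samples (not real pages).
NEWS_PAGE_URL = "https://news.example.org/"
NEWS_PAGE_HTML = """
<html><head>
  <link rel="stylesheet" href="//static.example.org/site.css">
  <script src="https://static.example.org/app.js"></script>
</head><body>
  <iframe src="http://ads.example.net/frame.html"></iframe>
  <img src="http://img.example.org/banner.png">
  <a href="http://twitter.com/example">Twitter</a>
  <a href="https://www.facebook.com/example">Facebook</a>
</body></html>
"""

LOGIN_PAGE_URL = "http://www.example.com/login"   # page itself loaded without SSL
LOGIN_PAGE_HTML = """
<form action="https://secure.example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
"""

if __name__ == "__main__":
    print(audit(NEWS_PAGE_URL, NEWS_PAGE_HTML))
    print(insecure_forms(audit(LOGIN_PAGE_URL, LOGIN_PAGE_HTML)))
```

Running it on the login sample flags the form even though its action is https://, which is exactly the "line of death" case: the submission is encrypted, but the page that built the form arrived unauthenticated.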




Topic 3:  Basics before testing

The learning was about:

  • How the World Wide Web came into the picture
  • How client and server are connected
  • How data gets transmitted from client to server
  • The different types of protocols used to transfer the data



Topic 4: Weekend Testing Europe 

Today, we had the Weekend Testing Europe WTEU-73 session.

A brainstorming session with attendees to build a university testing course, with homework tasks and book-reading recommendations for students.



Daily Learning - Day 20

Date: 18th February 2017

Below are the topics I learnt today:

Topic 1: How to Encode the Script using Notepad++

Enter the script in Notepad++.



Then navigate to Plugins -> MIME Tools.



Then select Full URL Encode or URL Encode.

This will encode the script.
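The same two encodings scripted in Python, as an added example rather than anything from the original post or from Notepad++. That `url_encode` matches the plugin's "URL Encode" item character for character is an assumption (the plugin's exact safe-character set is not stated here); `full_url_encode` is what a "full" URL encoding means, every byte percent-encoded, letters and digits included.

```python
"""URL-encode a test payload: the scripted equivalent of the Notepad++
MIME Tools menu. Added example; the mapping onto the plugin's two menu
items is an assumption.
"""
from urllib.parse import quote, unquote


def url_encode(text):
    """Encode everything except the RFC 3986 unreserved characters
    (letters, digits, '-', '_', '.', '~')."""
    return quote(text, safe="")


def full_url_encode(text):
    """Percent-encode every byte of the UTF-8 form, letters and digits too.
    Useful for testing whether a filter inspects the raw or the decoded value."""
    return "".join("%{:02X}".format(b) for b in text.encode("utf-8"))


def url_decode(text):
    """What the server sees after one round of decoding; both encodings
    above decode back to the same original string."""
    return unquote(text)


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(url_encode(payload))
    print(full_url_encode(payload))
    print(url_decode(full_url_encode(payload)) == payload)
```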



Topic 2: Exploratory Testing with Test & Feedback Chrome Extension


Now everyone on the team can own quality. Capture findings, create issues, and collaborate with the team, directly from the browser on any platform: Windows, Mac, or Linux. Available for Google Chrome and Mozilla Firefox (required version 50.0 or above) 

I have used the Chrome extension. Although it takes time to understand, we can use it, export the report and attach the HTML file.

Topic 3: Line of Death in Browser

Learnt about the "Line of Death" in the browser window: the boundary between the browser's own UI (address bar, padlock), which a web page cannot draw over, and the page content below it, which an attacker controls completely.


Topic 4: Security - State of the Net
Nordic Testing Days: https://youtu.be/k_uOdUYbIUA

In this video, Mikko Hyppönen advises not to click "Enable Content" (which turns on macros in an Office document), even if the file comes from a trusted person, to avoid ransomware.




Daily Learning - Day 19

Date: 16th February 2017

Below are the topics I learnt today:

Topic 1: Read about Yahoo's Another Security Breach 


This week, Yahoo sent another wave of emails to users warning their accounts may have been breached as recently as last year. A flaw in Yahoo's mail service could have allowed a hacker to use a forged "cookie" created by software stolen from within Yahoo's systems to access accounts without a password.

Read  more:  http://www.wired.co.uk/article/yahoo-verizon-deal


Topic 2: Fiddler Exercise on Composer Tab

Using Fiddler's Composer option: drag and drop a session from the sessions list into the Composer.





  • Delete the cookie and execute the POST method.
-- Test: whether you can still access the application or not.
Expected: a 302 redirect (typically to the login page) because the session is not recognised. Note that 302 is a redirect, not an error.



  • Copy Cookie 1 into the request in place of Cookie 2 and execute the GET method.
-- Test: whether you can still access the application or not.
Expected: the session should be treated as expired and the application should not be accessible with Cookie 1.
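The server side of both exercises, and of the forged-cookie problem in Topic 1, as an added example (not code from the original post, and not Yahoo's design): a session cookie is a signed payload, so a missing cookie, a cookie whose payload was altered, a cookie signed with the wrong key, or an expired one all produce the 302 to the login page; a cookie minted with the real server key is accepted, which is why a stolen signing secret lets an attacker into any account without a password. The key, user names, timestamps and the `payload.signature` cookie format are this example's own constructions.

```python
"""Signed session cookies and what the Fiddler tests should observe.

Added example, not from the original post and not Yahoo's design. The
signing key, users and timestamps are constructed; the cookie format
(hex payload, '.', hex HMAC-SHA256) is this example's own.
"""
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-server-secret"   # whoever holds this can mint valid cookies


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(user, now, ttl=3600, key=SERVER_KEY):
    """Cookie value = hex(payload) + '.' + hex(HMAC-SHA256(key, payload)).
    `key` is a parameter only so the forgery cases below can be shown."""
    payload = json.dumps({"u": user, "exp": now + ttl}, separators=(",", ":")).encode()
    return payload.hex() + "." + _sign(payload, key).hex()


def verify_cookie(cookie, now):
    """Return the user name for a valid, unexpired cookie, otherwise None."""
    try:
        payload_hex, sig_hex = cookie.split(".", 1)
        payload, sig = bytes.fromhex(payload_hex), bytes.fromhex(sig_hex)
    except ValueError:
        return None                                        # malformed
    if not hmac.compare_digest(sig, _sign(payload, SERVER_KEY)):
        return None                                        # forged or tampered
    data = json.loads(payload)
    if data["exp"] <= now:
        return None                                        # expired
    return data["u"]


def _session_cookie(cookie_header):
    """Pull the 'session' cookie out of a Cookie: header value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def handle_request(cookie_header, now):
    """Returns (status, body): 200 for a valid session, otherwise a 302
    redirect to the login page (a redirect, not an error)."""
    cookie = _session_cookie(cookie_header)
    user = verify_cookie(cookie, now) if cookie else None
    if user is None:
        return 302, "Location: /login"
    return 200, "Welcome, " + user


if __name__ == "__main__":
    now = 1_488_000_000                      # constructed timestamp (Feb 2017)
    good = issue_cookie("alice", now)
    print(handle_request("session=" + good, now))            # (200, 'Welcome, alice')
    print(handle_request("", now))                            # cookie deleted -> 302
    print(handle_request("session=" + good, now + 7200))      # expired -> 302
    print(handle_request("session=" + issue_cookie("alice", now, key=b"guess"), now))
```

The last line is the attacker without the key: rejected. Replace `key=b"guess"` with the real `SERVER_KEY` and the forged cookie is accepted for any user, which is the situation the Yahoo notice describes.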


Daily Learning - Day 18

Date: 15th February 2017

Below are the topics I learnt today:

Topic 1: Knowing about IP Address of Client Website.

We usually only look up the IP address of our local machine.
But we can also find the IP address of a client's website.

Two options:
  • Using ping from the command line interface
Navigation: Windows + R = Run, then type CMD and Enter for a console, then type "ping google.com".
It displays: Reply from <IP address of the website>.
Note: the address shown is whatever the name currently resolves to in DNS; for a site behind a CDN that is an edge node, not the origin server. If ICMP is blocked you will get no reply, but "nslookup google.com" still shows the address.

  • Using the Chrome extension - Shodan

The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ports are open.





Complete Host Details can be viewed from : https://www.shodan.io/host/208.80.153.224 


Topic 2: Knowing about the rise and fall of the airline company PEOPLExpress



Daily Learning - Day 17

Date: 8th February 2017

Below are the topics I learnt today:

Topic: Examining web requests and responses 

I had three options for this topic.

1. Chrome / IE web developer tools
2. Add-ons - Chris Pederick's Web Developer toolbar, Firebug
3. Fiddler.


I was already familiar with the 1st and 2nd options. Then...

Getting Started with Fiddler.






  • The Fiddler tool was developed by Eric Lawrence.
  • What HTTP and status codes are
  • What Fiddler is and how to use it
Download:  http://www.telerik.com/download/fiddler

Installing the Fiddler: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/InstallFiddler

Configuring Browser for Fiddler: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureBrowsers#ie-chrome-safari-and-opera

  • Basic exercises on examining the web requests and responses and understanding them.



Observing the Web Requests and Responses:  http://docs.telerik.com/fiddler/Observe-Traffic/Tasks/CaptureWebTraffic


Daily Learning - Day 16

Date: 7th February 2017

Below are the topics I learnt today:

Topic 1: Email Server Test

Today, I saw an interesting email address. It looked like: support@tv&s.com

I was sure it would not work. As I remember, I read RFC 2822 (Internet Message Format) 3 years ago.

Reference: https://tools.ietf.org/html/rfc2822

Still, I thought I would test the email server.

Used a free online email server test. (There is no specific reason for choosing this tool; it is what Google turned up.)

Reference:  https://www.ultratools.com/tools/emailTest 

Entered the email address and sent it for checking.










Then tried another, valid email address, and it looked like this.

















Note: if someone gives you an SMTP email address, make sure you test it without actually sending an email (an MX lookup plus an SMTP RCPT TO check shows whether the server would accept it).
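Why `support@tv&s.com` fails is worth pinning down, because two different rules apply. RFC 5322 (which obsoletes RFC 2822) actually allows `&` in an unquoted local part, so `tv&s@example.com` is syntactically fine; what is wrong with the address above is the domain, which has to be a DNS host name and may only contain letters, digits and hyphens. The checker below separates the two rules. It is an added example, not code from the original post or from the UltraTools checker, and it tests syntax only: whether the mailbox exists still needs the MX lookup and SMTP check described in the note, which this offline example does not perform.

```python
"""Syntax check for an e-mail address, with the two rules kept apart:
the local part follows RFC 5322 dot-atom syntax, the domain must be a
valid DNS host name.

Added example, not from the original post. Syntax only; deliverability
needs DNS and SMTP, which this does not do.
"""
import re

# RFC 5322 "atext": characters allowed in an unquoted local part.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = re.compile(r"^" + _ATEXT + r"+(\." + _ATEXT + r"+)*$")
# DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_address(addr):
    """Return (ok, reason). Quoted local parts ("john doe"@x.com) and
    IP-literal domains (user@[192.0.2.1]) are deliberately not supported."""
    if addr.count("@") != 1:
        return False, "exactly one '@' is required"
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64:
        return False, "local part must be 1-64 characters"
    if not _DOT_ATOM.match(local):
        return False, "local part is not RFC 5322 dot-atom syntax"
    labels = domain.split(".")
    if len(labels) < 2 or len(domain) > 253:
        return False, "domain must be a dotted host name of at most 253 characters"
    for label in labels:
        if not _LABEL.match(label):
            return False, "domain label %r is not a valid DNS label" % label
    if not labels[-1].isalpha():
        return False, "top-level domain must be alphabetic"
    return True, "syntax OK"


if __name__ == "__main__":
    for candidate in ("support@tv&s.com", "tv&s@example.com", "first.last@example.co.uk"):
        print(candidate, "->", check_address(candidate))
```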


Daily Learning - Day 15

Date: 6th February 2017

Below are the topics I learnt today:

Topic 1: Inspecting the Web Page

There are free tools available, without installing anything extra, to inspect a web page's code, step through the code and view the network traffic between the web server and the client (browser).

With a browser installed on your machine, open the Web Developer Tools via F12, or Settings/Tools -> Developer Tools.

Exercise:

The mail snippet below is from Amazon.in; it is a promotional email from Store-News.

For the Amazon.in company logo, the alt text reads "Amazon.ca",
and when the logo is clicked, it redirects to the amazon.in website.




Likewise, for another Amazon.in company logo, the alt text reads "Junglee.com",
and when the logo is clicked, it redirects to the amazon.in website.

Lesson learnt: alt text should describe the image correctly.



Topic 2: Analyse your Server HTTP Headers 

There is a web application developed by Scott Helme, "SecurityHeaders.io",
where you enter the website name and scan it.

It reports which security headers the site sends, with a grade and details of each header.

If you are considering securing your website, this is a very important first test to run against your site.
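The same check done locally against a captured set of response headers, as an added example: it is not securityheaders.io's code or scoring. The header names it looks for are the ones the service reports on; the grading (one letter per missing header) is a simplified assumption, cruder than the real site's, and the two header sets are constructed, one weak and one corrected.

```python
"""Check a site's response headers against the set securityheaders.io
looks at, with a simplified grade.

Added example, not securityheaders.io's code. The grading scheme is an
assumption and both header sets are constructed.
"""
import re

WANTED = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
]

SIX_MONTHS = 15552000   # seconds; a shorter HSTS max-age offers little protection


def hsts_max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def analyse(headers):
    """headers: {name: value} as sent by the site, names in any case.
    Returns the missing headers, warnings about weak values, and a grade."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in WANTED if name not in h]
    warnings = []
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < SIX_MONTHS:
        warnings.append("HSTS max-age below six months")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        warnings.append("X-Content-Type-Options should be nosniff")
    if "content-security-policy" in h and "'unsafe-inline'" in h["content-security-policy"]:
        warnings.append("CSP allows 'unsafe-inline'")
    grade = "ABCDEF"[min(len(missing), 5)]     # simplified: one letter per missing header
    return {"grade": grade, "missing": missing, "warnings": warnings}


# Constructed header sets: a typical untouched default, and a corrected one.
WEAK = {
    "Server": "Apache/2.4.18 (Ubuntu)",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print("weak:", analyse(WEAK))
    print("hardened:", analyse(HARDENED))
```

The headers can be captured with the developer tools or Fiddler from the earlier days' posts, pasted into a dict, and re-checked after each server configuration change, which is the loop the scanner automates.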




