‘Hacking’ Rails session

Reading Time: 1 minute

One important attack vector in web applications is the content of the session cookie. The Rails security guide explains which data may be stored in a cookie-based session, and why anything secret does not belong there.
I will explain how you can obtain the content of the session object from the cookie (I learned about that from this blog post). First, get the application cookie. Hit F12 in Chrome, switch to the Network tab, log in to the application that you are testing and select the POST authentication request. In the response headers find the Set-Cookie header and copy the cookie value, i.e. the part after the '=' and up to the first ';' character (what follows the ';' is only the path and cookie flags). Do this only against an application you are authorised to test.
Start irb, the Ruby interpreter. A Rails 3 session cookie is the Base64-encoded Marshal dump of the session hash, followed by '--' and an HMAC signature, and the whole value is URL-escaped. So first unescape the cookie string, drop the signature, decode the Base64 payload, and then de-marshal it. Here is the Ruby code, with cookie holding the value you copied:

require 'base64'
require 'cgi'
# Rails 3 cookie store layout: "<base64 marshal data>--<hmac hex digest>", URL-escaped
payload = CGI.unescape(cookie).split('--').first
plain = Base64.decode64(payload)
data = Marshal.load(plain)

Tip: if Marshal.load raises "undefined class/module ...", the session holds an instance of an application class; require the file that defines that class and call Marshal.load again. Keep in mind that Marshal.load instantiates whatever classes the bytes name, so run it only on cookies issued by the application you are testing, never on input you do not trust.

data is the Ruby hash that represents the Rails session.
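The following is an added example, not code from the original post or from Rails itself. It reproduces the Rails 3 CookieStore layout (Base64 of Marshal.dump, then '--', then an HMAC-SHA1 hex digest over the Base64 text, URL-escaped) so that the whole round trip runs offline: build a cookie, cut the value out of a Set-Cookie header, decode it, and show that changing a field without the secret breaks the signature. The secret, session contents and cookie name are constructed for the example; a real application keeps its secret_token in config/initializers/secret_token.rb. From Rails 4 on the default store encrypts the cookie, so plain Base64 decoding no longer yields readable data.

```ruby
require 'base64'
require 'cgi'
require 'openssl'

# Constructed secret for this example only; a real Rails 3 app keeps its
# secret_token in config/initializers/secret_token.rb.
EXAMPLE_SECRET = 'example-secret-token-constructed-for-this-post'

# HMAC-SHA1 over the Base64 payload, the scheme Rails 3's MessageVerifier uses.
def session_digest(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Build a cookie value in the Rails 3 CookieStore layout:
# "<base64(Marshal.dump(session))>--<hex digest>", then URL-escaped.
def build_session_cookie(session, secret)
  payload = Base64.strict_encode64(Marshal.dump(session))
  CGI.escape("#{payload}--#{session_digest(payload, secret)}")
end

# Extract just the value from a Set-Cookie header line such as
# "_app_session=<value>; path=/; HttpOnly".
def cookie_value(set_cookie_header)
  name_value = set_cookie_header.split(';', 2).first
  name_value.split('=', 2).last
end

# Constant-time comparison so a verifier does not leak how much of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode the session hash. When a secret is given the signature is checked
# first, which is the only safe order: Marshal.load on unverified bytes runs
# attacker-chosen deserialization. Without a secret you can still read your
# own test cookie, which is what the post above does.
def decode_session_cookie(cookie, secret = nil)
  payload, digest = CGI.unescape(cookie).split('--', 2)
  raise ArgumentError, 'not a Rails 3 signed cookie' if payload.nil? || digest.nil?
  if secret && !secure_compare(session_digest(payload, secret), digest)
    raise ArgumentError, 'signature does not match'
  end
  Marshal.load(Base64.decode64(payload))
end

# Change one field and re-encode while keeping the old digest (no secret known):
# the payload still decodes, but a server that verifies the signature rejects it.
def tamper_session_cookie(cookie, key, value)
  payload, digest = CGI.unescape(cookie).split('--', 2)
  session = Marshal.load(Base64.decode64(payload))
  session[key] = value
  CGI.escape("#{Base64.strict_encode64(Marshal.dump(session))}--#{digest}")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed session contents; a real session also carries the CSRF token.
  session = { 'session_id' => 'c0ffee', 'user_id' => 42, '_csrf_token' => 'x' }
  cookie = build_session_cookie(session, EXAMPLE_SECRET)
  header = "_myapp_session=#{cookie}; path=/; HttpOnly"
  puts decode_session_cookie(cookie_value(header), EXAMPLE_SECRET).inspect
  begin
    decode_session_cookie(tamper_session_cookie(cookie, 'user_id', 1), EXAMPLE_SECRET)
  rescue ArgumentError => e
    puts "tampered cookie rejected: #{e.message}"
  end
end
```

The decode step without a secret is exactly what the irb session in the post does, and it is also why a Rails 3 session must never carry anything confidential: the signature stops tampering, but it does not stop reading.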


Report for Zagreb STC #9

Reading Time: 2 minutes

State of the art browser automation testing in action 

Yesterday seven software testers gathered at Zagreb STC #9. We welcomed two newcomers, Irja and Matija. At the beginning there was the traditional introduction round and "what have you tested since the last meetup". Irja works for a system integration company, in the department that develops web applications. From her introduction I figured out that she really loves software testing, because she asked a lot of questions about how to learn and practice the software testing craft. Matija studies mathematics and is currently freelancing for the Croatian national software security agency, CERT. He gave valuable information about free Linux distributions that come with everything you need to get started with learning about software security: BackTrack and Kali Linux are good starting points. He also talked about how he uses Fing, an Android network management application, in his work. We learned how the Windows Phone application Traffic Manager was developed and tested in Manuel's free time. Damir talked about test automation challenges in testing the Croatian national cadastre system.
I gave a brief presentation about Web app hack tutorial, a free web application for learning and practicing web application security. I demonstrated a simple XSS attack using the latest Chrome and Firefox. On that particular example, Chrome proved to be the more secure browser. I also mentioned the Google project for learning about web application security, named Gruyere.
In the end, Zeljko demonstrated his latest accomplishments in automated testing of Wikimedia software. Here is the list of software and cloud services used: Cucumber, Ruby, watir-webdriver, the Page Object pattern, CloudBees, SauceLabs. Pretty impressive to see all that in action! And guess what, the test code base is in a public GitHub repository!
If you want free tutoring about browser automation, feel free to contact Zeljko. What he gets in return is your help in testing Wikimedia. Zeljko also mentioned how to cope with the problem of automating various versions of the IE browser. A good starting point is Modern.ie, where you can download virtual machines with various Windows/IE version combinations. The ievms project on GitHub lets you download all the popular combinations by issuing just one curl command.
Again a great meetup; see you in one month, on 22nd April in ZIP, with our special guest, Gojko Adzic!


Going independent

Reading Time: 1 minute

As of yesterday I am working for a new company, Tentamen, a small software testing shop, the second one in Croatia. Oh, and I forgot to mention that I am the owner of the company. I would like to thank all the testers from around the world that I follow on Twitter, because your writing helped me make this important decision.
Some of them deserve a special mention: Željko Filipin, Michael Bolton, Gerald Weinberg, James Marcus Bach and Pradeep Soundararajan. Thank you!
My company's goal is very simple: to spread the importance of the testing craft among the Croatian and worldwide IT community. From this starting point, the software testing business is looking very promising!


Announcement for Zagreb STC #9 meetup

Reading Time: 1 minute

We are proud to announce the Zagreb STC #9 software testers meetup!
The meetup is scheduled for Thursday, March 21, 2013, 5:30 PM in the Palagruza conference room at Ericsson Nikola Tesla, Krapinska 45, Zagreb, main entrance.

This time we will have the following topics on the table (along with the traditional pizza and refreshments):
1. Security testing of web applications: two interesting web demos that help you learn about web security
2. Puzzle web game
3. How MediaWiki, the software that runs Wikipedia, is tested
4. Everything else

The venue sponsor is Ericsson Nikola Tesla, and Tentamen will sponsor the pizza and refreshments.