

Showing posts with label Web Applications.

Wednesday, January 2, 2013

What is Selenium software testing framework?


Selenium is a portable software testing framework developed exclusively for web applications. It works as a record and playback tool for authoring tests without having to learn a test scripting language (TSL).
The Selenium framework comes with its own test domain-specific language, known by the name of Selenese, and tests can also be developed in a number of prominent programming languages such as the following:
  1. C#
  2. Java
  3. Groovy
  4. PHP
  5. Perl
  6. Python
  7. Ruby etc.
The tests thus developed can be executed against a number of modern web browsers. The Selenium framework can be deployed on the following three platforms:
  1. Windows
  2. Linux
  3. Macintosh
- Selenium is one of the best open-source tools available to us today.
- It was released as open-source software under the Apache 2.0 license, so you will not be charged for downloading and using it.
- The software got its name from a joke cracked by Jason in an email, in which he mocked a competitor by saying that mercury poisoning can be cured with selenium supplements.
- The other people who received this email began using the name, and eventually the software was named so.
- Selenium Grid is the latest side project; it provides a hub that enables multiple Selenium tests to be executed on local and remote systems concurrently.
- This is done in an effort to minimize the time taken for execution.
- Selenium provides a number of robust tools which one can use for the rapid development of automated tests for web based applications.
- It also comes with a number of rich features and functions built exclusively for web applications.
- The operations carried out by the Selenium framework are highly flexible and allow UI elements to be located using a number of supported options.
- The Selenium framework also takes care of comparing the actual and the expected test results.
- Selenium's key feature is its support for executing one test on a number of browser platforms.
- The Selenium framework is composed of three major tools, each of which plays an important and unique role in developing tests for web applications:
  1. Selenium IDE
  2. Selenium remote control
  3. Selenium grid
- There are a number of ways in which functionality can be added to the Selenium framework to further customize tests to suit one's specific needs.
- It is this characteristic that makes the Selenium framework stand out from the rest.
- Selenium RC supports test writers in multiple programming languages, helping them develop whatever logic they require for automated testing in their preferred language.
- Alternatively, the user can add his own extensions via the Selenium IDE to create additional customized commands.
- The Selenium RC code generated by the Selenium IDE can be reconfigured easily, which lets testers generate code that fits their own testing framework.
- Also, since Selenium is open to all, everyone is free to submit contributions for its enhancement and modification.


Wednesday, July 18, 2012

What are the differences between testing a web application and testing a client-server application?


Web applications, as we know, are applications that can be accessed over a computer network such as the internet or an intranet. Some web applications are also coded in browser-supported languages like HTML or JavaScript and run inside the web browser.

There are many reasons that make web applications popular with their users, such as:
  1. The ubiquity of web browsers.
  2. Web applications use the web browser as their client, usually termed a thin client.
  3. They can be updated and maintained without having to install the software on thousands of client systems.
  4. They support cross platform compatibility.
Now that we have discussed web applications, let us see what client server applications are!

- A client server application is not really an application but a computing model: a distributed application whose purpose is to partition the workload or tasks between the resource or service providers, which are the servers, and the service requesters, which are the clients.
- Communication between the server and the client is established over a computer network, and in most cases the server and the client reside on the same system.

In this article we are going to discuss the differences between testing the two types of application mentioned above. It is very necessary to test these applications, since our personal as well as commercial needs depend heavily on them.
First we will talk about web application testing and then about client server application testing, so that the differences between the two become clear to you!

About Web Application Testing


- Web application testing is a combination of the following types of testing:
  1. Usability testing
  2. Compatibility testing
  3. Security testing
  4. Performance testing
  5. Interface testing and
  6. Functionality testing
- All of the above tests together make up a complete testing path for web applications.
- The two types of testing, i.e. web application testing and client server application testing, differ on the basis of the environment in which they are carried out.
- Testing a web application proves to be more difficult and more complex than testing a client server application. This is because the testers do not hold much control over the web application in question.
- In web application testing, the application under test is loaded on a server whose location may or may not be known to the testers.
- No .exe file is installed on the client side, and therefore the application has to be tested on different web browsers.
- Web applications are mostly tested for compatibility with different OS platforms, error handling, back end behaviour, load, and static pages.

About Client Server Testing


- Client server application testing is quite simple compared to web application testing and basically involves testing two components.
- Here, as in web application testing, the application is loaded on the server machine, but unlike web application testing the exe file is installed on all the client machines.
- The testing here is carried out broadly in the categories mentioned below:
  1. GUI on both sides.
  2. Functionality
  3. Client server interaction
  4. Back end testing and so on.
- The environment used in client server application testing is pretty much like the one found in intranet networks.
- The testing team knows the location of all the servers in the test scenario.


Wednesday, July 11, 2012

What is website usability testing?


Over the past few years the growth and usage of web sites, both free and paid, has risen rapidly. In other words, the usage of web sites has witnessed massive growth. With the rise in usage of web sites and web applications, it is obvious that the demand for web site usability testing also increases!
Now you must be wondering what web site usability testing actually is. In earlier times it took expensive recruitment, labs and a large amount of time and deployment to carry out web site usability testing. Since the advent of web site usability testing tools, the whole process of testing has become smooth and well under control.
In this article we discuss web site usability testing. You might be wondering why it is necessary to carry out web site usability testing and what good it does for web sites and web applications.
- Web site usability testing is an essential element of the quality assurance of the web site or web application under test.
- Web site usability testing can be considered an exact, actual and true test of how a web site or web application is actually used by its end users.
- Web site usability testing becomes quite easy once you know how to do it, and quite cheap when you carry it out yourself.
- Web site usability testing involves checking the following aspects of web sites and web applications:
  1. How the web site or web application is used by a series of individuals under some guidance from a facilitator.
  2. Whether or not the web site or web application can be successfully used by outsiders.
  3. Whether the web site or web application is focusing only on a particular group.
There are some common terms associated with web site usability testing that we are going to discuss now:
  1. Observer: The person in charge of observing the test in progress; he/she often sits in another room.
  2. Facilitator: The person in charge of guiding the user while the usability test is in progress, and who takes relevant notes.
  3. Owner: Owns the web site or web application.
  4. Web site development team: All the people involved with the development and maintenance of the web site or web application. It includes the following:
     a) Strategy group
     b) Programmers
     c) Designers
     d) Stakeholders and so on.
  5. User: The person who uses the web site or web application during the usability test.
  6. Usability: A measure of the extent to which the intended user achieves his/her goals using the web site or web application under test.
Testers usually run one whopping big usability test, which makes the whole testing process quite clumsy, rather than breaking the testing down into little parts and executing them one at a time.

There are 5 appropriate times for carrying out web site and application usability testing, as mentioned below:
  1. At the time of the conception of the web site, you can start by testing a printed mock up of the home page.
  2. Before a redevelopment plan is created.
  3. Repeatedly during development.
  4. Whenever an anomaly shows up in a traffic analysis.
  5. When the owner of the web site asks for some information regarding his web site or web application.


Wednesday, May 2, 2012

How do penetration testing tools emphasize web application security?


In this internet savvy world, web applications have become an important part of web utilization. They provide a means to utilize the services offered by the web in a more meaningful manner.
Earlier years saw less use of web applications, but now usage is reaching new heights day by day, with great demand for improving the existing applications along with the introduction of new ones. With such a vast number of users, an application needs to maintain its security against the malicious attackers among those users, and so adequate security measures have to be taken.
For this purpose, the security mechanisms of the application need to be checked thoroughly for vulnerabilities and security leaks via penetration testing. Penetration testing is perhaps the best testing methodology when it comes to testing the security of different software system components, like network security, database security etc.
There should be some testing methodology that can dig out all the potential vulnerabilities. Is there an answer? Yes, there certainly is: penetration testing! Perhaps many of us are familiar with this methodology. In this piece of writing we discuss how penetration testing tools emphasize web application security.

About Penetration Testing and its emphasis on Web Application Security


- Penetration testing is yet another testing methodology that has been adopted for testing the security of web applications against malicious attacks.
- It provides a way to evaluate the security level of a web application by subjecting the application to simulated attacks that mimic malicious attacks from outside as well as inside attackers.
- It thus covers both outside attackers, who do not have any authorized access to the computer system or network, and inside attackers, who do have such access.
- Penetration testing requires an active analysis that assesses all the potential vulnerabilities of the web application resulting from its poor security and configuration.
- Apart from this, known and unknown flaws in both the hardware and the software components of the application contribute to these vulnerabilities, not only operational weaknesses.
- A proper active analysis is achieved only if it is carried out from the viewpoint of a malicious attacker and involves active exploitation of the identified vulnerabilities.
- Web application security depends upon the effectiveness of the testing.
- The testing in turn is largely affected by the effectiveness of the tools employed in it.
- The tools indeed affect web application security: if the tools are reliable and efficient in searching for vulnerabilities, there will obviously be more stringent checking of the security mechanisms.
- Identification of the vulnerabilities is always the first step in penetration testing.
- The required number of penetration tests is then carried out on that particular system, coupling the gathered information with an active assessment of the risks to the computer system or network, using the penetration testing tools.
- A whole lot of effective tools are designed to reduce the effect of the identified potential vulnerabilities.
Penetration testing tools have been recognized as an important component of web application security audits.


Friday, April 20, 2012

What are the different aspects of a DBMS specific SQL injection attack?


DBMS specific SQL injection is one of the different types of SQL injection. Some of the SQL injection attacks carried out today on web sites are based upon DBMS specific SQL injection.

About DBMS specific SQL


- DBMS specific SQL is employed for sending certain specified statements to the database engine for execution.

- Unless a connection is specified, the default cursor for the default connection is used by Prolific.

- With DBMS specific SQL, the statements can be fed to the database engine in any format that it supports.

- Such a privilege grants access to all the features of the database.

- SQL injection attacks are well known attack vectors against database management systems that fail to cleanse or sanitize the input supplied by users.

- As in web based applications, SQL commands passed as parameters to stored procedures and functions are exploited by SQL injection attacks.

- These malicious commands are then executed in the context of the component through which the required function is called.

- This whole process is carried out via the system components and with the administrator's privileges.

- The result is what is called privilege escalation.

Example to illustrate Privilege Escalation



- Suppose some component provides backup functionality and runs at a higher privilege.

- A function in it is called with injected malicious SQL statements.

- This allows the user to become a DBA by escalating their privileges, which then helps them take over the database.

- By keeping the database patches up to date, many SQL injection attacks can be effectively avoided.

- Though the classic SQL injection attack has become outdated and inference SQL injection still prevails as a great security threat, DBMS specific SQL injection is still considered significant regardless of how classic SQLIA, inference SQLIA and the other types of SQLIA are utilized.

- The permissions of the database login that belongs to a web application can be limited to only what is required.

- This may prove effective in reducing the effect of an SQL injection attack that exploits bugs and errors present in the web application or site.

- Like bugs and errors, the severity of SQL injection attacks also ranges across low, medium and high levels.

- Following a successful SQL injection attack, the attacker can very easily execute arbitrary SQL commands.

- Such a vulnerability can be exploited by remote authenticated users to inject malicious SQL statements and commands.

- An attacker who succeeds with SQL injection can steal sensitive data from the database or modify it as he/she desires.

- The attacker can even carry out administrative operations on the database, like issuing a command to shut down the whole database, recover a deleted file etc.

Approaches to avoid malicious SQL injection in database


Either of the two approaches mentioned below can be followed to avoid malicious SQL injection into the database:

1. Parameterized queries:
   - This approach uses bound queries, in which the values are passed as bind parameters.
   - Of the two, this is the easier to follow, and it works in almost the same way in many languages including Java, .NET, PHP, Perl etc.
   - In parameterized queries the data and the query are kept separate from each other by the bindings.

2. Parameterized stored procedures:
   - Though a little more difficult to implement, this approach proves more effective than the previous one in avoiding many types of SQL injection attacks.

Avoid the use of dynamic table names, and if you must use them, do not accept the names from users; with these measures in place it is very unlikely that your application will fall victim to an SQL injection attack.
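As an added example (not code from the original post), the following Python script uses the standard sqlite3 module with a constructed in-memory database to contrast a dynamically concatenated query with a parameterized one, and shows how a dynamic table name is handled with an allowlist because bind parameters cannot carry identifiers. The table layout, user rows and probe input are all invented here.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, entry TEXT)")
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Dynamic SQL built by string concatenation: user data becomes part of the query
    text, so a quote character in the input changes the meaning of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Parameterized query: the query text is fixed and the driver passes `name` as a
    bound value, so the input can only ever be compared against the column."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Bind parameters carry values, not identifiers, so a table name chosen at runtime
# (the post's "dynamic table name") is checked against a fixed allowlist before it is
# spliced into the statement; it is never taken straight from the user.
ALLOWED_TABLES = {"users", "audit_log"}


def count_rows(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    conn = build_db()
    # Constructed probe input: the quote closes the literal and OR appends a tautology.
    probe = "' OR '1'='1"
    print(find_user_vulnerable(conn, probe))     # all three users: WHERE is always true
    print(find_user_parameterized(conn, probe))  # []: no user is literally named that
    print(count_rows(conn, "users"))             # 3
```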


Tuesday, April 17, 2012

Explain the concepts of XSS (cross site scripting)

XSS, or cross site scripting, is a familiar term in today's cyber world. Cross site scripting falls under the category of computer security vulnerabilities that are common among web applications.

Purpose of XSS Cross Site Scripting



- This vulnerability allows malicious outside attackers to inject malicious client side scripts into web pages or applications that are later viewed by the people who visit the page.

- Another purpose may be to bypass access controls such as the same origin policy.

- Cross site scripting vulnerabilities alone accounted for almost 80.5 percent of all the security vulnerabilities identified and documented by Symantec in the year 2007.

- The risk posed by a cross site scripting flaw depends on the sensitivity of the data processed by that particular web site or web page.

- Apart from this factor, another factor that influences the risk is the security mitigation implemented by the owner of that web site.

Limitations of XSS Cross Site Scripting



- Cross site scripting can also be employed by some people merely to create a petty nuisance.

- This vulnerability is often misused by attackers to bypass the client side security mechanisms that web browsers usually impose on the web content of that particular site.

- There are various ways through which an attacker can gain access to web pages in order to inject malicious scripts into them.

- Such methods can give the attacker unauthorized access to all the sensitive content of the page, information on user activity stored by the browser, session cookies etc.

About Cross Site Scripting



- Cross site scripting is a type of code injection attack and is somewhat similar to SQL injection.

- Earlier, the term cross site scripting referred to loading the attacked third party application from an unrelated attack site in a manner that executes JavaScript prepared by the attacker in the security context of the targeted domain.

- Eventually the term came to refer to other modes of code injection as well, including non-JavaScript vectors (like VBScript, Flash, Java, ActiveX, HTML, SQL and so on).

- Cross site scripting vulnerabilities have been under exploitation since the advent of the 20th century.

- Many famous social networking sites like MySpace, Orkut, Twitter, Facebook etc. have been victims of cross site scripting in the past.

- With the growing sophistication of cross site scripting techniques, they have now surpassed vulnerabilities like buffer overflows to become the most commonly reported security vulnerability.

- Even now, 68 percent of all web sites are classed as vulnerable to cross site scripting attacks.

Classifications of XSS flaws


As such there are no fixed criteria for the classification of XSS flaws, but according to experts they fall into two categories:

1. Persistent XSS flaws
Also known as stored XSS flaws; this is the most destructive type. It occurs when data provided by the attacker is stored by the server.

2. Non persistent XSS flaws
Also known as reflected XSS flaws; this is the most common type. It occurs when data from a web client is used by server side scripts to generate the requested page without sanitizing the query.

Some other experts classify them as:
1. DOM based XSS flaws: arise in client side scripts.
2. Traditional XSS flaws: occur as a result of flaws in server side scripts.
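As an added example (not from the original post), this Python script models the reflected and the stored case side by side: a request parameter echoed into the answering page, and a comment kept in a constructed in-memory list and served to later visitors. Both are fixed the same way, by encoding at output time with html.escape; the page template, comment store and probe string are all invented here.

```python
import html
from urllib.parse import parse_qs

# Constructed in-memory list standing in for the server-side store of user comments.
COMMENTS = []


def render_search(query_string, escape_output=True):
    """Reflected (non persistent) case: a request parameter is written into the page
    that answers that very request. quote=True also encodes " and ' so the value
    cannot break out of the attribute it is placed in."""
    term = parse_qs(query_string).get("q", [""])[0]
    shown = html.escape(term, quote=True) if escape_output else term
    return f'<input name="q" value="{shown}"><p>Results for {shown}</p>'


def store_comment(text):
    """Persistent (stored) case, first half: the server keeps the data exactly as
    supplied. Storing raw text is fine; the defect is rendering it raw later."""
    COMMENTS.append(text)


def render_comments(escape_output=True):
    """Persistent case, second half: every later visitor receives the stored data,
    so encoding at output time protects all of them, not just the submitter."""
    items = "".join(f"<li>{html.escape(c) if escape_output else c}</li>"
                    for c in COMMENTS)
    return f"<ul>{items}</ul>"


def echoes_raw_markup(rendered_html, user_input):
    """Detection check for a test suite: an input containing markup characters must
    not reappear verbatim in the page. (DOM based XSS happens in client side script
    and is not caught by inspecting server output like this.)"""
    return any(ch in user_input for ch in "<>\"'") and user_input in rendered_html


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed textbook probe string
    print(render_search("q=" + probe, escape_output=False))  # script lands in the page
    print(render_search("q=" + probe))                       # &lt;script&gt;... as text
    store_comment(probe)
    print(echoes_raw_markup(render_comments(escape_output=False), probe))  # True
    print(echoes_raw_markup(render_comments(), probe))                     # False
```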


Sunday, April 8, 2012

What is the difference between desktop applications and web applications?

Today's world is a lot more dependent on software applications, which are involved in most of the tasks we do. Application software is gaining popularity day by day under the name of "apps"; there are millions of applications available today and many more in the making.

Many applications of different specifications and designs, in many categories, have been designed to enable users to perform their tasks efficiently, with ease and with less of the drudgery of tasks that would otherwise have to be carried out manually.

Some common examples of application software are:
1. Accounting software
2. Enterprise software
3. Graphics software
4. Media players
5. Office suites and so on.

There are many types of application software, like desktop applications, web applications, utilities and so on, based on the field where they are used.

This article focuses on two main types of application software, namely web applications and desktop applications, and the differences between them.

What are Desktop Applications



- A desktop application can be defined as an application that runs on a laptop or desktop computer and does not require any other software application for its functioning, unlike web applications, which require a web browser to run.

- This definition of desktop applications can also be used to describe applications that run on smart phones and tablets.

- In terms of security, desktop applications are considered more secure than web applications, since they operate offline, i.e. without internet connectivity, and hence there is less risk of them falling prey to a virus, Trojan horse, malware etc.

- Desktop applications may still get infected by a virus through the use of corrupted data, but usually they are safer for the user than web applications.

- Most desktop applications come either as a ports collection or as packages.

- When these applications come as a ports collection, they have to be compiled from source, which often takes a very long time and depends on the processor of the system.

- Because of such large time consumption, packages are preferred.

- Most desktop applications were originally developed for the Linux operating system. Apart from quick access and use, desktop applications offer features such as:
1. Instant content synchronization
2. Quick file system access and
3. Management of downloaded content etc.

What are Web Applications?



- Web applications are exposed to all sorts of malware and viruses spread across the whole cyber network, and such viruses can affect web applications, which in turn can have an adverse effect on your whole system.

- In contrast to desktop applications, web applications need network access to be used.

- The network can be either an intranet or an internet connection.

- Web applications are coded in languages supported by web browsers, such as JavaScript, HTML etc., unlike desktop applications, which are coded in ordinary programming languages like C, C++ etc.

- Web applications employ the web browser itself as their client, called a thin client.

- Compared to desktop applications, web applications are quite easy to maintain and install. Some examples are:
1. Online retail sales
2. Web mail
3. Wikis
4. Online auctions


Friday, March 16, 2012

What causes browser display differences?

While browsing the same site in many browsers, you might have noticed considerable differences in how it is displayed across the various browsers. These differences cause a lot of annoyance to users.

There are various reasons why such differences occur across browsers. This article focuses on browser display differences and errors, as well as suggestions to avoid them.

ABOUT WEB BROWSER DISPLAY DIFFERENCES


- Earlier it was a difficult and time consuming task to compare a web site's display under many different browsers, but nowadays several tools have been developed that have proven quite effective in testing the appearance of a web site on various browsers.

- These tools help in checking the differences by taking snapshots of the web site across the various browsers and then comparing them.

- You can even take snapshots of your web page on different computers and screen resolutions.

- An HTML toolbox incorporated in these tools tells you whether the differences are due to incompatible HTML code used in the web site or due to browser incompatibility.

- In some of the tools the HTML toolbox also has the capability to repair the code errors in just a few clicks.

Some of the most common factors that cause browser display differences are:
1. Browser bugs
2. Browser incompatibility
3. HTML errors
4. Different font sizes
5. Different computer types
6. Different screen sizes
7. Different versions of the browsers

RARE CASES
- In some very rare cases, display differences might also occur due to certain features of a web site that have been designed exclusively for certain browsers and are not meant for others.

- Usually a web site is developed so that all of its features are accessible from all web browsers.

- For example, the web site for downloading Google Chrome extensions and tools has been designed exclusively for the Google Chrome browser.

- Though this web site can be viewed in any other browser, one cannot download extensions through that browser.

STEPS FOR ELIMINATING DISPLAY DIFFERENCES ARE:



There are several steps one can take to eliminate such differences:
1. Avoid using cutting edge HTML as far as possible.
2. Set some goals for your web site.
3. Always check for browser incompatibilities.
4. Follow the trial and error debugging method.
5. Never forget to validate your web pages.

WHAT DO WEB BROWSERS ACTUALLY DO?


- They translate the web site's code into formatted web pages.

- Every web browser has its own way of translating the web pages.

- This can be compared to the following example: you give a sentence written in German to a few people and ask them to translate it into English. Checking the results, you will observe that although all of them have translated the sentence, their translations differ, i.e. they have used different words and grammatical constructions.

- Though the rules and standards for using HTML have been laid down by the World Wide Web Consortium, web site designers have their own ways of implementing them.

- A fact you should know is that there is no browser that supports a hundred percent of HTML, though certain browsers come a good deal closer than their counterparts.

- If a browser does not support a part of the code, it is sure to affect the display of your web site.

- This problem is further exaggerated by HTML extensions that are specific to certain browsers.

- Such problems have forced designers to put a label on their web site stating which browser it should be viewed in.


Thursday, March 15, 2012

What are the different kinds of browser bugs?

It is a universal fact that everything in this world has some discrepancies, and the same holds for web browsers! This article discusses the bugs associated with web browsers.

Till date, many bugs have been discovered in web browsers like Mozilla, Internet Explorer, Netscape, Opera and so on. Let us check out some of the prominent errors:

Multiple browsers bugs


Bugs discovered under this category are:

(a) Font variant ligatures are not implemented by most browsers. The CSS Fonts Module Level 3 defines the font-variant-ligatures property to specify the use of ligatures. Till now no browser has been developed that supports this property fully.

(b) Font weight is not implemented consistently by browsers. The CSS font-weight property lays down the specification for its numeric values and keywords.

(c) Data tables are not managed properly by browsers. Most of the table properties are not supported.

(d) Layout is affected by the outline property.

(e) Styling of legend tags.

(f) Bugs in Mozilla Firefox
Styling is not applied, and problems have been experienced with the horizontal scroll bar.

(g) Bugs in Internet Explorer
Elements hovered over by the cursor did not work properly with forms; the left origin of the positioning coordinates is set incorrectly.

(h) Bugs in Opera
The &rsquo; and &lsquo; entities were not recognized by Opera, but this was later fixed in version 8.

(i) Bugs in Safari
Crashes were reported when :hover::after was used.

(j) The borders separating the head and the body sections are often placed incorrectly by Opera.

(k) Numbering of multi-column ordered lists.

(l) Backgrounds show through invisible tables.

(m) Buttons with images cannot be aligned with those having only text.

(n) In some browsers even fixed elements align along with adjacent elements.

WHAT CHALLENGES ARE FACED WHILE DEVELOPING A WEBSITE

- When you start developing or designing your web site, choose your CSS and HTML carefully.

- Do not go for too advanced a version of these languages; if you do, you may run into browser incompatibility problems.

- There is a great deal of competition in the software market.

- Browser developers release new browsers at a very fast pace without testing them properly, which then becomes a headache for web site designers.

- The newer languages in use today, HTML 5 and CSS 3, are gaining a lot of popularity even though they are considerably more complex than their predecessors.

- The number of features to be implemented is huge, which is the major cause of bugs.

- Whenever you come across a bug, do not forget to report it, since it may be so rare that nobody else has stumbled upon it.

- One thing you should always remember is to reduce the problem to its smallest form.

- To do this, make a copy of the code and remove the JavaScript or CSS files one by one; eventually you will reach a point where the problem goes away.

- Now add that file back and remove the others that you had kept previously.

- If the bug still does not go away even after removing all the files, it is likely that the bug lies in the HTML itself.

- Once you know which aspect houses the problem, locate the offending file or code.
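The file-by-file reduction described in the steps above can be scripted as a leave-one-out sweep. The following is an added example (not code from the original post): given a page's HTML, it lists the external stylesheets and scripts and builds one copy per resource with only that resource removed, plus a bare copy with all of them removed. The sample page, the tag patterns and the function names are constructed for illustration.

```python
import re

# Patterns for external stylesheet links and external scripts. They are
# deliberately simple (constructed for this example); a real page with
# unusual markup may need a proper HTML parser instead.
TAG_RE = re.compile(
    r"""<link\b[^>]*rel=["']stylesheet["'][^>]*>"""
    r"""|<script\b[^>]*\bsrc=["'][^"']+["'][^>]*>\s*</script>""",
    re.IGNORECASE,
)
NAME_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.IGNORECASE)


def external_tags(page):
    """Return the stylesheet and script tags found in the page, in order."""
    return [m.group(0) for m in TAG_RE.finditer(page)]


def _name_of(tag):
    """The href/src of a tag, falling back to the tag text if it has none."""
    m = NAME_RE.search(tag)
    return m.group(1) if m else tag


def resource_names(page):
    """Resource names used as labels for the reduced copies."""
    return [_name_of(tag) for tag in external_tags(page)]


def bisect_variants(page):
    """Build the reduced copies the post describes: one copy per external
    file with only that file removed, plus a 'bare html' copy with every
    external file removed. Load each copy in the misbehaving browser: if
    the bug vanishes in the copy without file X, X is where to look; if it
    survives even in the bare copy, the HTML itself is suspect."""
    tags = external_tags(page)
    variants = {}
    for tag in tags:
        variants[_name_of(tag)] = page.replace(tag, "", 1)
    bare = page
    for tag in tags:
        bare = bare.replace(tag, "", 1)
    variants["bare html"] = bare
    return variants


# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="base.css">
<link rel="stylesheet" href="layout.css">
<script src="app.js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for name, doc in bisect_variants(SAMPLE_PAGE).items():
        # In practice each copy would be written to its own file and opened
        # in the browser that shows the bug.
        print("---", name, "---")
        print(doc)
```

Each copy is a complete page, so the test in the browser is a simple reload; the bisection itself stays manual, which is what the post recommends.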


What can we do to avoid browser incompatibility?

Malfunctioning of web sites across different browsers has become a topic of utter annoyance.

Why does your web site function perfectly well in one browser and yet fail to perform in another?
Why does it appear to be missing something in one browser while it appears correct in others?

The root cause of all such errors and differences is browser incompatibility.

WHAT IS BROWSER INCOMPATIBILITY & TOOLS FOR DETECTING BROWSER INCOMPATIBILITY

- There are various tools that can help you detect browser incompatibility.

- Such tools check for incompatibility by comparing snapshots of the web site rendered in various web browsers.

- Different browsers and different browser versions all add to browser incompatibility.

- Browser incompatibility cannot be eradicated fully, but it can at least be reduced to a certain extent.

- Though the browser is to blame for its incompatibility, measures to reduce or avoid it can be taken on both sides.

- It can be done either by improving the standards compliance of the browser or by taking care in the web site.

- If the web site is well designed and well coded, incompatibility will be noticed less.

WHY DOES INCOMPATIBILITY ARISE?

- It arises either because of the incompatibility of the web browser or because of problems in the web site itself.

- So focus on the design and implementation of your web site rather than bogging yourself down with browser issues.

- Employing cutting-edge HTML can also run you into incompatibility problems, as the HTML standards are usually a step ahead of what the web browsers support.

- To date, no browser has been developed that supports 100 percent of HTML.

- No doubt some browsers come closer to this than others.

- Using the latest versions and standards of HTML is not always a good choice, so be wise when you choose the version of HTML for designing your web site.

- Another fact to keep in mind is that not all web browsers are equally efficient at translating HTML code into formatted web pages.

- Some browsers may skip certain parts of the HTML code because they are not able to execute them, and again you will have trouble with browser compatibility.

- Also, not all web browsers translate a web page in the same manner, and they do not give the same results.

- Before you start building your web site, check the compatibility of the different browsers so that you know which formats and standards they support; you can then build your site accordingly and avoid a great deal of incompatibility.

- After you have finished developing your web site, have your pages validated. If you are getting errors in your web site, try the trial-and-error debugging method.

Though the World Wide Web Consortium has specified the standards for HTML, you can very well invent your own and design your web site accordingly. But this has the disadvantage that the browser may reject the parts it cannot execute, and the appearance and functioning of your web site will be affected.

The basic difference between two versions of a browser lies in the support they provide for HTML. Above all, it is better to pay attention to browser compatibility while designing your web site; this will prevent you from running into incompatibility issues in the future.


Tuesday, March 13, 2012

What are different aspects of Compounded SQL injection attack?

Many types of SQL injection attacks have been identified so far. But there is one type which results in different combinations of the other SQL injection attacks; attacks of this type are commonly known as compound SQL injection attacks.

This type of SQL injection attack was derived from rigorous research and experimentation with different SQL injection attack vectors, putting them in different combinations with various other web application attacks.

Some of the most commonly employed combinations are:

1. SQL injection + cross-site scripting (XSS)
2. SQL injection + DDoS attacks
3. SQL injection + insufficient authentication
4. SQL injection + DNS hijacking

Compounded SQL Injection Attack

- SQL is a language developed for interacting with the databases of applications and web sites.

- Its functions are mainly defined to retrieve data from databases or to update the contents of existing databases.

- It basically uses compound conditions that make use of AND or OR.

- A compound statement is used to group other statements so as to constitute an executable block.

- SQL variables can be declared in a dynamically built atomic compound statement.

- A compound statement can easily be embedded in SQL functions, SQL methods, triggers etc.

- No privileges are required to invoke a dynamic compound statement, although the authorization ID of the compound statement needs to include all the privileges required to invoke the other SQL statements that form part of that particular compound statement.

- Most compilers compile compound statements as one single statement, since this technique proves effective for short scripts that require little control-flow logic but carry a great deal of data flow.

- For larger scripts or constructs, it is better to use SQL procedures.

- The "discretize" function is quite simple and is often used for the classification and modification of data; it returns a NULL value for malicious data.

- Later this malicious data is cleaned up by the compound statement.

- Most of these mechanisms can be elaborated using the technique of multi-stage cleansing.

- The advantage of the compound statement is that here the FOR loop neither opens a cursor nor treats the inserts as single-row inserts.

- The underlying logic is that of a multi-table insert from a previously selected set.

- This advantage is reaped by compiling the dynamic statement as a single one.

- In contrast to the dynamic compound statement, there is another type called the compound embedded SQL statement.

- These statements can only be embedded in applications.

- Unlike dynamic statements, these cannot be prepared dynamically.

- These statements do not require any special privileges for invocation.
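The post describes SQL as the language applications use to talk to their databases and names the compound AND/OR conditions those queries use. The injection risk arises when untrusted input is pasted into such a condition as text, so that the input becomes part of the SQL grammar instead of a value. The following is an added example, not code from the post, using Python's sqlite3 module and a constructed in-memory users table: the first lookup builds the WHERE clause by concatenation and the second binds the value as a parameter. The function names, sample rows and test input are my own.

```python
import sqlite3

# Constructed sample data (not from the post): a tiny users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the WHERE clause by string concatenation. The untrusted value
    becomes part of the SQL text, so a quote character in the input can
    close the literal and extend the compound condition the author wrote."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query with a bound parameter. The driver sends the value
    separately from the statement, so whatever the input contains it is
    compared as data and can never alter the condition."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed test input: closes the quoted literal and appends an
# always-true OR branch, which is what an injection attempt looks like
# to the concatenating version.
ATTEMPT = "nobody' OR 'a'='a"


def injection_demo():
    """Run both lookups on the same inputs and return their results."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, ATTEMPT),   # returns every row
        "safe": lookup_safe(conn, ATTEMPT),               # returns nothing
        "safe_normal": lookup_safe(conn, "alice"),        # normal use still works
    }


if __name__ == "__main__":
    for label, rows in injection_demo().items():
        print(label, rows)
```

The concatenating version returns both rows because the condition it ends up executing is `name = 'nobody' OR 'a'='a'`; the parameterised version looks for a user literally named `nobody' OR 'a'='a` and finds none. Parameter binding is the primary mitigation; the "discretize"-style cleansing the post mentions is at best a second layer.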


Explain the concepts of Cross site scripting attacks?

XSS, or cross-site scripting, is a well-known security threat in today's cyber world and takes a toll on web sites and applications by breaking into their security systems.

What is a Cross Site Scripting Attack?

- A cross-site scripting attack is categorized among the computer security vulnerabilities that are the most common and frequent in web applications.

- These attacks make a web application so vulnerable that outside attackers are able to inject malicious client-side scripts into web pages or applications that are later viewed by users who visit the page.

- Another nefarious purpose of these attacks is to bypass access controls such as the same-origin policy.

- Cross-site scripting attacks account for almost 80 percent of all the security threats identified and documented by Symantec from 2007 until now.

- The risk posed by cross-site scripting is usually measured by the sensitivity of the data being processed by that particular web site or web page.

- Apart from this, another factor that determines how easily the attacks succeed is the security mitigation implemented by the owner of the web site.

- Cross-site scripting attacks are employed by some people merely to create petty nuisance.

- This is nothing but the misuse of a weakness in the security system by attackers to bypass the client-side security mechanisms that web browsers usually enforce on the web content of a site.

- There are various ways through which a site can be attacked and accessed to inject malicious scripts into it.

- Such methods can give the attacker an unauthorized and easy way to access all the sensitive content of the page, the user-activity information stored by the web browser, session cookies and so on.

- Cross-site scripting attacks are a type of code injection attack, somewhat similar to SQL injection attacks.

- Earlier, cross-site scripting was seen as the loading of a third-party application, attacked from an unrelated site, with JavaScript executing in the security context of the targeted domain as created by the attacker.

- Eventually, cross-site scripting attacks were carried out through different modes of code injection using non-JavaScript vectors (such as VBScript, Flash, Java, ActiveX, HTML, SQL and so on).

- Cross-site scripting attacks are a consequence of cross-site scripting vulnerabilities, which have been under exploitation since the advent of the 20th century.

Many famous social networking sites of today, such as MySpace, Orkut, Twitter and Facebook, have witnessed these attacks in the past. With the advancement of cross-site scripting techniques, they have now surpassed vulnerabilities like buffer overflows to become the most commonly reported security vulnerability. Even now around 60 percent of all web sites are classed as vulnerable to cross-site scripting attacks.

As such there are no defined criteria for the classification of XSS flaws, but according to experts they fall into two categories:

1. Persistent XSS flaws
- Also known as stored XSS flaws; this is the most destructive type.
- Occurs when data provided by the attacker is stored by the server.

2. Non-persistent XSS flaws
- Also known as reflected XSS flaws; this is the most common type.
- Occurs when data from a web client is used by server-side scripts to generate the requested page without sanitization of the query.
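To make the two categories concrete, here is an added example in Python (not code from the original post): a constructed search page stands in for the reflected case, where the query string is echoed straight back, and a constructed guestbook stands in for the stored case, where one visitor's submission is kept by the server and shown to everyone else. Each is rendered once with the user value inserted raw and once with it escaped by html.escape before insertion. The function names and the sample input are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed in-memory "guestbook" used for the stored (persistent) case.
GUESTBOOK = []


def render_search_vulnerable(query_string):
    """Reflected case: the 'q' parameter is copied into the page unescaped,
    so whoever crafts the link controls HTML that the visitor's browser
    will parse and execute in this site's origin."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<p>Results for: " + q + "</p>"


def render_search_safe(query_string):
    """Same page with output encoding for an HTML text context: the value
    is escaped before insertion, so '<' and '>' arrive as entities and the
    browser shows them as text instead of parsing them as markup."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def post_comment(text):
    """Stored case: data supplied by one client is persisted server-side."""
    GUESTBOOK.append(text)


def render_guestbook(escape=True):
    """Later rendered to every other visitor. With escape=False the stored
    payload runs for each of them; with escape=True it is shown verbatim."""
    items = (html.escape(t, quote=True) if escape else t for t in GUESTBOOK)
    return "<ul>" + "".join("<li>%s</li>" % t for t in items) + "</ul>"


if __name__ == "__main__":
    # Constructed sample request: a percent-encoded script tag in 'q'.
    sample = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(render_search_vulnerable(sample))
    print(render_search_safe(sample))
    post_comment("<script>alert(1)</script>")
    print(render_guestbook(escape=False))
    print(render_guestbook())
```

Escaping is context-specific: html.escape is right for an HTML text node or a quoted attribute, but a value inserted into a script block, a URL or a CSS rule needs the encoding rules of that context, and a stored value should be escaped at render time rather than trusted because it was "cleaned" on the way in.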


Sunday, March 11, 2012

What is meant by content spoofing in detail?

Content spoofing is a rarely discussed topic and is unheard of by many of us!
So let's evaluate the concepts of content spoofing in detail:

- Content spoofing is categorized as an attack technique by which the attacker is able to inject malicious code or a payload into the genuine content of a web site or web application.

- This malicious payload or code is later taken to be the legitimate content of that particular web site or web application, which is a wrong interpretation.

- Content spoofing usually affects web pages that are built dynamically.

- Text-only content spoofing is the technique in which the payload, usually text, is passed into the body of the web page or application as a query string value.

- This approach usually takes effect on pages of web sites that display news entries, and on error pages.

- Such content is then displayed by the web site as if it were its legitimate content.

- So when users visit that particular link they perceive the spoofed content as legitimate content.

- In some cases the payload may remain on the web page for longer than estimated.

- Most web pages are built dynamically from HTML (hypertext markup language) sources.

- The attacker can easily change the content, and when the particular web page is accessed by a browser, the location is in the same domain as the user expected, so the user does not realise that the content is not legitimate but a spoofed one.

- As if this were not enough to harm a web site, some attackers even manage to send malicious links to users through emails and messages.

- In some cases the malicious links can be forced upon users following a cross-site scripting attack.

- When the user clicks that link, he or she visits the web page designed by the attacker with the malicious URL (uniform resource locator).

- The user will not realise that he or she is actually viewing an inauthentic web page.

- They will unknowingly believe that the spoofed content they are viewing is purely authentic, but this is not the case.

- Content spoofing does nothing but spoil the trust that the user has in the web site.

- The technique of content spoofing is being used extensively for the creation of fake web sites, including fake login pages, press releases and defacements.

- Another point to note is that if you can fall victim to a cross-site scripting attack, the chances are that you may fall prey to content spoofing attacks as well.

- Content spoofing is a type of exploitation used by attackers with bad intentions, such as presenting certain web pages to the user as if they were legitimate and not from an external source.

- This is somewhat similar to SQL injection attacks. In both cases the victims are defrauded, as in phishing.

- Some attackers can even access the database of a web application stored on a server and alter its contents.

- Content spoofing cannot be readily detected, since there is no large apparent difference between the actual and the spoofed content.

- Content spoofing carried out with the help of dynamic hypertext markup language (DHTML) is considered the most dangerous type, since it can be used to form fake login pages.

- When a user enters sensitive data (a password, credit card number etc.) into such a page, the data goes directly to the attacker without the user knowing that he or she has fallen victim to identity theft.
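Text-only spoofing via a query string value, as the post describes for error pages, is not stopped by HTML escaping: escaping removes markup, but the attacker still chooses the wording the site displays under its own domain name. As an added example (not the post's code), the following Python shows an error page that echoes a msg parameter beside one that accepts only a short error code and looks the wording up server-side. The message table, the parameter names and the sample spoof text are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode


def error_page_vulnerable(query_string):
    """Pattern the post warns about: the error text itself travels in the
    query string and is echoed into the page body. html.escape blocks
    script injection, but the wording is still attacker-chosen and is
    shown under the site's own domain, which is the spoofing risk."""
    msg = parse_qs(query_string).get("msg", [""])[0]
    return "<div class='error'>%s</div>" % html.escape(msg)


# Hardened pattern (an assumption for this example, not from the post):
# the page carries only a short identifier and the wording lives here.
ERROR_MESSAGES = {
    "login_failed": "The username or password you entered is incorrect.",
    "session_expired": "Your session has expired. Please sign in again.",
    "not_found": "The page you requested does not exist.",
}
DEFAULT_ERROR = "An error occurred."


def error_page_safe(query_string):
    """Unknown or free-form codes fall back to a fixed generic message, so
    no text supplied by the link's author ever reaches the page."""
    code = parse_qs(query_string).get("err", [""])[0]
    msg = ERROR_MESSAGES.get(code, DEFAULT_ERROR)
    return "<div class='error'>%s</div>" % html.escape(msg)


def build_error_link(code):
    """How the application itself links to an error page."""
    return "/error?" + urlencode({"err": code})


# Constructed spoof text: plain prose, no markup, so escaping alone would
# pass it through unchanged.
SPOOF_TEXT = "Site moved: log in at http://example.net/login to keep your account"


def spoof_demo():
    """Render the same spoof attempt through both page builders."""
    return {
        "vulnerable": error_page_vulnerable(urlencode({"msg": SPOOF_TEXT})),
        "safe_with_spoof": error_page_safe(urlencode({"err": SPOOF_TEXT})),
        "safe_known_code": error_page_safe(
            build_error_link("login_failed").split("?", 1)[1]),
    }


if __name__ == "__main__":
    for label, page in spoof_demo().items():
        print(label + ":", page)
```

The same indirection applies to news entries and any other page that takes display text from the request: carry an identifier, resolve it against server-side data, and treat an unknown identifier as a generic error rather than as text to show.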


Thursday, March 8, 2012

What is meant by negative testing?

Negative testing is one of the most sought-after software testing methodologies. Negative testing is the counterpart of positive testing.

Facts about Negative Testing

- Negative testing is very helpful when it comes to handling invalid input test data and abnormal behaviour of the software system or application.

- The purpose of negative testing is to prevent situations in which invalid data might be accepted by the system and in turn disrupt the functioning of the whole software system or application.

- For example, when a user tries to enter numerical data in an alphabetic field, the software system displays a message like "incorrect data type".

- Such a response from the software system or application is required, since it avoids crashing or hanging of the whole system by preventing the input of invalid data.

- Not only this, negative testing helps one improve the quality of the software system or application by knocking out its weak points.

- In positive testing, giving invalid data as input to the system is considered an exception, but this is not so in the case of negative testing.

- In negative testing, giving exceptional input to the software system or application is treated just like a normal event.

- Negative testing is all about testing the exceptions.

- Usually, for better software testing results, negative testing and positive testing are combined and implemented together.

- Using such a combined methodology provides greater test coverage than using just one of the two.

Situations which are typically tested by negative testing:

1. Filling in of fields by the user
- Most web sites as well as web applications require the user to fill in all the fields that are marked compulsory.
- To test this functionality, leave all the marked fields blank, hit the submit button and observe the response of the site or the application.
- The expected outcome here is a message asking you to fill in all the compulsory fields.

2. Checking correspondence between field and data type
- Negative testing also checks the correspondence between fields and data types.
- For example, the different fields in a form accept only the specified type of data.
- To test this, you can enter various sorts of invalid data into those fields and check the behaviour of the application.

3. Checking allowed limits and data bounds
- It also checks the allowed limits and allowed data bounds.
- Fields in a form can accept data only within a specified range and not above or below it.
- This can be tested in two ways. You can either enter a value that is below the lower bound of the range or a value that is above the upper bound.
- Another example is a text box which accepts only a finite number of characters.
- You can test it by entering fewer or more characters than allowed.

4. Checking the reasonableness of input data
- Negative testing is also an effective tool for checking the reasonableness of the input data.
- The age fields in some web forms do not allow negative integers or floating-point values.
- This can be tested by simply entering such wrong data, for example a negative integer.

5. Testing web sessions
- Negative testing can also be used to test web sessions, either for timing or for log-in purposes.
- There are some web pages which you have to log in to view.
- This can be tested by trying to open such a web page without logging in.

Negative testing is pretty easy to carry out manually, but you can also find many automation tools for it.
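The five situations above can be driven by an automated negative test suite. The following is an added example (not from the post): a small Python validator for a constructed registration form plus a session check, with one constructed negative case per situation. Every negative case must produce at least one error while the valid case produces none, which is the property the suite asserts. The field names, the limits, the clock value and the 30-minute timeout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed form rules: required fields, a length limit, an email shape
# and an integer age within a plausible range.
REQUIRED = ("username", "email", "age")
MAX_USERNAME = 20
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_registration(form):
    """Return a list of error strings; an empty list means the input is valid."""
    errors = []
    for field in REQUIRED:                       # situation 1: blank fields
        if not str(form.get(field, "")).strip():
            errors.append("%s is required" % field)
    username = str(form.get("username", ""))
    if username and len(username) > MAX_USERNAME:  # situation 3: length bound
        errors.append("username longer than %d characters" % MAX_USERNAME)
    email = str(form.get("email", ""))
    if email and not EMAIL_RE.match(email):        # situation 2: data type/shape
        errors.append("email has wrong format")
    age_raw = str(form.get("age", "")).strip()
    if age_raw:
        try:
            age = int(age_raw)                   # rejects "12.5" and "thirty"
        except ValueError:
            errors.append("age must be a whole number")
        else:
            if not 0 <= age <= 130:              # situations 3 and 4: range and sense
                errors.append("age out of range")
    return errors


# Situation 5: protected pages need a logged-in, unexpired session.
SESSION_TIMEOUT = timedelta(minutes=30)


def can_view_protected(session, now):
    """True only for a session that carries a user and was seen recently."""
    if session is None or "user" not in session:
        return False
    return now - session["last_seen"] <= SESSION_TIMEOUT


# Constructed cases: one positive form and one negative form per situation.
VALID = {"username": "alice", "email": "alice@example.com", "age": "30"}
NEGATIVE_CASES = {
    "all_blank": {},
    "wrong_type": dict(VALID, age="thirty"),
    "bad_email": dict(VALID, email="not-an-address"),
    "too_long": dict(VALID, username="x" * 21),
    "out_of_range": dict(VALID, age="200"),
    "unreasonable": dict(VALID, age="-5"),
    "float_age": dict(VALID, age="12.5"),
}
SAMPLE_NOW = datetime(2012, 3, 8, 12, 0)       # constructed clock value
SESSION_CASES = {
    "not_logged_in": None,
    "expired": {"user": "alice", "last_seen": SAMPLE_NOW - timedelta(minutes=31)},
    "active": {"user": "alice", "last_seen": SAMPLE_NOW - timedelta(minutes=5)},
}


def run_negative_suite():
    """Errors per form case; the valid case is included as the control."""
    results = {name: validate_registration(f) for name, f in NEGATIVE_CASES.items()}
    results["valid"] = validate_registration(VALID)
    return results


def run_session_suite():
    """Access decision per session case."""
    return {name: can_view_protected(s, SAMPLE_NOW) for name, s in SESSION_CASES.items()}


if __name__ == "__main__":
    for name, errs in run_negative_suite().items():
        print(name, errs)
    print(run_session_suite())
```

The suite is deliberately data-driven: adding a new negative case is one more dictionary entry, and the control case guards against a validator that rejects everything.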

