No último sábado, 9 de Fevereiro de 2019, rolou o primeiro bate-papo do grupo de mentoria do blog Talking About Testing, onde Alekson Fortes, Henrique de Souza e eu (Walmyr Filho), conversamos sobre DevOps baseado nos 3 caminhos descritos no livro “The DevOps Handbook: How to Create World‑Class Agility, Reliability, and Security in Technology Organizations“, … Continue lendo Bate-papo sobre DevOps – Grupo de mentoria Talking About Testing
Q: What is the best fuzzer (automated software testing tool) to find 0-days? Why?
A:
0-day is a very broad statement.
I tend to use the payload fuzzers in BurpSuite and OWasp Zap Proxy, but these require me to identify the target that I’m testing, and the appropriate data scope and range to fuzz.
I suspect you might be more interested in application or file based fuzzers.
Google have introduced a service for fuzzing applications.
There are many lists of fuzzers to read through.
New tools are being created for this all the time and there is a constant flood of research on fuzzing:
scholar.google.co.uk/scholar?hl=en&as_sdt=0%2C5&q=fuzzing&btnG=
Since the fuzzers all work at different levels and on different technologies you have to be very specific in your research to make sure you don’t overload yourself with tools (with is all too easy to do in Security Testing)
https://eviltester.com/blog/eviltester/quora/2019-02-13-what-best-fuzzer/
I like to write little bots from the console to help with with application and game automation. But when the variables and objects I need are created from within anonymous functions I can’t get access. In this post I will explain how to access them.
I’ve tried writing helper code to access the methods within objects and trawl through the DOM to find specifically named objects, and that can help with a large application where the objects are all public.
But when the application is essentially one anonymous function kept alive by event handlers and timers, how do we access the objects.
The short answer is:
e.g. if there is a pacman object I want to access, then find a line that uses it, breakpoint the line, then from the console:
window.pacman = pacman
And I now have access to the private pacman object from the console when not in debug mode because the window now has a reference to it.
This requires a manual step before any of my automated bots can be used but if I write down what to ‘search for’ to find the line in the code then it is pretty easy to repeat.
If we are relying on the objects being private and inaccessible due to the anonymous function then we really shouldn’t because if it is in our browser, the user can gain access to it.
Always have protection on your server side to handle anything thrown at it.
This opens up a bunch of new options for testing and automating modern JavaScript approaches for me.
This can’t really be used for continuous integration automating or fully autonomous code injection since there is a manual step involved. But for automating tactically where the user is present, this opens up more possibilities.
Using the simple open source Pacman clone from platzh1rsch.ch where all the code is wrapped and called from anonymous function. I show the steps and thought processes for gaining console access to the main game and pacman objects to allow me to write infinite life cheats.
I have some material covering this topic:
https://eviltester.com/2019/02/hacking-javascript-private-variables.html
No ano de 2019 a Escola Talking About Testing está fechando uma parceria com a organização Patas Dadas e 10% do valor pago por cada curso será doado à tal organização. A Patas Dadas tem a missão de resgatar animais em situação de abandono, proporcionando o atendimento veterinário necessário até estarem prontos para a adoção, buscando … Continue lendo Talking About Testing & Patas Dadas
https://talkingabouttesting.com/2019/02/12/talking-about-testing-patas-dadas/
Mais um post da série qualidade de código em teste de software Se você está chegando neste post agora e ainda não leu os conteúdos anteriores, recomendo começar por eles. Seguem os links: Escreva pequenas unidades de código Escreva simples unidades de código Agora se você já leu o primeiro e segundo post da série, vamos … Continue lendo Escreva código uma só vez
https://talkingabouttesting.com/2019/02/11/escreva-codigo-uma-so-vez/
Good pipelines are stable and can support frequent and small releases. When building the pipeline you need to include not only the build and unit tests part, but also the e2e tests and even the smoke tests and deploy to all the environments, so you have as minimun as human interation as possible, avoiding releases … Continue reading Automated tests in a CD/CI pipeline →
https://azevedorafaela.com/2019/02/07/automated-tests-in-a-cd-ci-pipeline/
One way I practice my Software Testing, improve my JavaScript programming and practice my automating is by ‘hacking’ JavaScript games.
One of my bots scored 282010 on https://phoboslab.org/xtype/ This ‘bot’ is JavaScript code that runs from the Browser Dev Tools and plays the game.
I have a video showing the bot in action below.
To create this I have to learn to use the dev tool to inspect the Dom, and the running memory space, and read the JavaScript. All of this is modelling the application. A recon step that helps me with my Software Testing.
As I recon the app I look at the network tab to see what files are loaded and what API calls are issued. This also informs my model. And makes me think about Injection and Manipulation points.
Perhaps I can use a proxy to trap and amend those requests? Perhaps my proxy can respond with a different file or data automatically?
These are thought process and skills that I can apply in my testing. I also learn more about HTTP, Dev tools and Proxies.
When the game is running I have to observe its execution behaviour. I build a model of the software and its functionality. This informs my Software Testing. I have to build models of the application as I test and make decisions about what to target.
To ‘hack’ the game, I have to inspect the objects which have been instantiated by the code. I can do this in the console by typing in the object names.
To learn what these objects are I have to read the game code. This improves my JavaScript because one of the best ways to learn to write code is to read code and try to understand what it does.
I can use the Snippets view in Chrome Sources to write JavaScript. This is a built in mini JavaScript IDE in the browser.
I can write simple code here to manipulate the game objects in memory to help me cheat and hack the game. I don’t need to learn a lot of JavaScript to do this, and most of the JavaScript you need is already in the game source itself.
To write a ‘bot’… code that executes in its own thread periodically to do something, I use the ‘setInterval’ command. This is the fundamental key to writing JavaScript bots. e.g.
var infiniteLivesBot = setInterval(infiniteLives,1000);
The above line calls a function named infiniteLives every second. That infiniteLives function checks if my number of lives have decreased, and if so, increase them. e.g.
function infiniteLives(){
if(game.lives<3){
game.lives=3;
}
}
var infiniteLivesBot = setInterval(infiniteLives,1000);
I can easily stop this bot using the clearInterval command.
clearInterval(infiniteLivesBot);
I can run that code from the snippets view, or paste it into the console, or convert it into a bookmarklet. Whatever is more convenient to help me when I want to hack the game. I do the same thing to support my testing e.g. setup data, delete data etc.
This is a form of ‘tactical’ automating. It won’t scale, it doesn’t go into continuous integration. It supports me. It does a specific task. It automates part of my work. It is a good start to learning to automate more strategically.
To automate xtype I had to learn how to trigger mouse events to initiate the firing functionality. I couldn’t remember how to do this. I copy and pasted a snippet of code from stackoverflow. All professional programmers do this.
stackoverflow.com/questions/2381572/how-can-i-trigger-a-javascript-event-click
var event = document.createEvent(“MouseEvents”);
event.initEvent(“mousedown”, true, true);
document.getElementById(“canvas”).dispatchEvent(event, true);
Part of learning programming is knowing where to find a general answer. Knowing which part of the answer to isolate. Then having the confidence to bring that into your code and experiment with it.
As I do this, I learn more JavaScript. Which allows me to write scripts in other tools e.g. Postman. And I can inject code into applications e.g. using WebDriver JavaScriptExecutor. The more I practice, the more options I open up.
I take the knowledge and then write small utilities or applications to help me. I write a lot of small JavaScript utilities to help me with data extract activities and reformatting of data from Web applications.
I extended my knowledge by writing JavaScript applications and games which I bundled into:
If you want to experiment with simple games manipulation and hacking then the games in this app are designed for that purpose.
Doing this also has a knock on effect on how I view web applications. The GUI is no longer a trusted client. The GUI can be manipulated by the user. The messages it sends to the server can be manipulated by the user. The server needs to be robust.
This helps my Software Testing. I have to go deeper when I test. And by practicing I develop the skills to go deeper when I test. I can recognise when requirements need to be tested more deeply than they state on the surface.
This helps my programming. I am very aware that the server needs to validate and approach the input data with caution.
This is one way that I practice my Software Testing, JavaScript programming and automating. The benefit to me has been enormous. I recommend this, or adapt the ideas and create your own practice path.
I cover many of the skills to do this in my online Technical Web Testing 101 course https://www.eviltester.com/page/onlinetraining/techwebtesting101/
This was a hard bot to write Xtype is a bullet hell shooter which are challenging to play, let alone automate - and no, I’m not going to show you the code for the bot.
But this is not my first bot.
I’ve written bots to play z-type, Cookie Clicker, 3D Monster Maze
I like these games because they are all well written, I can read the code to improve my programming, and they are fun to play.
Many of my bots are not full playing bots like the x-type bot. They are support tools. And when I started to automate x-type I started with support tools:
For 3D Monster Maze I only wrote support tools:
For many games I try to think how to add extra features to make the game more interesting. I don’t have the skill or patience to write games like these, but I do have the skill and motivation to ‘augment’ them for my learning.
This is analogous to writing ‘tools’ to support our testing, or making applications more ‘testable’.
Note: my games github.com/eviltester/TestingApp are not well written, but they are very easy to understand and hack.
https://eviltester.com/2019/02/practice-javascript-software-testing-automation.html
Quick tips for pretty printing JSON in the Browser.
All examples in this post use the swapi.co API
In the network tab, I will very often be observing network traffic, and I’ll want to interrogate the message to view it more easily.
So I copy and paste it from the network tab.
I could use an online tool to format it and view it:
Or I could use the browser itself.
Pasting the Json into the console will show an interactive view where I can expand and contract the outline and view the JSON.
JavaScript has a built in JSON class and I can use the stringify method to pretty print an object as JSON to the console.
So I first create an object from the JSON:
bob={"name":"Luke Skywalker"}
Then I can pretty print the JSON (4 is the indentation level):
JSON.stringify(bob, null, 4)
e.g
"{
"name": "Luke Skywalker",
"height": "172",
"mass": "77",
"hair_color": "blond",
"skin_color": "fair",
"eye_color": "blue",
"birth_year": "19BBY",
"gender": "male",
"homeworld": "https://swapi.co/api/planets/1/",
"films": [
"https://swapi.co/api/films/2/",
"https://swapi.co/api/films/6/",
"https://swapi.co/api/films/3/",
"https://swapi.co/api/films/1/",
"https://swapi.co/api/films/7/"
],
"species": [
"https://swapi.co/api/species/1/"
],
"vehicles": [
"https://swapi.co/api/vehicles/14/",
"https://swapi.co/api/vehicles/30/"
],
"starships": [
"https://swapi.co/api/starships/12/",
"https://swapi.co/api/starships/22/"
],
"created": "2014-12-09T13:50:51.644000Z",
"edited": "2014-12-20T21:17:56.891000Z",
"url": "https://swapi.co/api/people/1/"
}"
https://eviltester.com/2019/02/pretty-print-json-using-dev-tools.html
Just because a site says we can’t paste into a field, doesn’t mean we have to believe it.
Inspired by this blog post:
dev.to/claireparker/how-to-prevent-pasting-into-input-fields-nn
Clair Parker-Jones shows how to prevent people pasting into input fields. This is common code and you’ll see it on StackOverflow a lot. Claire’s post seemed to receive a lot of flack comments but, people do this and she just wanted to learn how it was done and shared that knowledge. She also put the time into creating a codepen example which you can explore and experiment with.
I forked the example code in here:
https://codepen.io/eviltester/pen/WPpJGo
This is terrible UX pattern but we see it all the time. And as testers we have to work with it, or workaround it.
So how do we bypass it?
inspect and remove listener in the dev tools
with code from the console:
document.getElementById(“paste-no”).onpaste={};
document.getElementById(“paste-no”).onpaste=null;
document.getElementById(“paste-no”).onpaste=new function(){};
If it wasn’t in a frame it would be easy to create a bookmarklet. Creating a bookmarklet can be done, but it is a little bit more complicated than if it wasn’t in a frame. For information on bookmarklets and frames see https://www.irt.org/articles/js170/
Everything in the GUI is ours to observe, interrogate and manipulate. Which is why as testers, the more we understand the technology and the tools, the more we open up possibilities and options in our testing. And we should not limit our testing to the obvious ‘happy’ paths in the GUI.
If you are interested in learning this type of thing then I have an online course:
https://eviltester.com/techwebtest101
I have a follow on exclusive video for Patreons showing another way to bypass the pasting and discussing this in more detail in relation to Software Testing, Risk and Bug & UX Advocacy.
https://www.patreon.com/posts/24482175
https://eviltester.com/2019/02/bypassing-no-paste-fields.html
Hello guys, just came here quickly to share with you this link containing AWS presentantions for this year, some of them already happened, but you can register and watch the next ones for free, the link is below: https://aws.amazon.com/about-aws/events/monthlywebinarseries/
https://azevedorafaela.com/2019/02/03/aws-online-tech-talks-2019/