My take on future of testing has always been – in fact I think it is the current state now, that:

1. Testing is not just functional GUI testing
2. Desktop apps are a thing of past
3. With the advent of Web 2, SOA, Cloud, etc. it is getting more and more technical
4. Performance
5. Security
6. Usability
7. Integration
8. Automation
9. …are the areas where the testers of today need to develop skills in

I have interacted with all kinds of testers, testers from different schools, contexts, methodologies, level of experiences, and most of them specialise in functional testing. But if you would really like to be future-proof – then I think Technical Testing is the way forward.

To add fuel to the topic Goranka Bjedov did a great presentation recently at a conference in Wellington: STANZ

In the presentation she shares her past experiences in software testing, especially last couple of years of her life when she comes across some hard reality of life/software quality. And she ends her presentation with the following summary:

1. We can reduce dev time (and costs) by writing productivity tests
2. We can bring in quality by adding smart system tests in right places
3. Think performance, scalability
4. Think usability
5. We can reduce number of machines needed in dat centers
6. We must start calculating and communicating the value of our work (dollar amounts)
7. We must stop being the cost center

The original list is not available any more. Dazzlepod has though made the list available without the passwords so people could check if any of their email addresses have been compromised. The list is available here: http://dazzlepod.com/lulzsec/?page=1

Requirement:
There are almost 62,000 email addresses and Dazzlepod has divided the list in to 120 pages.
I would like to go through the list and check if any of mine or my family member’s email has been compromised. Going through 120 pages and searching for almost 10 aliases on each page is a daunting task.

Solution:
So I went ahead and automated the process, that is scripted a spider (kind of). The spider goes though all 120 pages and reports if any of the aliases I know of have been compromised.

This script is created using iMacros plug-in for Firefox.

Instructions:

• Download and install Firefox (if you don’t have it already).
• Download and install iMacros for Firefox
• Click here to download my iMacros script and copy it to iMacros folder. It is mostly (C:\Users\<username>\Documents\iMacros\Macros) in Windows-7 environment.
• Open the script in editor and update the values in var mynames = new Array(“alias1“,”alias2“) with your aliases. Do not include domain name and suffix.
• Now run the script and you should get the response in 5-10 minutes. Depending on number of aliases and website speed.

If your browser blocks the download of a ‘javascript’ file then here is the script for your reference:


var i, j, retcode;
var report;
var ret;
var macro;
var jsLF = "\n";
var iPages = 120;
/*NOTE: Change the list in next line to include all the email aliases you'd like to check.
E.g.: ("alias1","alias2","alias3","alias4")
*/
var mynames = new Array("alias1","alias2")

alert ( report );


UPDATE:
1 - There is a longer list now on Dazzlepod with almost 260,000 emails: http://dazzlepod.com/lulzsec/final/
2 - They now also have a search box, so that makes this script redundant

[Image Source]

Here is a simple example where clicking anywhere on the screen (except header and footer) takes the user to another website. http://www.collegehumor.com/video:1928558

Prevention

Currently it seems like there is only one way of protecting against such attacks and that is by using the ‘NoScript‘ add-on for Firefox.

As per the tip in my previous post: checkout the domain name.

It is actually replaced by an IP address

At number eight (8) there is a new entry – A8 – UnvalidatedRedirects and Forwards (NEW). I thought I’ll briefly talk about it as it recently happened with me.

I received the following email from a friend on Facebook (FB). When a user on FB sends an email with a link, FB prefixes the link with its own URL: http://www.facebook.com/<sometext>/<original link>

As any normal user I clicked on the link thinking what it must be.

The link redirected me to the following page:

What this page was trying to do was: it displayed the message “Content requires Adobe Flash Player 10.37…”.
If the user clicked on ‘Install’ it downloaded a “setup.exe” file.
On double-clicking it, it would have tried to infect your PC.

If you look at the page closely there are number of issues in there to help the user identify that it is a phishing page.

1. The title of the page (on top left) is spelt wrongly – YuoTube
2. User has used Facebook’s icon as the website icon
3. The link/URL is neither Facebook.com nor Youtube.com, in fact it is just an IP address
4. Message “…Contect requires Flash Player…” is itself embeded inside a flash video. As in flash is already installed and running on the page.

Hacker has tried to make the page look as similar as possible to Youtube, but it fails big time. Above are some of the quick noticable items, but this page actually nowhere close to a real Youtube page.

TIP: The best way to identify if it is a phishing site or not is by noting the domain name of the website. If the domain name does not sound familiar to the site you were supposed to be at then there is something wrong.