Archive for August, 2008

Finding Your Organization’s Business Logic Flaws

Monday, August 11th, 2008 by The Director reports:

 Cybercriminals increasingly are employing no-tech or low-tech techniques for making big money online — no exploits or sophisticated hacker tools required.

The techniques themselves aren’t new — some have been around for nearly a decade. But the Web model has made these schemes that capitalize on so-called business logic flaws more lucrative than ever, according to Jeremiah Grossman, one of the researchers who will pull back the covers on these insidious and often transparent methods of attack at Black Hat USA next week in Las Vegas.

A sample:

One hack that Grossman and Ford will show at Black Hat involved a bank customer of WhiteHat’s, which was among 600 small- to medium-sized financial institutions that were vulnerable to a logic flaw in their application-hosting provider’s system. The flaw allowed attackers to steal money from the bank. “The attackers didn’t build [or] host their own Website,” Grossman says. “One particular flaw in the ASP’s [application service provider] system allowed [them] to see and transfer money on any account on the entire system.”

The ASP wasn’t willing to do the complete system redesign it would have taken to shore up the problem once WhiteHat pointed it out. “During one of our tests, we got the [system] to send us a check in the mail for $2, made out to ‘WH Test,’ and we emailed a photo of it to our customer.”

It was discovered that the cybercriminals had stolen money from the bank using the flaw in the ASP’s system and wired over $70,000 to Eastern Europe, Grossman says. He plans to provide details of the ASP’s flaw in his presentation next week.

If you’re looking for business logic flaws in your organization’s application, here are a few handy places to look:


Fresh Out Of Directives

Friday, August 8th, 2008 by The Director

The Washington Post Web site fails spectacularly if you fail to include the www in the URL and instead just type

Don't we have any directives that work?

On the plus side, the advertisement module is apparently configured correctly.

Remember, ungentle readers, to make sure that your Web sites work without the www subdomain.  Otherwise, at the very least, you’re inconveniencing me, a surly QA guy with a Web site.

‘No’ Is An Unlimited Resource Redux

Friday, August 8th, 2008 by The Director

Remember, ungentle reader, I have pointed out that ‘no’ is an unlimited resource.

At Practical QA, Linda Wilkinson goes into greater detail about the importance of not screwing up your project by urinating submissively and agreeing to whatever your client wants. Although she doesn’t use the submissive urination metaphor, to the piece’s ultimate detriment.

Her topic paragraph:

If someone were to ask me what I think is the number one problem facing IT today, I’d say it was the inability to say “no”. Not specifications, not offshoring, not lack of technical talent, not lack of jobs, and not any single type of project methodology.

Well, IT doesn’t have a blanket no, really, since it just says no to QA too well.

Forensic QA: The Cat Power Case

Friday, August 8th, 2008 by The Director

Isarian sends in this screenshot to the Yahoo! Music page for a band called Cat Power and asks, “See the “{$” at the very end of the Biography section. Looks like they were trying to insert a string?”

Cat Powers include random tag markers or something

First of all, the question I have is Does Isarian actually listen to a band named Cat Power?  Brother, if you want to really get into QA, you’ve got to listen to real music.  Heavy metal.  Like Tragedy.

Aside from that, let’s delve into the problem he notes.  It’s a little game I like to call forensic QA.

Too Far Ahead Of The Curve

Thursday, August 7th, 2008 by The Director

Like Brett Favre leading a receiver too far and dropping the ball into the hands of an opponent’s linebacker (American football terms, gentle European or Asian readers), the New York Jets Web site team this morning acted immediately to change its front page to let its fan (what?  Are there more than one?) buy a Favre jersey after his recent trade to the Jets from the Green Bay Packers:

Get your Favre jersey now!

Except, of course (more…)

The Limitations of BrowserShots

Tuesday, August 5th, 2008 by The Director

We’ve all been there, or maybe I’ve just been there enough for all of us.  The designers/developers talk about the QA timeline and budget, and beneath the insignificant times for manual testing, regression testing but at least contained in the test fantasy, unlike performance testing which never appears for small projects, we get to the browser compatibility portion of the program. Instead of a rigorous run through of the site or application in various Web browsers on Web platforms, you get 15 minutes to run it through BrowserShots.

I have a particular look for that moment in meetings.  I lower my brow, raise an eyebrow, tighten my mouth, and squint just a little.  This look indicates that I’ve reevaluated my assessment, and I’m checking the incurable wing box on the papers for your commitment.  BrowserShots is a handy little tool that will take a single page from your Web site, submit it to a distributed set of computers so that it can access your Web page in a varied set of browsers and platforms, and display a set of images of what that page looks like in those browsers.  You know, it’s a handy tool for a designer who wants to see how CSS and templates display across browsers, but it’s not a complete set of browser compatibility testing, no matter how much your project manager and other stakeholders wish it.

Here’s a handy bulleted list of some shortcomings of BrowserShots and what it cannot do that real QA, or at least the intern you can spare on it, can handle.

  • Mouse over effects.  It just takes a screenshot, remember.  That means that any mouseover images won’t show as broken images (and brother, I see this often enough to want to mouse over every menu item on every page).  Additionally, it won’t tell you that your a:hover style is Times New Roman 34 point when viewed in Safari.  Although I’ve not seen that particular combination, I see plenty of instances where it throws off the layout.  The images of the browser don’t show you that, but mousing over a link in a Web browser will.
  • Animation.  The screenshot takes a quick shot, so it won’t show any animation you’ve got going on.  You’ll get a single bit of it.
  • Anything rendered through plugins.  You won’t get to see if that animation works or that MP3 plays.  Additionally, you won’t get to see how many plugins cause problems since you’ll just get the image.
  • Pages requiring login.  You can see how the login form looks, but it doesn’t have a facility to show you pages requiring login.
  • In-place content rotation.  That is, if the application is supposed to show multiple rotating things, such as touts or callouts, in a position on the page, you’re going to see the one that loads the first time the browser loads.
  • Polls.  You’ll see the poll question, but not how the results display after the user votes.
  • Refreshed information. If something changes after x amount of time, you only get the first screenshot, so you won’t see any changes on the page.
  • Forms.  So many gotchas in browser compatibility come from how forms behave, but you only get to look at them, not test their validation.
  • Showing layouts of hidden bits in forms.  If you’ve got a drop-down list, you won’t see how the items within the list are rendered (that is, whether the list is wide enough).  Also, you won’t see the alignment of the entry into text boxes (off center sometimes; try it).
  • Showing any of those show/hide divs. Designers are so fond of these devices now.  They like to click links and show/hide content on the page, but you will never see how that looks because BrowserShots shows only the page’s appearance on page load.
  • Whether tracking works.  You need to run through the site to make sure tracking works as expected.  BrowserShots shows the page.  Period.  Additionally, tracking links and redirects may work oddly in BrowserShots.
  • Some screenshots taken before site renders if it’s a slow site.  If your site is full of slow-loading awesomeness, some of the screenshots that display on BrowserShots will show the site as it’s rendering, not its final look.  Granted, that indicates problems anyway, but your designers will look at it and tell you that the site would have rendered correctly given enough time, even when this might not be the case.

    I mean, let’s look at one of our favorite sites,, as it appears in BrowserShots:

    Slow to load, so it doesn't display.

    Seriously, what does that show you that’s useful?
  • Page behavior with browser resizing.  Most of the screenshots come from full-size browser windows.  You have no insight into what happens when the user sees it in windowed mode.  Does the sidebar, set to an absolute right position in the CSS, overlay the content page when the window is less than 800 pixels wide?  Hey, who knows?
  • Scrolling concerns.  You can tell in the screenshots if you’d need to scroll right to see the page or down, but it’s not as obvious–or annoying–as it would be if you had to do it in an actual browser.  If you did, you’d log an issue, but BrowserShots makes this easy to overlook.

You can work around some of these by running your site through BrowserShots over and over again and for each individual page, but come on, eventually that will be as time consuming as just running through the site in different browsers.  Less cool, maybe, and it feels like work instead of submitting your URL and reading Slashdot until the pictures show up.

You know, I’ve got nothing against BrowserShots and as I’ve indicated, I think it’s got its place.  However, it is not a complete browser compatibility regimen, and if your organization insists on using it as such, well, you’re going to have some well-deserved problems.

Make Smashups More Easily

Monday, August 4th, 2008 by The Director

I know a developer who thinks that this evolution of software development is interesting: Get Iceberg! Develop Custom Applications Without Coding.

Yay, a way to reduce application development to a lower level and with less quality control than ever before.  Pardon me, but I’m not thrilled with the thought of mashups or semantic development making applications worse.

So here are the obligatory JavaScript errors on the Get Iceberg blog that occur when you click away:

Without knowledge of coding, here's what you get.

That happened to someone who probably knew how to code something.  Imagine what business users developing their own applications will do.

Well, The Name Is Cracked

Friday, August 1st, 2008 by The Director

JavaScript error on interior pages of cracked up

Just a standard error message.  However, it’s Friday, and I thought you needed a good excuse to click over to  Remember to keep laughing, as it’s the only thing keeping us from crying.

It Only Annoys The Firefox Users

Friday, August 1st, 2008 by The Director

Say you’re running a famous and wildly successful QA blog whose advertising and t-shirt sales revenue were allowing you to go to to look for new digs.  You conduct your search and look over the first page of results.  Nothing here to see, so you mouse over what looks like a button of further search results.  The background changes and the mouse cursor changes to the pointing hand:

This would look to be a hotlink.

You click.  And nothing happens.

Silly user!  You see, the developers at have put in a bunch of JavaScript gee-whizzery to make this behave like it’s completely a button, but if you’re using Firefox, only the number or text is hyperlinked.

That is, 40% of the screen area where the mouse cursor is the pointing hand actually links anywhere.

Well, browser compatibility costs money, and it’s only enough to annoy you by making you wonder if you really clicked at all. Where else are you going to go to get MLS listings, simpleton?  Hit that number!
