MOBILE SECURITY FRAMEWORK (MobSF) installation in Ubuntu/Linux Mint


Mobile Security Framework (MobSF) is an all-in-one, open source automated pen-testing framework for mobile applications (Android/iOS/Windows) that performs both static and dynamic analysis. It can be used for fast, effective security analysis of Android, iOS and Windows mobile applications and accepts both binaries (APK, IPA and APPX) and zipped source code.

MobSF can also perform Web API security testing with its API Fuzzer, which does information gathering, analyses security headers, and identifies mobile-API-specific vulnerabilities such as XXE, SSRF, path traversal and IDOR, as well as logical issues around session handling and API rate limiting.

To install and configure MobSF you need the following (the versions this post was written against; newer MobSF releases require Python 3):

Ubuntu 14.04
RAM >= 4GB
HDD >= 50GB
Python 2.7
Oracle JDK 1.7 or higher


INSTALL ORACLE VIRTUALBOX

Add Oracle's package signing key (the VirtualBox apt repository must also be present in your sources list for the next step to find the package):

wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

Install VirtualBox:

$ sudo apt-get update

$ sudo apt-get install virtualbox-5.0

Download the latest release of MobSF:

https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/releases

Download the MobSF VM 0.2 OVA file:

 https://goo.gl/h7CCxx

Now copy the MobSF release you downloaded to:

 ---> for Windows: C:\MobSF
 ---> for Linux: /home/[username]/MobSF

Install pip (the Python package manager) so that MobSF's dependencies can be installed.

For Ubuntu:
$ sudo apt-get -y install python-pip

For Windows:
Download the file https://bootstrap.pypa.io/get-pip.py and run:

python get-pip.py

INSTALL MOBSF

From the MobSF directory you copied above, install the requirements:

Windows: C:\Python27\Scripts\pip.exe install -r requirements.txt

Ubuntu: pip install -r requirements.txt

Install complete!

REST API Interview Questions And Answers For Software Testers

Common REST API questions and answers for the interview section.

1) Explain what REST and RESTful are.
REST:
REST stands for REpresentational State Transfer; it is an architectural style for writing web APIs. In a REST architecture a REST server provides access to resources and a REST client accesses and presents those resources. Each resource is identified by a URI (a global ID). A resource can be represented in different formats such as plain text, JSON and XML; JSON and XML are the most popular representations these days.
RESTful Web Service
Two kinds of web services are widely used:
1. SOAP (Simple Object Access Protocol), an XML-based way to expose web services.
2. Web services developed in the REST style, known as RESTful web services. They use HTTP methods to implement the REST architecture. A RESTful web service typically defines a URI (Uniform Resource Identifier) for each resource, provides a resource representation such as JSON, and supports a set of HTTP methods on it.
2) Explain the architectural style for creating a web API.
The architectural style for creating a web API consists of:
  • HTTP for client server communication
  • XML/JSON as formatting language
  • Simple URI as the address for the services
  • Stateless communication
3) Mention the HTTP methods supported by REST.
HTTP methods commonly used in REST are:
  • GET: requests the resource at the request URL. It should not carry a request body, and because it is safe and idempotent its response may be cached by the client or by intermediaries.
  • POST: submits data to the service for processing, usually to create a new subordinate resource; it typically returns the new or modified resource.
  • PUT: creates or replaces the resource at the request URL; repeating the same PUT has the same effect (idempotent).
  • DELETE: removes the resource at the request URL.
  • OPTIONS: reports which HTTP methods the resource supports (for example in an Allow header).
  • HEAD: returns the same response headers as GET for the request URL, without the body.
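The method semantics above are easiest to see in a small dispatcher. The following is an added example, not code from the original post: it opens no socket, it just maps (method, path, body) onto an in-memory resource collection and returns (status, headers, body). The '/items' resource name and the item fields are hypothetical.

```python
"""Minimal REST method dispatcher for an in-memory resource collection.

Added example, not code from the original post. handle() takes the method,
path and body as plain values and returns (status, headers, body), so each
method's semantics can be exercised offline. '/items' is a hypothetical
resource name.
"""
import json

ALLOWED = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")


class ItemStore:
    """Resources live at /items (the collection) and /items/<id> (one item).

    All state is in the store, none in the 'connection': every call carries
    everything needed to serve it, which is the stateless constraint of REST.
    """

    def __init__(self):
        self._items = {}
        self._next_id = 1

    def handle(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if parts[0] != "items" or len(parts) > 2:
            return 404, {}, ""
        item_id = None
        if len(parts) == 2:
            if not parts[1].isdigit():
                return 404, {}, ""
            item_id = int(parts[1])

        if method == "OPTIONS":
            # Advertise the supported methods; no representation is returned.
            return 204, {"Allow": ", ".join(ALLOWED)}, ""

        if method in ("GET", "HEAD"):
            # Safe and idempotent, so the response may be cached; HEAD sends
            # the same headers as GET without the body.
            if item_id is None:
                data = json.dumps(list(self._items.values()))
            elif item_id in self._items:
                data = json.dumps(self._items[item_id])
            else:
                return 404, {}, ""
            headers = {"Content-Type": "application/json",
                       "Cache-Control": "max-age=60"}
            return 200, headers, ("" if method == "HEAD" else data)

        if method == "POST":
            # Creates a new subordinate resource; the server picks the id,
            # so repeating the request creates another item (not idempotent).
            if item_id is not None:
                return 405, {"Allow": "GET, HEAD, PUT, DELETE, OPTIONS"}, ""
            item = dict(json.loads(body), id=self._next_id)
            self._items[self._next_id] = item
            self._next_id += 1
            return 201, {"Location": "/items/%d" % item["id"]}, json.dumps(item)

        if method == "PUT":
            # Replaces the resource at this URL; repeating it changes nothing.
            if item_id is None:
                return 405, {"Allow": "GET, HEAD, POST, OPTIONS"}, ""
            created = item_id not in self._items
            self._items[item_id] = dict(json.loads(body), id=item_id)
            self._next_id = max(self._next_id, item_id + 1)  # avoid id clash with POST
            return (201 if created else 200), {}, json.dumps(self._items[item_id])

        if method == "DELETE":
            if item_id is None or item_id not in self._items:
                return 404, {}, ""
            del self._items[item_id]
            return 204, {}, ""

        return 405, {"Allow": ", ".join(ALLOWED)}, ""
```

A real service would wrap handle() in http.server or a WSGI application; the point here is that GET/HEAD never change state, PUT and DELETE can be retried safely, POST cannot, and OPTIONS (or a 405 response) is where the Allow header from question 3 comes from.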

What is latest technology/trends in Software testing?


Future of software testing: in the next few years testing will set some new trends. Here are some of the latest trends in the testing domain.

  1. The future belongs to open source tools:
     The next decade (maybe more) will see a lot of open source tools in action as more and more organizations adopt them to implement Agile, DevOps and test automation. The support communities around open source tools can only become more involved and active.
  2. Quality at high speed is the new mantra: everyone wants the best product in the fastest possible time. This is making organizations focus on the best user experience together with the fastest time to market. Speed (and quality) will only increase with the latest technologies and tools at teams' disposal.
  3. Software Development Engineers in Test (SDETs) will be in huge demand: SDETs have existed for almost a decade, but their role was very different from traditional testing roles. By early 2020 almost all testers will need to wear an SDET hat to succeed in test automation, which is going to become mainstream.

OWASP ZAP Tool : Security testing tool with implementation and reports

Introduction to the OWASP ZAP Tool

OWASP ZAP:

OWASP ZAP (Zed Attack Proxy) is a free, open source web application security scanner maintained as a project of the OWASP Foundation. The OWASP Foundation came online on December 1st 2001 and was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability of and support for OWASP's work.
Why go for OWASP ZAP? (points 2 to 6 describe the OWASP Foundation that runs the project)

1. Open source tool
2. Governed by rough consensus and running code
3. Abides by a code of ethics
4. Not-for-profit
5. Not driven by commercial interests
6. Risk-based approach
7. Ideal for beginners
8. Can automate the security test
9. Cross-platform
10. Easy to install
11. Internationalized
12. Compatible with other tools

OWASP Top 10 vulnerability categories that ZAP scans for:

The list below is the OWASP Top 10 (2017 release candidate), i.e. the classes of web application risk that ZAP's passive and active scan rules target, rather than features of the tool itself.

1. Injection
2. Broken Authentication and Session Management
3. Cross-site Scripting (XSS)
4. Broken Access Control
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Insufficient Attack Protection
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Underprotected APIs

Explanation of the above categories in detail:

1. Injection

Any source of data can be an injection vector.
It is often found in SQL, XPath or NoSQL queries.
It occurs when an application sends untrusted data to an interpreter as part of a command or query.
For example, an attacker can execute malicious SQL statements that control the web application's database server.

How to prevent?
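Parameterized queries are the standard defence against SQL injection. The following is an added example, not code from the original post: it puts a string-concatenated login query next to a parameterized one and runs the classic `' OR '1'='1` payload against both. It uses Python's built-in sqlite3 with a constructed in-memory users table, so it runs offline; the table, credentials and attack string are all constructed for the demonstration.

```python
"""Vulnerable vs. parameterized login query (added example, not from the post).

Uses an in-memory sqlite3 database; the 'users' table, its single row and
the ATTACK string are constructed for the demonstration.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is concatenated straight into the SQL text, so the
    # interpreter cannot tell data apart from code.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Placeholders send the values separately from the statement text, so
    # quote characters inside the input remain data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Turns the WHERE clause into ... AND password = '' OR '1'='1'
ATTACK = "' OR '1'='1"


def demo():
    """Run both implementations against the attack and a real password."""
    conn = make_db()
    return {
        "vulnerable_with_attack": login_vulnerable(conn, "admin", ATTACK),
        "safe_with_attack": login_safe(conn, "admin", ATTACK),
        "safe_with_real_password": login_safe(conn, "admin", "correct-horse"),
        "vulnerable_with_wrong_password": login_vulnerable(conn, "admin", "wrong"),
    }
```

The vulnerable function accepts the attack because the injected `OR '1'='1'` makes the WHERE clause always true; the parameterized version rejects it because the whole payload is compared literally against the stored password. The same placeholder mechanism exists in every mainstream database driver.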

Extract Xpath from App using Macaca Inspector

What is Macaca Inspector?

Macaca Inspector is a web-based inspector created by the Macaca team at Alibaba. Macaca provides a suite of open source automation solutions based on WebDriver, for both web and mobile; the inspector is one of those tools.
It can pull XPath values for elements of Android or iOS apps.

How to install Macaca Inspector?

These instructions assume you already have Appium installed locally with Node.js, and that the Android SDK and Ant paths are set globally.
The npm command below only works if Node.js (which bundles npm) is installed on the system.

1) On Windows, open CMD and run:

npm install macaca-cli -g

Once the installation is complete, npm prints a success message.

Install Appium in Linux Mint


This post covers the installation procedure for Appium on Linux Mint.

SUMMARY OF TOOLS REQUIRED BY APPIUM
  • Java JDK 7: the openjdk-7-jdk package must be installed. Do not confuse it with openjdk-7-jre, which contains just the Java runtime environment.
  • Apache Ant: the Java equivalent of GNU make, for building Java applications
  • Apache Maven: Java dependency management and build system
  • RVM: Ruby Version Manager
  • gem: Ruby package manager
  • bundler: Ruby dependency manager
  • Node.js: JavaScript runtime
  • npm: Node.js package manager
  • grunt: JavaScript task runner
These tools can be installed by following the next steps.

1. INSTALL JAVA


     $ sudo apt-get install openjdk-7-jdk

Add JAVA_HOME to your .bashrc with any editor (gedit .bashrc is a graphical alternative to vim). Note that PATH must include the JDK's bin directory, not JAVA_HOME itself, or java will not be found:

     $ vim .bashrc

          export JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64"
          export PATH="$PATH:$JAVA_HOME/bin"

    $ source .bashrc

Run the following command to check whether Java is accessible:

    $ java -version

You should get the following output in your terminal:

java version "1.7.0_95"
OpenJDK Runtime Environment (IcedTea 2.6.4) (7u95-2.6.4-0ubuntu0.14.04.1)
OpenJDK 64-Bit Server VM (build 24.95-b01, mixed mode)

2. INSTALL APACHE ANT

Move to your workspace folder (this guide uses $HOME/workspace) and download the latest version of Apache Ant (1.9.6 at the time of writing):

    $ wget http://www.eu.apache.org/dist//ant/binaries/apache-ant-1.9.6-bin.tar.gz

When that's done, uncompress the archive and delete the original .tar.gz file since we won't need it anymore.

    $ tar -xvzf apache-ant-1.9.6-bin.tar.gz

    $ rm apache-ant-1.9.6-bin.tar.gz

Now you will have a folder named apache-ant-1.9.6 in your workspace folder.
Use that folder to create the ANT_HOME in your .bashrc file:

    $vim .bashrc

        export ANT_HOME="$HOME/workspace/apache-ant-1.9.6"
        export PATH="$PATH:$ANT_HOME/bin" # Add ant to PATH

    $source .bashrc

From the ANT_HOME directory, run the following:

     $ ant -f fetch.xml -Ddest=system

This will get the library dependencies of most of the Ant tasks that require them. If you don’t do this, many of the dependent Ant tasks will not be available.


Role of OSI Layer when we open a webpage

This session covers the role of each OSI layer when we open a webpage in the real world.

When you try to open a web page on your PC, this is what typically happens. (Only the basic concepts are put together here for understanding; most of the steps below are far more elaborate and involve more devices, protocols and details than shown.)

Figure: OSI layer pictorial representation when a web page launches in the browser

Keep in mind that although the OSI model is what we study, real-world networks do not use OSI; they use the TCP/IP network model. The OSI model is still taught because of its usefulness in separating concepts into modules (layers), and its layers are mapped onto the TCP/IP model.

Figure: Understanding the OSI layer model

The user launches a site in the browser by typing a web address (Uniform Resource Locator). The web browser speaks the Hypertext Transfer Protocol (HTTP), which is an application layer protocol.

Figure: OSI layer data, protocols and activities

Behind the scenes the web browser gets the IP address for the URL you typed (say http://www.spansid.blogspot.com) using the Domain Name System (DNS), which is also an application layer protocol.

Figure: Role of each of the seven OSI layers when opening a webpage
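The DNS lookup mentioned above is a concrete application-layer message: the resolver builds a query in the RFC 1035 wire format and hands the bytes down to the transport layer (UDP, port 53). The following is an added example, not from the original post, that builds such a query for the hostname from the text and parses it back. Nothing is sent on the network; the transaction id is a constructed value.

```python
"""Build and parse a DNS query message (RFC 1035 wire format).

Added example, not from the original post. It shows the application-layer
bytes a resolver hands to UDP when looking up a hostname; nothing is sent.
"""
import struct

QTYPE_A = 1      # IPv4 address record
QCLASS_IN = 1    # Internet class


def encode_name(hostname):
    """Turn 'www.example.com' into length-prefixed labels ending in a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(hostname, txid=0x1234):
    """12-byte header plus the question section for a single A record lookup."""
    flags = 0x0100   # QR=0 (query), opcode 0, RD=1 (recursion desired)
    # txid, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all big-endian 16-bit)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(hostname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return header + question


def parse_query(packet):
    """Inverse of build_query; returns the header and question fields as a dict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # 11xxxxxx marks a compression pointer, which only appears in answers.
            raise ValueError("compression pointers are not expected in a query")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "is_response": bool(flags & 0x8000),
        "questions": qdcount,
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }
```

The 16-bit transaction id is the only thing that ties a reply to this query, which is why a resolver that uses predictable ids (or a fixed source port) can be fed spoofed answers; matching the id and the question before accepting a response is the minimum check.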




Page Performance testing with HTML report using Google Lighthouse

Lighthouse

Lighthouse is an open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, and more.
You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did.
Here I have run a Lighthouse page performance test for "techsouljours.blogspot.com".
The steps:

Step 1. Open the URL of the site to test in Chrome; if you want to check a particular page or link, navigate to it first.

Figure: Google Lighthouse web performance test

Step 2. Press F12 to open DevTools and go to the Audits tab.

Figure: Google Lighthouse web performance tool - Audits tab

Step 3. Click "Perform an audit" for the current page and proceed.

After waiting 50 to 60 seconds, the performance report appears.

Figure: Lighthouse web performance report for the site

Device Not Found in ADB and here is the solution to connect device in system

HOW TO CONNECT A DEVICE TO THE SYSTEM WHEN IT IS NOT SHOWING IN ADB

When the device does not show up in the output of adb devices, follow the steps below:

1. First make sure your device is connected to the system with USB (and that USB debugging is enabled on the device).
2. Now go to My Computer, right-click and select Manage.
3. Click Device Manager and check whether your device is listed; if its driver is not installed it will show with a question mark (?) under Portable Devices.

Figure: ADB device not found in Windows

4. Right-click on it and select Update Driver Software.

Figure: Resolving ADB device not found by updating the driver software

5. Select Browse my computer for driver software.

Figure: Update driver software for ADB device not found

6. Select Let me pick from a list of device drivers on my computer.

Figure: ADB device not found, picking the driver manually

7. Select the first option and keep clicking Next.

Figure: ADB device found after updating the driver software

8. Finally click Close once the update completes. The device should now be connected:
- check in the command prompt by running adb devices
- this command lists all the devices connected to your system.

Hope this information will be useful to you all... :)

Post author by Test Engineer Ruchi Singh

Automation testing for mobile application via terminal to find crash (Monkey testing)

Monkey testing is a technique used in software testing to exercise an application or product with random input and observe whether the system or application crashes.

In monkey testing the tester (or sometimes the developer) acts like a monkey: the assumption is that if a monkey used the computer it would enter random data without any knowledge or understanding of the application.
The tests are therefore very random and may not be meaningful.
Because of this randomness, testers may not be able to reproduce the issues or bugs found.

Advantages of monkey testing:
  • It is a good approach to find new bugs that the documented scenarios would not reveal.
  • It can also serve as stress testing and load testing, since the scenarios tested are random and ad hoc.
  • It is very easy to execute because it just requires random input run against random actions.
  • The cost of writing test cases and setting up environments is very low.
  • The process can be automated with tools.
  • It can be performed on desktop, web and mobile applications.

Want to find more crashes in a mobile application? Here we go (the adb monkey tool below is Android-only; it drives an installed APK):

Make sure your device is connected to the system and log in to the app before running it.

Command you need to give in the command prompt:

C:\Users\user>adb shell monkey -p com.acb.acbsmart -v 10000

-p restricts the generated events to the given package name (com.acb.acbsmart)
-v makes the output verbose (repeat it, -v -v -v, for more detail)
The trailing number is the count of pseudo-random events to inject (e.g. 10000, 15000, 12000, whatever you want); monkey runs until that many events have been sent or the app crashes or stops responding.

Figure: Monkey testing via terminal to find crashes in the mobile application

Note: Before running this monkey test, check with the developer, because the random events can hammer the backend server (especially with many iterations). Alternatively, turn off the internet connection on the device and then run it.
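Monkey's verbose output is what you read after the run to find out what crashed. The following is an added example, not from the original post: a parser that pulls crashes and ANRs out of that output. SAMPLE_LOG is constructed to resemble monkey's "// CRASH:", "// NOT RESPONDING:" and "// Short Msg:" lines; the package name, pid, stack trace and event counts in it are made up.

```python
"""Scan `adb shell monkey -v` output for crashes and ANRs.

Added example, not from the original post. SAMPLE_LOG is a constructed
imitation of monkey's verbose output; in practice feed parse_monkey_log()
the captured stdout of the adb command.
"""
import re

SAMPLE_LOG = """\
:Monkey: seed=1510400214 count=10000
:Sending Touch (ACTION_DOWN): 0:(540.0,960.0)
:Sending Touch (ACTION_UP): 0:(540.0,960.0)
// CRASH: com.acb.acbsmart (pid 4321)
// Short Msg: java.lang.NullPointerException
// Long Msg: java.lang.NullPointerException: Attempt to invoke virtual method on a null object reference
// Build Label: constructed/sample
// java.lang.NullPointerException: Attempt to invoke virtual method on a null object reference
//     at com.acb.acbsmart.MainActivity.onResume(MainActivity.java:88)
:Sending Touch (ACTION_DOWN): 0:(100.0,200.0)
// NOT RESPONDING: com.acb.acbsmart (pid 4321)
// Short Msg: Input dispatching timed out
** Monkey aborted due to error.
Events injected: 2873
"""

# "// CRASH: <package> (pid <n>)" or "// NOT RESPONDING: <package> (pid <n>)"
CRASH_RE = re.compile(r"^// (CRASH|NOT RESPONDING): (\S+) \(pid (\d+)\)")
SHORT_RE = re.compile(r"^// Short Msg: (.*)")
INJECTED_RE = re.compile(r"^Events injected: (\d+)")


def parse_monkey_log(text):
    """Return (events_injected, findings); each finding is a dict with
    kind ('crash' or 'anr'), package, pid and the short message."""
    findings = []
    injected = None
    current = None
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            kind = "crash" if m.group(1) == "CRASH" else "anr"
            current = {"kind": kind, "package": m.group(2),
                       "pid": int(m.group(3)), "message": ""}
            findings.append(current)
            continue
        m = SHORT_RE.match(line)
        if m and current is not None and not current["message"]:
            # First "Short Msg" after a CRASH/ANR line belongs to it.
            current["message"] = m.group(1).strip()
            continue
        m = INJECTED_RE.match(line)
        if m:
            injected = int(m.group(1))
    return injected, findings


def summarize(text):
    """Compact result suitable for failing a CI job on any crash."""
    injected, findings = parse_monkey_log(text)
    crashes = [f for f in findings if f["kind"] == "crash"]
    anrs = [f for f in findings if f["kind"] == "anr"]
    return {
        "events_injected": injected,
        "crashes": len(crashes),
        "anrs": len(anrs),
        "first_crash_message": crashes[0]["message"] if crashes else None,
    }
```

Keep the seed printed on the first line together with the findings: rerunning monkey with the same `-s <seed>` and event count is the only practical way to reproduce a random crash, which addresses the reproducibility drawback mentioned above.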

Hope this information will be useful to you all... :) 

Post author by Test Engineer Ruchi Singh


Appium Installation in windows with all available Links

Appium Installation process with all the details

1. Install the Java Software Development Kit (JDK)

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
And follow this link for other info
http://toolsqa.com/mobile-automation/appium/install-the-java-development-kit-jdk/

2. Install the Android SDK / ADB on Windows, install the Android SDK packages and set up the Android environment variables.
 In the link below go to steps 3, 4 and 5:

http://toolsqa.com/mobile-automation/appium/appium-tutorial/


Appium installation link

https://bitbucket.org/appium/appium.app/downloads/

For Appium jar file link:

http://www.automationtestinghub.com/appium-jars-download/


3. Node.js is not needed initially, but you can install it:

Download Link: https://nodejs.org/en/download/
For more info visit: http://toolsqa.com/mobile-automation/appium/download-and-install-nodejs/

List of Web application testing tools To Meet Your Testing Objectives

Check out this list, which covers open source as well as licensed software testing tools. Most of the tools listed here offer free trial versions so users can try them before investing.

We have listed some key tools to execute Performance, Load and Stress Testing on the Web Applications. This ensures the application’s performance under diverse situations and challenging scenarios. 
  1. Apache JMeter
It is an open source load testing tool written in Java that runs across platforms. Apache recently released JMeter v2.11, which supports all platforms and is used for load testing to analyse and gauge the performance of a system/application.
Its strong GUI helps build Test Plan quickly and debug processes. It further helps analyze the overall performance under various loads on the server, and the network.
Official Website: Apache JMeter
2. NeoLoad
This is a load and stress testing tool by Neotys built for Windows, Linux, and Solaris. It is available in English and French, and its latest version 4.2 helps measure, analyze, and improve the performance of the website.
While there are multiple users simultaneously accessing the website, the tool helps check the performance of the website under added load to ensure required user experience. It makes the testing process faster, efficient, and repetitive.
Official Website: NeoLoad
3. LoadRunner
A load testing tool by HP that is built for Windows and Linux to test the web and other applications effectively. It is available in version 12.0 with multiple languages.
The tool helps evaluate the application's performance under heavy load, where many users may access the website at the same time. Additionally, it handles numerous protocols for load testing: .NET Record/Replay, Database, DCOM, GUI Virtual Users, Java Record/Replay, Network, Oracle E-Business and Remote Access.
Official Website: LoadRunner
4. LoadUI
LoadUI's latest version is 2.7; it is written in Java, JavaFX and Groovy and supports diverse platforms. It mainly targets web services and works with SoapUI 5.0 (a functional testing tool).
The latest version has corrected issues that were present in the earlier version of LoadUI. The tool is currently available in Pro version with drag-and-drop interface that helps test the load in a real-time scenario.
Official Website: LoadUI
5. Loadster
It is a commercial load testing tool implemented to test websites web applications/services (HTTP web services) that emulates the environment to test the application’s performance under heavy load, given by the tool. It supports Linux, Mac, and Windows.
It is a feature-loaded tool that works on web applications/services, cookies, sessions, custom header, etc. It is implemented to test the performance, resilience, stability and scalability of web applications. It simulates multiple users, networks with the site and collects statistics. This helps determine and eliminate performance bottlenecks to ultimately manage traffic and crisis situations.
Official Website: Loadster
6. Load impact
It is an online load testing tool used to test the performance of websites, web and mobile apps, and APIs under load across various platforms. The tool lets you run tests online instead of maintaining an offline platform.
While the testing process is fast, the user can also repeat the tests easily and within shorter time span.
Official Website: Load impact

Top 10 Web Functional/Regression Testing Tools and their list

Functionality, behaviour, usability and security of websites and web applications are rising concerns for enterprises across sectors. The right testing tools help you eliminate bugs in shorter cycles and get your web application functional and market ready.

Most of the bugs occur due to functional issues within the website/web application. Below are some select web functional/regression testing tools for your quick reference.

1. Selenium
Selenium is a widely used automated testing suite among testers. It is designed to support test automation of the functional aspects of web applications across a diverse range of browsers and platforms.
The suite comprises four components: Selenium IDE, Selenium RC, WebDriver and Selenium Grid. WebDriver communicates directly with the web browser and uses the browser's native support for automation.
Official website: Selenium
2. TestCafe v14.1.3
It is a web testing framework for testing web applications across Windows, macOS and Linux. It is popular for web application testing and generates clear and simple tests. It records in any HTML5-capable browser and can run functional tests on Windows, Mac and Linux, including on remote machines.
For mobile devices it can run tests on iPhone, iPad, Android and Windows Phone. Additionally, it can execute tests simultaneously across multiple browsers and machines.
Official website: TestCafe v14.1.3
3. CasperJS v1.1-beta3
It is an easy to use, open source navigation scripting and testing tool for Windows, macOS and Linux, written in JavaScript, that drives PhantomJS and SlimerJS (Gecko) through useful functions, methods and syntactic sugar. It handles forms, links, page screenshots, the remote DOM, events and sign-in flows, downloads binary and other resources, and can write functional test suites and save the results in JUnit XML format.
Official website: CasperJS v1.1-beta3
4. Screenster
Screenster is a UI-based functional and regression testing tool for web applications; it runs on all Windows versions with any major browser and Java 6 or higher. It claims 10x productivity without writing a single line of code: while operating it takes a screenshot at every step and compares it to the baseline, lets you verify changes (or the absence of changes) to the UI, and gives full access to the Selenium API whenever required.
Official website: Screenster
5. SoapUI
It is a cross-platform, free and open source functional testing tool written in Java for service-oriented architectures (SOA) and REST APIs. It offers a user-friendly interface with many features for API testing that make functional, regression and load testing easy and fast.
Its commercial version (SoapUI Pro) adds further functional testing features. It supports all the protocols and technologies connected to the application under test.
Official website: SoapUI
6. Sahi
An open source, cross-platform web application testing tool written in Java and JavaScript and released under the Apache License 2.0. It is used to test Web 2.0 applications across multiple browsers.
It identifies elements easily and works on applications with dynamic ids and on applications built with ExtJS, ZK, Dojo, YUI, etc.
Official website: Sahi

List of top security website testing tools

The financial services and banking sector has always been a prime target for security breaches that compromise massive amounts of sensitive user data, and financial services are something everyone needs. So here we list some security testing tools for building a robust application for the marketplace.

1. NTOSpider
NTOSpider scans your web applications/services, mobile and RIA applications for security vulnerabilities. It is a Windows-based web security tool that scans an application completely in a short time, cost-effectively.
Official website: NTOSpider
2. Brakeman v2.6.1
The tool is an open source static analysis scanner that checks Ruby on Rails applications for security vulnerabilities; it integrates with Jenkins/Hudson and works on Rails 2.x, 3.x and 4.x. It methodically scans Rails application code to identify security issues at every stage.
Official website: Brakeman
3. SiteDigger v3.0
It examines Google's cache for errors, configuration issues, proprietary information and other security nuggets on websites. Additionally, it has a good user interface that provides real-time results with the ability to save the signature selection and result set.
You are not required to have a Google API licence key to use the tool; it runs on all Windows versions and requires the Microsoft .NET Framework v3.5.
Official website: SiteDigger
4. Netsparker
It is a cross-platform web application security scanner that detects and reports vulnerabilities and security issues in any website/web app, irrespective of the OS or technology it is built on.
Official website: Netsparker
5. Network Mapper (NMap)
It is a cross-platform network scanner written by Gordon Lyon that discovers hosts and services on a computer network. It sends crafted packets to the target machine and scrutinises the responses received (it is a network scanner rather than a web application scanner).
Previously it was only available for Linux, but it can now be used on Microsoft Windows, BSD variants, Mac OS X, AmigaOS, Solaris, HP-UX and SGI IRIX.
Official website: NMap

Top Cross browser testing tools

Since a seamless user experience is key for every brand and enterprise, having the right tool in place is indispensable for every tester. Here are some tools for your reference.
1. Browsera
It is an online cross-browser testing tool that works on Windows and Mac OS X and detects cross-browser layout issues by comparing the output from each browser. When each test completes, every JavaScript error is reported and collated. The entire website can be tested by using the tool's crawling feature.
Official website: Browsera
2. IE NetRenderer
It is a free online tool, usable from Mac and Linux as well, that lets users view how a website renders in Internet Explorer versions 5.5 to 11. It performs a large number of renderings in real time and at a fast pace.
Official website: IE NetRenderer
3. IETester v0.5.2
It is a Windows web browser by Core Services with a user-friendly interface that gives users access to all its functionality quickly and easily, with a focus on speed and efficiency.
With the Microsoft ribbon toolbar, users can switch between Internet Explorer versions (5.5 to 9) with a single click. It also facilitates compatibility tests.
Official website: IETester
4. W3C Link Checker
It is a link checking service by W3C that checks the links and anchors on a web page, or across an entire website, in HTML, XHTML or CSS documents.
Official website: W3C Link Checker

Post author by Senior QA Nazeer