By Parul Wahi

Borland silk test is a leading tool for functional and regression, cross platform and localization testing. It can test application based on vast set of technologies like Java, .Net , web , active x, adobe Flex ,client server  etc. Silk Test’s powerful testing framework enables high reusability of test scripts across test projects, building and maintaining regression testing suites and thus helps in expanding test coverage and optimize application quality.

Silk Test Features

A single, automated functional testing tool tests a broad range of enterprise technologies and environments—without costly connectors, adaptors or add-ins
•    A wizard-driven toolbar workflow enables novice users to develop useful tests quickly
•    Robust, resilient tests are supported by a flexible, object-oriented, fourth-generation scripting language called 4Test is designed expressly for automated testing
•    Silk Test also offers functionality of test case management, test planning, data base function, date time functions etc. to make your automation more effective.
•    Silk Test offers many features such as basic workflow for recording tests, workflow for linking a single test case to test data values stored in external tables and code completion in the SilkTest IDE .
•    Unicode support allows localization testing of global applications on multiple platforms with a single script
•    A built-in, customizable error-recovery system returns systems to pre-failure state and resumes testing, unlike other tools that leave systems unstable with unexecuted tests
•    TrueLog based visual reports simplify problem diagnosis when you find defects
•    Integration with Borland’s software test management tool delivers enhanced management capabilities that support a mature and complete functional and regression testing process
•    Built-in support for testing Adobe Flex applications using Internet Explorer, Firefox, the Standalone Flex Player, and Adobe AIR
•    Animated Run Mode to provide ‘slow motion’ playback of test scripts

Architecture

Silk Test consists of two distinct components that execute in separate
processes:
• The Silk Test Host software
• The Silk Test Agent software

The SilkTest Host

The host software is the SilkTest component you use to develop, edit, compile, run and debug your test scripts and testplans. The machine that runs this component is often referred to as the host machine.

The SilkTest Agent

The SilkTest Agent is the component of SilkTest that interacts with the GUI of your application. The Agent translates the commands in your 4Test scripts into GUI specific commands, driving and monitoring the application you are testing. The Agent can run locally on the same machine on which the Host is running or, in a networked environment, any number of Agents can run on remote   machines. In a networked environment, the machine that runs the Agent is often referred to as the remote machine.

How SilkTest  Works and records user actions

Applications are composed of graphical user interface (GUI) objects such as windows, menus and buttons that a user manipulates using a keyboard and a mouse to initiate application operations. Silk Test interprets these objects and recognizes them based on the class, properties and methods that uniquely identify them. During testing, Silk Test interacts with the objects to submit operations to the application automatically, simulating the actions of a user, and then verifies the results of each operation. The simulated user, Silk Test, is said to be driving the application.

Before you begin creating and running test scripts, you create a repository of information about your application to be used by Silk Test. This repository includes descriptions of the GUI objects that comprise your application.Based on the properties and methods Silk Test associates with these objects, Silk Test can recognize the actions performed on them and intelligently record those actions into your test script using the 4Test language.

Test automation is normally developed in SilkTest host using either record/playback or by manual scripting using 4Test. Normally, test cases for SilkTest are developed in IDE (Integrated Development Environment) provided by SilkTest host software. Executing automated test suite is the responsibility of SilkTest agents. SilkTest even supports parallel execution of test cases with the help of these agents. SilkTest host can communicate with these agents residing on multiple machines and execute automated test cases on multiple machines simultaneously. Example , if you need to test your application on Windows 2000, Windows XP and Windows 2000 SP 2, you can have SilkTest agent installed on these machines and run automated test suite in parallel on all these machines at once. Feature like this, saves precious execution time for the testers.

In the next series we will discuss the testing process of silk test and will learn to create simple 4test scripts.

(to be continued…)

By Kuldeep Singh

Introduction: This document has been prepared in order to resolve the issue that might occur during Invocation of RPT- Agent Controller process on Linux Machine.

Requirement: Our requirement was to generate the load from Linux machine (client) on the application server

For this, we have installed Load Generating tool (Rational Performance Tool version - 7.0.2) on window machine (OS: Window XP 2000 Profession SP-2) and RPT-Agent controller Process (version-7.0.2.1) on Linux machine (OS-Red Hat Enterprise Linux AS release 4-Nahant).

Below are enlisted some of the issues which were encountered during the load distribution through load generating machine (RPT) to Linux machine.

On executing the performance schedule we were getting the following error “Connection failed on host 172.23.244.207”.

————————————————————

 Security Message

Connection failed on host 172.23.244.207

Reason:
IWAT0284E The agent controller is not available on host 172.23.244.207
Make sure that:
*the agent controller is installed.
*the agent controller is configured to communicate with your machine
*you have the correct host name and port number for the agent controller.

————————————————————–

Possible reason: The above error might have occurred due to Agent Controller is not installed or is not running on Linux machine.
Since, on Linux machine Agent Controller process (RAServer) process is not started automatically. So, we have to start this process manually.

Starting and Stopping Agent Controller on Linux machine:
• To start the Agent Controller process (RAServer) on Linux machine, move to the Installation location’s bin directory (for e.g. /opt/IBM/AgentController/bin). Then execute the following command
./RAStart.sh

• To stop the Agent Controller process (RAServer) on Linux machine, move to the Installation location’s bin directory ( for e.g. /opt/IBM/AgentController/bin) and then execute the following command
 ./RAStop.sh

On trying to start the Agent Controller process on Linux machine we may get the following Errors. (Below section describe the Error description, reason and resolution for the same)

Error:
1) Starting Agent Controller
“RAServer: error while loading shared libraries: libstdc++-libc6.2-2.so.3: cannot open shared object file: Error 40 No such file or directory.
RAServer failed to start.” Error

Possible Reason: Since the Agent Controller is compiled using libstdc++-libc6.2-2.so.3 shared library. Ensure that this shared library exists under the /usr/lib directory. If it does not exist, then you have to install the RPM package compat-libstdc++ that comes with the operating system installation media.
Note: - To make sure that libstdc++-libc6.2-2.so.3 shared library is available in the /usr/lib directory:
Move to the /usr/lib directory and execute the following command at the Shell prompt.
 # ls –l libstdc*

Resolution:
The solution is to install the standard C++ compatibility libraries in order to satisfy this library dependency. The version of Linux on the client machine will determine what RPM or software package needs to be installed.
In our case, since we are using Red Hat Enterprise Linux As Release 4 (Nahant) Operating System on Linux machine, we need to install compat-libstdc++-296-2.96.132.7.2.i386.rpm package that is located on the Red Hat 4.0 Installation Disc 3.
Note: For more which rpm package required installing, browse the following link
http://seer.entsupport.symantec.com/docs/267077.htm

We can also download required rpm package from the following link
http://rpmfind.net/linux/rpm2html/search.php?query=libstdc%2B%2B-libc6.2-2.so.3&submit=Search
http://rpmfind.net/linux/RPM.

How to Install Required RPM Package:
1) Insert the required disc in CD-ROM and change the directory Red Hat/RPMS from Shell command.
  cd media/CDROM/Red Hat/RPMS/
2) Enter the following command and execute
rpm –ivh compat-libstdc++-296-2.96-132.7.2.i386.rpm
If installation is successful, you see the following message:
Preparing…   ########################################### [100%]
1:compat-libstdc++-296   ################################## [100%]
RPM prints out the name of the package and then prints a succession of hash marks as the package is installed as a progress meter.
Note: For more information on RPM package browse the following link
http://www.faqs.org/docs/securing/chap3sec20.html

Now we can start the Agent Controller Process (RAServer) on Linux machine. Following message should be displayed on successfully start the Agent Controller Process.

Starting Agent Controller
RAServer Started Successfully
RPM prints out the name of the package and then prints a succession

2) “RAServer failed to Start” Error
Possible Reason: This failure is usually caused when TCP/IP port 1002 is not free. Agent Controller listens on this port by default. Agent controller was just stopped and restarted before the port could be released.
• If Agent Controller failed to start. You can start it as follows:
If port 10002 is being used by another process, you can change the port number by editing the serviceconfig.xml file. Serviceconfig.xml file is located in Installation Location Config’s directory /opt/IBM/AgentController/Config/

• If Agent Controller was just stopped, wait a few minutes and try to start it again.

By Vaibhav Agarwal

There are several parameters to look for bad performing oracle. If you are lucky then for most of the DB related problems you will receive some kind of ORA errors, else it’s up to you to find the culprit.

Mostly sessions, processes, and memory allocation to different pools and cache of DB are some of the areas to tune.

If the database is in shared server mode then look for number of Dispatchers available. (Optional background processes, present only when a shared server configuration is used. At least one dispatcher process is created for every communication protocol in use (D000, . . ., Dnnn). Each dispatcher process is responsible for routing requests from connected user processes to available shared server processes and returning the responses back to the appropriate user processes)

For setting up the optimal values for all the best way is to use Automatic Shared Memory Management feature of oracle.

Oracle DB consists of SGA (system global area). SGA comprises several memory areas, including the buffer cache, shared pool, Java pool, large pool, and redo log buffers.

These pools occupy fixed amounts of memory in the operating system’s memory space; their sizes are specified by the DBA in the initialization parameter files (pfile and spfile).

Alternatively SGA is a group of shared memory structures that contain data and control information for one Oracle database instance. If multiple users are concurrently connected to the same instance, then the data in the instance’s SGA is shared among the users. Consequently, the SGA is sometimes referred to as the shared global area.

Values of different parameter can be changed in pfile and then spfile needs to be created from the changed pfile, as DB reads from spfile not from pfile.

Setting up Automatic Shared Memory Management

Let’s see how this works. First, determine the total size of the SGA. You can estimate this value by determining how much memory is allocated right now.

SQL> select sum(value)/1024/1024 from v$sga;

SUM(VALUE)/1024/1024
——————–
500

The current total size of the SGA right now is approximately 500MB, which will become the value of SGA_TARGET. Next, issue the statement:

alter system set sga_target = 500M scope=both;

This approach obviates the need to set individual values for the pools; thus, you’ll need to make their values zero in the parameter file or remove them completely.

shared_pool_size = 0
large_pool_size = 0
java_pool_size = 0
db_cache_size = 0

Recycle the database to make the values take effect.

This manual process can also be implemented via Enterprise Manager 10g. From the database home page, choose the “Administration” tab and then “Memory Parameters.” For manually configured memory parameters, the button marked “Enable” will be displayed, along with the values of all manually configured pools. Click the “Enable” button to turn Automatic Shared Memory Management on. Enterprise Manager does the rest.

After the automatic memory allocations are configured, you can check their sizes with the following:

SQL> select current_size from v$buffer_pool;

POOL MBYTES
———— ———-
java pool 4
large pool 4
shared pool 148

Which Pools are Not Affected?

Some pools in SGA are not subject to dynamic resizing, and must be specified explicitly.
Examples of these pools are block size and log buffer. Their sizes will remain constant; they will not shrink or expand based on load. (In 10g, a new type of pool can also be defined in the SGA: Streams pool, set with parameter streams_pool_size. This pool is also not subject to automatic memory tuning.)

By Atish Singh

What is SQL injection?
SQL injection is a type of security exploit in which the attacker “injects” SQL code through a web form input box, to gain access to resources, or make changes to data. It is a technique of injecting SQL commands to exploit non- validated input vulnerabilities in a web application database backend. Programmers use sequential commands with user input, making it easier for attackers to inject commands. Attackers can execute arbitrary SQL commands through the web application.

It exploits web applications that use client-supplied SQL queries. It enables an attacker to execute unauthorized SQL commands. It also takes advantage of unsafe queries in web applications, and builds dynamic SQL queries. For example, when a user logs onto a web page by using a user name and password for validation, a SQL query is used. However, the attacker can use SQL injection to send specially crafted username and password fields that poison the original SQL query.

Where to look for SQL injection?

SQL injection is possible at any pages that allow a user to submit data, for example a log in page, search page, feedback, etc. HTML pages that use POST or GET commands. If POST is used, we cannot see the parameters in the URL. Then we should check the source code of the HTML to get information ,for example ,to check whether it is using POST or GET, look for the <form> tag in the source code

<Form action=search.asp method=post>
<input type=hidden name=X value=z>
</Form>
If input is not given, check for pages like ASP, JSP, CGI, or PHP and check the URL that takes the following parameters:
Example
http://www.xyz.com/index.asp?id=100

How to perform SQL Injection and how it works?
To check SQL injection is possible or not, first try a single quote as a input and wait for response from server if server respond SQL Server error like
Microsoft OLEDB provider for ODBC Drivers
Error ‘8004De14’
[Microsoft] [ODBC Microsoft Access Driver] extra )
In query expression ‘userid=’3306’)or(‘a’=’a’ and password=’”.
/_booking/login3.asp, line 49
the time is to celebrate.

Lets take an example for Login Page where username and password is stored in database and the SQL is fired for retrieve username and password for validation of user.

The original query is
strQry=”select count(*) from users where Username=’ ” +txtUser.text + “’ AND
password=’” + txtPassword.Text +”’”;
In the case of the user entering a valid user name of “abc” and a password of “password”, strQry becomes:
Select Count(*) from users where Username =’abc’ and password=’password’
But when the hackers enter ‘Or 1=1—the query now becomes:
Select count(*) from users where username=’’ or 1=1—‘ and password=’’
Because a pair of hyphens designates the beginning of commenting in SQL, the query becomes simply:
Select count(*) from users where username=’’ or 1=1
This works because the condition 1=1 is always true so interpreter of SQL is confused, and it validates to the injector as a user which is first user in database (may be Admin).

If the input is not taken directly by textbox then try another option from which data goes to query string like the URL
http://www.xyz.com/index.asp?id=100
Here temper the id value assigned single quote or some always true value
http://www.xyz.com/index.asp?id=aaa’ or 1=1—

There are different SQL Injection techniques:
1. Authorization bypass
Bypassing log on forms
2. Using the SELECT command
Used to retrieve data from the database
3. Using the INSERT command
Used to add information to the database
4. Using SQL server stored procedures

This are some inputs which are always true
•    abc’ or 1=1—
•    login:abc’ or 1=1—
•    password:abc’ or 1=1—
•    http://search/index.asp?id=abc’ or 1=1—
•    Depending on the query, try the following possibilities:
•    ‘ or 1=1—
•    “ or 1=1—
•    ‘or  ‘a’=’a
•    “ or “a”=”a
•    ‘) or (‘a’=’a)

How to avoid SQL Injection?

To protect from SQL Injection we should avoid the use of interpreter if possible otherwise use safe APIs, Strongly typed parameterized queries (ORM). They handle data escaping.  Validate all input data (length, type, syntax, business rules etc) validation is done before displaying or storing any data, Validation must be done server-side(JavaScript validation doesn’t bring any security) Enforce least privilege, Configure your DB such that the web account can’t do more than what is expected, avoid detailed error messages, Give access to versions numbers, Give access to parts of the code, Give access to configurations, Use stored procedures.