TesterHQ - The Evil Tester Blog Aggregator

May 15, 2018 - 5 minute read - Mailing List

Mailing - 15th May 2018 - The Evil Tester Newsletter - Hacking and being hacked

This mailing list email was sent via SendInBlue

To comply with GDPR, because I have moved email sending providers and all double opt-in information was not migrated, if you wish to continue receiving this email after May 20th, I need to ask you to confirm your double opt-in to this list. You can do this by clicking on this link which will redirect you to my website and double opt-in your email address to the list. You can also visit the email list sign up page and fill in your details and see the full usage conditions for your email (summary: we keep it private, we never share it, we send newsletters).

Summary

On Getting Hacked

Yesterday, I spent the day hacking a WordPress site and fixing my own site after it had been hacked.

I wrote a write up of the situation on my blog and I’ll provide some additional and different information here.

I’ve always been nervous about WordPress after a very early version of EvilTester.com was hacked. That was completely my fault because I left the site alone, without patching or monitoring. I moved to static sites after that and hosted on Blogger. I don’t particularly like Blogger as a platform - the HTML it uses is abhorrent but it is secure, easy to use and the commenting works well.

Once something is working, we tend to stick with it. And WordPress seemed to be working for SeleniumSimplified.com - I even had it set to auto update.

But something went wrong and someone was able to insert malicious script tags into the posts. I’m not even sure what they did, I think they periodically redirected you to some other sites.

This type of incident stresses the importance of:

  • backups and the ability to restore
  • redundancy (I have my posts on TesterHQ.com as well as other sites)
  • monitoring (my web host monitored the site for me)
  • contingency planning (what do you do in the event of failure)
  • risk tolerance (making decisions based on how much risk you are prepared to live with)

Also, keeping things simple.

I have removed all third-party plugins from WordPress over the years as they are a constant source of vulnerabilities. I found an outdated plugin on a vulnerable site recently and was able to use the vulnerability to view the wp-config.php file and therefore see the database username and password. And even without these vulnerabilities, I found plugins slowed down the site, impacted upgrades, and constantly tied me to the platform.

And WordPress isn’t actually ‘simple’. It’s a fairly complicated solution for most of the use-cases it is deployed for. Most people write posts and receive comments. A simple solution would be a set of text files, converted into HTML with a theme, and a commenting facility. WordPress is not this; it is a database-driven CMS which supports extensive customisation. Overkill for what most of us use it for.

So many of our systems are like this. And the more complicated we make the solution, the more we have to test it and automate the continuous verification of acceptance criteria (because the scope grows too large to verify manually). A complicated solution complicates the entire development process.

Trying to keep things simple can help prevent risks from creeping in in the first place.

If you find that your automated execution code or test process has become over complicated then I might be able to help via consultancy, or remote code reviews. Contact me for more details.

A quick tip on automating from the JavaScript console

I released a JavaScript game last week.

compendiumdev.co.uk/games/buggygames/protect_the_square/protect_the_square.html

It is very malleable.

For instance, here is a very simple script you can run from the console which will make the player jiggle left and right in the hope that the enemies find it harder to kill.

autoJiggleMove = function(){
    // shift the player by -1, 0 or +1 so it jiggles left and right
    // (floor(random * 2) - 1 would only ever give -1 or 0, i.e. a steady drift left)
    homeSquare.x += Math.floor(Math.random() * 3) - 1;
}
var autoMoveBot = window.setInterval(autoJiggleMove, 100);

To stop the movement, issue the command:

window.clearInterval(autoMoveBot)

I have found that I’m using simple scripts like this from the console more often now to help me set up data and manipulate systems into the state required for testing. It also helps me understand the underlying code for the web application in more detail.

If you are interested, hunt around in the code and see if you can identify how to make the bot shoot instead of move.

Because this script uses setInterval, it runs in the ‘background’ while the application is running, which is very useful for monitoring and supporting your testing activities.
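A slightly more reusable version of the console bot, added here as an example; it is not code from the original newsletter or from the game itself. The only game internal it relies on is the global homeSquare with a numeric x, as used in the tip above. The clamp bounds (0 to 600), the injectable rng parameter, the background monitor that records what x actually did, and the stand-in square used when no game is loaded are all assumptions for illustration. In the console, paste the whole thing as-is and it will pick up the real homeSquare; outside the game page it falls back to the constructed stand-in so it still runs.

```javascript
// Added example (not the game's own code): a start/stop console bot plus a
// background monitor. Assumes a global `homeSquare` with a numeric `x`.

// Use the game's object when it exists; otherwise a constructed stand-in so
// the snippet also runs in Node. `typeof` avoids a ReferenceError here.
var square = (typeof homeSquare !== 'undefined') ? homeSquare : { x: 100 };

// Build a step function: move by -1, 0 or +1 and clamp to [minX, maxX]
// (assumed bounds). `rng` defaults to Math.random; inject a fixed one to
// make the behaviour deterministic in a test.
function makeJiggler(sq, minX, maxX, rng) {
  rng = rng || Math.random;
  return function step() {
    var delta = Math.floor(rng() * 3) - 1;   // -1, 0 or +1
    var next = sq.x + delta;
    if (next < minX) next = minX;
    if (next > maxX) next = maxX;
    sq.x = next;
    return sq.x;
  };
}

// Background monitor: sample an observable on every tick and keep the
// history, so after a run you can check what the application actually did
// rather than what you hoped it did.
function makeMonitor(readState) {
  var samples = [];
  return {
    sample: function () { samples.push(readState()); return samples.length; },
    history: function () { return samples.slice(); },
    changed: function () {   // true if any two consecutive samples differ
      for (var i = 1; i < samples.length; i++) {
        if (samples[i] !== samples[i - 1]) return true;
      }
      return false;
    }
  };
}

// Wrap setInterval so every bot hands back a single stop handle instead of
// a raw interval id you have to remember.
function startBot(fn, ms) {
  var id = setInterval(fn, ms);
  return { stop: function () { clearInterval(id); } };
}

// Usage: jiggle every 100ms, sample x every 250ms, stop both after a second.
// In the console, drop the setTimeout and call bots.forEach(b => b.stop())
// yourself when you are done; monitor.history() then shows the trace.
var jiggle = makeJiggler(square, 0, 600);
var monitor = makeMonitor(function () { return square.x; });
var bots = [startBot(jiggle, 100), startBot(monitor.sample, 250)];
setTimeout(function () { bots.forEach(function (b) { b.stop(); }); }, 1000);
```

Separating the step function from the scheduling is what makes this checkable: the step can be driven by hand with a fixed rng and asserted on, while the monitor gives you a record of the state the bot drove the game into, which is the part you actually care about when using console scripts to support a test.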

I cover the basics of this type of automating and interaction on my online course Technical Web Testing 101 - https://www.compendiumdev.co.uk/page/techweb101course

Thanks for your Support

I do appreciate the emails and tweets etc that I receive describing how my books and courses have helped people.

When you do buy the books and courses it does help support my work. So thank you for that.

Also, watching and liking my YouTube videos helps boost their ranking in the search engine. If you haven’t subscribed to the YouTube channel then you can do so by following this link goo.gl/8MdLpU. If you have subscribed but don’t receive emails from YouTube when I upload videos, you can enable them by clicking the bell notification button next to your subscribe status on YouTube.

Thanks

Thanks for signing up for the newsletter. I hope some of this information is useful to you.

If you need short-term help improving your software testing or automated execution then I do have a few days per month available and you might be able to hire me to help via consultancy or training. Contact me via my website.

You can reply directly to this email with any questions and comments and they will only be sent to me.

Thanks,

Alan


Alan Richardson