Pull to refresh

Web services testing *

Seven tasks for test, one for deploy

Show first
Rating limit

Testing Metrics You Must Add to Your Process

Иннотех corporate blog IT systems testing *Web services testing *Mobile applications testing *Game testing *

Testing is one of the key processes in development. However, without analysis it is tough to say how effective testers really are. Innotech’s lead tester-engineer Pavel Petrov shared a number of metrics that are being used in project work.

Read more
Rating 0
Views 3K
Comments 2

Stop losing clients! Or how a developer can test a website, by the example of PVS-Studio. Part 1

PVS-Studio corporate blog IT systems testing *Python *Django *Web services testing *

A website with bugs could be a real pain in the neck for business. Just one 404 or 500 error could end up costing an obscene amount of money for the company and hurt a good reputation. But there is a way to avoid this issue: the website testing. That's sort of what this article is about. After reading this article, you will learn how to test code in Django, create your "own website tester" and much more. Welcome to the article.

Read more
Rating 0
Views 548
Comments 2

Helpful service for microservice JSON-RPC based test automation

IT systems testing *Web services testing *

Test automation, with product built in microservice architecture could be very situational in context of testing goals and ways to achieve them. You got an easy life if you testing a service, that is an isolated entity, which is receiving some data and providing a result of it's work in a response, by callback or through additional endpoint. In this case all you need to do is cover all the endpoints of the service, and probably learn to catch it's callbacks. However, it's not the only case. Sometimes you need to test service which isn't totally isolated, but a part of a chain of interactions. This service could send some data to other services within your infrastructure or even to third parties. This time you got plenty of additional things to bother of:

Read more
Rating 0
Views 599
Comments 0

Application performance monitoring and health metrics without APM

IT systems testing *System administration *IT Infrastructure *Web services testing *Service Desk *

I have already written about AIOps and machine learning methods in working with IT incidents, about hybrid umbrella monitoring and various approaches to service management. Now I would like to share a very specific algorithm, how one can quickly get information about functioning conditions of business applications using synthetic monitoring and how to build, on this basis, the health metric of business services at no special cost. The story is based on a real case of implementing the algorithm into the IT system of one of the airlines.

Currently there are many APM systems, such as Appdynamics, Dynatrace, and others, having a UX control module inside that uses synthetic checks. And if the task is to learn about failures quicker than customers, I will tell you why all these APM systems are not needed. Also, nowadays health metrics are a fashionable feature of APM and I will show how you can build them without APM. 

Читать далее
Rating 0
Views 1.1K
Comments 0

How to choose the appropriate level of statistical significance for an AB-test

Web services testing *Product Management *Statistics in IT

Nowadays a lot of product managers have to confirm most of their decisions with AB-tests. Yet, it is far not always clear how to choose the parameters for the test. A particularly difficult parameter to tune is often the level of statistical significance. If we choose too high level - tests will fail even though improvements do exist. If we choose too low level - we'll be getting lots of "confirmations" of false improvements.

When we make decisions based on AB-tests, once in a while we'll be making mistakes. We can limit the losses caused by such mistakes by choosing the appropriate level of statistical significance.

Read more
Rating 0
Views 533
Comments 0

Revealed: 7 Top Web Development Companies & Trends for 2021

Web design *Website development *Web services testing *Web analytics *Web services monetization *

As we enter a new decade, the IT industry has also encountered many loopholes that we must work on. Seeing this, hundreds of motivated young minds have decided to become entrepreneurs. But is it so easy to succeed in a world where competition is already so high?

Bluntly, the answer is NO. It is not easy to be successful, and the reason for these startups' failure is the lack of digital presence or inadequate technical support. Another major reason that has been seen is the wrong choice of the web development company.

Hiring dedicated web developers may seem like an easy task at first, but it is not. It is one of the most challenging tasks. And to prevent you from falling into the pits of failure, I have created a list of the 7 best web development companies in India and abroad.
Read more →
Rating 0
Views 6.9K
Comments 0

Tests as must have for complex projects

Website development *Ruby *TDD *Ruby on Rails *Web services testing *

Development in its pure form is not only writing code, but also a number of manipulations that are necessary for its correct and timely work. Testing in development takes the lion's share of both time and resources, but proper testing will bring only time savings and the best result for the client.

Read more →
Rating 0
Views 1.3K
Comments 0

Are my open-source libraries vulnerable? (2 min reading to make your life more secure)

Information Security *IT systems testing *Web services testing *Mobile applications testing *DevOps *

The explosion of open source and issues related to it

The amount of open source or other third party code used in a software project is estimated as 60-90% of a codebase. Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts.

Conclusion: even if you perform constant security code reviews, you still might be vulnerable because of third-party components.

Some have tried to do this manually, but the sheer amount of work and data is growing and is time consuming, difficult, and error prone to manage. It would require several full time employees and skilled security analysts to constantly monitor all sources to stay on top.
Read more →
Total votes 6: ↑5 and ↓1 +4
Views 1.9K
Comments 2

V&V not for vendetta

Arcadia corporate blog IT systems testing *Web services testing *

Over the past six years, I have worked on developing and acceptance testing of the applications for conducting and supporting clinical trials. Applications of various sizes and complexity, big data, a huge number of visualizations and views, data warehousing, ETL, etc. The products are used by doctors, clinical trials management and people who are involved in the control and monitoring of research.

For the applications that have or can have a direct impact on the life and health of patients, a formal acceptance testing process is required. Acceptance test results along with the rest of the documentation package are submitted for audit to the FDA (Food and Drug Administration, USA). The FDA authorizes the use of the application as a tool for monitoring and conducting clinical trials. In total, my team has developed, tested and sent to the production more than thirty applications. In this article, I will briefly talk about acceptance testing and improvement of tools used for it.

Note: I do not pretend to be the ultimate truth and completely understand that most of what I write about is a Captain Obvious monologue. But I hope that the described can be useful to both the entry level and the teams that encounter this in everyday work, or at least it may make happy those who have simpler processes.
Read more →
Total votes 2: ↑1 and ↓1 0
Views 359
Comments 0

SOAP Routing Detours Vulnerability

Information Security *XML *Web services testing *CTF *


The WS-Routing Protocol is a protocol for exchanging SOAP messages from an initial message sender to receiver, typically via a set of intermediaries. The WS-Routing protocol is implemented as a SOAP extension, and is embedded in the SOAP Header. WS-Routing is often used to provide a way to direct XML traffic through complex environments and transactions by allowing interim way stations in the XML path to assign routing instructions to an XML document.

Taking a minimalist approach, WS-Routing encapsulates a message path within a SOAP message, so that the message contains enough information to be sent across the Internet using transports like TCP and UDP while supporting:

  • The SOAP message path model,
  • Full-duplex, one-way message patterns,
  • Full-duplex, request-response message patterns, and
  • Message correlation.

Routing Detours are a type of «Man in the Middle» attack where Intermediaries can be injected or «hijacked» to route sensitive messages to an outside location. Routing information (either in the HTTP header or in WS-Routing header) can be modified en route and traces of the routing can be removed from the header and message such that the receiving application none the wiser that a routing detour has occurred. 
Read more →
Rating 0
Views 1K
Comments 0

Testing SQL Server code with tSQLt

Arcadia corporate blog IT systems testing *SQL *Microsoft SQL Server *Web services testing *
FYI: this article is an expanded version of my talk at SQA Days #25.

Based on my experience with colleagues, I can state: DB code testing is not a widely spread practice. This can be potentially dangerous. DB logic is written by human beings just like all other «usual» code. So, there can be failures which can cause negative consequences for a product, business or users. Whether these are stored procedures helping backend or it is ETL modifying data in a warehouse — there is always a risk and testing helps to decrease it. I want to tell you what tSQLt is and how it helps us to test DB code.

Read more →
Total votes 8: ↑7 and ↓1 +6
Views 1.9K
Comments 1

How to Make Emails and Not Mess Up: Practical Tips

VK corporate blog Spamming and anti-spamming IT systems testing *Email layout *Web services testing *

A developer, who first encountered generating emails, has almost no chance to write an application, that will do it correctly. Around 40% of emails, generated by corporate applications, are violating some form of standard, and due to this, there are problems with delivery and display. There are reasons for this: emails are technically more difficult than the web, and operating emails is regulated by a few hundred standards, as well as an uncountable number of generally accepted (and not as much) practices, whereas the email clients are more varied and unpredictable than browsers. Testing may significantly improve the situation, but materials that are dedicated to testing the email system, are practically non-existent.

Mail.ru regularly interacts with its users by email. In our projects, all the components responsible for generating emails and even individual mailings, are subject to mandatory testing. In this article, we will share our experience (learning from our mistakes).
Read more →
Total votes 40: ↑40 and ↓0 +40
Views 2.4K
Comments 2

Quality as Team's responsibility. Our QA experience

IT systems testing *Web services testing *Development Management *Project management *

Disclaimer: This is a translation of an article. All rights belongs to author of original article and Miro company.

I'm a QA Engineer in Miro. Let me tell about our experiment of transferring partially testing tasks to developers and of transforming Test Engineer role into QA (Quality assurance).

First briefly about our development process. We have daily releases for client side and 3 to 5 weekly releases of server side. Team have 60+ people spitted onto 10 Functional Scrum Teams.

I'm working in Integration team. Our tasks are:

  • Integration of our service into external products
  • Integration of external products into our service
    For example we have integrated Jira. Jira Cards — visual representation of tasks so it's useful to work with tasks not opening Jira at all.


How the experiment starts

All starts with trivial issue. When someone of Test Engineers had sick leave then team performance was degraded significantly. Team was continued working on tasks. However when code was reached testing phase task was hold on. As a result new functionality didn't reach production in time.

Going onto vacation by Test Engineer is a more complex story. He/she needs to find another Test Engineer who ready to take extra tasks and conduct knowledge sharing. Going onto vacation by two Test Engineers at the sane time is not an applicable luxury.

Read more →
Total votes 9: ↑8 and ↓1 +7
Views 1.7K
Comments 0

Hack the JWT Token

Information Security *Website development *Web services testing *

For Educational Purposes Only! Intended for Hackers Penetration testers.


The algorithm HS256 uses the secret key to sign and verify each message. The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.

If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. Asymmetric Cipher Algorithm => Symmetric Cipher Algorithm.

Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
The backend code uses the RSA public key + HS256 algorithm for signature verification.


Vulnerability appear when client side validation looks like this:

const decoded = jwt.verify(
   { algorithms: ['HS256'  , 'RS256'] }          //accepted both algorithms 

Lets assume we have initial token like presented below and " => " will explain modification that attacker can make:

alg: 'RS256'                         =>  'HS256'
sub: '123',
name: 'Oleh Khomiak',
admin: 'false'                       => 'true'

The backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
Read more →
Total votes 12: ↑10 and ↓2 +8
Views 52K
Comments 0

The most common OAuth 2.0 Hacks

Information Security *Website development *Web services testing *

OAuth 2 overview

This article assumes that readers are familiar with OAuth 2. However, below a brief description of it is presented below.

  1. The application requests authorization to access service resources from the user. The application needs to provide the client ID, client secret, redirect URI and the required scopes.
  2. If the user authorizes the request, the application receives an authorization grant
  3. The application requests an access token from the authorization server by presenting authentication of its own identity, and the authorization grant
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server issues the access and refresh (if required) token to the application. Authorization is complete.
  5. The application requests the resource from the resource server and presents the access token for authentication
  6. If the access token is valid, the resource server serves the resource to the application

The are some main Pros and Cons in OAuth 2.0

  • OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
  • Wide spread and continuing growing
  • Short lived Tokens
  • Encapsulated Tokens

— No signature (relies solely on SSL/TLS ), Bearer Tokens
— No built-in security
— Can be dangerous if used from not experienced people
— Too many compromises. Working group did not make clear decisions
— Mobile integration (web views)
— Oauth 2.0 spec is not a protocol, it is rather a framework — RFC 6749

Read more →
Total votes 18: ↑17 and ↓1 +16
Views 38K
Comments 2

Authors' contribution