Friday, September 14, 2012

Priority and Severity in Software Testing


Severity measures how much a bug impacts the system: how serious the defect is with respect to the functionality of the product. It is a technical attribute of the defect and reflects how bad the bug is for the system, independent of when the business wants it fixed. Severity is assigned by the tester (the QA engineer) when the defect is logged.

Severity can be categorized into the following levels:
Blocker
Critical
Major
Minor
Trivial (also known as Cosmetic)
Enhancement (suggestion)

Priority is based on how soon the bug should be fixed. Should we fix it now, or can it wait? How difficult is it to resolve? How many resources will be tied up by the fix? Priority is therefore a business and scheduling decision rather than a purely technical one.
Priority is set by the test lead or project manager.

Priority can be categorized into the following levels:
Urgent
High
Medium
Low

Let us take some examples of severity and priority:

High priority and low severity:
If the Gmail logo is rendered incorrectly there is no functional defect, so the severity is low. But the logo represents the business name, so anyone would want it corrected as quickly as possible. It is therefore high priority and low severity.

Low priority and high severity:
Suppose an application generates banking reports monthly, quarterly and yearly, performing calculations for each. A mistake in the yearly statement calculation is a high-severity fault, because it produces wrong financial figures. But the next yearly run may be months away, so the fix can be scheduled for the next release as a change request: low priority.

High priority and high severity:
In the same banking application, a fault in calculating the weekly report is both high severity and high priority: within a week it will block the application's core functionality, so it must be fixed immediately.

Low priority and low severity:
A spelling mistake on a page that receives very few hits in a month is low severity and low priority.

A note for experienced candidates: when answering this simple question, most testers take their examples from global products like Yahoo, Google or Rediff.
In my opinion this is a bad habit. Always give examples from your current or previous projects; it leaves a much better impression on the interviewer. Once you know what "priority" and "severity" mean, prepare examples from your own current or previous projects.

Thursday, September 6, 2012

Selenium Testing


Selenium automates web applications for testing purposes. Nearly all software applications today are written as web applications that run in a browser, and since many organizations now use some form of Agile methodology, test automation is frequently a requirement for software projects. Test automation means using a software tool to run repeatable tests against the application under test.
The advantages of automation tools are the repeatability of the tests and the speed at which they can be executed. Selenium is possibly the most widely used open source solution. It supports several languages (Java, JavaScript, Ruby, PHP, Python, Perl and C#) and almost every major browser.


Wednesday, September 5, 2012

Difference between QA & QC

Quality Assurance & Quality Control

By definition, quality assurance is the set of activities that verify whether a product or service will meet or exceed customer expectations. It follows the four-step Plan, Do, Check, Act cycle: the quality assurance team plans how to produce a product or service that will satisfy the customer at release; the plan is then executed, and the deliverables are checked for conformity or variance so that corrective action can be taken.

Quality control, on the other hand, is the process employed to ensure a certain level of quality in a product or service. Test engineers fall under QC, because the QC group's responsibility is to test the application before it is delivered to the client. QC performs validation, which includes actual testing: functional, regression, sanity and so on.

The QA group is process oriented; its responsibility is to implement the process and verify that it is followed. QA is proactive. QA performs verification, which includes inspections, walkthroughs, audits and so on.
QA and testing both make software better: QA improves quality by improving the development process and its methods and systems, while testing improves it by finding defects and enabling corrections.

Quality assurance makes sure you are doing the right things, the right way.
Quality control makes sure the result of what you have done is what you expected.
Generally, QA and QC (test engineers) are separate groups with different functions.

Wednesday, August 29, 2012

XSS - Cross Site Scripting


Cross-site scripting (XSS) flaws are among the most common issues in web application security.
XSS is a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. An XSS attack occurs when an attacker uses a web application to deliver malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks are widespread: they occur anywhere a web application places user-supplied input into the output it generates without validating or encoding it.
The end user's browser has no way to know that the script should not be trusted, so it executes it. Because the script appears to come from the trusted site, it runs in that site's origin and can read any cookies, session tokens or other sensitive information the browser holds for that site. It can also rewrite the content of the HTML page, for example to present a fake login form.

Cross-site scripting (XSS) attacks occur when:
  • Data enters a web application through an untrusted source, most frequently a web request.
  • The data is included in dynamic content that is sent to a web user without being validated or encoded.

Black box testing and example

One way to test for XSS vulnerabilities is to check whether an application or web server reflects a request containing a simple script back in an HTTP response in a form the browser will execute. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending it a request such as the following produces a response that a web browser will execute:

http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>

The script is executed because the application generates an error message that contains the original request data unchanged, and the browser treats the response as HTML originating from the server, including the injected script. Any web server or web application that reflects request data into a page is potentially vulnerable in this way. Trying to block such attacks by filtering "bad" strings is unreliable; the dependable defence is to encode untrusted data for the context in which it is placed (HTML body, attribute, JavaScript or URL) before it reaches the response.

Example 1:
Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case, which breaks inline JavaScript payloads. If this is the case, a tester can try VBScript instead, since it is not case sensitive. Note that VBScript only ever executed in Internet Explorer and is disabled in current IE versions, so this bypass demonstrates why case conversion is a poor filter rather than being a universal attack; the real fix is output encoding, not case conversion.

JavaScript:
<script>alert(document.cookie);</script>
VBScript:
<script type="text/vbscript">alert(DOCUMENT.COOKIE)</script>
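To make the reflection test concrete, here is an added example written for this page (it is not code from the original post or from Sambar Server): three hypothetical Node.js error-page handlers that echo a query parameter, one raw, one with the upper-casing "filter" from Example 1, and one with HTML entity encoding, together with the black-box check a tester applies to each response. The handler names, `auditHandlers` and the probe page layout are my own assumptions; no real server is contacted.

```javascript
// Added example, not code from the original post: a simulation of the
// black-box reflected-XSS check described above. The render*() handlers
// are hypothetical error pages that echo a query string; no real server
// is contacted.
const PROBE = '<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>';

// Vulnerable handler: echoes untrusted input straight into HTML, as the
// error page in the text is described to do.
function renderErrorPageVulnerable(param) {
  return `<html><body><p>Error: unknown parameter "${param}"</p></body></html>`;
}

// Flawed "filter" from Example 1: upper-casing breaks the JavaScript
// identifiers but not the tag structure. The browser still parses
// <SCRIPT>, and VBScript on legacy Internet Explorer ignores case anyway.
function renderErrorPageUppercased(param) {
  return renderErrorPageVulnerable(param.toUpperCase());
}

// Correct fix: encode the characters that are significant in an HTML text
// context before placing untrusted data in the page.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderErrorPageEncoded(param) {
  return `<html><body><p>Error: unknown parameter "${htmlEncode(param)}"</p></body></html>`;
}

// The black-box check: does a <script ...> tag (in any case) survive in
// the response body? A tester does the same against a captured response.
function reflectsScript(body) {
  return /<script\b[^>]*>/i.test(body);
}

// Send the probe through each handler and report which ones reflect it
// as executable script. Returns { vulnerable, uppercased, encoded }.
function auditHandlers(probe) {
  const handlers = {
    vulnerable: renderErrorPageVulnerable,
    uppercased: renderErrorPageUppercased,
    encoded: renderErrorPageEncoded,
  };
  const report = {};
  for (const [name, handler] of Object.entries(handlers)) {
    report[name] = reflectsScript(handler(probe));
  }
  return report;
}

function printReport(probe) {
  for (const [name, reflected] of Object.entries(auditHandlers(probe))) {
    console.log(`${name.padEnd(10)} reflects executable script: ${reflected}`);
  }
}

printReport(PROBE);
```

Run it with `node` and the report shows the raw and upper-cased handlers both reflecting an executable script tag while the encoded handler does not; the regex check is deliberately case-insensitive so that the upper-casing "mitigation" is caught for what it is.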

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can remove them and make the application and its data safe from unauthorized actions.

Next: SQL Injection