MosQA #2: meetup materials and a walkthrough of every flag in the quest



On February 25, the second meetup of the MosQA testers' community took place at the Mail.ru Group office in Moscow. We talked about how developers at Badoo also started writing tests, shared a universal interview task for Python, and the guys from OK told us how they measure the performance of their Android application. To add some drive and brain activity, we offered the participants a quiz held in CTF (Capture The Flag) format. CTFs are usually run for hackers and security professionals: during the competition you capture flags by exploiting one vulnerability or another. In our case the task was to test a comment form and the site the form lived on. You can watch and try your hand on the MosQA CTF website. And for those who have long been waiting for the write-up, read on.

Program:


“A common language with developers, or why we started writing tests in Go”


Ekaterina Kharitonova, Sr. QA engineer, Badoo

A talk on our experience of testing services with test frameworks in PHP and Go, on why test documentation does not go stale here, and on how developers and testers learned to work together as efficiently as possible, without bothering each other with unnecessary communication.



"How to find your hero? Interviewing an autotest developer (in Python)"


Andrey Yakovlev, lead test automation specialist, Mail.ru Group

I will share what I think is an interesting case study: how to interview and evaluate a developer of automated tests in Python using a single problem.



"Performance measurements in the OK.RU Android application"


Anton Smolyanin, Test Automation Engineer, Odnoklassniki project, Mail.ru Group

In the talk I will explain why measure at all, show the speed-up graphs, tell the story of how the slow parts of the application were found and fixed, and cover Google's recommendations on the subject.



CTF Quest


The right platform for the CTF was not found right away: there are open-source CTF platforms for security competitions, but their format did not suit us. In the end, over two evenings in a bar (the same one where the after-party was held after the meetup), Alexey Androsov (doochik) sketched a solution on his knee. We added the cases and the UI just a few hours before the event and tested it straight in production. As usual, we found a couple of rough edges; more on them below. Don't judge too harshly: we wanted it to be fun, and it seems we managed to give you some.

Answers were submitted in the "Name" field. They came in two formats: cases and flags. A case is text that matches a regular expression and represents a test case for a text field: the standard checks of length limits, handling of user input, and so on.

There were 15 cases in total:

  1. Empty line
  2. 1 character
  3. Space at the beginning
  4. Single space
  5. Space at the end
  6. Spaces in the middle
  7. 9 characters
  8. 10 characters
  9. 11 characters
  10. An HTML tag, e.g. <h1>
  11. An XSS injection, e.g. <script>alert()</script>
  12. A SQL injection: a string beginning with an apostrophe
  13. Any character outside the letters-and-digits class [a-zA-Z0-9]
  14. A non-ASCII character; an emoji would do
  15. A newline character

The last item comes with an asterisk. The form escapes the newline character, so to get that flag you had to get a line feed into the request some other way, for example:

The second answer format is flags. They were placed in parts of the site where, in our opinion, a responsible honey badger ought to look. Each flag was a random string that looked like a hash, so it would be hard to see one and walk past. Here is where they were hidden:

  1. On the 404 page
  2. In robots.txt
  3. In the OG tags. Yes, they need to be checked too!
  4. In the page source
  5. In the x-token cookie
  6. In the name of a resource that did not exist on the server and showed up in the browser console with a 404 status
  7. On the page when visiting from IE (or when spoofing it in the User-Agent header)
  8. By sending GET instead of POST to the URL the form data was submitted to
  9. And in the source of the mosqa.ru/admin page

24 points in total: 15 cases plus 9 flags.
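Here is an added example, not code from the MosQA platform, that puts the two lists above into a script: `form_body` shows how case 15 (a newline) gets past the form's client-side escaping when you send the POST yourself (a literal LF encodes as %0A), and `hunt` walks the flag locations from the second list and scans bodies, headers and cookies for hash-looking strings. The site root, the form's action URL and field name, and the hex shape of the flags are assumptions; the page only names mosqa.ru/admin and the "Name" field. The transport is injectable so the scan can be exercised offline against constructed responses.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumptions (not stated on the page): the site root, the form's action URL
# and the field name. The page only names mosqa.ru/admin and the "Name" field.
BASE = "http://mosqa.ru"
FORM_ACTION = BASE + "/comment"
FIELD = "name"
# IE11 user-agent string (Trident token), for the "entering from IE" flag.
IE_UA = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
# Flags were "a random set of characters, similar to a hash"; a run of 16..64
# hex digits is the assumed shape. Widen the alphabet if your flags differ.
FLAG_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{16,64}(?![0-9a-fA-F])")


def form_body(value, field=FIELD):
    """Body for a direct POST to the form action (case 15 of the list above).
    A literal LF in the field survives as %0A, which is how you get a newline
    past client-side escaping in the browser form."""
    return urllib.parse.urlencode({field: value}).encode("ascii")


def http_fetch(method, url, headers=None):
    """Real transport. Returns (status, [(header, value), ...], body) and does
    not raise on 4xx/5xx, because the 404 page is one of the places to look."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, list(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items()), err.read().decode("utf-8", "replace")


def candidates(text):
    """Hash-looking tokens in any text: body, header value or cookie."""
    return sorted(set(FLAG_RE.findall(text)))


def probes(base=BASE, form_action=FORM_ACTION):
    """The spots from the write-up, as (label, method, url, extra headers).
    One GET of / covers the page source, OG tags, the x-token cookie and the
    name of a missing resource, because all of those are in that response."""
    return [
        ("404 page", "GET", base + "/this-page-does-not-exist", {}),
        ("robots.txt", "GET", base + "/robots.txt", {}),
        ("page source", "GET", base + "/", {}),
        ("IE User-Agent", "GET", base + "/", {"User-Agent": IE_UA}),
        ("GET on the form action", "GET", form_action, {}),
        ("admin page source", "GET", base + "/admin", {}),
    ]


def hunt(fetch=http_fetch, base=BASE, form_action=FORM_ACTION):
    """Run every probe and return {label: [flags]} for the ones that hit.
    Response headers are scanned as well as the body (the x-token cookie)."""
    found = {}
    for label, method, url, extra in probes(base, form_action):
        _status, headers, body = fetch(method, url, extra)
        hits = candidates(body)
        for _name, value in headers:
            hits.extend(candidates(value))
        if hits:
            found[label] = sorted(set(hits))
    return found


if __name__ == "__main__":
    for label, flags in hunt().items():
        print(label, flags)
```

Run it as-is against a live target and it prints one line per location that yielded a candidate; to try it without a network, pass your own `fetch(method, url, headers)` returning `(status, header_pairs, body)`. Note that the POST-versus-GET flag and the missing-resource name both fall out of the same scan: the former because the form action is requested with GET, the latter because the resource name sits in the page source.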

Once again, congratulations to the winners, who took home some cool T-shirts. Sonic, if you are reading this, get in touch: your T-shirt is waiting for you.

We are releasing the platform as open source under the MIT license. Add your own cases and flags, fix bugs, and build new cool quests.

We are always glad to see new honey badgers in our cozy chat. We want more honey badgers. So if you are ready to put together a digest, look for speakers or find new venues, a cool T-shirt is yours. And if you feel up to preparing a talk of your own, we are all the more glad.

P.S. All the materials (photos, slides, and the videos separately) can be found in our Cloud.

Honey badgers, go ahead! :)
