Software Testing Social Network

Free Software Testing Tutorial and Quality Assurance Portal

Friends

1 friend
  • kiran
ILIAZ
  • Karma
  • Member since: Tuesday, 04 August 2009 09:27
  • Last online: 862 days ago
  • Profile views: 2328 views
33 months ago
ILIAZ uploaded a new avatar. Aug 31
ILIAZ and Cristina Lape are now friends Aug 31
ILIAZ updated group, ILIAZB_Testing Aug 28
ILIAZ added a new bulletin, Web Testing Document Aug 28
kiran and ILIAZ are now friends Aug 28
kiran joined the group ILIAZB_Testing Aug 27
ILIAZ added a new bulletin, Guideliness for Software Testing Aug 14
ILIAZ added a new discussion topic for the group, ILIAZB_Testing Aug 14
ILIAZ updated group, ILIAZB_Testing Aug 14
ILIAZ created a blog entry ISTQB Sample Paper -...


ISTQB Sample Paper

1 Which of the following is a major task of test planning?
A Determining the test approach.
B Preparing test specifications.
C Evaluating exit criteria and reporting.
D Measuring and analyzing results.
2 Which of the following statements is MOST OFTEN true?
A Source-code inspections are often used in component testing.
B Component testing searches for defects in programs that are separately testable.
C Component testing is an important part of user acceptance testing.
D Component testing aims to expose problems in the interactions between software and hardware components.

 

3 In a system designed to work out the tax to be paid:
An employee has £4000 of salary tax free.
The next £1500 is taxed at 10%.
The next £28000 after that is taxed at 22%.
Any further amount is taxed at 40%.
To the nearest whole pound, which of these groups of numbers fall into three DIFFERENT equivalence classes?

A £4000; £5000; £5500.
B £32001; £34000; £36500.
C £28000; £28001; £32001.
D £4000; £4200; £5600.
4 Which of the following will NOT be detected by static analysis?
A Parameter type mismatches.
B Errors in requirements.
C Undeclared variables.
D Uncalled functions.
5 Which of the following test activities can be automated?
i Reviews and inspections.
ii Metrics gathering.
iii Test planning.
iv Test execution.
v Data generation.

A i, iii, iv.
B i, ii, iii.
C ii, iv, v.
D ii, iii, v.
6 Which of the following is an objective of a pilot project for the introduction of a testing tool?
A Evaluate testers’ competence to use the tool.
B Complete the testing of a key project.
C Assess whether the benefits will be achieved at reasonable cost.
D Discover what the requirements for the tool are.
7 What is the MAIN purpose of a Master Test Plan?
A To communicate how incidents will be managed.
B To communicate how testing will be performed.
C To produce a test schedule.
D To produce a work breakdown structure.
8 In a REACTIVE approach to testing when would you expect the bulk of the test design work to be begun?
A After the software or system has been produced.
B During development.
C As early as possible.
D During requirements analysis.
9 What is the objective of debugging?
i To localise a defect.
ii To fix a defect.
iii To show value.
iv To increase the range of testing.

A i, iii.
B ii, iii, iv.
C ii, iv.
D i, ii.
10 Given the following decision table
What is the expected result for each of the following test cases?
A. TC1: Fred is a 32 year old smoker resident in London
B. TC3: Jean-Michel is a 65 year old non-smoker resident in Paris

A A – Insure, 10% discount, B – Insure, no discount.
B A – Don’t insure, B – Don’t insure.
C A – Insure, no discount, B – Don’t insure.
D A – Insure, no discount, B – Insure with 10% discount.
11 Which of the following are valid objectives for testing?
i. To find defects.
ii. To gain confidence in the level of quality.
iii. To identify the cause of defects.
iv. To prevent defects.

A i, ii and iii.
B ii, iii and iv.
C i, ii and iv.
D i, iii and iv.
12 The process of designing test cases consists of the following activities:
i. Elaborate and describe test cases in detail by using test design techniques.
ii. Specify the order of test case execution.
iii. Analyse requirements and specifications to determine test conditions.
iv. Specify expected results.

According to the process of identifying and designing tests, what is the correct order of these activities?
A iii, i, iv, ii.
B iii, iv, i, ii.
C iii, ii, i, iv.
D ii, iii, i, iv.
13 What is the main purpose of impact analysis for testers?
A To determine the programming effort needed to make the changes.
B To determine what proportion of the changes need to be tested.
C To determine how much the planned changes will affect users.
D To determine how the existing system may be affected by changes.
14 Which of the following requirements would be tested by a functional system test?
A The system must be able to perform its functions for an average of 23 hours 50 mins per day.
B The system must perform adequately for up to 30 users.
C The system must allow a user to amend the address of a customer.
D The system must allow 12,000 new customers per year.
15 In a system designed to work out the tax to be paid:
An employee has £4000 of salary tax free.
The next £1500 is taxed at 10%.
The next £28000 after that is taxed at 22%.
Any further amount is taxed at 40%.
To the nearest whole pound, which of these is a valid Boundary Value Analysis test case?
A £28000.
B £33501.
C £32001.
D £1500.
16 Which of the following defines the sequence in which tests should be executed?
A Test plan.
B Test procedure specification.
C Test case specification.
D Test design specification.
17 Given the following state transition

Which of the following series of state transitions below will provide 0-switch coverage?
A A, B, E, B, C, F, D.
B A, B, E, B, C, F, F.
C A, B, E, B, C, D.
D A, B, C, F, F, D.
18 Given the following decision table

What is the expected result for each of the following test cases?
A. Frequent flyer member, travelling in Business class
B. Non-member, travelling in Economy class
A A – Don’t offer any upgrade, B – Don’t offer any upgrade.
B A – Don’t offer any upgrade, B – Offer upgrade to Business class.
C A – Offer upgrade to First, B – Don’t offer any upgrade.
D A – Offer upgrade to First, B – Offer upgrade to Business class.
19 During which fundamental test process activity do we determine if MORE tests are needed?
A Test implementation and execution.
B Evaluating test exit criteria.
C Test analysis and design.
D Test planning and control.
20 What is the difference between a project risk and a product risk?
A Project risks are potential failure areas in the software or system; product risks are risks that surround the project’s capability to deliver its objectives.
B Project risks are the risks that surround the project’s capability to deliver its objectives; product risks are potential failure areas in the software or system.
C Project risks are typically related to supplier issues, organizational factors and technical issues; product risks are typically related to skill and staff shortages.
D Project risks are risks that delivered software will not work; product risks are typically related to supplier issues, organizational factors and technical issues.
21 Given the following specification, which of the following values for age are in the SAME equivalence partition?
If you are less than 18, you are too young to be insured.
Between 18 and 30 inclusive, you will receive a 20% discount.
Anyone over 30 is not eligible for a discount.

A 17, 18, 19.
B 29, 30, 31.
C 18, 29, 30.
D 17, 29, 31.
22 Considering the following pseudo-code, calculate the MINIMUM number of test cases for statement coverage, and the MINIMUM number of test cases for decision coverage respectively.
READ A
READ B
READ C
IF C>A THEN
    IF C>B THEN
        PRINT "C must be smaller than at least one number"
    ELSE
        PRINT "Proceed to next stage"
    ENDIF
ELSE
    PRINT "B can be smaller than C"
ENDIF

A 3, 3.
B 2, 3.
C 2, 4.
D 3, 2.
23 Which of the following is a benefit of independent testing?
A Code cannot be released into production until independent testing is complete.
B Testing is isolated from development.
C Developers do not have to take as much responsibility for quality.
D Independent testers see other and different defects, and are unbiased.
24 Which of the following tools is most likely to contain a comparator?
A Dynamic Analysis tool.
B Test Execution tool.
C Static Analysis tool.
D Security tool.
25 Given the following State Table:

Which of the following represents an INVALID state transition?
A E from State S2.
B E from State S3.
C B from State S1.
D F from State S3.
26 Which of the following is a characteristic of good testing in any life cycle model?
A All document reviews involve the development team.
B Some, but not all, development activities have corresponding test activities.
C Each test level has test objectives specific to that level.
D Analysis and design of tests begins as soon as development is complete.
27 Which activity in the fundamental test process includes evaluation of the testability of the requirements and system?
A Test analysis and design.
B Test planning and control.
C Test closure.
D Test implementation and execution.
28 The following statements are used to describe the basis for creating test cases using either black or white box techniques:
i information about how the software is constructed.
ii models of the system, software or components.
iii analysis of the test basis documentation.
iv analysis of the internal structure of the components.
Which combination of the statements describes the basis for black box techniques?
A ii and iii.
B ii and iv.
C i and iv.
D i and iii.
29 What is typically the MOST important reason to use risk to drive testing efforts?
A Because testing everything is not feasible.
B Because risk-based testing is the most efficient approach to finding bugs.
C Because risk-based testing is the most effective way to show value.
D Because software is inherently risky.
30 Which of the following defines the scope of maintenance testing?
A The coverage of the current regression pack.
B The size and risk of any change(s) to the system.
C The time since the last change was made to the system.
D Defects found at the last regression test run.
31 Which is the MOST important advantage of independence in testing?
A An independent tester may find defects more quickly than the person who wrote the software.
B An independent tester may be more focused on showing how the software works than the person who wrote the software.
C An independent tester may be more effective and efficient because they are less familiar with the software than the person who wrote it.
D An independent tester may be more effective at finding defects missed by the person who wrote the software.
32 For testing, which of the options below best represents the main concerns of Configuration Management?
i. All items of testware are identified and version controlled;
ii. All items of testware are used in the final acceptance test;
iii. All items of testware are stored in a common repository;
iv. All items of testware are tracked for change;
v. All items of testware are assigned to a responsible owner;
vi. All items of testware are related to each other and to development items.

A i, iv, vi.
B ii, iii, v.
C i, iii, iv.
D iv, v, vi.
33 Which of the following would be a valid measure of test progress?
A Number of undetected defects.
B Total number of defects in the product.
C Number of test cases not yet executed.
D Effort required to fix all defects.
34 Which of the following statements is true? Select ALL correct options
Regression testing should be performed:

i once a month
ii when a defect has been fixed
iii when the test environment has changed
iv when the software has changed

A ii and iv.
B ii, iii and iv.
C i, ii and iii.
D i and iii.
35 In which of the following orders would the phases of a formal review usually occur?
A Planning, preparation, kick off, meeting, rework, follow up.
B Kick off, planning, preparation, meeting, rework, follow up.
C Preparation, planning, kick off, meeting, rework, follow up.
D Planning, kick off, preparation, meeting, rework, follow up.
36 Which of the following are valid objectives for incident reports?
i. Provide developers and other parties with feedback about the problem to enable identification, isolation and correction as necessary.
ii. Provide ideas for test process improvement.
iii. Provide a vehicle for assessing tester competence.
iv. Provide testers with a means of tracking the quality of the system under test.

A i, ii, iii.
B i, ii, iv.
C i, iii, iv.
D ii, iii, iv.
37 Consider the following techniques. Which are static and which are dynamic techniques?
i. Equivalence Partitioning.
ii. Use Case Testing.
iii. Data Flow Analysis.
iv. Exploratory Testing.
v. Decision Testing.
vi. Inspections.

A i-iv are static, v-vi are dynamic.
B iii and vi are static, i, ii, iv and v are dynamic.
C ii, iii and vi are static, i, iv and v are dynamic.
D vi is static, i-v are dynamic.
38 Why are static testing and dynamic testing described as complementary?
A Because they share the aim of identifying defects and find the same types of defect.
B Because they have different aims and differ in the types of defect they find.
C Because they have different aims but find the same types of defect.
D Because they share the aim of identifying defects but differ in the types of defect they find.
39 Which of the following are disadvantages of capturing tests by recording the actions of a manual tester?
i The script may be unstable when unexpected events occur.
ii Data for a number of similar tests is automatically stored separately from the script.
iii Expected results must be added to the captured script.
iv The captured script documents the exact inputs entered by the tester.
v When replaying a captured test, the tester may need to debug the script if it doesn’t play correctly.

A i, iii, iv, v.
B ii, iv and v.
C i, ii and iv.
D i and v.
40 Which of the following is determined by the level of product risk identified?
A Extent of testing.
B Scope for the use of test automation.
C Size of the test team.
D Requirement for regression testing.
Answers
Q No Ans
1. A
2. B
3. D
4. B
5. C
6. C
7. B
8. A
9. D
10. C
11. C
12. A
13. D
14. C
15. B
16. B
17. A
18. C
19. B
20. B
21. C
22. A
23. D
24. B
25. B
26. C
27. A
28. A
29. A
30. B
31. D
32. A
33. C
34. B
35. D
36. B
37. B
38. D
39. A
40. A

Aug 13
ILIAZ added a new bulletin, ISTQB Aug 13
34 months ago
ILIAZ updated a blog entry Security Testing...

Web Security Testing Related Points:

1. Password cracking:

Security testing of a web application can start with "password cracking". To log in to the private areas of the application, one can either guess a username/password or use a password-cracking tool.

If a username or password is stored in cookies without encryption, an attacker can use different methods to steal the cookies and then read the information stored in them, such as the username and password.

2. URL manipulation through HTTP GET methods:

The tester should check whether the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check whether the server accepts it.

With an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed in this GET request to the server in order to get the required information or to corrupt the data. In such conditions, any unusual behavior by the application or web server is the doorway for the attacker to get into the application.
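The checks from points 1 and 2 can be run over captured requests. The following is an added example, not part of the original post: it flags credential-like names in GET query strings and in cookies. The name list, the `audit_request` and `audit_all` helpers and the sample traffic are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Names treated as credentials. This list is an assumption for the example;
# extend it with the parameter names your application actually uses.
CREDENTIAL_NAMES = {"user", "username", "login", "pass", "passwd", "password", "pwd"}


def audit_request(method, url, cookie_header=""):
    """Return (location, name) findings for one request; values are never returned."""
    findings = []

    # Point 2: important information passed in the query string of a GET.
    if method.upper() == "GET":
        for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if name.lower() in CREDENTIAL_NAMES:
                findings.append(("query", name))

    # Point 1: username or password kept in a cookie. A name match is a
    # prompt to inspect whether the stored value is plaintext.
    jar = SimpleCookie()
    jar.load(cookie_header)
    for name in jar:
        if name.lower() in CREDENTIAL_NAMES:
            findings.append(("cookie", name))
    return findings


# Constructed sample traffic (method, URL, Cookie header); not from a real site.
SAMPLE_REQUESTS = [
    ("GET", "https://shop.example/login?username=alice&password=hunter2&lang=en", ""),
    ("GET", "https://shop.example/orders?page=2", "username=alice; password=hunter2; theme=dark"),
    ("POST", "https://shop.example/login", "sid=9f2c1e7ab4"),
]


def audit_all(requests):
    """Map each request that has findings to its list of findings."""
    report = {}
    for method, url, cookie_header in requests:
        findings = audit_request(method, url, cookie_header)
        if findings:
            report[f"{method} {urlsplit(url).path}"] = findings
    return report


if __name__ == "__main__":
    for request, findings in audit_all(SAMPLE_REQUESTS).items():
        print(request, findings)
```

The third sample request produces no finding: its credentials travel in a POST body and the cookie holds only an opaque session identifier.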

3. SQL Injection:

Entering a single quote (') in any textbox should be rejected by the application. If the tester encounters a database error instead, it means that the user input is inserted into some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical, as an attacker can get vital information from the server database. To check for SQL injection entry points in your web application, find the code in your code base where direct MySQL queries are executed on the database using some user input.

If user input is placed into SQL queries that query the database, an attacker can inject SQL statements or parts of SQL statements as user input to extract vital information from the database. Even if the attacker only succeeds in crashing the application, the SQL query error shown in the browser can give the attacker the information they are looking for. Special characters in user input should be handled / escaped properly in such cases.

4. Cross site Scripting:

The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. or any script e.g.

Note: The posts posted in this blog are collected. Some have been prepared by me. If anyone has objections regarding any copied posts, please mail me to have that post removed.

Aug 05
ILIAZ updated a blog entry ILIAZB_TESTING...

I am starting this Blog to share my testing ideas and experience with all of you

Aug 05
ILIAZ created a blog entry ILIAZB_TESTING...

I am starting this Blog to share my testing ideas and experience with all of you

Aug 05
