
Monday, November 14, 2011

Guessing the password


Being an avid reader, I make a point of reading some blog posts on testing every day. I am a regular follower of some good blogs written by some revered testers of the world. One of them is Pradeep Soundararajan’s Tester Tested! On one such occasion of going through his blog, I came across a post where he has written about how he uses puzzle exercises to teach testing. Having a great propensity towards riddles, the post seemed very interesting to me. With utmost alacrity, I jumped into solving a few of them. This article is about my experience of solving such a puzzle, Guess the Password - Version 1 & Version 2. Anyone who is reading this post and has not yet solved these two puzzles, I request them to go solve them first and then come back and read further.

I tried version 1 first. Having solved many online riddles earlier, it didn’t take much effort on my part to guess the correct username/password. I navigated to the version 1 page and tried to find out if any clue related to the username/password was displayed on the page. Initially I thought this application must be validated at the server side. I thought there must be some clue displayed on the page itself, by looking at which we would have to guess the credentials. After we give the credentials and press the Log In button, the data is sent to the server and there it is validated against the correct credentials stored in the database.

Not finding any clue on the page, I viewed the page source thinking I might get some clue written there as comment lines. To my amazement, the first comment line I saw read something like “Oh, you think you could crack it from the source code? You thought it would be so simple?” I was disheartened reading this. If there is no clue either on the page or in the page source, how was I supposed to guess the credentials? But knowing something about the way Pradeep and Santosh present exercises, I took no time in understanding that this comment line was meant to deceive the solution seeker. I therefore started looking at the code and it took merely 2 minutes to guess the correct credentials.

I started from the form. My knowledge of JavaScript helped me here. I saw that a JavaScript function, “validate”, is called when the Log In button is clicked. I then realized that my earlier view on credentials being validated at the server side was wrong. I jumped into the validate function code. And it was pretty simple. The values of the username and password fields are retrieved and stored in two variables. There are two more variables which contain the correct username and password. There is a condition which checks the username and password values given by the user against the correct username and password stored in the two variables. If they match, you have cracked the username/password. Mine matched on the first try.

However, version 2 was not a cakewalk for me. Though the way of puzzling is almost similar to that of version 1, it took me one whole day and a mail to Santosh to guess the correct username and password. After I succeeded, I realized that I had already guessed the correct username and password much earlier but wasn’t combining them properly. The first difference between version 1 and version 2 was the interchange of the variables that store the actual username and password. This didn’t take much time to figure out. The next was that the username seemed to be a “blank space” and the password “testing”. I tried the combination only to fail. I then suspected that the character which looks like a blank space was not actually the same blank space that can be generated by the space keystroke on the keyboard. I was aware of a character like this. But I acted over-smart, copied the space-like character and pasted it in the username field. This didn’t help either.

Then I thought of copying the entire source code to Notepad and saving it as a local HTML file. I did so. I then opened it, gave the combination “blank space” and “testing” and hit Log In. Bravo. This time it worked. I was perplexed. It seemed weird to me. I did a lot of research on why this behaved differently when saved as a local HTML file. I had no more patience to try more combinations. I wrote a mail to Santosh asking what the correct credentials were. I briefly wrote about my effort. He got back to me saying the character looking like a blank space is a variant of space. He asked me to go to Start → Run → type Charmap, search for that special character, copy it from there and paste it in the username field. I did so and this time it worked. This prompted me to try the character I was aware of, the one which seems like a space but is not a space. I pressed Alt+255 to generate that character in the username field and provided the password. This time it did work.

I then confirmed that the character displayed in Charmap was the same as the character obtained by pressing Alt+255. I was curious to know why it did not work when I did a “view page source” on the application and copied and pasted the space. All this time I was using Firefox. I thought of opening the application in IE. I opened it in IE, did a view source, copied the entire source code and pasted it in Notepad. I then saved it as a local HTML file and tried the “no-break space” and “testing” combination. It worked perfectly fine this time. Copying the source code from Firefox and saving it as a local HTML file didn’t work, but with IE it worked. From this I drew the conclusion that Firefox was not able to display the “no-break space” character. It was displaying it as a blank space. I do not know whether it is a limitation of Firefox to not be able to display the special character and to convert it into a blank space.

There are a few things I learned from this exercise. They are as follows:

1. Analyzing the code gives an idea about how the system works. If some part doesn’t work properly, by looking at the code we can deduce the possible reason. In order to do so, we need to have a basic understanding of programming.

2. Something which looks like a very usual thing (a no-break space in this case) may not be that thing in reality. So we have to think of other possibilities of what that thing might be. Having prior knowledge of “what that thing might be” can be very helpful. In case prior knowledge is unavailable, we should be able to figure out a way to find it.

3. By trying the same process in different environments, or browsers for that matter, many new things can be discovered about the application as well as the environment. In our case, it was the inability of Firefox to display the “no-break space” in the source code.
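
The two observations above (a login check that runs in the browser with its expected values in the page script, and a no-break space that looks like an ordinary space) can be reproduced with the following added example, which is not the puzzle's code and not part of the original post. The expected values and all function names are constructed for illustration.

```javascript
// Added example: constructed values, not the puzzle's real source.
// Code points that render as blank but are not U+0020 SPACE.
const SPACE_LOOKALIKES = new Map([
  [0x00a0, "NO-BREAK SPACE"],
  [0x2007, "FIGURE SPACE"],
  [0x202f, "NARROW NO-BREAK SPACE"],
  [0x200b, "ZERO WIDTH SPACE"],
  [0x3000, "IDEOGRAPHIC SPACE"],
]);

// Format one character as U+XXXX.
function hex(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Make every character of a string visible, e.g. for a bug report.
function toCodePoints(text) {
  return Array.from(text, hex).join(" ");
}

// Return one record per character that looks blank but is not a plain space.
function findLookalikes(text) {
  const hits = [];
  let index = 0;
  for (const ch of text) {            // iterates by code point
    const name = SPACE_LOOKALIKES.get(ch.codePointAt(0));
    if (name) hits.push({ index, codePoint: hex(ch), name });
    index += ch.length;
  }
  return hits;
}

// A client-side check of the kind the post describes: the expected values
// sit in the script, readable by anyone who views the page source, and are
// compared with strict string equality.
const EXPECTED_USER = "\u00A0";       // constructed: a no-break space
const EXPECTED_PASS = "testing";      // constructed
function validate(user, pass) {
  return user === EXPECTED_USER && pass === EXPECTED_PASS;
}

console.log(validate(" ", "testing"));       // ordinary space typed on the keyboard
console.log(validate("\u00A0", "testing"));  // no-break space
console.log(toCodePoints(" \u00A0"), findLookalikes("a\u00A0b"));
```

Running `toCodePoints` over text copied from a page source shows whether the browser or editor handed over the original character or replaced it with an ordinary space on the way.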

1 comment:

chinmay said...

Thanks for giving us the password puzzle. The whole scenario is nicely explained.