Web Based Testing - IVS-TRAINING
Ground Rules
Please mute your mobile phones
Stick to timelines
Help each other in learning – as learning is a continuous process
Please participate actively to make the session interactive
Session Objectives
Introduction to Web applications
Web Application Architecture
Types of Web Applications
Web Pages
Web Portals
Importance of testing Web Applications
Session Objectives
Kinds of testing for Web applications
Usability Testing
Functionality Testing
Performance Testing
Security Testing
Compatibility Testing
Summary
Introduction to Web Applications
With the growth of Information Technology and the 24/7 concept, web applications started gaining importance!
One way to look at web applications is to take the example of a traditional business transaction application and replace the user front end with a web site!
A customer comes to purchase goods and/or services from a company in exchange for money. There are many ways to facilitate this transaction between the client and the company. Instead of a sales rep., cashier, clerk, etc., you have a browser pointing at a web site.
The company is never closed and the clients can serve themselves!
Web Application Architecture
The browser is the client end of the system; it is connected to the web site server via the Internet.
The centrepiece of all web applications is a relational database which stores the dynamic content.
A transaction server controls the interactions between the database and the other servers (also called application servers).
Fulfillment may include interfacing with financial institutions, warehousing systems, etc.
The administration function handles data updates and database administration.
Types of Web Applications
Web Pages
Web based applications display information on different pages within the application.
We can navigate through the pages to get the desired information.
Testing web applications would involve testing them page by page.
Web portals
Web portals comprise web pages which consist of portlets, which in turn consist of small pieces of information.
We have the choice of having only the few portlets we desire on our personal pages, with only a little information displayed on them.
Testing of web portals would involve testing individual portlets, then pages with various portlets.
Importance of Testing Web applications
Today business is on the net.
Visitors and potential customers will leave your site and not look back.
In contrast, a professional looking site will make visitors feel more comfortable, stay longer and browse more pages because of its increased credibility.
Banking and business transactions online have increased the need for security.
Kinds of Testing for Web Applications
Given below are a few important types of testing we need to concentrate on while testing a web application as a whole.
Usability Testing
Functionality Testing
Performance Testing
Security Testing
Compatibility Testing
Usability Testing
'Usability Testing' is defined as "The testing which attempts to find any human-factor problems".
A better description is "testing the software from a user's point of view".
Factors to be considered for Usability Testing
Ease of Usage
Visual consistency and Consistency of action
Navigation
Clarity (non-ambiguous)
Communication
Understandability (Intuitiveness)
Self learnability
General design / structure check
Usability Testing - Ease of use
Application should be accessible through URL as well as IP address
Maximizing, minimizing, resizing of windows to be possible
Every screen should have an appropriate title/header
Usability Testing - Ease of use…Continued
1. Time to load the application must be appropriate
2. Positioning of cursor on the first editable field in Data entry screens
3. Acknowledgment of error messages should take the control to where the error occurred
4. Prompt to save unsaved data while trying to move to next screen
Usability Testing - Visual consistency across forms
1. Behaviour when screen resolution is changed
2. Margins and column layout
3. Colour and size of form
4. Fonts used for labels
5. Size of buttons
6. Hotkeys or accelerator keys used
7. Use of animations/graphics
8. Labelling of controls (buttons, boxes)
9. Length of textboxes for the same field
10. Formats for date and time fields
Usability Testing - Visual consistency across forms…Example
Usability Testing - Consistency of actions
1. When a button is clicked
2. When an error is encountered
3. When a field is being validated
4. Field vs. form level validations
Usability Testing - Clarity (non-ambiguous)
Abbreviations and code language to be used minimally and should be understandable for end users
The mandatory fields should be distinguishable from other fields
Help and Search links should be distinctly visible, and Help messages to be clear and concise
Usability Testing - Clarity (non-ambiguous)…Continued
Visible font for all text, and avoid all-CAPS text
Error messages to be clear, concise, informative and not blaming the user
Usability Testing - Navigation
1. Should support users’ sequence of accomplishing a task
2. ‘Home’ link to be provided
3. Correct tab order
4. Ensure that cursor becomes hourglass when doing background processing and returns to pointer after the task
5. Text to be selected when textbox is encountered on tab press.
6. All tab controls should be accessible through keyboard
7. Shortcut keys (hot keys) to be unique
8. Functioning of the ‘Back’ and ‘Forward’ functions of the browser
9. Check if all links are active
Usability Testing - Communication
User errors must be communicated.
Usability Testing – Communication…Continued
1. Anything that needs user action must be communicated in simple language
2. Destructive actions to be confirmed
3. Minimum usage of pop-ups and message boxes
Usability Testing - Learnability
1. Availability of Help feature
2. Availability of Context-sensitive help, wherever needed
Usability Testing - Understandability
1. Grammatical correctness of error messages and help text
2. Check for any spelling mistakes
3. Text box lengths should correspond to the length of the data they take, wherever possible
4. Default values to be populated wherever possible
5. Ease of usage without help.
Usability Testing - General Design/Structure Check
1. Should avoid horizontal scrolling
2. Logical ordering of controls
3. Position of controls should be meaningful
4. Grouping of related information and data
5. Appropriate label for grouped data
6. Drop down/combo box menu to be ordered
7. All the editable items and the user input should be taken in textboxes or dropdowns
8. Toggling of checkboxes
9. Checking/un-checking of checkboxes through space-bar
10. Single choice for radio-buttons
Functionality Testing
When we think of functionality testing of web applications, we need to concentrate on testing the following features:
Testing of Web elements
Testing for localization and internationalization of applications/pages
Personalization of web pages
Testing Web elements
There is a variety of web elements present in the application; some of them include:
Text Boxes/Drop down Boxes
Image/Graphics
Mouseover Text/Pop up Messages
Buttons
Frames
Links
We need to test each of these elements wherever applicable.
Testing Web elements…Continued
Testing Localization / Internationalization
Web applications can be used by many people across the world and hence testing for localization or internationalisation is important.
We need to check if the required language change is made for local web pages. (say Japanese, Chinese, etc.)
Ensure that the functionality is not affected or altered because of localization.
Testing Localization / Internationalization…Continued
Testing Personalization of web pages
Personalisation in a web application can be done either per user or per group.
Access to components for Personalisation. For instance, few portlets may not be meant to be used on personal pages and hence the user should not be able to select them on his personal page.
Testing Personalization of web pages …Continued
Group preferences set by a group manager should override personal preferences set by the user. We need to test this with different roles.
Testing Personalization of web pages …Continued
Coffee Break !!
Performance Testing
Performance testing is the discipline concerned with determining and reporting the current performance of a software application when subjected to virtual user load
Performance testing involves testing an application for timely responses.
The time needed to complete an action is usually bench-marked or compared against similar actions in similar applications.
What does performance testing measure?
Performance testing measures how well the application meets customer expectations in terms of:
Speed – determines if the application responds quickly
Scalability – determines how much user load the application can handle
Stability – determines if the application is stable under expected and unexpected user loads
Stress and Load testing
Stress Testing – ensures that an application already tested for the expected load can also take spikes in load (such as an increase in the rate of transactions); it studies the impact on system resources and helps tune and configure the system optimally.
Load Testing – simulates a realistic user load on the application; testing this prior to production ensures the application will be stable and that any performance issues can be addressed in the pre-production phase.
Security Testing
Security in broader sense can be defined as the combination of confidentiality, integrity, and availability. It can also be mentioned as “The quality or state of being protected from uncontrolled losses or effects”.
Security Issues : Identity management, privacy, data integrity
Identity management is implemented by user authentication, which in turn relies on authentication methods. Ex: RADIUS, LDAP or SecurID.
SSL (Secure Sockets Layer) / SSH (Secure Shell) / IP Security (IPSec) are used to transmit data safely over the Internet. SSL works through a combination of programs and encryption/decryption routines that exist on the web hosting computer and in the browser. Ex (for e-mail): PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions).
SSL and IPSec encrypt at lower layers (the session and network layers respectively). SSL is the most widely used security protocol for basic web mail / web based applications.
Data integrity has to do with protection from unauthorized modification of data such as e-mails. Ex: hashing and digital signatures.
Security Certificate: HTTPS represents web site security.
Session Cookies
Session cookies are files containing session information and sometimes authentication information. This information is stored in the web browser and lets the user navigate easily without having to re-authenticate.
If session cookies are not managed properly, an unauthorized user can easily get back in after the authorized user logs off, simply by clicking the browser Back button. This is the most commonly found vulnerability in most applications.
Session Cookies Examples – Managed session cookie – Valid behaviour
On click of the browser 'Back' button after logging out of the application, the user is navigated to the Login screen.
(Screenshots: 1. User clicks log off; 2. User clicks browser Back button; 3. Login screen is shown.)
Session Cookies (Contd..) – Session cookie not managed (not erased) – Invalid behaviour
On click of the browser 'Back' button after logging out of the application, the user is navigated to the previous screen.
(Screenshots: 1. User clicks Sign out; 2. User clicks browser Back button; 3. Previous screen is shown.)
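To show what "managed" session cookies look like in code, here is an added Python example (not from the training deck): the session is erased on the server at logout, the cookie is expired in the browser, and the protected page is sent with Cache-Control: no-store so the Back button cannot replay a cached copy. The in-memory store and the Response class are assumptions standing in for a real web framework.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Server-side session store (constructed, in-memory): session id -> username
_sessions: Dict[str, str] = {}

@dataclass
class Response:
    """Stand-in for a framework response object (assumption, not a real API)."""
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

def login(username: str) -> Response:
    """Issue a fresh, unguessable session id and send it as a cookie."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = username
    resp = Response(200, f"welcome {username}")
    # Secure + HttpOnly keep the cookie off plain HTTP and out of script reach
    resp.headers["Set-Cookie"] = f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return resp

def logout(sid: str) -> Response:
    """Managed behaviour: erase the session on the server, not only in the browser."""
    _sessions.pop(sid, None)
    resp = Response(302, "", {"Location": "/login"})
    # Also expire the cookie client-side
    resp.headers["Set-Cookie"] = "session=; Max-Age=0; Secure; HttpOnly; Path=/"
    return resp

def account_page(sid: Optional[str]) -> Response:
    """Protected page: the cookie is checked against the store on every request."""
    user = _sessions.get(sid) if sid else None
    if user is None:
        return Response(302, "", {"Location": "/login"})
    resp = Response(200, f"account of {user}")
    # Without no-store the browser may show its cached copy on 'Back' after logout
    resp.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
    resp.headers["Pragma"] = "no-cache"
    return resp

def session_id_from(resp: Response) -> str:
    """Pull the session id out of a Set-Cookie header (test helper)."""
    return resp.headers["Set-Cookie"].split(";")[0].split("=", 1)[1]

def back_button_after_logout(username: str) -> int:
    """Replays the slide's scenario: log in, view account, log off, press Back."""
    sid = session_id_from(login(username))
    assert account_page(sid).status == 200      # authenticated view works
    logout(sid)
    return account_page(sid).status             # 302 to the login screen: valid behaviour
```

A tester can check the same thing by hand: after logout, the old cookie value must be rejected by the server and the authenticated pages must carry no-store headers.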
Why Security Testing?
Any user is primarily concerned about the security of a transaction made online. Hence security is of utmost importance in web based applications such as:
1. Banking websites
2. E-Com systems
3. Confidential Sites like Military, Research, etc.
4. E-mail service providers like yahoo, msn, sify, etc.
5. Retail sites
Types of Security Testing
Vulnerability Scanning
Security Scanning
Penetration Testing
Risk Assessment
Security Auditing
Ethical Hacking
Posture Assessment & Security Testing
Types of Security Testing …Continued
Vulnerability Scanning - Vulnerability Scanning is using automated software to scan one or more systems against known vulnerability signatures. Examples of this software are Nessus, Sara, and ISS.
Security Scanning - Security Scanning is a Vulnerability Scan plus Manual verification. The Security Analyst will then identify network weaknesses and perform a customized professional analysis.
Penetration Testing - Penetration Testing takes a snapshot of the security on one machine, the “trophy”. The Tester will attempt to gain access to the trophy and prove his access, usually, by saving a file on the machine. It is a controlled and coordinated test with the client to ensure that no laws are broken during the test.
Types of Security Testing …Continued
Risk Assessment - Risk Assessment involves a security analysis of interviews compiled with research of business, legal, and industry justifications.
Security Auditing - Security Auditing involves hands on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.
Ethical Hacking - Ethical Hacking is basically a number of Penetration Tests on a number of systems on a network segment.
Posture Assessment & Security Testing - Posture Assessment and Security Testing combine Security Scanning, Ethical Hacking and Risk Assessments to show an overall Security Posture of the organization.
Firewall Testing
A firewall is a piece of hardware and/or software that "sits" between your computer and the Internet in order to filter the traffic going back and forth.
It acts as a security checkpoint so that unauthorized data transfer doesn't occur.
The purpose of the test activity is to verify that the firewall system works as intended.
How to do it?
Test the firewall functions
Test environment
Production environment
Select and test features related to log files
Scan for vulnerabilities
Design initial regression testing suite
Prepare to perform ongoing monitoring
Compatibility Testing
It is done to verify that the web site or web application functions properly across any combination of platform, database, application server, browser and other software
Simulating the user environment during the testing phase - ensures that a product works in any specified operating environment
Provides technical integration, functionality and stability testing of complementary, third party products
Across different Browsers and Versions
What Causes Browser Display Differences?
Different Browsers
Different Browser Versions
Different Computer Types
Different Screen Sizes
Different Font Sizes
HTML Errors
Browser Bugs
Close to 17 million people use something other than IE while cruising the Internet!!
Browser Bugs
Example…
What you can do?
1. Set a Goal
The first step to test browser compatibility problems is to determine which browsers really matter to you.
It's hard to test a Web page that displays perfectly on every version of every browser running on every computer. Hence plan your testing based on your requirements.
2. Validate Your Pages
Check for the display of important pages on commonly used browsers.
Example of HTML Errors
Points to be considered for testing compatibility
Timely, cost-effective compatibility testing
Testing too many configurations can waste valuable time and money
Efficient browser and OS combinations help make the testing time saving and cost effective!
Sample Test Matrix for Web Application Browser Compatibility
Browsers (matrix columns): NS 4.0, NS 4.7, NS 6.x or Mozilla .9x, Mozilla 1.x
Platforms (tested under each browser): Mac OS, Win 98, Win 2000, NT 4.0, Win XP
Applications (matrix rows): StateClaim, Title/Pay Plan, Carpool, Mobius/EDL, EQS, Gift, DWH, MS Office 97, MS Office 2000, MS Office XP
(The result marks in the matrix cells are not preserved in this copy.)
Example …
Exercise
Scenario for Discussion:
An email service provider upgrades the email space from 2 MB to 100 MB. What are the tests to be performed for this?
Summary
Web applications can better be called living applications and hence require a new perspective on testing practices.
We need to consider all the aspects discussed in the session every time a change is made in the web application, and test it end to end.
Questions?
Thank You!!
Please note that submission of Course and Instructor feedback is mandatory for availing attendance for the Course.
Any doubts or suggestions for improvement can be forwarded to: [email protected]