1. Overall strategy of Web Testing
2. Scope of Web Testing
2.1 function test
☆ link, also known as hyperlink, refers to the connection relationship from one web page to another target. The target may be a web page, different locations on the same web page, pictures, e-mail addresses, files, applications, etc.
Links are most prone to the following errors:
☆ wrong links, such as misspelling the URL address, redundant or missing slashes in the URL suffix, incomplete case matching of letters in the URL address, and misspelling of the domain name entered by the user.
☆ an empty link, which will not point to anything when clicked.
☆ dead link, which is a link that was originally normal but later failed.
☆ isolated page refers to that there is no link to the page, which can only be accessed if you know the correct URL address.
☆ it is the process of testing whether the user interface can correctly handle the form and feed back the information to the client.
During the test, the following aspects should be paid attention to:
☆ whether the text input box has a limit on the length.
☆ whether the text input box has restrictions on the character type.
☆ whether the pattern matching of the text input box is correct. If the text box can only input data in date format, it can only match different date formats, not data in other formats.
☆ whether the functions realized by each button are correct.
☆ cookies is a technology that enables the website server to store a small amount of data into the client’s hard disk or memory, or read data from the client’s hard disk.
What are the uses of cookies:
☆ automatic login: when logging in, choose to remember the user name, and the user name will be brought out automatically next time you log in.
☆ accurate advertising. When we use the browser to search for some keywords, such as web test book and a mobile phone, we will push relevant browsed products when we open the browser.
☆ how to view cookies:
Open IE and click Tools → Internet Options → general → (temporary Internet file) browsing history → settings on the toolbar. In this way, you can view the location of cookies and set them.
The test of cookies includes the following aspects:
☆ for the security of cookies, it is better not to store some sensitive information in cookies, and some fields in cookies should be encrypted when necessary. Whether the expiration time of cookies is correct;
☆ whether the variable name and value of cookies are correct;
☆ whether cookies are necessary and missing: first, whether the generated cookie files are consistent with those created, and can not be more or less; second, unnecessary cookies can be deleted.
☆ whether the scope of cookies is correct and reasonable;
☆ test the relationship between the scopes of multiple cookies.
☆ differences in web design language versions can cause serious problems on the client or server side, such as which one to use
Two versions of HTML, etc.
With regard to the testing of design language, we should pay attention to the following aspects:
☆ different browser kernel engines will lead to different compatibility with different development languages. The current mainstream browser kernels include Trident, Tasman, pesto, gecko, KHTML, webcore and WebKit.
☆ different design languages and platforms have different compatibility.
☆ the execution time of different script languages is also different.
☆ ability to embed in other languages. Script language can not realize some operations, such as reading the information of the client. At this time, it needs to be realized with the help of other languages. Consider the current scripting language’s support for other languages.
☆ the system database may be upgraded, and the perfection of the database supported by the script language needs to be considered during the test.
☆ only allowed attachment types can be uploaded;
☆ scripts or executable files cannot be uploaded;
☆ you cannot judge the file type simply by affixing the name;
☆ after browsing the file, you can normally deal with the exceptions when deleting the target file;
☆ it can be handled normally when uploading large files, such as giving prompt information;
☆ the uploaded files shall be provided with an interface for viewing;
☆ the uploaded file should not be directly saved in the database, but the file should be saved in the server-side hard disk, and the basic information of the file should be saved in the database;
☆ the file should be renamed after being uploaded to the server to prevent file name conflict.
☆ the response time of the link should not be too long, generally not more than 5 seconds.
☆ test the maximum load that the system can bear (such as the maximum number of users, the maximum amount of business, the maximum amount of data, etc.) and performance.
☆ test the performance of the system under certain pressure. Generally, the error rate of the business shall not exceed 5%.
☆ GUI (graphical user interface) is the graphical user interface.
☆ verify the default standard definitions of some spaces in the web page, such as default values, items in order, etc.
☆ whether the navigation bar of each page can be displayed correctly;
☆ whether the contents displayed in the navigation bar under each page are correct;
☆ whether the contents displayed on the navigation bar are correct under different states (such as login and non login);
☆ whether each content link of the navigation bar is correct.
Verify the spelling and grammar of page content, menus and links, pictures, and table content.
☆ Page Title Verification;
☆ page element (text, form, menu, link, company trademark, etc.) typesetting verification;
☆ page graphic verification;
☆ page version information verification;
☆ verification of page display under different resolutions;
☆ page length verification.
☆ the tab sequence jumps correctly.
☆ security verification of various login modes and testing of various requirements for passwords.
☆ verification of user permissions (such as function restrictions, data access restrictions, etc.).
☆ verification of special mechanisms such as validity verification of cookies and sessions.
☆ encryption of sensitive data and verification of data storage security.
☆ verify whether the log files of the system are protected.
☆ the test software will not cause unsafe state due to wrong operation under abnormal conditions.
☆ check various other security vulnerabilities, such as wsdigger scanning. Cross site attack XSS. Enter the get method after the URL, such as name =. If a warning pops up or the input string exists in the source file, there is a vulnerability.
☆ SQL injection, SQL = ‘select YHM, mm from users where username =’ + yhmtextfield getTex（t ） +’ and password=’ +mmTextField. Gettex (T). For example, after entering admin ‘– in the user name, you can log in without entering a password.
☆ whether there is a verification code on the login page indicates that there is a vulnerability.
☆ whether the verification code, user name and password are submitted to the server for verification at one time and at the same time. If they are submitted separately, there is a vulnerability.
☆ on the server side, the user name and password can be verified only after the verification code passes, otherwise there is a vulnerability.
☆ whether the verification code is in the form of a picture and in a picture, not in the form of a picture or not in a picture indicates that there is a vulnerability.
☆ request 10 times to observe whether the verification code is randomly generated. If there is a certain rule (for example, the same verification code appears after 5 times), it indicates that there is a vulnerability.
☆ observe whether there are irregular points or lines on the background in the verification code picture. If the background is solid color (e.g. only white), it indicates that there is a vulnerability.
☆ whether the verification code becomes invalid immediately after authentication.
☆ the server cannot prompt accurate information for authentication errors, such as user name error, password error, etc.
☆ provide reasonable locking strategy.
☆ prevent authentication from being bypassed, such as SQL injection.
☆ after the user logs in, the identity information is no longer submitted by the client, but subject to the identity information saved in the server session information.
☆ session ID information cannot be carried in the URL.
☆ the page after login has a clear “exit” or “logout” button, and the session information should be cleared when logging out.
☆ horizontal ultra vires: an attacker attempts to access the resources of a user with the same permissions as him.
☆ vertical ultra vires: a low-level attacker attempts to access the resources of high-level users.
☆ there is no sensitive interface that does not need to be opened to the outside world or the interface has been subject to perfect authority control;
☆ it is forbidden to obtain sensitive directory or file information;
☆ all accesses to the directory cannot print out the file list;
☆ it is forbidden to access and download the backup of documents;
☆ it is not allowed to obtain documents that should not be obtained beyond authority.
☆ such as dirbuster scanning.
☆ database testing is the process of running the database to find errors and defects.
☆ database test methods are also divided into white box test and black box test.
☆ database black box test (whether the database table structure is reasonable; whether the data structure (such as data type and length) is correctly defined, and pay attention to whether the data structure is consistent with the data type and length in the input interface. If not, the database will report an error; Whether the relationship between tables is correct and whether the main foreign key is reasonable; Whether the index creation is reasonable; Whether the stored procedure function is complete, whether it can correctly accept the input and output the correct results; Whether the data can be inserted (added), updated and deleted correctly; Whether the definition of database operation authority is correct; Whether concurrent operations can be handled correctly; Whether the table level and column level integrity constraints are met; Whether the processing capacity, reliability, maintainability and performance of the database meet the requirements.)