Web-Based Applications Testing

Post on 21-Dec-2015

Main Challenge in Web application testing:

• Learn the associated technologies to have a better command over the environment

• Need to know how Web technologies affect the interoperability of software components, as well as Web system as a whole

• How to approach the testing of Web-based applications – this requires being familiar with test types, testing issues, common software errors, and quality-related risks that are specific to Web applications

Source: “Testing Applications on the Web” by Hung Q. Nguyen; “Introducing Software Testing” by Louise Tamres

More Challenges

• Short release cycles

• Constantly changing technology

• Possible huge number of users during initial website launch

• Inability to control the user’s running environment

• 24-hour availability of the website

The quality of a website must be evident from the start. Any difficulty – whether in response time, accuracy of information, or ease of use – will compel the user to click to a competitor’s site. Such problems translate into lost users, lost sales, and poor company image.

Using the test design techniques we have discussed before helps define tests based on functionality, but this is just a subset of what web testing requires.

Many strategies used to test web-based systems originate from client-server applications.

Web Testing vs. Traditional Testing

In a traditional system, all of an application’s processes, except for user interface functions, occur on the main server computer. User interface functions take place on the dumb terminals that simply echo text from the main computer. No processing occurs on the terminals themselves. The network connects the terminals to the main computer. Users send data and commands to the system via keyboard inputs. Desktop PC applications can support either a text-based or graphic user interface.

Client/server systems, upon which Web systems are built, require a network and at least two machines to operate: a client computer and a server computer. In the majority of Web applications, a Web browser serves as the user interface on the client computer. In this Web application model, not only can either the client or the server handle some of the processing work, but server-side processes can also be divided between multiple physical machines.

A Web system may contain any number of Web servers, application servers, and database servers. A Web system may also include many other server types, such as e-mail servers, e-commerce servers, and user profile servers.

It is software, not hardware, that defines clients and servers. Clients are software programs that request services from other software programs on behalf of end users. Servers are software programs that offer services. A server may, and often does, become a client in the chain of requests.

Traditionally, hardware sits in a controlled environment, meaning that hardware and software are primarily supported by the same vendor.

A Web system consists of many clients as well as server hosts. The server side of a Web system may support a mixture of software and hardware and is therefore more complex from the configuration and compatibility perspectives.

Most client-server systems are data access applications. A client typically enables users, through the GUI, to send input data, receive output data, and interact with the back end. Clients of traditional client-server systems are platform specific: for each supported client platform, a client application is developed and tested for that target platform.

Most Web-based systems are also data access applications. The browser-based clients are designed to handle activities similar to those supported by a traditional client. The main difference is that the Web-based client runs in the context of a Web browser. Browser vendors need to create rendering engines and interpreters to translate and format HTML content, and many incompatibility issues are introduced among the various browsers and their releases.

From the application’s perspective, there is no need to develop platform-specific clients. If the HTML contents are designed to conform with HTML 3.0 standard, then your client application should run properly in any browser that supports HTML 3.0 standard from any vendor.

Typical Web System Architecture

(Diagram; only its labels survive.) An unprotected network reached through ISP 1 and ISP 2, with routers and firewalls at the edge; a DMZ holding Web servers and a cache (proxy server); a protected network and data center with LAN switches, protected Web servers, application servers, database servers, directory, DNS and RADIUS servers, and SAN storage; an agent on each server tier provides custom server agent feedback via a WebOS API, and ITM components sit at the router/firewall edge and on the local campus.

The environment in which a web application runs contains many components. The network administrator determines the actual configuration. The tester may need to understand a particular network setup in order to define some of the tests. The diagram above shows a typical configuration that contains the following:

1. The user views the website through a browser connected to the internet.

2. The website software can execute on the user’s browser, at the host web server connected elsewhere on the internet, or on an application server.

3. Firewall, which is a combination of software and hardware, exists to keep a network secure from intruders.

4. A proxy server is software whose purpose is to be the sole connection between a private network and the internet. A proxy server performs many functions that include preventing certain files from entering or leaving the network as well as improving performance by caching data.

5. Many web applications use a database to store the data necessary to run the website.

Web-based systems under testing should address:

• Uncontrolled user interface: compatibility issues with various browsers

• Complex distributed systems: most web-based applications are remotely accessed

• Security issues: protection is needed against unauthorized access and for customer information

• Handling customer traffic; customer volume

• Multiple layers in architecture: various servers to provide different services

• New terminology and skill sets: new skills are needed to develop and test web-based technology effectively

• Nonstandardized: because the technology is still maturing, there are few, if any, standards.

Web terminologies:

• HTML (HyperText Markup Language)

• Firewall

• Electronic commerce (e-commerce)

• Bandwidth

• Secure Socket Layer (SSL)

• Uniform Resource Locator (URL)

Common protocols used in web-based systems:

• HyperText Transfer Protocol (HTTP): used in browsers to transfer web pages and other related data between client and server across the internet

• File Transfer Protocol (FTP): used in browsers or applications to copy files between computers by downloading files from one computer to another

• Network News Transfer Protocol (NNTP): used in news reading applications to transfer USENET news articles between servers and clients

• Simple Mail Transfer Protocol (SMTP): used by e-mail applications to send e-mail messages between computers

• Dynamic Host Configuration Protocol (DHCP): used in server-based applications to allocate shared IP addresses to individual computers.

Functional and Usability Issues:

The first tests for a web application should focus on the site’s intended behavior. They cover:

• Functionality

• Usability

• Navigation

• Forms

• Page content

Functional testing

Functional testing involves making sure that the features which most affect user interactions work properly. These include:

• forms

• searches

• pop-up windows

• shopping carts

• online payments

Functional testing also evaluates the content of dynamically generated pages. These pages are created as users request them. Another aspect of functional testing is to verify the many behind-the-scenes features not readily apparent to the user, such as connections to legacy systems, connections to databases, connections to third-party applications, and business scenarios.

Usability testing

Usability testing assesses the website’s user friendliness and suitability by gathering information about how users interact with the site. The key to usability testing is to study what a user actually does. The main steps of usability testing are:

• Identify the website’s purpose

• Identify the intended users

• Define tests and conduct the usability testing

• Analyze the acquired information

Successful usability testing does not present only positives; it also shows the weaknesses in the design. These weaknesses can be as subtle as the amount of time it takes the user to complete the desired actions in a test case. Addressing these weaknesses early in the development process allows for more efficient product development.

Navigation testing

Good navigation is an essential part of a website, especially those that are complex and provide a lot of information. Key issues with navigation testing include:

• Moving to and from pages

• Scrolling through pages

• Clicking on all images and their thumbnails to ensure they work

• Testing all links for validity and correctness

• Ensuring no broken links exist

• Viewing tables and forms to verify proper layout, which can vary with different browsers

• Verifying that windows with multiple frames are processed as if each were a single-page frame

• Measuring load time of every web page

• Ensuring compatibility and consistent usage of buttons, keyboard shortcuts, and mouse actions.
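A link and image checker for the navigation tests above. This is an added example, not code from the deck: the site map, page HTML and host name are constructed for the demonstration, and a real run would replace the dictionary with fetched pages.

```python
"""Check every <a href> and <img src> on a site for broken internal targets (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed site: page URL -> HTML body, standing in for a crawl of a real site.
SITE = {
    "https://shop.example/": """
        <a href="/catalog">Catalog</a> <a href="about.html">About</a>
        <img src="/img/logo.png"> <a href="/catalog#top">Top</a>
        <a href="https://partner.example/deal">Partner</a>""",
    "https://shop.example/catalog": """
        <a href="/">Home</a> <a href="/cart">Cart</a> <img src="/img/missing.png">""",
    "https://shop.example/about.html": "<a href='mailto:help@shop.example'>Mail</a>",
    "https://shop.example/img/logo.png": "",
}


class LinkCollector(HTMLParser):
    """Collect link and image targets from one page, resolved against the page URL."""
    def __init__(self, base):
        super().__init__()
        self.base, self.targets = base, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            ref = attrs.get("href")
        elif tag == "img":
            ref = attrs.get("src")
        else:
            return
        if ref:
            url, _fragment = urldefrag(urljoin(self.base, ref))   # "#top" is the same page
            self.targets.append((tag, url))


def check_site(site, internal_host):
    """Return {'broken': [(page, tag, url)], 'external': [url]} over every page in site."""
    report = {"broken": [], "external": []}
    for page, html in site.items():
        collector = LinkCollector(page)
        collector.feed(html)
        for tag, url in collector.targets:
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https"):
                continue                           # mailto:, tel: etc. need a separate test
            if parsed.netloc != internal_host:
                report["external"].append(url)     # external links are checked live elsewhere
            elif url not in site:
                report["broken"].append((page, tag, url))
    return report
```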

Form testing

Websites that use forms need tests to ensure that each field works properly and that the form posts all data as intended by the designers. Testing of forms includes:

• Using the tab key to verify that the form traverses fields in the proper order, both forwards and backwards

• Testing boundary values

• Checking that forms trap invalid data correctly

• Verifying that the form updates information correctly
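Boundary-value cases for the form tests above, as an added example that is not from the deck. The field rules (a 3 to 20 character user name, a quantity from 1 to 99) and the deliberately sloppy validator are assumed for the demonstration; the point is that the cases just outside each limit are what catch the off-by-one.

```python
"""Generate boundary cases for form fields and report where a validator disagrees (added example)."""
import re

# Hypothetical field rules for a checkout form; the limits are assumed, not from the deck.
FIELD_RULES = {
    "username": {"min_len": 3, "max_len": 20, "pattern": r"[A-Za-z0-9_]+"},
    "quantity": {"min": 1, "max": 99},
}


def validate(field, value):
    """Server-side validator a form is expected to have; True when the value is accepted."""
    rule = FIELD_RULES[field]
    if "pattern" in rule:
        return (rule["min_len"] <= len(value) <= rule["max_len"]
                and re.fullmatch(rule["pattern"], value) is not None)
    if not re.fullmatch(r"-?\d+", value):
        return False                     # non-numeric input is trapped instead of being cast
    return rule["min"] <= int(value) <= rule["max"]


def sloppy_quantity(value):
    """A typical off-by-one validator; int() also silently strips surrounding whitespace."""
    try:
        return 0 <= int(value) < 100
    except ValueError:
        return False


def boundary_cases(field):
    """Yield (value, expected_valid) pairs just below, at and just above each limit."""
    rule = FIELD_RULES[field]
    if "pattern" in rule:
        lo, hi = rule["min_len"], rule["max_len"]
        for n, ok in ((lo - 1, False), (lo, True), (lo + 1, True),
                      (hi - 1, True), (hi, True), (hi + 1, False)):
            yield "a" * n, ok
        yield "", False                  # empty submission
        yield "a" * lo + "<b>", False    # markup in a name field must be rejected
    else:
        lo, hi = rule["min"], rule["max"]
        for v, ok in ((lo - 1, False), (lo, True), (lo + 1, True),
                      (hi - 1, True), (hi, True), (hi + 1, False)):
            yield str(v), ok
        yield "1e2", False               # looks numeric, still invalid for an integer field
        yield " 5", False                # leading whitespace is not a clean integer


def run_boundary_tests(field, validator=None):
    """Return (value, expected, actual) for every case where the validator disagrees."""
    check = validator or (lambda v: validate(field, v))
    return [(v, ok, check(v)) for v, ok in boundary_cases(field) if check(v) != ok]
```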

Page content testing

Each web page must be tested for correct content from the user’s perspective. There are two categories: 1) ensuring that each component functions correctly; 2) ensuring that the content of each component is correct.

The first category of tests includes:

• All images and graphics display correctly across various browsers

• All content is present per requirements

• Page instructions are consistent across browsers

• Critical pages maintain the same content from version to version

• All parts of a table or form are present and in the right place

• Links to relevant content inside and outside of the site are correct

• “Mouse over” text objects are correct

• Web pages are visually appealing

Since most websites undergo continual changes in content, tests must make sure that these changes have no adverse effect on the whole site. Regression testing consists of running existing tests to verify that the site still works as expected.

Configuration and compatibility testing

For both the user and the web application, hardware settings and configuration also affect the environment. CPU types, RAM, graphics display cards, video capture cards, sound cards, network cards and connection types may all affect the appearance of a web page. The goal of configuration and compatibility testing is to ensure that the application functions correctly across the internet.

When writing test cases for configuration testing, keep in mind that different environment and configuration setup issues can affect the user’s experience. Good requirements provide answers about user configurations and setups, which can be used to develop appropriate test cases.

Compatibility testing ensures product functionality and reliability on the supported browsers and platforms that exist on the customer’s computer.

Reliability and availability

A key requirement of a website is that it be available whenever the user requests it, often 24 hours a day, every day. To assess availability, testers must build tests around anticipated usage spikes, such as promotional campaigns and sales for store applications, or month-end and quarter-end dates for banking cycles.

Testers must also check for resource issues, such as memory leaks and database limitations, that can degrade performance or even bring the application to a halt.

It is important for testers to be aware of the architecture of the system in order to conduct adequate availability and reliability testing. For example: if the system contains 2 web servers for load balancing, the tester must be able to report the performance of the system with only one web server to make sure that the website can continue to perform at a reduced but acceptable level.

Security testing

In a Web or network environment, a security hole is an exposure in the hardware or software that allows unauthorized users to gain increased access privileges without going through the normal authorization process. Here are some of the common vulnerabilities:

• Software bugs: for example, a buffer overflow, which allows malicious code to be executed on the client machine.

• JavaScript (or other scripting languages): a malicious script can be attached to a request you send to a Web server, such as a URL or a database query, while you are navigating to a link in a Web page from an untrusted site. When the Web server responds to your request, the unwanted script tags along and is now in your browser to do damage.

• Denial-of-service attacks: bombarding servers with so many bogus requests or e-mail messages that the servers are unable to process any legitimate requests that come in.

• Spoofing: the act of deceiving by assuming a different identity for the purpose of stealing information.

• Viruses and worms

The most common security technologies that are employed by Web-based systems are:

• Encryption: note that encryption does not prevent the theft of information; it simply ensures that information cannot be read by anyone other than its intended recipient.

• Authentication

• Digital Certificates

• Firewalls

• Authorization

General Testing Considerations:

• One testing objective should be to gather configuration-related issues for the technical support knowledge base

• Does the Web system have an auto log-off feature?

• Does the Web system implement and enforce frequent password changing?

• If security is controlled at the application server level, rather than the database server level, has the application server’s security logic been tested to see if user access is properly enforced?

• Has any security-related testing been performed on third-party applications or components integrated with the Web system?

• How many consecutive failed logins are allowed? Is this feature configurable by a user?

• When the number of failed logins is exceeded, how does the application respond?

• Are user names and passwords stored in an encrypted format?

• Have you tried to cut and paste the user name and password?

• Have you tried to bypass the login procedure by using a bookmark, a history entry, or a captured URL?

• Have you tested logging in using HTTP as well as HTTPS?

• Are the user name and password encrypted at the application level?

• Are all authorized users able to access the system?

• If an unauthorized login is attempted, how easily can this be done?

• When the user must periodically change passwords, are old passwords deactivated when new ones are chosen?

• Do expiration-based user accounts expire as expected?

• Are outdated user account features removed and deactivated completely and correctly?

• Are users granted excessive database privileges? Can special access privileges be granted?

• Can special access to database privileges be limited to specific terms?

Thoroughly verifying a website’s security requires special knowledge of information technology. Often, security experts from outside the organization will assess security matters that pertain to browser settings, security protocols, firewalls, cryptography, and the malicious use of cookies, viruses and ActiveX controls. Although average testers may lack expertise in these areas, testers can effectively evaluate certain situations such as logins and online payments.
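The lockout, password-change and account-expiry questions in the checklist above can be exercised against a model of the login logic. This is an added example, not code from the deck: the limit of five failed logins, the 90-day password age and the PBKDF2 round count are assumed values, time is passed in as a day count to keep the model small, and passwords are stored as salted one-way hashes rather than the reversible encryption the checklist wording suggests.

```python
"""Model of the login controls the security checklist asks about (added example, not from the deck)."""
import hashlib
import hmac
import os

MAX_FAILED_LOGINS = 5        # assumed policy value
PASSWORD_MAX_AGE_DAYS = 90   # assumed policy value
PBKDF2_ROUNDS = 100_000      # kept modest so the checks run quickly


def hash_password(password, salt=None):
    """Salted one-way hash for storage (not reversible encryption); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, username, password, now, expires_at=None):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set_at = now      # day count
        self.expires_at = expires_at    # None: the account itself never expires
        self.failed_logins = 0
        self.locked = False

    def change_password(self, new_password, now):
        # A fresh salt and digest leave nothing that the old password still matches.
        self.salt, self.digest = hash_password(new_password)
        self.password_set_at = now
        self.failed_logins = 0

    def login(self, password, now):
        """Return one of: ok, locked, expired, password_expired, bad_password."""
        if self.locked:
            return "locked"
        if self.expires_at is not None and now >= self.expires_at:
            return "expired"
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.locked = True      # lockout once the failed-login limit is reached
                return "locked"
            return "bad_password"
        self.failed_logins = 0
        if now - self.password_set_at > PASSWORD_MAX_AGE_DAYS:
            return "password_expired"   # forces the periodic change before access
        return "ok"
```

Each checklist question becomes a scenario: count the failures until the response changes to "locked", confirm the correct password no longer helps afterwards, change a password and try the old one, and log in past the account or password expiry date.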

Performance Testing

One of the key benefits of Web applications is that they allow multiple users to access system resources simultaneously. Multiple users may request different services and gain access to varying features all at the same time. It is essential to the success of a Web system that it be able to perform critical functions during periods of peak user activity. In evaluating multi-user support capabilities, three types of tests are commonly conducted:

• Performance

• Load

• Stress

Performance testing is an information gathering and analyzing process in which measurement data are collected to predict when load levels will exhaust system resources.

Load testing evaluates system performance at a predefined load level. Load testing measures how long it takes a system to perform various program tasks and functions under normal, or predefined, conditions.

Stress testing evaluates the behavior of systems that are pushed beyond their specified operational limits. It evaluates responses to bursts of peak activity that exceed system limitations.

The terms performance test and load test are often used interchangeably; both simulate regular user activity, whereas stress tests push the system past its breaking point. System components that break are subsequently investigated and reinforced.

Performance, load and stress tests use actual or simulated workload to exhaust system resources, such as:

• Memory (physical, virtual and storage)

• CPU time

• TCP/IP addresses

• Network bandwidth

• File handles

Performance, load and stress tests involve the evaluation of three primary elements:

• System environment and available resources

• Workload

• System response time
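A minimal load and stress driver for the three test types above, added here and not from the deck: the back end is simulated by a pool of four resources (for example file handles or database connections) and a fixed service time, both assumed values; a real run would replace the sleep with the HTTP request under test. It records the response time at each load level and reports the first level at which the worst response breaks the threshold, which is where the load test turns into a stress test.

```python
"""Load and stress driver that exhausts a simulated resource pool (added example, not from the deck)."""
import threading
import time

SERVICE_TIME = 0.1   # seconds a request holds one pooled resource; assumed value
POOL_SIZE = 4        # resources available (file handles, DB connections); assumed value


def run_load_test(users, pool_size=POOL_SIZE, service_time=SERVICE_TIME):
    """Fire `users` simultaneous requests at the simulated back end; return timing stats."""
    pool = threading.BoundedSemaphore(pool_size)   # the exhaustible resource
    response_times = []
    lock = threading.Lock()

    def request():
        started = time.perf_counter()
        with pool:                                  # blocks while the pool is exhausted
            time.sleep(service_time)                # stand-in for the real request
        with lock:
            response_times.append(time.perf_counter() - started)

    threads = [threading.Thread(target=request) for _ in range(users)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"users": users, "max": max(response_times),
            "mean": sum(response_times) / len(response_times)}


def find_breaking_point(levels, threshold, **kwargs):
    """Step up the load; return the first level whose worst response time reaches threshold."""
    for users in levels:
        if run_load_test(users, **kwargs)["max"] >= threshold:
            return users
    return None                                     # the system held at every level tried


if __name__ == "__main__":
    for level in (2, 4, 8, 16):
        print(run_load_test(level))
    print("breaking point:", find_breaking_point((2, 4, 8, 16), threshold=1.5 * SERVICE_TIME))
```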