How to do Cookies Testing

Below is a list of major scenarios for cookies testing of a website. Multiple test cases can be generated from
these scenarios by performing various combinations.

1. Check if the application is writing cookies properly or not.
2. Test to make sure that no personal or sensitive data is stored in the cookie. If it is there in cookies, it should be in encrypted format.
3. If the application under test is a public website, there should not be overuse of cookies. It may result in loss of website traffic if browser is prompting for cookies more often.
4. Close all browsers, delete all previously written cookies and disable the cookies from your browser settings. Navigate or use that part of web site which use cookies. It should display appropriate messages like "For smooth functioning of this site please enable cookies on your browser."
5. Set browser options to prompt whenever cookie is being stored / saved in your system. Navigate or use that part of web site which use cookies. It will prompt and ask if you want to accept or reject the cookie. Application under test should display an appropriate message if you reject the cookies. Also, check that if pages are getting crashed or data is getting corrupted.
6. Close all browsers windows and manually delete all cookies. Navigate various web pages and check and see if these web pages show unexpected behavior.
7. Edit few cookies manually in notepad or some other editor. Make modifications like alter the cookie content, name of the cookie, change expiry date etc. Now, test the site functionality. Corrupted cookies should not allow to read the data inside it.
8. Cookies written by one web site should not be accessible by other website.
9. If you are testing an online shopping portal, Check if reaching to your final order summary page deletes the cookie of previous page of shopping cart properly and no invalid action or purchase got executed from same logged in user.
10. Check if the application under test is writing the cookies properly on different browsers as intended and site works properly using these cookies. This test can be done on browsers like different versions of internet explorer, Mozilla Firefox, Netscape, Opera etc.
11. If the application under test is using cookies to maintain the logging state for users. Check if some id is being displayed in the address bar. Now, change the id & press enter. It should display an access denied message and and you should not be able to see other user's account.

THE GUIDE LINES TO BE FOLLOWED BY A TEST ENGINEER, SOON AFTER THE USE CASE DOCUMENT IS RECEIVED

1. Identify the module to which the use case belongs to.

 A: Security module.

2. Identify the functionality of the use case with the request of total functionality.

 A: Authentication.

3. Identify the actors involved in the use case.

A: Normal user/Admin user.

 4. Identify the inputs required for testing.

A: Valid and invalid user names and passwords.

 5. Identify whether the use case is linked with other use case or not.

 A: It is linked with Home page and Admin page use cases.

 6. Identify the pre conditions.

A: LOGIN Screen must be available.

7. Identify the post conditions.

A: Either Home page/Admin page for valid users, and error msgs for invalid users.

 8. Identify the functional points and prepare the functional point document.

UNDERSTAND:

9. Understand the main flow of the application.

10. Understand the alternative flow of the application.

11. Understand the special requirements.

 DOCUMENT:

12. Document the test cases for main flow.

13. Document the test cases for alternative flow.

14. Document the test cases for the special requirements.

15. Prepare the cross reference metrics or traceability metrics.

 

Functional Point: The point at which the user can perform some actions in the application can be considered as Functional Point.

Test Scenario: The situation where we can do testing.

There are 3 types of flow:

1. Main flow: Main page/Home Page.

2. Alternative flow: Error message page.

3. Exceptional flow: Server problems/Network problems.

Testing process related Documents:

Bug Report Template

Sample Template of Bug Report

Clck the image to enlarge view

Boundary Value Analysis & Equivalence Partitioning with examples

             Boundary Value Analysis

•      Black-box technique that focuses on the  boundaries of the input domain rather than its center
•          Whenever the engineers need to develop test cases for a range kind of input then they will go for boundary value analysis.

  BVA guidelines:

      

        1.     If input condition specifies a range bounded by values a and b, test cases should include a and b, values just above and just below a and b

      

      2.     If an input condition specifies and number of values, test cases should be exercise the minimum and maximum numbers, as well as values just above and just below the minimum and maximum values

3.     Apply guidelines 1 and 2 to output conditions, test cases should be designed to produce the minimum and maxim output reports

4.     If internal program data structures have boundaries (e.g. size limitations), be certain to test the boundaries

Equivalence Partitioning

• Black-box technique that divides the input domain into classes of data from which test cases can be derived
• An ideal test case uncovers a class of errors that might require many arbitrary test cases to be executed before a general error is observed
• Whenever the test engineer need to develop test cases for a feature which has more number of validation then one will go for equableness class partition. Which describe first divide the class of inputs and then prepare the test cases

Web Application UI Checklist

Web Application UI Checklist

Testing user interface for web application is slightly different from testing user interface of traditional applications. Irrespective of the web application there are certain things which should be tested for every web application. Following checklist will give some information on items that should be tested to ensure quality of the user interface of your web application.

COLORS

• Are hyperlink colors standard?
• Are the field backgrounds the correct color?
• Are the field prompts the correct color?
• Are the screen and field colors adjusted correctly for non-editable mode?
• Does the site use (approximately) standard link colors?
• Are all the buttons are in standard format and size?
• Is the general screen background the correct color?
• Is the page background (color) distraction free?

CONTENT

Test Summary Report

Test Summary Report

A test summary report is a testing work product that formally summarizes the results of all testing on an endeavour.

Why Required?

• Summarize all of the testing that was performed since the previous test summary report.
• Enable project management and the customer to know the status of project testing.

Benefits

Project Management and end customer can:

• Able to get project testing status
• Able to get application quality status
• Able to take corrective actions, if required

Guidelines

1.       A Test summary report should generated on regular basis

2.       It should be in metrics, charts and table forms, if possible

3.       Copy of each summary report should maintain until the build release. It can be kept on central location, for future reference

Security Testing Techniques

Application Access

It doesn’t matter if it is website of desktop application – all the options in access security are implemented by “Roles and Rights Management”. This is often has to be done implicitly when covering functionality: for example, the receptionist in the hospital is hardly concerned about the medical tests in the lab because his job is to register patients appointments. That’s why he has no access to the menus, forms and other information related to lab tests as his Role in the Hospital Management System is “Receptionist”.
How to test the access security? When testing this point of the security options all of the Roles should be checked. Tester should create the accounts with all possible Roles. Then he needs to use all of these accounts in order to be sure that every role has an access only to its own forms, menus and screens. If any access conflict is found, this issue should be logged with complete security.

Data Protection

There are three main aspects in data security. The first one is: the particular user should view or utilize only the data he is supposed to view and use. This option is also provided by roles and rights, for example the company’s telesales manager can only view the data about the available stock, but he doesn’t have any access to the information about how much raw materials was bought for production.

The second aspect is about how the data is stored in the database. You should understand that all the data which is sensitive must be encrypted in order to make it secure. Especially encryption should be very strong for such an important and sensitive data like passwords to user accounts, numbers of credit cards and other business information.

The third aspect is actually an extension of the second one. It is related to the information flows. When the flow of the sensitive data described above occurs in the application, the proper security level must be provided. It doesn’t matter if the information flow is between different modules of the application of between different apps, the data must be safely encrypted in order to protect it.

It’s not actually necessary to say that all the above aspects should be properly tested before using the application. First, the tester should query the DB for passwords to user accounts, clients billing info and other sensitive data. Then he should verify that all this data is thoroughly encrypted being stored in the database. The proper data encryption should also be checked when transmitting it between different forms and screens. After that the tester should verify if the data is successfully decrypted after reaching the destination. The sensitive information like accounts passwords shouldn’t be displayed within the submission form in any understandable format.

Brute-Force Attack

This technique is often done by different software tools. The main idea of it is that the system is trying to get a password match using the valid ID by attempting to login again and again. The most common example of the security technique against this kind of attack is account blocking for some period of time. This is used by such mailing services as Yahoo! or Hotmail. The user has a number of consecutive attempts (mostly 3 ones) to login the account. If these attempts fail, the system blocks the account for a while (the time of blocking varies from 30 minutes to 24 hours).
How to test: The first thing to do is to verify if the mechanism of account suspension is valid and working good. It is simple to check: the tester must try to login the account with invalid user IDs or passwords to make sure that the application successfully blocks the account which is being attempted to login with invalid registration data. If so, the application is secure about any kind of brute-force attack. In other case, there is a security vulnerability that must be reported.
The security aspects described below and also the ones we were talking about in the first part of the article should be taken both for web and desktop apps. The following aspects are related only to web applications.

SQL Injection And Cross Site Scripting (XSS)

These are the names of two similar hacking attempts, so we are going to discuss them together. The thing is that malicious scripts are often used by hackers for manipulating the website. That’s why if you want your site to be secure, you need some ways to immune against such problems. Actually, there are several ones. First, all the input fields must be limited by the number of symbols in order to prevent the attempts of inputting any script there. For example you should limit the field “Last Name” by 30 symbols, but not 255. Objectively there are some fields where large information input is  needed. For such kind of fields the data should be checked and validated before it is saved in the application. Besides in such fields any HTML or script tags should be disallowed. Moreover, in order to prevent XSS attacks, the system should reject any script redirects from all the untrusted and unknown apps.
How to test:The first thing to do is to get sure that all the lengths of all the fields are limited and implemented. Also the tester must get sure that defined length strikes off any script or tag input. Each of these aspects are easy to check, for example, if the defined length of the field is 20 and your input data is “<p>ghjgjghjgjhlkjejfmgmdngjrgk”, than you can verify both of the issues. The last thing to check is that the application doesn’t support anonymous access.

QTP INTERVIEW QUESTIONS 2

What are the Run modes in QTP?

There are 2 run modes in QTP
* Normal: It shows the execution of your QTP script step by step. This works good in case of debugging your script.
* Fast Run: It will not show the execution line by line.

What are the Debugging modes used in QTP?

Different Debugging modes used in QTP are
* Step Into: To run only the current line of the active test or component.
* Step Out: Runs to the end of the called action or user-defined function, then returns to the calling action and pauses the run session.
* Step Over: to run only the current step in the active test or component. When the current step calls another action or a user-defined function,the called action or function is executed entirety, but the called action script is not displayed in the QuickTest window.

What are the draw backs of QTP?

Disadvantages are
* QTP takes very long to open huge tests. Also CPU utilization becomes 100% in that case.
* QTP scripts are heavy as it stores all the html files (for active screen) as well.
* Block commenting is not provided till 8.2 version.

What are the extension of file..........

* Per test object repository: filename.mtr (Mercury Test Repository)
* Shared Oject repository: filename.tsr (Test Shared Repository)
* User Defined Libary File: filename .vbs
* Test Batch Runner File: filename .mtb
* QTP Recovery Scenarion File : filename .qrs

What are two types of automation in QTP ?