20 Days Of Web Testing > Http and https

Why?

When transmitting private and confidential data over the Internet it should always be secured and encrypted so that prying eyes on the network cannot see the data being sent.

This mechanism typically uses the https protocol.

 

Hypertext Transfer Protocol Secure (HTTPS) is a widely-used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. – Wikipedia

 

If you are transmitting data and you are using the http protocol then it is not secure.

Hence, anyone can intercept the message and read the contents. Perfect for a “man in the middle” attack.

And that’s where you, as a Tester, come in.

 

How?

The easiest way to check whether the site you are connected to is secure is to check the browser address bar and look for https.

A padlock to symbolize that the connection is secure will also be shown.

There are a growing number of add-ons, extensions and tools for checking secure connections.

 

If the site is not HTTPS secured then you can use a web proxy tool to intercept the messages between the web client (browser) and the web server.

You can intercept the messages using tools such as Burp Suite (and many others).

Messages can be intercepted in both directions: from the client to the web server, and from the web server back to the client.

 

Once you have intercepted the messages using a proxy tool you can then do a number of different tests and attacks.

You could extract information from the message and see whether there is anything personal or private in it. It may provide minor clues or snippets of information that could be used for Social Engineering attacks.

You could delete the message and see what happens to the system. Do you lose information, lose states, break the client, break the server, handle it gracefully, or do nothing?

You could forward the message to the server with different values. There are countless examples where the price of goods to be purchased is included in the message unencrypted. A quick change and you could get goods for whatever price you want.
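The usual defence against the price change described above is for the server to price the order itself and treat any price in the message as untrusted. The sketch below is an added example, not code from the original post; the catalogue, SKU names, message layout and function names are assumptions made up for illustration.

```python
import json
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's own price list, keyed by SKU (assumed names).
CATALOGUE = {"SKU-1001": Decimal("49.99"), "SKU-2002": Decimal("5.00")}
MAX_QUANTITY = 100  # assumed business limit per order line


class OrderRejected(ValueError):
    """The message cannot be priced safely and must not be processed."""


def _same_price(claimed, server_price):
    """Compare a client-supplied price with the catalogue without trusting its type."""
    try:
        return Decimal(str(claimed)) == server_price
    except InvalidOperation:
        return False


def price_order(raw_body, catalogue=CATALOGUE):
    """Return (total, warnings) for an order message.

    The total is built only from catalogue prices. A "price" field sent by the
    client is compared with the catalogue so a mismatch can be logged, but it
    never feeds into the total.
    """
    try:
        order = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise OrderRejected("body is not valid JSON") from exc
    items = order.get("items") if isinstance(order, dict) else None
    if not isinstance(items, list) or not items:
        raise OrderRejected("order has no items")

    total, warnings = Decimal("0"), []
    for line in items:
        if not isinstance(line, dict):
            raise OrderRejected("order line is not an object")
        sku, qty = line.get("sku"), line.get("quantity")
        if not isinstance(sku, str) or sku not in catalogue:
            raise OrderRejected(f"unknown sku: {sku!r}")
        # bool is a subclass of int in Python, so rule it out explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
            raise OrderRejected(f"bad quantity for {sku}: {qty!r}")
        server_price = catalogue[sku]
        if "price" in line and not _same_price(line["price"], server_price):
            warnings.append(
                f"{sku}: client sent price {line['price']!r}, catalogue says {server_price}"
            )
        total += server_price * qty
    return total, warnings


# Constructed messages: what the client sent, and the same message after the
# price field was edited in a proxy.
ORIGINAL = '{"items": [{"sku": "SKU-1001", "quantity": 2, "price": "49.99"}]}'
TAMPERED = '{"items": [{"sku": "SKU-1001", "quantity": 2, "price": "0.01"}]}'

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("tampered", TAMPERED)):
        order_total, order_warnings = price_order(body)
        print(label, order_total, order_warnings)
```

Both messages are charged the same total; the edited one additionally produces a warning that can be logged or raised as a bug.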

Intercepting messages is not just about security breaches and attacks.

There are loads of examples in most web systems where missing messages can cause grief.

Explore and learn from each test that you do and you will soon build up experience of what works and what doesn’t. I often find that each test leads to new ideas when using proxies to intercept messages.

 

Useful Hint

In many “test environments” https security may not be enabled and configured (but it will be on live) so double check before generating bugs.  Just make sure it’s on when the site goes live.
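Before go-live, one way to confirm that nothing private still travels over plain http is to run a check over the traffic your proxy captured. This is an added example, not part of the original post; the capture format (a list of simplified request records), the host name and the list of sensitive field-name hints are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Substrings that suggest a field carries something private (assumed list; tune per application).
SENSITIVE_HINTS = ("pass", "pwd", "card", "cvv", "token", "session", "email")
FORM_TYPE = "application/x-www-form-urlencoded"


def _sensitive(names):
    """Return the field names that look sensitive, in first-seen order, without duplicates."""
    seen = []
    for name in names:
        if name not in seen and any(hint in name.lower() for hint in SENSITIVE_HINTS):
            seen.append(name)
    return seen


def audit_capture(entries):
    """List sensitive-looking fields that were sent over plain http.

    Only field names are reported, never their values, so the findings can be
    pasted into a bug report without leaking the data again.
    """
    findings = []
    for entry in entries:
        parts = urlsplit(entry["url"])
        if parts.scheme != "http":
            continue  # https requests are encrypted in transit
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        sources = {"query": [n for n, _ in parse_qsl(parts.query, keep_blank_values=True)]}
        if headers.get("content-type", "").lower().startswith(FORM_TYPE):
            body = entry.get("body", "")
            sources["body"] = [n for n, _ in parse_qsl(body, keep_blank_values=True)]
        if "cookie" in headers:
            cookies = headers["cookie"].split(";")
            sources["cookie"] = [c.partition("=")[0].strip() for c in cookies]
        clean_url = f"{parts.scheme}://{parts.netloc}{parts.path}"  # drop the query string
        for where, names in sources.items():
            for name in _sensitive(names):
                findings.append({"url": clean_url, "where": where, "field": name})
    return findings


# Constructed capture: four requests as a proxy might record them.
CAPTURE = [
    {"method": "POST", "url": "http://shop.example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=rob&password=not-a-real-password"},
    {"method": "GET", "url": "https://shop.example.test/account?session_id=abc123",
     "headers": {}},
    {"method": "GET", "url": "http://shop.example.test/basket?item=42",
     "headers": {"Cookie": "SESSIONID=xyz789; theme=dark"}},
    {"method": "GET", "url": "http://shop.example.test/img/logo.png", "headers": {}},
]

if __name__ == "__main__":
    for finding in audit_capture(CAPTURE):
        print(finding)
```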

 

Useful Links

Good security for web checklist – http://www.techrepublic.com/blog/security/ensure-basic-web-site-security-with-this-checklist/424

Differences between http and https – http://www.virtu-software.com/ask-doug/QandA.asp?q=7

Another differences post – http://www.wisegeek.com/what-is-the-difference-between-http-and-https.htm

Burpsuite – http://portswigger.net/burp/

—-

If you want to talk Testing – catch me later this year at EuroSTAR conference.

 

20 Days Of Web Testing > Is the HTML valid?

Why?

HTML is the main underlying markup language of websites and other web delivered content.

Poorly constructed HTML can lead to bugs, rendering issues, browser compatibility issues and poor accessibility compliance, so it’s a good area to look for when web testing.

Adherence to standards can also help to ensure your site is future proof too.

There are many sites that don’t adhere to the typical HTML standards including some high profile sites. Reasons for non-compliance to standards are often cited as speed and cross browser support (which is ironic since HTML standards are aimed at ensuring cross browser conformance) but that’s something I’m not digging deeper into here.

I’m struggling to find a WordPress template that adheres to accessibility and html standards also – I’m working on it 🙂

 

Suffice to say that it would be prudent to run a basic HTML compliance check using one of the many tools available.

It will give you a starting point for discussion anyway, whether your business decide to fix the issues or not.

 

How?

Tools like HTML Validator Firefox extension will help you validate as you test.

There are also several validators online that give you quick feedback on the validity of the HTML under test.

These validators will give you information on what part of the HTML is failing validation and also pointers as to what can be done about it.

 

Useful Hint

How about encouraging the programmers on your team to install development IDE compliance checkers if they are available. This is the ultimate early warning against HTML validation errors.

 

Useful Links

Good post on why you should validate – http://www.stevefenton.co.uk/Content/Blog/Date/201108/Blog/Do-I-Need-To-Validate-My-HTML

The W3C validator – http://validator.w3.org/

HTML Validator – https://addons.mozilla.org/en-US/firefox/addon/html-validator/

FireWeasel – https://addons.mozilla.org/en-US/firefox/addon/fireweasel/


 

20 Days Of Web Testing > Compliance and Claims

Why?

Often a product has a release process where some collateral is put together to explain why the product is so good and what features it has.

This material (in any format or medium) may contain some claims about features, performance or adherence to compliance, as too might the specifications and user stories.

As a tester it’s a good idea to find out, as early as possible, what this material is claiming.

You may be lucky enough to have these claims and compliance statements represented in user stories or specifications; often, though, they are not aligned directly with the product team’s work.

Once you have this information you can start to test against these claims.

 

For example:

  • Our product is compliant with X standard ← Really?
  • Our product is the fastest on the market ← Really? How is that proven? Where is the data?
  • Our product is incredibly secure ← Really?

 

How?

Take each claim and compliance and jot down any questions that spring to mind.

It might be as simple as speaking to the product/marketing/management team, or researching each compliance regulation.

Ask questions, seek out more information and always discuss these findings with product/development (the person in charge of releasing stuff).

It could be that all of your questions and concerns fall on deaf ears, in which case give the product a test and find evidence for/against each claim.

Present this to the people that matter, but obviously use judgment on where you spend your time most valuably.

 

Useful Hint

If you are testing against standards and laws it might be worth popping a question on user forums or social channels like Twitter (use the #softwaretesting or #testing hashtags). There are probably loads of people working within compliance standards who would be happy to help you.

 

Useful Links

http://curioustester.blogspot.co.uk/2009/12/claims-testing.html

http://www.bettertesting.co.uk/content/?p=613


 

Coursera – Great opportunity to bag some learning

I’ve just finished my 7 week course with Dr Chuck on Internet History, Technology and Security.

I’ve also just signed up for another 5 courses over the next 9 months.

What’s Rob talking about?

I’m talking about courses delivered free through the very excellent Learning Management System called Coursera.

One of my team, Kevin, told me about it and I signed up straight away. I signed up for Dr Chuck’s course as it sounded perfectly suited to my work and my chosen career. It was an exceptional experience. Here’s some thoughts:

There are too many courses to choose from
I struggled to keep my choices down to just one at a time. It’s not possible for me to do more than one course at a time – I simply don’t have time, but for those who are time-rich there is nothing to stop you taking multiple courses.

The delivery suits my learning approach
The lessons are delivered via recorded video lectures/sessions run by the course leader. In this case Dr Chuck sat in front of the camera and worked through some ideas using slides, videos and images. He was able to annotate the material to explain and add extra information.

He also included lots of video interviews and other clips to explain ideas or tell stories.

You can pretty much watch these videos at your own leisure throughout the course.

The exams are not rigorous
The tests are multiple choice and the only thing stopping you looking up the answers elsewhere is how honest you are at abiding by the honour code. There was one peer reviewed assignment which seemed to go well, but the ones I marked varied, mostly due to the understanding of the question (I believe).

The exams are not compulsory. I actually like it this way as I can sit the exams but not get stressed and hung up on the pass/fail element. I learn by soaking up the information and making copious notes.

It took longer than the suggested commitment
I think the estimated time to attend the course was about 4 hours per week. I found it took a little over that, depending on whether you watched/researched the extra material.

I typically worked on the course each lunch time Tue > Thu and early morning Mon and Fri. This suited my time lifestyle. You can make it work as you see fit.

There is a community
Surprisingly for a Social Tester I didn’t do much socialising with the community that built online around the course. I think at one point there were 30k people signed up. I’m not sure how many finished it.

The wiki and meetups that happened around the course looked interesting but I just didn’t feel the need to get involved. I can’t put my finger on why not though…

 

I thoroughly enjoyed the course. I learned loads, felt like I got real value (IT’S FREE!!!) and have signed up for many more courses.

I don’t expect they will all be as good as each other, but if it’s not enjoyable, or too easy/hard then you can drop out and pick up something else. It’s a great way of learning more about a variety of subjects.

I’ve got Social Network Analysis up next, followed by How To Reason And Argue, Critical Thinking and then an Introduction To Sociology. There’s loads of stuff to learn.

If you’re interested in more on the courses visit http://www.coursera.org/

We are all on a journey

At some time or another we all lose sight of the fact that each and every single one of us is on a journey.

Life is a journey. Your careers and jobs are just one part of that bigger journey.

 

 

  • Some people take more control of this journey than others.
  • Some people have more opportunities to take control than others.
  • Some people are further along their journeys than others.

There are many factors that affect the journey you are on.

These could include some of the following:

  • Your personality
  • Your location
  • Your cultural background
  • Your mindset
  • Your boss
  • Your company
  • Your family
  • Your desires and needs
  • Your passion for the job
  • Your peers
  • Your awareness of the industry
  • Your mentors
  • Your heroes
  • Yada yada

The list goes on, and on, and on.

Some people are more open to new ideas, new challenges and new opportunities. This often gives them a wider choice of potential paths.

 

This opens up great opportunities, but it can also open up choices which are hard to make.

Some people are further behind on their journey than others. That doesn’t make them “rubbish” or “stupid” or “not part of our group”. It just means they are on a different path, are in a different place on a path and maybe they haven’t yet reached a similar path choice that you have gone down.

10 years ago I was on a path of scripted testing, no exploration and all of this in a waterfall death march environment. I’ve heard people say recently, that testers in these environments are “rubbish”…….really? Why?

I’m a better tester now for sure, but I’ve never considered myself “rubbish” – I’ve just gained wider insights and more experience from the paths I have chosen (or been forced down) in my career and life.

Some people choose alternative paths for a variety of reasons. That’s their choice, not ours. They may want different things from their careers. They may want different outcomes. They will have different personalities than we have.

Some people follow career paths that don’t seem logical, that wind and dip and move backwards.

 

In the end though, they too are on a journey. And that messiness and sporadic direction of travel may suit them well.

In the testing (and wider development community) we are all too quick to assume that someone is rubbish, or inferior, simply because they are on a different path, have not had access to the opportunities we may, may not show any interest in progressing beyond “enough” and may not even be aware of alternative routes they could take.

The work someone did a few years back is often still deeply associated with that person, even though their current work may actually be very good. Work some people do now may be of the same standard that we ourselves may have been doing 4 or 5 years ago.

We’ve grown and taken paths which lead us to now, they may do the same too. In 4 years time they may be doing the same standard of work as we are doing now.

Don’t get me wrong. There are testers who are better than others in certain environments. Or achieve higher marks using whatever yardsticks for measure you are using. There are testers I would hire and who I wouldn’t. But there are also good testers who are right for one context and not for another.

There are testers who, with the right help and support, could become outstanding testers. There are good testers who may not get that help and support…..

There are many routes and paths through our testing careers. The path you choose will not be the one I choose. And that’s ok.

It’s easy to point at someone else and say they are rubbish because they work in X way, or don’t have X skills.

It’s harder to acknowledge the reasons why they are at a certain point on their career journey, to establish whether there really is a problem with them being there (or even if it’s any of your business) and then to support, help and share to guide them down a path they want to go on.

20 Days Of Web Testing > Browser Extensions

Why?

Each of the main browsers on the market has the capability to add in extra features and functions through the form of add-ons (sometimes known as extensions or plugins).

As a Tester these add-ons are invaluable at helping you gain insight as you test. There are too many to list here, but I’ve included some of my favourites here for the popular browser Firefox.

(Note: the URLs sometimes change and some of these extensions come and go. If the link doesn’t work a quick search should find it)

 

Selenium IDE

http://seleniumhq.org/projects/ide/

Web automation.

Fast becoming an industry standard tool. This is the IDE version.

Visit http://seleniumhq.org/ for more information on other tools in the set like Selenium Grid.

 

IE Tab

https://addons.mozilla.org/en-US/firefox/addon/1419

Flips your Firefox tab into Internet Explorer mode.

 

Firesizer

https://addons.mozilla.org/en-US/firefox/addon/5792

Re-sizes your window to different screen sizes

 

Fire cookie

https://addons.mozilla.org/en-US/firefox/addon/6683

Allows you to see and manage cookies through the Firebug add-on.

 

Delicious

https://addons.mozilla.org/en-US/firefox/addon/3615

Social bookmarking add-on.

Never lose a site of interest again and share them with the community too.

Perfect for bookmarking testing sites, information, snippets and blogs.

 

Clear Cache

https://addons.mozilla.org/en-US/firefox/addon/1801

Clears out the cache within the browser at the click of a button.

 

Copy Plain Text

https://addons.mozilla.org/en-US/firefox/addon/134

Copies any text from the browser into a plain text format, losing all formatting.

 

Fiddler Hook

http://www.fiddler2.com/fiddler2/addons/fiddlerhook/

Firefox add-on for integrating with fiddler (a debugging tool).

 

Download Status

https://addons.mozilla.org/en-US/firefox/addon/26

Shows your downloads in a toolbar at the bottom of the browser window.

Keeps it nice and tidy and easy access to your downloads.

 

Xmarks

https://addons.mozilla.org/en-US/firefox/addon/2410

Allows you to save your bookmarks and sync them between browsers on different machines. Works across browsers too. This is great if you test on several different machines. It means you can save your bookmarks once and find them on other browsers you have synched.

 

W3C Page Validator

https://addons.mozilla.org/en-US/firefox/addon/2250

Check your page against W3C standards and compliance.

 

Pencil

https://addons.mozilla.org/en-US/firefox/addon/8487

Great for screen mocks and notes.

 

SQL Injection

https://addons.mozilla.org/en-US/firefox/addon/6727

Does exactly as the name suggests

 

Quick Restart

https://addons.mozilla.org/en-US/firefox/addon/3559

Restarts Firefox maintaining all tabs and open docs when it launches it again.

 

Firebug

https://addons.mozilla.org/en-US/firefox/addon/1843

How can you test websites without this one?

 

Regular Expressions Tester

https://addons.mozilla.org/en-US/firefox/addon/2077

Tool for testing and creating regular expressions.

 

Quick Locale Switcher

https://addons.mozilla.org/en-US/firefox/addon/1333

Good extension allowing for quick switching between browser locales.

 

Http Fox

https://addons.mozilla.org/en-US/firefox/addon/6647

Good tool for analyzing the http traffic through your browser.

 

TAW3

https://addons.mozilla.org/en-US/firefox/addon/1158?src=api

Accessibility checking tool. Awesome.

 

Firefox Accessibility Tools

https://addons.mozilla.org/en-US/firefox/addon/5809?src=api

Accessibility compliance checking tool.

 

This is barely scratching the surface but you can already start to imagine how useful some of these would be for your testing. Add-ons allow you to be more efficient with your time, perform tests you might normally not be able to and allow you to let the tools do the hard work.

These are obviously for Firefox, but some of these also exist for Chrome and other browsers.

How?

Open Firefox > Tools > Add-ons > Extensions and then search for, and download each add-on. (or copy and paste the links above)

Each tool will work in different ways but the documentation on the site is normally pretty good.

 

Useful Hint

Did you know you could make Firefox quicker to load? Do the following (only really for those with broadband):

  • Type “about:config” into the address bar and press return
  • Say “yes” to the “I’ll be careful” message
  • Create a new Integer by right clicking and then choosing New > Integer.
    • Call it “nglayout.initialpaint.delay”
    • Set its value to “0” (this will now tell Firefox to wait for zero seconds before acting on the information it is receiving)
  • Type “network.http” in the filter field
  • Set “network.http.pipelining” to “true” (Double click to switch the value)
  • Set “network.http.proxy.pipelining” to “true” (Double click to switch the value)
  • Set “network.http.pipelining.maxrequests” to a number. (Double click to edit) Try setting it to 20. (This number is the number of requests the browser can make at one time)

 

Useful Links

Main extensions website for Firefox – https://addons.mozilla.org/en-US/firefox/extensions/

Chrome extensions – https://chrome.google.com/webstore/category/extensions/

Opera extensions – https://addons.opera.com/en/addons/extensions/

Safari extensions – http://extensions.apple.com/

Cool hacks to Firefox like making it quicker – http://www.lifehack.org/articles/technology/15-coolest-firefox-tricks-ever.html

 


 

What shape are you?

One of the most basic ideas around test automation is the automation triangle. I have no idea who came up with the triangle, but they did a great job of abstracting out a lot of detail and fluff and ending up with a simple way of describing a fairly generic automation strategy.

Here’s the triangle:

As you can see it’s split into three sections. Each section (working from bottom to top) gets smaller. This signifies the amount of coverage/depth that should be given to each of the areas described in the sections.

So we can see that there should be a greater amount of Unit Tests than UI tests. In fact, the triangle shows that a strategy of having a large number of Unit Tests, a smaller amount (or coverage) of Integration Tests and a small coverage with UI tests is a good strategy.

I kind of agree. UI tests are often brittle and slow to run so it’s a good idea to have as few as possible. Unit tests are quick to run and can test a large amount of the code base so it makes sense to have a lot. Unit tests don’t tell the full picture so it makes sense to have a significant number of Integration tests to make sure things work well together and that the user expectations are being met.

This approach will not work for every single environment. It’s not always possible to have an approach like this, but the image itself and the theory it represents is a good starting point for a discussion.

We’ve talked a lot about this triangle recently at work. We’ve got a way to go to get to where we want to be, but we use this triangle theory as a way to describe the direction we are heading in. It’s become a common way of talking about our automation approach. We feel this approach of having fewer UI tests is good. It “feels” like it will work for us. We may however, change our minds and adapt as we go. That’s what we do.

We joked about the different shapes our automation approach *could* have been in.

It got me thinking and I chatted with a few people in other companies. They too joked about the state of their automation. Behind the jokes though we saw that each company had a different approach and that each approach, although not ideal, was working…..for now.

Each person I spoke to was trying to achieve roughly the same ideas as the triangle theory. Less UI, more Unit and a heavy dose of Integration. Some had further to go than others. And just like us they felt they were heading in the right direction.

One person described their automation strategy as being disjointed.

Another as being a complete disaster.

“A mass of spaghetti” was another comment.

“Not so sure”

What shape is your automation in?

20 Days Of Web Testing > Web Accessibility

Why?

Very few companies take web accessibility very seriously but in a world that is increasingly moving online it is crucially important not to marginalise people who cannot interact with websites and applications easily.

Accessibility testing is very simple in one respect, but really hard in another.

The accessibility of a site is typically judged against International compliance standards set out by W3C. Their guidelines essentially give three levels of compliance A, AA and AAA, although these guidelines are under continual review.

 

How?

To check basic compliance of your websites there are a number of tools on the market, which can help you get a “yes” or a “no” against the recognised compliance standards. These automated tools will be pretty quick to scan the page code for compliance.

This is the easy approach and you can get an answer in minutes, however, the answer you get may not tell you the whole truth.

In a very basic example you may have an image on the page.

The image may not have anything populated in the alt attribute.

The alt attribute is essentially there to provide a text alternative to the image for when the image is not available, or your visitor is using a screen reader.

This user will hear the text you have put for the alt attribute.

 

Running your site against an automated checker will give you a fail because you have no value for the alt attribute. This is easily fixed.

So you populate something in the alt attribute and re-run the scan. It passes.

However, your picture could be of a red apple and the text you entered could read “Cute Cuddly Brown Teddy Bear”.

In accessibility terms, the alt attribute in the IMG tag tells screen readers (and hence people using the screen readers) what the picture is.

So the text of “Cute Cuddly Brown Teddy Bear” is not very helpful, and is actually misleading for someone who cannot see the picture. An automated check will not tell you this.

 

It will also not tell you whether the flow and logic make sense to someone who cannot see the site and may not have prior knowledge of the page they are on.
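The alt text case above can be reproduced in a few lines. This added example (not from the original post, and not any particular checker's code) implements only the missing-or-empty alt rule described above using Python's standard html.parser; the sample markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser


class AltCheck(HTMLParser):
    """Record every <img> and whether it passes the simple 'has alt text' rule."""

    def __init__(self):
        super().__init__()
        self.results = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, and also routes
        # self-closing <img ... /> tags through this method.
        if tag != "img":
            return
        attributes = dict(attrs)
        # A bare `alt` with no value arrives as None; treat it like an empty string.
        alt = (attributes.get("alt") or "").strip()
        self.results.append({
            "src": attributes.get("src", ""),
            "alt": alt,
            # Mirrors the rule in the post: no value for alt means a fail.
            "automated": "pass" if alt else "fail",
        })


def check_alt_text(html):
    """Run the automated rule over a page and return one result per image."""
    parser = AltCheck()
    parser.feed(html)
    parser.close()
    return parser.results


def needs_human_review(results):
    """Images that passed: the rule cannot tell whether the text matches the picture."""
    return [r for r in results if r["automated"] == "pass"]


# Constructed page: every image is the same photo of a red apple.
SAMPLE_PAGE = """
<p>Today's special:</p>
<img src="apple.jpg">
<img src="apple.jpg" alt="">
<img src="apple.jpg" alt="Cute Cuddly Brown Teddy Bear">
<IMG SRC="apple.jpg" ALT="A red apple" />
"""

if __name__ == "__main__":
    page_results = check_alt_text(SAMPLE_PAGE)
    for result in page_results:
        print(result["automated"], repr(result["alt"]))
    print("for a person to compare with the picture:",
          [r["alt"] for r in needs_human_review(page_results)])
```

The teddy bear text and the accurate text get the same automated result, which is why the passed items still go to a person.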

In my experience there are very few people better at testing for accessibility than the very people who will use your accessible site.

It’s therefore important to consider outsourcing your testing to specialist accessibility testing companies or charities. They will offer you insights you will struggle to get through your own testing.

 

I once tested a site to AA compliance according to the automated checkers, yet when I handed it over to an accessibility-testing expert, I was stunned with how unusable it was even though it met the compliance. It was compliant, but it wasn’t very easy or pleasing to use.

 

Good accessibility testing needs human judgment and thinking. It cannot simply be automated. It requires trials and experimentation. It requires feedback from your target end users.

 

Saying that, the online tools are incredibly good at finding the obvious errors and compliance issues. Each year they become more refined, informative and powerful.

When you run your site against these tools be prepared to be surprised at how inaccessible your site is, especially if it hasn’t been developed with accessibility in mind.

Whether you are aiming for compliance or not, an accessibility check will also point out some obvious flaws in the HTML and give you insight for areas to explore and test further.

And if your company is not intending your site (especially public facing sites) to be compliant to even single A, as a good Tester, shouldn’t you be asking “Why Not?”

 

Useful Hint

The simplest way to check against W3C compliance would be to open up Firefox, install the accessibility checker plug in, open your site to be tested and run a quick scan.

 

Useful Links

Firefox accessibility extension – https://addons.mozilla.org/en-US/firefox/addon/accessibility-evaluation-toolb/

Tips on how best to describe the alt attribute – http://webdesign.about.com/od/beginningtutorials/a/aa122004.htm

The W3 standards on accessibility – http://www.w3.org/standards/webdesign/accessibility

Test Partners accessibility testing – http://www.testpartners.co.uk/accessibility_testing.htm

 

20 Days Of Web Testing > Resize the windows and resolution

Why?

Not all monitors and displays will be the same size and resolution, hence your site/application will render differently and potentially behave slightly differently (e.g. buttons moving, flow being interrupted).

With the proliferation of mobile devices like phones and tablets comes an ever-growing need to ensure your application works on small screens.

It may be you have to create mobile specific versions of your product or look to using adaptive design techniques.

 

How?

A really simple test would be to change the size of the browser window by simply dragging the edges to shrink the page.

Always consider that there may be a minimum size before the layout goes pear shaped.

This is to be expected for most non-adaptive designs (and some adaptive ones too) and the point at which this happens will be purely a judgment call on your part.

Another good test would be to change the resolution of your own monitor and see how the site renders.

Try the site and application on a mobile device or tablet. There are emulators out there that can help you out with this.

There are browser add-ons like Firesizer that can help you change the resolution of the page with ease.

 

Useful Hint

You could use a Firefox extension to help you resize windows.

 

Useful Links

A monster list of emulators – http://www.mobilexweb.com/emulators

Firefox window resizer extension – https://addons.mozilla.org/en-US/firefox/addon/window-resizer/


 

20 Days of Web Testing – An Introduction

Over the next few weeks I will be publishing a barrage of blog posts regarding some hints and tips for those new to Web Testing.

  • The series is aimed at those new to Web Testing (and/or Testing in general).
  • The ideas are very basic in this guide. If there is something that interests you I would suggest reading further by searching the web for more information or using the useful links I’ve included.
  • The ideas are not aimed at experienced Testers familiar with working with web sites, although you may learn something.
  • The ideas are aimed at those starting out in testing, those moving from client side software to web testing and for those who want to find out new ways of ensuring their own products meet some basic test conditions. (Believe it or not, there are many many thousands of websites and apps that are released with zero testing.)
  • The ideas are not always related to just the web, although many of them are specific to software delivered through a browser.
  • The list of ideas is not complete by any stretch. There are hundreds of tests to run.
  • Please comment on the ideas to expand them, correct anything I’ve got wrong or give me feedback on how useful they are to you.

Once I have finished the 20 days I will publish an eBook with all the published series along with about 15 others.

It will be free to download and distribute as you see fit.

Some of you may find the 20 ideas too simple to use, others may find them too hard, but I’ve tried to keep them as brief and direct as possible.

You can subscribe to my blog via RSS here :

http://feeds.feedburner.com/TheSocialTester 

All of the posts are posted under the category of “20 Days of Web Testing”.

—-

If you would like to sponsor the final eBook then please get in touch.