
Website Testing

© Tech Mahindra Limited 2007 Tech Mahindra Limited confidential


Objectives
 At the end of this session, you will be able to:
 Understand white box and black box testing of websites

 Elucidate aspects such as Compatibility, Usability and Security



Web Page Fundamentals
 Web pages are written in a simple scripting language such as HTML

 Simple elements of a web page


 Text (variety of fonts, colors and sizes)
 Hyperlinks
 Graphics and photographs
 Drop down selection boxes (part of forms)
 Fields in which users can enter data (part of forms)

 Complex elements of a web page


 Customizable page layout and content
 Dynamic drop down selection boxes
 Compatibility with a variety of web browsers and their versions,
hardware and operating systems
 Hidden tagging and formatting information that enhances the usability of a website

Black Box Testing of Websites
 Text
 Check for accuracy of content and subject matter
 Check spellings
 Check if contact information (address, phone numbers) is
current
 Check if layout is the same after changing the resolution



Black Box Testing of Websites (Contd…)
 Hyperlinks
 Verify against specification
 Check if every link leads to correct destination (i.e. find out
broken or incorrect links)
 Check if mouse pointer changes in appearance when scrolled
over a hyperlink
 If the link opens an e-mail page (e.g. ‘Contact us’ link), send a
message and you should get a reply
 Look out for orphan pages i.e. pages which are included in the
design specifications but not reachable (not hooked to any
page in use)



Black Box Testing of Websites (Contd…)
 Graphics
 Verify if all the graphic content is displayed properly
 Change the browser window size and check if graphics and text
are properly ‘intermixed’
 Check if the graphic content of a web page loads in adequate
amount of time



Black Box Testing of Websites (Contd…)
 Forms
 Check if the field length is adequate
 Check if fields accept only valid data (e.g. only numerals in pin
code field)
 Check if optional field is really optional and if mandatory field is
really mandatory
 Check if radio buttons work properly
 Check if data entered through forms is properly stored in
database (field length and content)



White Box Testing of Websites
 To deliver dynamic and customizable contents, HTML is not
enough; it is supplemented by programming languages and
technologies such as VB script, ASP, ActiveX and XML

 Testers only need to be ‘familiar’ with these languages to do white box testing; expertise is not required



White Box Testing of Websites (Contd…)
 Features that can be Tested

 Dynamic content
 Client side: Content may change based on user preferences.
This can be achieved by use of a simple scripting language
(JavaScript / VB Script) and embedding the same in HTML code
 Server side: For efficiency most dynamic content programming
(e.g. ASP) is located in server. Access the web server to view
the code (if possible)

 Database driven web pages


 Web pages rich in data (e.g. catalogues) are populated from
database
 HTML page only provides a layout

 Performance issues

 Security related defects



Compatibility Testing
 Compatibility Testing means verifying that the web page
interacts with and shares data correctly (as per
specifications) with other software

 Aspects that possibly need to be tested


 Hardware: Mac, IBM PC, PDA, Wi-Fi
 Browser types and versions: I.E. 5.0, Netscape 7.2
 Video resolution: Is the website readable with all the permitted
screen resolutions (including mobile phones)?
 Text size: Is the website readable with all the permitted text
sizes?



Usability Testing
 Usability means how appropriate, functional and effective the interaction between software and its user is

 Very important in the case of websites, since these are usually open to large scale public use (as opposed to banking software which will mostly be used by bank staff)

 Usability is an important criterion for the popularity of websites



Usability Testing - Aspects that Need Attention
 Navigation
 Should be intuitive
 Main features should be accessible from main page
 Site map or other navigational help is easily available

 Graphics
 Web page should not be cluttered with unnecessary graphics
 Font size should be consistent with graphics
 Combination of background and foreground colors should be
soothing to eye
 If thumbnails are used, verify if each thumbnail puts up correct
graphic image

 General appearance should be intuitive and design should be consistent



Testing for Security
 This involves identifying points in a physical location or information system that have a high risk of being penetrated

 The technique involves developing a matrix where one dimension is potential perpetrators and the other one is potential points of penetration

 Security testing process involves FIVE tasks



Testing for Security (Contd…)
 Task 1: Identify potential perpetrators
 A broad list: Project personnel, key officers in the organization,
third parties like auditors, customers

 Information that needs to be gathered about each category: Knowledge, access level, skill and vulnerability



Testing for Security (Contd…)
 Task 2: Identify potential points of penetration
 Penetration points are typically the least controlled areas and
thus most vulnerable

 Functional vulnerabilities in order of frequency of occurrence


 Poor control over manual handling of data
 Weak or non-existent physical access control
 Computer operating procedures
 Weakness in business test process
 Weakness in control of computer programs
 Weakness in operating system access
 Poor controls over access through impersonation
 Weakness in (magnetic) media control

 Locations of vulnerabilities
 Data and report preparation, computer operations, non-IT areas,
on-line terminal systems, programming offices, etc.



Testing for Security (Contd…)
 Task 3: Create a penetration point matrix
 Vertical axis is the list of potential perpetrators identified in task 1

 Horizontal axis is the list of potential points of penetration identified in task 2

 Each point in the matrix is examined and allotted a ‘probability of penetration’ as follows - 3: High, 2: Average, 1: Low, 0: Minimal or no probability

 Add up the values along the vertical and horizontal axes to get totals



Testing for Security (Contd…)

Penetration point matrix (rows: potential perpetrators; columns: penetration points)

Perpetrator    1    2    3    4    Totals
A              1    2    1    1    5
B              1    0    3    0    4
C              2    2    3    1    8
Totals         4    4    7    2



Testing for Security (Contd…)
 Task 4: Identify high risk points of penetration
 Investigate further those perpetrators and points of
penetrations which have high totals (example – row C and
column 3)

 Also investigate points having probability 3 (points C3 and B3) and then 2 (C1, C2 and A2)
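
The matrix arithmetic of Tasks 3 and 4, as an added example that is not part of the original slides: it totals the sample matrix by row and column, ranks perpetrators and penetration points by total, and lists the cells scored 3 before those scored 2. The function names and the tie-break by name are assumptions made for illustration.

```python
# Added example: scores copied from the slide's sample matrix.
# 3 = high, 2 = average, 1 = low, 0 = minimal or no probability.
POINTS = ["1", "2", "3", "4"]   # potential points of penetration (Task 2)
MATRIX = {                       # potential perpetrators (Task 1)
    "A": [1, 2, 1, 1],
    "B": [1, 0, 3, 0],
    "C": [2, 2, 3, 1],
}


def validate(matrix, points):
    """Reject rows of the wrong width and scores outside 0..3."""
    for who, row in matrix.items():
        if len(row) != len(points):
            raise ValueError(f"row {who}: expected {len(points)} scores")
        if any(score not in (0, 1, 2, 3) for score in row):
            raise ValueError(f"row {who}: scores must be 0, 1, 2 or 3")


def totals(matrix, points):
    """Task 3: sum each row (perpetrator) and each column (point)."""
    validate(matrix, points)
    rows = {who: sum(row) for who, row in matrix.items()}
    cols = {p: sum(row[i] for row in matrix.values())
            for i, p in enumerate(points)}
    return rows, cols


def ranked(totals_by_name):
    """Highest total first; ties broken by name (an assumption)."""
    return sorted(totals_by_name, key=lambda n: (-totals_by_name[n], n))


def cells_with(matrix, points, score):
    """Cells such as 'C3' whose probability equals `score`."""
    return sorted(who + points[i]
                  for who, row in matrix.items()
                  for i, s in enumerate(row) if s == score)


def investigation_plan(matrix, points):
    """Task 4: rank rows and columns, then list 3-cells before 2-cells."""
    rows, cols = totals(matrix, points)
    return {
        "perpetrators": ranked(rows),
        "points": ranked(cols),
        "cells": cells_with(matrix, points, 3) + cells_with(matrix, points, 2),
    }


if __name__ == "__main__":
    print(investigation_plan(MATRIX, POINTS))
```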



Testing for Security (Contd…)
 Task 5: Execute security test
 Execute one or more of the following three tests for the points
identified in task 4
 Test 1: Evaluate the adequacy of security controls: If controls appear inadequate for a particular point in the matrix then that point carries a high security risk.

 Test 2: Determine if penetration can occur at identified point(s); Testers actually try to penetrate the system at that point (e.g. testers would try and enter invalid overtime data into payroll system)

 Test 3: Determine if penetration has actually occurred at this point



Thank You
