As network technology matures and website functions multiply, more and more business systems are becoming Web-based applications, such as Web OA and e-commerce. Testing is the main means of reducing risk in these services. Website testing should cover user interface, function, compatibility, performance and security, and should use automated testing tools to improve efficiency.
I. Test Methods
Website testing uses the gray-box method. Gray-box testing combines elements of white-box and black-box testing: it examines the software's external attributes and behaviour, but does so with knowledge of its internal data structures, actual logic flow and architecture at the source-code level, so the software is tested from the developer's perspective while the client side, specific system knowledge and the operating environment are also taken into account. A Web application is made up of many components (software and hardware) that must be tested in the environment of the designed system to evaluate their function and compatibility. Gray-box testing evaluates the software design in the collaborative environment of its components, which makes it the most effective and complete test for Web-based applications. It covers high-level design, environment and interoperability conditions, and can catch problems that black-box and white-box tests easily miss, in particular information flow, distributed hardware/software configuration, and end-to-end compatibility. Environment errors, which are closely tied to Web systems, are often found during gray-box testing.
II. User Interface
User interaction: is there a central workspace, and is it consistent across pages? Does every page have navigation that stays intuitive and consistent? Are UI controls named concisely and consistently, is the default state of each control appropriate, and can the main parts of the Web application be reached from the home page? Do operations and responses behave the way Web applications and industry standards lead users to expect, are the results correct, and do any data-consistency or output errors occur? If descriptive text refers to the picture on the right, does the picture appear on the right; are document numbers and names in tables on the left and the other details on the right; are results displayed as the help documentation says? Is correct feedback given, including error messages?
Page elements: are page structure, UI controls, fonts and link styles consistent across the whole Web application? Does the background colour suit the font and foreground colours? Does text wrap correctly? Are paragraphs misaligned, or is a line left standing on its own? Is each table column wide enough, or does one overfull cell stretch the whole row? Are images under 30 KB, and is the home page free of large images?
III. Function Testing
Link: does every link actually lead to the page it claims to, and does that page exist? Make sure the Web application has no isolated pages (pages that no link points to and that can only be reached by typing the exact URL). Link testing belongs in the integration test phase, that is, it is carried out after all pages of the Web application have been developed.
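An added example (not from the original article) of automating the link check: a small crawler over a constructed in-memory site that reports broken links and isolated pages. `SAMPLE_SITE`, `fetch` and the base URL `http://shop.example` are constructed for the example; in real use `fetch` would issue HTTP requests and the page inventory passed to `orphan_pages` would come from the server's file system or sitemap.

```python
import re
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed sample site: path -> HTML body, standing in for the server's
# responses. Any path not in the dict is treated as a 404.
SAMPLE_SITE = {
    "/": '<a href="/products">Products</a> <a href="/about.html">About</a> <a href="/missing">?</a>',
    "/products": '<a href="/">Home</a> <a href="/products/1">Item 1</a> <a href="http://other.example/x">Ext</a>',
    "/products/1": '<a href="/products">Back</a> <a href="/products/1#spec">Spec</a>',
    "/about.html": '<a href="/">Home</a>',
    "/orphan": "<p>Nobody links here</p>",   # reachable only by typing the URL
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def fetch(path):
    """Stand-in for an HTTP GET against the constructed site; returns (status, body)."""
    body = SAMPLE_SITE.get(path)
    return (200, body) if body is not None else (404, "")


def crawl(start="/", base="http://shop.example"):
    """Follow every same-site link reachable from `start`.

    Returns (visited, broken, inbound): the set of paths reached, a dict of
    path -> status for links that did not resolve, and a dict of
    target path -> set of pages linking to it.
    """
    visited, broken, inbound = set(), {}, {}
    queue = [start]
    while queue:
        path = queue.pop()
        if path in visited:
            continue
        visited.add(path)
        status, body = fetch(path)
        if status != 200:
            broken[path] = status
            continue
        for href in HREF_RE.findall(body):
            target, _fragment = urldefrag(urljoin(base + path, href))
            parsed = urlparse(target)
            if parsed.netloc != urlparse(base).netloc:
                continue                      # external links are out of scope here
            tpath = parsed.path or "/"
            inbound.setdefault(tpath, set()).add(path)
            if tpath not in visited:
                queue.append(tpath)
    return visited, broken, inbound


def orphan_pages(all_known_paths, inbound):
    """Pages that exist on the server but that no crawled page links to (home page excluded)."""
    return sorted(p for p in all_known_paths if p not in inbound and p != "/")
```

Running `crawl()` on the sample site reports `/missing` as broken (linked from the home page but absent) and `orphan_pages(SAMPLE_SITE, inbound)` reports `/orphan`, which exists but is never linked. The crawler strips fragments and ignores other hosts so that in-page anchors and external sites do not count as pages of the application.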
Form: the integrity and correctness of form submission must be tested. For example, are the date of birth and occupation the user entered plausible, and do the province and city match? If default values are used, check that they are correct. Does a form accept only the specified values, for instance only certain characters? During testing, submit characters outside that set and see whether the system reports an error. Does the server store the submitted data correctly, and can the back-end system interpret and use it correctly?
Cookie: if the Web application uses cookies, check that they work properly: that the cookie takes effect, that it is kept for the scheduled time, and whether a page refresh affects it. If registration information is stored in a cookie, make sure the cookie works properly and that its contents are encrypted rather than stored in clear text. If cookies are used to count visits, verify that the total is correct.
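An added example, not from the original article, of the cookie properties a tester would check: a session cookie that carries an expiry, is protected against tampering with an HMAC tag, and is set with the HttpOnly, Secure and SameSite attributes. `SECRET` and the `session` cookie name are assumptions for the example; the tag only authenticates the contents (it does not hide them), so registration data that must stay private would additionally need encrypting.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

SECRET = b"replace-with-a-random-32-byte-key"   # assumption: loaded from config in real use


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_session_cookie(payload: dict, ttl: int, now=None) -> str:
    """Serialise payload with an expiry and an HMAC tag; return a Set-Cookie value."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"d": payload, "exp": int(now + ttl)}).encode())
    tag = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    c = SimpleCookie()
    c["session"] = f"{body}.{tag}"
    morsel = c["session"]
    morsel["httponly"] = True       # script on the page cannot read it
    morsel["secure"] = True         # sent only over HTTPS
    morsel["samesite"] = "Strict"   # not attached to cross-site requests
    morsel["max-age"] = ttl         # the browser drops it after ttl seconds
    morsel["path"] = "/"
    return c.output(header="").strip()


def read_session_cookie(cookie_header: str, now=None):
    """Return the payload if the tag verifies and the cookie is unexpired, else None."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header)
    if "session" not in c:
        return None
    try:
        body, tag = c["session"].value.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None             # tampered or forged
        data = json.loads(_unb64(body))
    except ValueError:
        return None                 # malformed base64 or JSON
    if data["exp"] <= now:
        return None                 # expired server-side even if the browser still sends it
    return data["d"]
```

The server checks expiry itself rather than trusting `Max-Age`, because a client can keep sending an old cookie; and any change to the cookie body invalidates the tag, which is the property to test when registration data lives in the cookie.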
Interface: test the interface between browser and server: commit a transaction, inspect the server records, and verify that what the browser displayed actually happened on the server. You can also query the database to confirm that the transaction data was stored correctly. Some Web systems have external interfaces; check that the software can handle every message the external server may return. The part most easily overlooked is interface error handling. Try interrupting a transaction while it is being processed, and cutting the network connection between user and server; does the system handle these cases correctly? If transaction processing is interrupted, is the order still saved when the user does not return to the site to confirm it?
Specific features of the application: verify the application's specific functional requirements. Try every possible operation, such as placing, changing and cancelling orders, and paying online.
IV. Client Compatibility
Operating system: can the website be browsed on Mac and IBM-compatible PCs? Is any font or plug-in used that exists only on one system?
Browser: is the site browsed with Netscape, Internet Explorer or Lynx? Browsers from different vendors differ in their support for Java applets, DHTML, ActiveX, HTML, plug-ins, security protocols and HTTP. Users also configure their browsers differently, for example disabling images or choosing a higher security level. Frames and layers render differently in different browsers, and sometimes not at all. IE 3.0 and later can use SSL, but users of earlier versions should be told so. One way to test browser compatibility is to build a compatibility matrix that records how browsers of each vendor and version cope with particular plug-ins and settings.
Screen settings: does the page display normally when the screen resolution (640x480, 800x600, 1024x768, 1280x1024), font size, or colour depth (16 colours, 24-bit true colour, 32-bit true colour) changes?
Connectivity: some users enjoy T1 leased lines, but many use a 28.8K modem. If the website's response time is too long (say, more than 5 seconds), users lose patience and leave. Some pages also have time-out limits; if the response is too slow, the user may have to log on again before seeing the content.
Printer: sometimes the alignment of images and text on paper differs from what is shown on screen. Verify that web pages print properly, or at least that the order confirmation page does.
Combined testing: a resolution of 800x600 may look fine on a Mac but be hard to read on an IBM-compatible PC. Netscape may display a page normally on an IBM machine that cannot be viewed in Lynx. Ideally the system runs on every machine, so that future development and changes are not constrained.
V. Performance Testing
Load: load testing measures the performance of the Web application at a given load level, to ensure it works properly within the required range. The load level can be the number of users accessing the system simultaneously at a point in time, or the volume of online data being processed. For example, what happens to the site when the number of concurrent users exceeds the allowed limit? Can the Web application handle a large number of users accessing the same page at once? Can it answer millions of requests during an instantaneous peak, handle massive data transfers, and keep running for a long time?
Stress testing: stress testing examines how the system behaves when the Web application is actually damaged, that is, its control and fault-recovery capabilities, and whether the Web application crashes. Attackers often feed the server malformed data or flood it with packets until the Web application crashes.
Reliability: does the website suffer from problems such as server memory leaks or insufficient database transaction-log capacity?
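An added example, not from the original article, of a small load generator of the kind the load and stress paragraphs describe: a fixed number of concurrent users each issue requests, and the run reports throughput, median and 95th-percentile latency, and the number of errors. `SimulatedServer` is a constructed stand-in for the system under test that admits at most `capacity` requests at once and answers 503 beyond that (the "users exceed the limit" case); against a real site `target` would be a function that performs an HTTP GET, for example with `urllib.request.urlopen`, and returns the status code.

```python
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class SimulatedServer:
    """Constructed stand-in for the application server: at most `capacity`
    requests in flight, each taking `service_time` seconds; extra requests get 503."""

    def __init__(self, capacity=8, service_time=0.005):
        self.capacity, self.service_time = capacity, service_time
        self._inflight, self._lock = 0, threading.Lock()

    def get(self, path):
        with self._lock:
            if self._inflight >= self.capacity:
                return 503                     # overloaded, like a full worker pool
            self._inflight += 1
        try:
            time.sleep(self.service_time)      # simulated request processing
            return 200
        finally:
            with self._lock:
                self._inflight -= 1


def run_load(target, users, requests_per_user, path="/"):
    """Drive target(path) from `users` concurrent threads; return summary statistics."""
    latencies, statuses = [], []
    lock = threading.Lock()

    def simulated_user():
        for _ in range(requests_per_user):
            t0 = time.perf_counter()
            try:
                status = target(path)
            except Exception:
                status = 599                   # transport-level failure, e.g. connection reset
            elapsed = time.perf_counter() - t0
            with lock:
                latencies.append(elapsed)
                statuses.append(status)

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=users) as pool:
        for _ in range(users):
            pool.submit(simulated_user)
    wall = time.perf_counter() - start         # the with-block waits for every user to finish

    ordered = sorted(latencies)
    total = len(statuses)
    return {
        "requests": total,
        "errors": sum(1 for s in statuses if s >= 500),
        "throughput_rps": total / wall,
        "p50_ms": 1000 * statistics.median(ordered),
        "p95_ms": 1000 * ordered[int(0.95 * (total - 1))],
    }
```

Running `run_load(srv.get, users=4, requests_per_user=5)` against a server with capacity 8 produces no errors, while `users=32` drives the in-flight count past the limit and the error count rises; comparing the two runs is exactly the "what happens above the limit" question the load paragraph asks. For a stress test the same loop is run with the user count raised until the error rate or p95 latency breaches the target, and the system is then watched for recovery once the load is removed.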
VI. Security Testing
Identity authentication: do user names and passwords follow specific rules, such as case sensitivity, a maximum length, and a required mix of letters and digits? If ActiveX or cookies are used to store personal information, is it encrypted, and are frequent password changes supported? Is the number of failed logons limited? Can the logon process be bypassed with bookmarks, logon history, or captured URLs? Are logons restricted from certain IP addresses? If a logged-on user opens no page for a certain period (say, a set number of minutes), must they log on again before using the pages?
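An added example, not from the original article, of the logon behaviours listed above in one small service: a password rule, lockout after repeated failures, an idle time-out that forces a fresh logon, and session tokens that are random and issued only after a successful logon (so a bookmarked or captured URL carries nothing reusable). The user store, the 5-attempt lockout and the 15-minute limits are assumptions for the example; the injectable clock exists so the time-based checks can be exercised without waiting.

```python
import hashlib
import hmac
import re
import secrets
import time


class AuthService:
    MAX_FAILURES = 5               # assumption: lock after five bad attempts
    LOCKOUT_SECONDS = 15 * 60      # assumption: 15-minute lockout
    IDLE_TIMEOUT = 15 * 60         # assumption: 15 minutes without a request ends the session
    # at least 10 characters with lower case, upper case and a digit; case-sensitive by construction
    PASSWORD_RULE = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{10,128}")

    def __init__(self, users, clock=time.time):
        self._users = users        # username -> (salt, pbkdf2 hash)
        self._failures = {}        # username -> (count, time of last failure)
        self._sessions = {}        # token -> (username, time of last activity)
        self._clock = clock        # injectable so tests can move time forward

    @classmethod
    def password_ok(cls, password):
        return cls.PASSWORD_RULE.fullmatch(password) is not None

    @staticmethod
    def hash_password(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password):
        now = self._clock()
        count, last = self._failures.get(username, (0, 0.0))
        if count >= self.MAX_FAILURES and now - last < self.LOCKOUT_SECONDS:
            return None, "locked"
        record = self._users.get(username)
        # hash against a dummy record for unknown users so timing does not reveal valid names
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        if not hmac.compare_digest(self.hash_password(password, salt)[1], stored):
            self._failures[username] = (count + 1, now)
            return None, "bad credentials"
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)      # unguessable; carried in a cookie, never in a URL
        self._sessions[token] = (username, now)
        return token, "ok"

    def authenticate(self, token):
        """Return the user for a live session, refreshing its activity time; None forces a new logon."""
        now = self._clock()
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]          # idle too long: must log on again
            return None
        self._sessions[token] = (user, now)
        return user
```

A tester exercises this the way the paragraph suggests: five wrong passwords should produce "locked" even for the correct password until the lockout expires, and a token that was valid should stop authenticating once the idle limit passes. The bypass check ("bookmarks, history, captured URLs") is the observation that nothing in a URL is consulted at all; only the token issued by `login` and presented in a cookie is.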
Content attack: a content-based attack carries its payload in the submitted content and targets the application, aiming to take control of the application host and attack it. For example, form data entered in a malicious format may cause a Web component to execute incorrectly and the application to fail. Are attacks on the application, its data and its computation prevented? Is access control applied to directories and files? Is malicious code and command input filtered, is the command set restricted at the application-protocol level, and is keyword-based inspection performed? Feed escape sequences and metacharacters into every input field of each component to see whether they cause unexpected results. Can validity checks be bypassed by submitting a form from outside the site? Can a buffer overflow occur?
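An added example, not from the original article, serving both the Form paragraph in Function Testing and the content-attack checks above: server-side validation of a constructed registration form (plausible date of birth, city matching province, a restricted character set), a submission gate that refuses posts from outside the site and posts without the session's CSRF token, and a small probe that appends common metacharacters to a field and reports which ones the validator lets through. The field names, `PROVINCES` table, allowed origin `https://shop.example` and the `METACHARS` list are constructed for the example.

```python
import re
import secrets
from datetime import date

# Constructed reference data standing in for the real province/city table.
PROVINCES = {"Guangdong": {"Guangzhou", "Shenzhen"}, "Zhejiang": {"Hangzhou", "Ningbo"}}
# Letters, spaces, apostrophes and hyphens only; fullmatch is used so a trailing newline cannot slip past.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,49}")
METACHARS = ["'", '"', "<", ">", ";", "|", "&", "`", "$(", "\x00", "../", "%0a", "\\"]


def validate_registration(form, today=None):
    """Return a dict of field -> error for the constructed registration form (empty if valid)."""
    today = today or date.today()
    errors = {}
    if NAME_RE.fullmatch(form.get("name", "")) is None:
        errors["name"] = "letters, spaces, apostrophes and hyphens only"
    try:
        dob = date.fromisoformat(form.get("dob", ""))
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if dob > today or not 0 <= age <= 120:
            errors["dob"] = "implausible date of birth"
    except ValueError:
        errors["dob"] = "date must be YYYY-MM-DD"
    province, city = form.get("province"), form.get("city")
    if city not in PROVINCES.get(province, set()):
        errors["city"] = "city does not belong to the selected province"
    return errors


def handle_submission(form, session_token, headers, allowed_origin="https://shop.example"):
    """Server-side gate: reject cross-site posts and forged tokens before validating the fields."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(allowed_origin):
        return 403, {"error": "cross-site submission"}
    if not secrets.compare_digest(form.get("csrf_token", ""), session_token):
        return 403, {"error": "bad CSRF token"}
    errors = validate_registration(form)
    return (400, errors) if errors else (200, {})


def metachar_probe(good_form, field):
    """Append each metacharacter to one field of a valid form; return those the validator accepts."""
    accepted = []
    for meta in METACHARS:
        trial = dict(good_form, **{field: good_form[field] + meta})
        if field not in validate_registration(trial):
            accepted.append(meta)
    return accepted
```

Running `metachar_probe` on the name field shows that every payload is rejected except the apostrophe, which the rule deliberately allows for names such as O'Brien. That is the useful output of the probe: it tells the tester which characters still reach the back end, and therefore where the page's next check applies, namely that the database layer parameterises that value rather than concatenating it into a query.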
SSL (Secure Sockets Layer): when SSL is used, test that encryption is correct and check message integrity. Is there a connection time limit, and what happens when it is exceeded?
Scripting language: server-side scripts are a frequent source of security holes. Some scripts allow access to the root directory and some allow access to the mail server; attackers often exploit these. Can scripts be placed or edited on the server without authorization? Are known defects in the scripting language handled?
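An added example, not from the original article, of the "access to the root directory" problem: a script that maps a requested URL path onto the file system must confine the result to the document root, otherwise `..` segments, their percent-encoded forms, NUL bytes and symlinks let a request read files anywhere on the host. The resolver below does that confinement, and `build_demo_root` constructs a throwaway document root (one page plus a symlink pointing outside it) so the checks can be run locally; the paths probed are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def safe_resolve(root, requested):
    """Map a URL path onto the file system below `root`; raise PermissionError if it escapes."""
    root = Path(root).resolve()
    decoded = unquote(requested)                 # the server decodes exactly once
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")   # would truncate the name in C-based code
    # resolve() collapses '..' and follows symlinks, so the comparison is on the real location
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes the document root")
    return candidate


def check_paths(root, paths):
    """Classify requested paths into (allowed, rejected) for a quick audit run."""
    allowed, rejected = [], []
    for p in paths:
        try:
            safe_resolve(root, p)
            allowed.append(p)
        except PermissionError:
            rejected.append(p)
    return allowed, rejected


def build_demo_root():
    """Constructed document root: one page plus a symlink that points outside the root."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<h1>hello</h1>")
    os.symlink(root.parent, root / "out")     # the kind of link a careless script might create
    return root


PROBES = [
    "/index.html",
    "/products/../index.html",      # '..' that stays inside the root is fine
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",    # percent-encoded dots
    "/out/secret.txt",              # through the symlink
    "/index.html%00.jpg",           # NUL-byte extension trick
]
```

`check_paths(build_demo_root(), PROBES)` allows only the first two probes. The symlink case is the one string-based checks miss: `/out/secret.txt` contains no `..` at all, and only resolving the real path exposes that it lands outside the root.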
VII. Tools
It could be said that all good testing is automated testing: the test plan is designed by people, but the actual test operations are carried out by programs or automated tools. On the one hand, the purpose of testing is to find errors, and while they are being corrected frequent regression testing is needed, most of which repeats earlier work; such repetitive work can be handed to the computer. On the other hand, some tests cannot be done by hand at all, such as testing the underlying communication protocol, I/O performance, or the volume of concurrent transactions a service program can support; these need suitable automation tools to simulate the required environment, drive the software under test, and record the measured indicators. Given the huge workload of regression testing and the impossibility of doing some tasks manually, testing must be automated.
Currently there are many commercial automated testing tools, including port scanners (such as Nmap and Cisco Secure testing), network monitors (such as Windows NT/2000 Network Monitor, Tcpdump, Ethereal), system security defect checkers (such as SAINT, WebTrends Security Analyzer, PGP CyberCop compliance/Monitor, Sym