You are here: Ultra Guide>Testing Web>ExploratoryTestingMethods (14 Jul 2020, MiaArmstrong)Edit AttachTags

Exploratory Testing (or just "Testing")

Tips

  • Don't fixate on working applications. Explore a wireframe. Explore a mockup. Explore databases, systems diagrams, APIs, acceptance criteria, ideas, processes, feature files, assumptions, the UI, specifications. Go and explore anything you can gather useful information from!

  • Exploratory testing is an experiment mindset. Channel your curiosity and amplify your investigative approach. Seek out truth and discover answers to questions about risks and assumptions.

  • Give your exploratory session purpose. Become a charter-generating machine. Too refined and you’ll restrict an opportunity to uncover a useful array of information. Go too wide, lose focus, and you’ll miss important discoveries. With practice, you’ll be setting goals that feel “just right”.

  • Charter Definition: Explore <target> with <resources> to discover <information>

  • Example: Explore the shopping basket with the basket API to discover security vulnerabilities

  • Let requirements become an oracle to trigger test ideas and conversation, not the key influencer of where to place exploratory efforts.

  • Automate tasks to support your exploratory efforts: write scripts that input data

  • Define a set of heuristics before exploration and refer to them to trigger ideas (see examples in Data Type Attacks section)

  • Use comparable products to form an opinion. This can also help spark ideas for testing, development, and feature enhancements.

  • Look at the browser’s console and view application logs

Ask Yourself These Questions Before Testing

  • What is your mission?

  • How could you organize testing to help you achieve the mission?

    • How aggressively should you hunt for bugs? Why?

    • Which bugs are less important than others? Why?

    • How important are issues of performance (speed of operation)? Polish of the user interface? Precision of the calculations? Prevention and detection of tampering with the data?

    • How extensively will you document your work? Why?

    • What other information would you expect to provide to the project (if any)? Why?

Learning

  • Anything can guide the tester in what to test, how to test, or how to recognize a problem, such as:

    • The project context, market forces that drive the product (competitors, desired customary benefits, users), hardware and software platforms, and development history of prior version and related products.

    • Risks, failure history, support record of this and related products and how this product currently behaves and fails.

Examples of learning activities:

  • Study competitive products (how they work, what they do, what expectations they create)

  • Research the history of this / related products (design / failures / support)

  • Inspect the product under test (and its data) (Create function lists, data relationship charts, file structures, user tasks, product benefits)

  • Question: Identify missing info, imagine potential sources and potentially revealing questions (use reference materials to supplement answers)

  • Review written sources: specifications, other authoritative documents

  • Try out potentially useful tools

  • Hardware / software platform: Design and run experiments to establish procedures and techniques (ex: printing)

  • Create and apply models:

    • A model is a simplified representation of a relationship, process or system. The simplification makes some aspects of the thing modeled clearer, more visible, and easier to work with.

    • A model is often an expression of something we don’t understand in terms of something we think we do understand

    • All tests are based on models:

      • Many models are implicit

      • When the behavior of a program “feels wrong”, it is clashing with your internal model of the program and how it should behave.

Data Type Attacks

Paths/ Files

  • Long Name (>225 chars)

  • Special Characters in Name (space *?/\|<>,.()[]{};:’”!@#$%^&)

  • Non-Existent

  • Already Exists

  • No Space

  • Minimal Space

  • Write-Protected

  • Unavailable

  • Locked

  • On Remote Machine

  • Corrupted

Time and Date

  • Timeouts

  • Time Difference between Machines

  • Crossing Time Zones

  • Leap Days

  • Always Invalid Days (Feb 30, Sept 31)

  • Feb 29 in Non-Leap Years

  • Different Formats (June 5, 2001; 06/05/2001; 06/05/01; 06-05-01; 6/5/2001 12:34)

  • Daylight Savings Changeover

  • Reset Clock Backward or Forward

Numbers

  • 0

  • 32768 (215)

  • 32769 (215 + 1)

  • 65536 (216)

  • 65537 (216 + 1)

  • 2147483648 (231)

  • 2147483649 (231 + 1)

  • 4294967296 (232)

  • 4294967297 (232 + 1)

  • Scientific Notation (1E-16)

  • Negative

  • Floating Point/ Decimal (0.0001)

  • With Commas (1,234,567)

  • European Style (1.234.567,89)

  • All of the above in calculations

Strings

  • Long (255, 256, 257, 1000, 1024, 2000, 2048 or more characters)

  • Accented Chars (àáâãäåçèéêëìíîðñòôõöö, etc.)

  • Asian Chars ( 〲, 〨, ect. )

  • Common Delimiters and Special Characters ( “ ‘ ` | / \ , ; : & < > ^ * ? Tab )

  • Leave Blank

  • Single Space

  • Multiple Spaces

  • Leading Spaces

  • End-of-Line Characters (^M)

  • SQL Injection ( ‘select * from customer )

  • With All Actions (Entering, Searching, Updating, etc.)

General

  • Violates Domain-Specific Rules (an ip address of 999.999.999.999, an email address with no “@”, an age of -1) See Email Field Sheet for more info on testing email fields

  • Violates Uniqueness Constraint

Web Tests

  • Back (watch for ‘Expired’ messages and double-posted transactions)

  • Refresh

  • Bookmark the URL

  • Select Bookmark when Logged Out

  • Hack the URL (change/remove parameters; see also Data Type Attacks)

  • Multiple Browser Instances Open

Input

  • See also Data Type Attacks

  • HTML/JavaScript Injection (allowing the user to enter arbitrary HTML tags and JavaScript commands can lead to security vulnerabilities)

  • Check Max Length Defined on Text Inputs

  • > 5000 Chars in TextAreas

Syntax

Preferences

  • Javascript Off

  • Cookies Off

  • Security High

  • Resize Browser Window

  • Change Font Size

Interesting articles for further reading:

http://www.satisfice.com/blog/archives/1509

http://testobsessed.com/wp-content/uploads/2011/08/ETinAgile-agile2011-final.pdf

Happy Testing
Topic revision: r2 - 14 Jul 2020, MiaArmstrong
© 2020 Ultranauts - 75 Broad Street, 2nd Floor, Suite 206, New York, NY 10004 - info@ultranauts.co