Manual Software Testing Example

Taking a look at Google.com

First, let’s take a look at the site.

Google.com as of 05/29/2014

Here is a list of what I see:

  1. favicon is a white g on a blue block
    • Not all browsers support favicons next to the address bar. That is because of past phishing scams where the icon was the padlock icon.
    • All modern browsers support the favicon on tabs and bookmark bars.
  2. The URL in the address bar is https when I entered http
    • The site accepts http but redirects to https
  3. Padlock next to address bar
    • Clicking on it will allow the user to view the security certificate
  4. +You link to https://plus.google.com/
    • plus is a subdomain of google.com and is likely out of scope of testing google.com
  5. Gmail link to https://mail.google.com/mail/
    • mail is a subdomain of google.com and is likely out of scope of testing google.com
  6. Grid icon
    • On-click event: Display links to other services
  7. Sign-in button
    • https://accounts.google.com/ServiceLogin?hl=en&continue=https://www.google.com/
    • Links to accounts.google.com and will redirect (upon successful login) to google.com
      • continue is a URI parameter that holds the redirect URL
      • returnURL is the same thing but for ASP
  8. ‘Notification’ to install Chrome
    • Chrome icon image
    • Heading text, “A faster way to browse the web”
    • Close icon
      • Hides the ‘notification’
    • Install Google Chrome button
  9. Google Logo banner image
  10. TextBox for search input
  11. Google Search button
    • Goes to https://www.google.com/#q={searchTerm}
  12. I am Feeling Lucky button
  13. Message of the Day with hyperlink
  14. Advertising, Business, About, Privacy & Terms and Settings links
    • All part of the footer

Testing Google.com

Next, let’s discuss how to test each element.

1. Favicon

You can’t really test an image, but you can test how it displays in each browser.
Here is an example of an icon whose background appears to be clear until viewed in Chrome’s background tab:

favicon

2. HTTP to HTTPS

You can only make sure that all http calls you make are redirected to a secure connection. This is a server setting so it shouldn’t matter what URL you try.
HTTPS can be captured and even decrypted using a proxy like Fiddler. Then you can see things like tracking pixels and post-backs.

HTTPS Traffic Decrypted

3. Padlock

Click on the padlock to view the certificate information. The certificate should be valid. If not, most browsers will display some sort of warning.

Website Identification

4. +You

Testing links that go out of scope should just be limited to verifying the link is valid.

Verify the link goes to plus.google.com. If you are signed out, you will go to accounts.google.com.
This should change to +{yourName} after signing in.

5. Gmail

Testing links that go out of scope should just be limited to verifying the link is valid.

Verify the link goes to mail.google.com. If you are signed out, you will go to accounts.google.com.

6. Grid

Click the grid to trigger the OnClick event. Verify each icon and link.

OnClick Event Pop-up

7. Sign in

Log in and verify the button is no longer visible.

The sign in page is out of scope but I’d like to cover it as it is a common element.

Google Sign in

Here we have a chance to do some security testing:

  • Never return “invalid username”
    • Using a brute force attack you can find a valid username. From there, it’s a matter of trying passwords.
  • After a certain number of bad attempts with a valid username some locking mechanism should be triggered.
  • Remember me should not work to gain access to high value systems.
    • Example: After logging in, you should be required to re-enter your password to get to your account settings.

Read more on Authentication
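
The first two checks above can be written down as a small reference backend to test against. This is an added example, not code from the original post or from Google: `LoginService`, the five-attempt threshold, and the message strings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed threshold; the page only says "a certain number"
GENERIC_ERROR = "Invalid username or password"
LOCKED_ERROR = "Too many attempts, try again later"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Hypothetical in-memory sign-in backend used only for this example."""

    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # submitted username -> consecutive failures
        # Dummy record so unknown usernames cost the same hashing work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str):
        """Return (ok, message); the message never reveals whether the user exists."""
        # Failures are counted per submitted name, known or not, so the
        # lockout message cannot be used to tell valid usernames apart.
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False, LOCKED_ERROR
        salt, stored = self.users.get(username, self._dummy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and username in self.users:
            self.failures.pop(username, None)
            return True, "OK"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice@example.com", "correct horse")  # constructed account
    print(svc.login("nobody@example.com", "guess"))     # unknown user
    print(svc.login("alice@example.com", "guess"))      # wrong password
```

A tester compares the responses for an unknown username and for a known username with a wrong password; any difference in message or lockout behavior is a finding.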

8. Install Chrome

This element shouldn’t appear in Chrome. Verify the image, heading text, and the link.

9. Banner Image

Not much testing here. Is the image there?

10. TextBox

Here we have a chance to do some fuzz testing. Generally a TextBox corresponds to a database value. When you enter your credentials in Google’s sign in page and submit, the server compares that value to the values in the database. If you had access to this database you could see the max size for each column and its data type. This information is useful in testing bounds and types. In the following example we see that EmailAddress is nvarchar with a length limit of 50 characters. Because it is an nvarchar, we can enter almost any character. If it were an int we could try entering an alphabetic character.

AdventureWorks Example
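
The bounds and type cases described above can be generated from the column metadata. This is an added example, not from the original post: the `Column` class and the case labels are hypothetical, and it assumes SQL Server semantics, where `nvarchar(n)` counts UTF-16 code units, so a character outside the Basic Multilingual Plane uses two of the 50.

```python
from dataclasses import dataclass


@dataclass
class Column:
    name: str
    sql_type: str     # "nvarchar" or "int"
    max_len: int = 0  # declared n for nvarchar(n)


def utf16_units(text: str) -> int:
    """Length as nvarchar counts it: UTF-16 code units, not characters."""
    return len(text.encode("utf-16-le")) // 2


def _fits_int(value: str, lo: int, hi: int) -> bool:
    try:
        return lo <= int(value) <= hi
    except ValueError:
        return False


def boundary_cases(col: Column):
    """Return [(label, value, fits)] where fits predicts whether the column can hold it."""
    if col.sql_type == "nvarchar":
        n = col.max_len
        values = [
            ("empty", ""),
            ("max-1", "a" * (n - 1)),
            ("max", "a" * n),
            ("max+1", "a" * (n + 1)),
            ("non-ASCII at max", "\u00e9" * n),
            ("emoji, n characters", "\U0001F600" * n),        # 2n code units
            ("emoji, n code units", "\U0001F600" * (n // 2)),
        ]
        return [(label, v, utf16_units(v) <= n) for label, v in values]
    if col.sql_type == "int":
        lo, hi = -2**31, 2**31 - 1
        values = [("min", str(lo)), ("max", str(hi)), ("min-1", str(lo - 1)),
                  ("max+1", str(hi + 1)), ("alphabetic", "abc"), ("decimal", "1.5")]
        return [(label, v, _fits_int(v, lo, hi)) for label, v in values]
    raise ValueError(f"unsupported type: {col.sql_type}")


if __name__ == "__main__":
    for label, value, fits in boundary_cases(Column("EmailAddress", "nvarchar", 50)):
        print(f"{label:22} units={utf16_units(value):3} fits={fits}")
```

Values predicted not to fit should be rejected with a clean validation error in the UI, not truncated silently or surfaced as a database error.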

Having a connection to a database also comes with the potential for attacks. Common attacks are Unicode transformation and SQL injection. I will not be demonstrating these attacks on Google as I do not have their permission to do so.

11. Search button

Here are some test cases I derived from exploratory testing:

  • Click Search button without entering anything in the TextBox
    • Nothing should happen
  • Typing in search terms will hide the Search button, due to AutoComplete
    • Verify this behavior

12. I am Feeling Lucky

Here are some test cases I derived from exploratory testing:

  • Hover text changes when no search term is present in the TextBox
    • Click the button and verify the trending searches are displayed
  • Typing in search terms will hide the Search button, due to AutoComplete
    • Verify this behavior

13. Message of the Day

Verify the message matches the URL.

14. Footer

More links to verify. Also, the Settings link