Exploratory testing can be a challenge. How to know that you have covered entire application? What all areas need to be covered?
I have listed down some exploratory testing tips. This checklist will help you in performing exploratory testing in a more structured way.
1. Test for data types
| Path Files | Long Name (>255 chars) pecial Characters in Name (space * ? / \ | < > , . ( ) [ ] { } ; : ‘ “ ! @ # $ % ^ &) Non-Existent, Already Exists No Space, Unavailable |
| Time and Date | Timeouts Time Difference between Machines Crossing Time Zones Leap Days Always Invalid Days (Feb 30, Sept 31)Feb 29 in Non-Leap Years Different Formats (June 5, 2001; 06/05/2001; 06/05/01; 06-05-01; 6/5/2001 12:34) Daylight Savings Changeover Reset Clock Backward or Forward |
| Number | 0 32768 (215) 32769 (215 + 1) 65536 (216) 65537 (216 +1) 2147483648 (231) 2147483649 (231 + 1) 4294967296 (232) 4294967297 (232 + 1) Scientific Notation(1E-16) Negative Floating Point/Decimal (0.0001) With Commas (1,234,567) European Style (1.234.567,89) All the Above in Calculations |
| String | Long (255, 256, 257, 1000, 1024, 2000, 2048 or more characters) Accented Chars (àáâãäåçèéêëìíîðñòôõöö, etc.) Asian Chars Common Delimiters and Special Characters ( “ ‘ ` | / \ , ; : & < > ^ * ? Tab ) Leave Blank Single Space Multiple Spaces Leading Spaces End-of-Line Characters SQL Injection ( ‘select * from customer ) With All Actions (Entering, Searching, Updating, etc.) |
| General | Violates Domain-Specific Rules (an ip address of 999.999.999.999, an email address with no “@”, an age of -1) Violates Uniqueness Constraint |
2. Browser dependent tests
| Navigation tests | Back (look for ‘Expired’ messages and double-posted transactions) Refresh Bookmark the URL and then select Bookmark when Logged Out Hack the URL (change/remove parameters; see also Data Type Attacks) Multiple Browser Instances Open |
| Input tests | HTML/JavaScript Injection (allowing the user to enter arbitrary HTML tags and JavaScript commands can lead to security vulnerabilities) Check Max Length Defined on Text Inputs > 5000 Chars in TextAreas |
| Syntax | Use HTML Syntax Checker (http://validator.w3.org/) and CSS Syntax Checker (http://jigsaw.w3.org/css-validator/) |
| Browser preferences | Javascript Off Cookies Off Security High Resize Change Font Size |
3. Miscellenous
| Variable analysis | Identify anything whose value can change. |
| Interface | Identify any public or private interface that provides visibility or control. Provides places to provoke, monitor, and verify the system. |
| Boundaries | Near the boundaries (too big, too small) and at boundaries. Exact values |
| CURD | Create, update, read and delete |
| Sequence/Workflow | Perform a sequence of actions involving data, verifying the data integrity at each step. |
| Default Values | Changing the default configurations |
| Interruptions | Log Off, Shut Down, Reboot, Kill Process, Disconnect, Hibernate, Timeout, Cancel |
| Stress | CPU, Memory, Network, or Disk at maximum capacity |
| Selections | Some, none, all for example Some permissions, No permissions, All permissions |
| Multiuser/concurrent users | Simultaneous create, update, delete from two accounts or same account logged in twice |
| Dependencies | Identify dependencies across different data/fields, workflow steps etc. |
| Input method | Typing, copy/paste, drag and drop, import etc. |
| Sorting | Alpha/Numeric/alphanumeric/across pages |
| Third part integration | Identify third party issues. 3rd party css/js/API ‘s etc. |
