Mastering Web Testing


The course is designed for software testers and test managers.


A basic knowledge of the Internet and software testing.

Attendance on the Structured Approach to Software Testing course would be an ideal prerequisite.


5 days.

Lecture presentations are supported by a number of Web sites designed for training purposes, which allow reinforcement of learning and hands-on testing. In addition, various testing tools will be demonstrated.

Course Objectives

While many of the traditional concepts of software testing still hold true, websites and Web applications have a different risk profile to other, more mature environments. A typical Web tester now has to deal with shorter release cycles, changing technology, complex hardware and software platforms and an anticipated user base which is uncontrolled and may run into millions. As more companies use the Internet and Web for mainstream business processes, testers and test managers are being asked to make the transition from testing traditional client/server, PC, and/or mainframe environments to testing websites and applications.

This course covers Web technology, Web architecture and communications, and the testing of functional and non-functional requirements such as usability. It also includes the complex testing activities of performance and security.

At the end of the course attendees will be able to:

  • Understand the different technologies used in Web environments.
  • Communicate adequately with appropriate technical personnel to ensure that the correct test environments are set up.
  • Create appropriate tests, test cases and test scripts.
  • Execute tests in a controlled manner using the correct setup conditions and inputs.
  • Understand the nature, availability and limitations of Web testing tools.
  • Examine performance requirements and ensure that the requirements are realistic and achievable.
  • Specify what types of performance tests are required and create tests, test cases and test scripts.
  • Execute performance tests and analyse the results.
  • Make a contribution to diagnosing performance problems.
  • Examine a security policy and specify the types of tests necessary to ensure that the requirements contained in the policy are being met.
  • Execute basic security tests and understand the results.

Course Content

Web Basics
Basic Internet Architecture
Network Protocols
IP Addresses and URLs
HTTP/1.1 and HTTP/2
URLs and DNS

Web Technology
Hypertext Markup Language (HTML), HTML5
HTML validation
Web Components
Meta tags
Images, HTML5 Canvas
Cascading Style Sheets (CSS)
Web Open Font Format (WOFF)
Client-side scripting, WebAssembly
Extensible Markup Language (XML)
Document Type Definitions (DTD)
XML namespaces
XML schema
Displaying XML with CSS
Extensible Stylesheet Language (XSL)

Software Compatibility
Client software
Different browsers (IE, Edge, Firefox, Chrome)
Browser modes
IE Compatibility View and Enterprise Mode
Internet Explorer and Edge Reading View
Audio and video
Server software
Choosing the software test environment

Hardware Compatibility
Client hardware
Mobile clients
Variable screen widths
Testing responsive design
Choosing the hardware test environment

Universal Resource Locators (URLs)
Static and Dynamic Links, Download Links
Framesets and Inline Frames
Navigational Aids
Internal Search Engines
Site Maps, Site Navigation Tools
Navigational Efficiency

Client-side Functionality
Forms and responsive design
Client-side and server-side validation
Validation with the Pattern attribute
Document Object Model (DOM)
Client-side pop-ups
Client-side objects
Java and the Java Virtual Machine (JVM)
Web storage
Web Workers

Server-side Functionality
Server-Side Includes (SSI)
Dynamic page generation (ASP, PHP, Python, Ruby, etc.)
Common Gateway Interface (CGI)
Database middleware
Interfacing to back-office systems
Server-sent events

Maintaining a session
Private browsing
Shopping carts
Multi-page transactions
State transition diagrams and state tables

Importance of user interface
General usability testing
Screen size and resolution
Printer friendly pages
Help systems
Usability guidelines
Use case analysis
Performing usability tests
Multivariate testing
Guidelines for usability testing
Usability metrics

Legal aspects
Colour confusion
Components of Web accessibility
Web Accessibility Initiative (WAI)
WAI guidelines and techniques
Web Content Accessibility Guidelines (WCAG)
Conformance requirements
Evaluating websites for accessibility

Web Architecture and Communications
The big picture - end to end communication
Client Internet access (fixed)
Wired local area networks, Ethernet
Wireless local area networks
Client Internet access (mobile), 4G and 5G
ISP backbones

Performance Test Specification
Performance degradation
Prerequisites to performance testing
The general process, when to start performance testing
Categories of performance tests
Single-shot/smoke testing
Load testing, stress and hot spot testing
Spike and bounce testing, integrity testing
Defining and selecting test objectives
Response time requirements
User interface responsiveness
Defining the workload, think times
Site arrival rates, concurrency
ISP tiers, user geographic locations
Background loads

Developing test scripts and acquiring data
Specifying the test environment, selecting loads to run
Load generation options
Network considerations
Load generators, calibration of load generators
Choosing a performance testing tool

Running the tests, specifying the number of runs
Measuring the load, white-box and black-box measurements
Monitoring server parameters
Full-blown and focused testing
Phased load testing
Component level stress tests
Infrastructure and architectural load tests
End to end load tests

Response time graphs, margins of error
Diagnosing performance problems
Website performance issues
Page download times
Example analysis data from load testing tools

Testing Security
How big is the problem, where is the problem
Vulnerability likelihoods
Security policies, building a policy
Security testing techniques
Manual inspections & reviews - gap analysis
Threat modelling - attack trees
A framework for testing

Networks and Security
Internet Protocol v4 and v6
Transmission Control Protocol
Wired networks, wireless networks, IP spoofing
Secure Sockets Layer and Transport Layer Security
Encryption, Public Key Infrastructure (PKI)
SSL sessions
Wireless encryption

Information Gathering
Mapping out the network topology
Scope of the testing effort
IP address inventory, ping sweeps
Service/socket inventory, port scanning
Hardening the system software
Spiders, robots and crawlers
Web application fingerprinting
Testing for error code
Testing for weak cipher levels
Testing SSL certificate validity
Testing for file extension handling
Old, backup and unreferenced files, server logs
Evaluating intruder detection
Intruder detection systems

Authentication Testing
Testing the registration process
Credentials transport testing
Parameter modification
Testing for user enumeration
Default or guessable user accounts, brute force
Weak lockout mechanism
Password remember and reset
Social engineering and insiders
Authorisation testing
Direct page requests
Logout testing
Cached pages

Business Logic Testing
Testing integrity checks
Circumvention of workflows
Testing process timing
Multiple function use
Testing defences against application misuse
Uploading unexpected file types
Uploading malicious files

Session Management
Hidden fields
Manipulating CGI parameters
Analysis of session management
Cookie poisoning
Cookie reverse engineering
Cookie manipulation by guessing and brute force
Session IDs in URLs
Session timeout
Session hijacking and session fixation
Exposed session tokens

Data Validation Testing
SQL Injection
Relational databases, structured query language
Testing for SQL Injection
Testing for authorisation bypass attacks
Testing for SELECT statement attacks
URL based SQL Injection
Testing for INSERT statement attacks
Cross Site Scripting, Phishing
Reflective and persistent Cross Site Scripting
Cross Site Request Forgery
HTTP verb tampering and Cross Site Tracing
Code and command injection
File inclusion
Buffer overflows

Virtual Courses

ALL of our courses can be delivered virtually, and our Bath public schedule of courses is now available as live virtual sessions, using the popular Zoom Virtual Classroom and remote labs. Delegates can test their access at:

On-Site Courses

Can't attend one of our public classes? Booking for multiple people?

All our courses are available on your site! Delivered for your staff, at your premises.

Contact us to find out more...