TLDR; Testing driven by technical understanding observes at multiple levels of the application stack, and the testing conducted is informed by identifying risks in a model built by observing the application below the GUI.
I created a short live exploratory testing video using Orange HRM.
The video is on YouTube and ad free via Patreon (along with many more exclusive videos and content).
About The Exploratory Testing Session
I picked Orange HRM because:
- I haven’t tested it before
- it seemed fairly simple technology
- its user admin screen seemed similar to one I had just raised a live issue with
I mainly picked it because the User Admin screen had a form that would allow me to explain some of the approaches that I used to find a live issue in a Bug Bounty app that I was testing at the weekend.
Risk: Forms with JavaScript validation may have different, or no, validation on the server side.
In the video I show:
- using the application to build a model of its functionality
- recognising the limits of what I can observe and model at the GUI
- using the browser dev tools to expand my observation
- expanding my observation allows me to increase the scope of my model
- I gain new test ideas by observing the HTML
- I gain new test ideas by observing the HTTP
- I spot a difference in behaviour by viewing HTTP responses that I might easily have missed at the GUI level
- I explore the system further based on the different behaviour
- I manipulate the HTML to allow me to feed in out-of-bounds data and bypass GUI validation
- I manipulate the HTTP messages to feed in data that the GUI does not allow
- I discover the limits of my observation when the system seems to accept invalid data that I can’t view via the GUI
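The risk stated above (JavaScript validation with different, or no, validation on the server side) and the counterstring technique used in the video, as an added example that is not code from the video or from Orange HRM: a counterstring generator, a helper that reads the last intact marker of a truncated value, and a server-side validator that enforces its own limit regardless of what the GUI allowed. The 40-character limit and the permitted character set are assumptions, not Orange HRM's real rules.

```python
import re

MARKER = "*"


def counterstring(length: int) -> str:
    """Build a counterstring of exactly `length` characters.

    Each '*' is preceded by the digits of its own 1-based position, so the
    text tells you how much of it survived: "*3*5*7*9*" is 9 long, and a
    field showing only "*3*5*7*" was cut after position 7, with no counting.
    """
    parts = []
    pos = length                      # build from the end so markers land on true positions
    while pos > 0:
        chunk = f"{pos}{MARKER}"
        if len(chunk) > pos:          # no room for the digits: fill what is left with markers
            chunk = MARKER * pos
        parts.append(chunk)
        pos -= len(chunk)
    return "".join(reversed(parts))


def last_marker_position(text: str) -> int:
    """Position of the last complete marker in a (possibly truncated) counterstring, 0 if none."""
    found = re.findall(r"(\d+)\*", text)
    return int(found[-1]) if found else 0


# Assumed server-side rules for the user-admin form (not Orange HRM's real limits).
USERNAME_MAX = 40
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def validate_username(value) -> tuple[bool, str]:
    """Server-side check that must hold even when the HTML maxlength attribute
    is edited away in the DOM or the request is replayed with a longer value.
    Returns (accepted, reason)."""
    if not isinstance(value, str):
        return False, "not a string"
    if not value:
        return False, "empty"
    if len(value) > USERNAME_MAX:
        return False, f"longer than {USERNAME_MAX} characters"
    if not USERNAME_RE.fullmatch(value):
        return False, "characters outside [A-Za-z0-9._-]"
    return True, "ok"


if __name__ == "__main__":
    probe = counterstring(USERNAME_MAX + 1)      # one character past the assumed GUI limit
    print(probe, validate_username(probe))        # rejected server-side regardless of the GUI
    print(last_marker_position("*3*5*7*9*1"))    # 9: the stored value was cut after position 9
```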
Throughout the video I try to:
- explain my thought processes and observations
- justify the tools I use
- explore and explain the observations I’m making
- describe the model of the application that I’m building mentally and how it helps me test
Hope the video helps. You can find it embedded below.
Video of Technical Risk Based Exploratory Testing In Action
Links:
- https://www.turnkeylinux.org/orangehrm
- https://eviltester.github.io/TestingApp/apps/counterstrings/counterstrings.html
- https://www.virtualbox.org/
You will see:
- Thought processes involved in building a model of an application for testing
- Explanations of examples of Technical Risk based testing
- Explanations of exploratory testing thought processes
- Turnkeylinux VM as a test environment
- Orange HRM Application
- Use of BurpSuite Repeater
- Use of BurpSuite Intercept
- Use of Proxy tools for exploratory testing
- Use of BurpSuite to view HTTP requests and responses
- Use of Firefox to view HTTP Requests and responses
- Use of Firefox to check JavaScript Event handlers
- Use of Firefox to amend the DOM prior to sending messages
- Use of CounterStrings in Testing
- Technical Exploratory Web Testing in Action