Mozillians/TestPlan
From MozillaWiki
Mozillians Test Plan
Tools
- HTML5 Validator
- Xenu Link Sleuth
- Firefox 3.6 and up, IE 7 and up, Chrome 10 and up, Safari 5 and Opera 10 and up
Test Coverage
- Layout tests in browsers mentioned under the Tools section of this page
- Search functionality across the website
- Login/Logout and user permissions
- Edits to user profiles
- Test for correct error messages when invalid content is entered
- Vouching of users by accounts with permissions to vouch
- Test invite process
- Test the steps required to successfully invite a community member
- Test scenarios that possibly break the invite process
- Test registration process
- Is there going to be a CAPTCHA to prevent spam account creation?
- Test login with Mozilla LDAP accounts (@mozilla.com, etc)
- Test account deletion
- Positive case
- Negative case
- CSRF token on the field
- Test password reset function
- CSRF token on the field
- Test some basic security flaws (XSS, SQL injection, ...) --Tobbi 20:04, 18 August 2011 (PDT)
- Test entering junk input (strings consisting of all kinds of random, non-UTF-8 bytes) into the form fields, and make sure we bail out with an error message in that case.
- What kind of junk input?
- If there's a string fuzzer, couldn't we maybe use this one? Otherwise, try all UTF-8 and non-UTF-8 characters, foreign characters, for XSS and other vulnerabilities, see above.
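As an added illustration of the junk-input item above (example code written for this page, not code from the Mozillians project), the Python below shows the behaviour the test expects: a field validator that turns undecodable bytes, NUL bytes and control characters into an error message instead of an exception, and a seeded random-byte harness that confirms the validator never crashes. The error messages, the set of rejected character classes and the fuzz parameters are assumptions made for the example.

```python
import random
import unicodedata

def _forbidden(ch: str) -> bool:
    """Control (Cc), unassigned (Cn) and surrogate (Cs) code points are
    rejected; ordinary whitespace is allowed."""
    return unicodedata.category(ch) in ("Cc", "Cn", "Cs") and ch not in " \t\r\n"

def validate_text_field(raw: bytes) -> tuple:
    """Validate one submitted field given as the raw request bytes.

    Returns (ok, value_or_message). Every malformed input becomes an error
    message the view can render; nothing in here raises. The messages are
    constructed for this example, not the application's own wording.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return (False, "Input is not valid UTF-8 text.")
    if "\x00" in text:
        return (False, "Input contains a NUL byte.")
    if any(_forbidden(ch) for ch in text):
        return (False, "Input contains control or unassigned characters.")
    # NFC normalisation so visually identical strings compare equal downstream.
    return (True, unicodedata.normalize("NFC", text))

def fuzz_text_field(iterations: int = 2000, seed: int = 1) -> dict:
    """Push random byte strings (constructed, seeded for reproducibility)
    through validate_text_field and count outcomes; any exception is a
    finding and lands in 'crashed'."""
    rng = random.Random(seed)
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        blob = bytes(rng.randint(0, 255) for _ in range(rng.randint(0, 64)))
        try:
            ok, _ = validate_text_field(blob)
            counts["accepted" if ok else "rejected"] += 1
        except Exception:
            counts["crashed"] += 1
    return counts

if __name__ == "__main__":
    for sample in (b"Tobbi", b"\xff\xfe junk", "caf\u00e9".encode("utf-8"), b"a\x00b"):
        print(sample, validate_text_field(sample))
    print(fuzz_text_field())
```

A non-zero `crashed` count is exactly the failure the plan item describes: the application threw instead of reporting an error. Decoding strictly up front matters because a lenient decode would silently replace bad bytes and hide the defect.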
Automation Coverage
https://wiki.mozilla.org/Mozillians/AutomationStrategy
Test Plan (Tobbi)
General:
- Cross-browser testing for all accessible pages within mozillians.org -> specifically look for format issues and differences in processing form data (if there are any?)
- Fuzzing using NetSparker/Powerfuzzer
Form field validation tests (the following approaches should fail, display error messages, not expose security issues):
- XSS and SQL injection tests
- For login fields: entering invalid credentials for both registered email addresses and “unknown” mail addresses
- For password verification fields: entering two different passwords
- Leaving required fields blank
- Entering long, random strings
- Name fields: invalid characters, like numbers (do we want this?)
- For email fields: invalid email address
- For multiline text fields: entering long, random input, verifying page layout and making sure the app didn’t break
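To make the validation cases above concrete, here is an added Python example (not the Mozillians code base) of a create-profile form validator together with a table-driven matrix that mirrors the plan's cases: an XSS probe in the name, a SQL fragment in the email, a blank required field, mismatched passwords, an over-long name and a malformed address. The field names, limits, regular expression and messages are assumptions; the name field is treated as free text because the plan leaves the numbers-in-names question open. The `render_error` helper shows the output-side half of the XSS test: a rejected value is echoed back HTML-escaped, so the probe is displayed rather than executed.

```python
import html
import re

# Assumed field names and limits for the create-profile form (illustrative only).
REQUIRED = ("email", "password", "password_confirm", "full_name")
MAX_LEN = {"full_name": 100, "bio": 2000}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_registration(form: dict) -> dict:
    """Return a mapping field -> error message; an empty dict means valid.

    Every failure is reported as a message instead of an exception, so a
    hostile value (script tag, quote-laden SQL fragment, a huge string) is
    shown to the user rather than crashing the view.
    """
    errors = {}
    for name in REQUIRED:
        if not str(form.get(name, "")).strip():
            errors[name] = "This field is required."
    if "email" not in errors and not EMAIL_RE.match(str(form.get("email", ""))):
        errors["email"] = "Enter a valid email address."
    for name, limit in MAX_LEN.items():
        if len(str(form.get(name, ""))) > limit:
            errors[name] = f"Must be at most {limit} characters."
    if "password" not in errors and form.get("password") != form.get("password_confirm"):
        errors["password_confirm"] = "Passwords do not match."
    return errors

def render_error(field: str, value: str, message: str) -> str:
    """HTML fragment that echoes a rejected value back to the user.
    Escaping here is what keeps an XSS probe in the input from executing."""
    return (f'<p class="error" data-field="{html.escape(field, quote=True)}">'
            f'{html.escape(message)} (you entered: '
            f'<code>{html.escape(str(value), quote=True)}</code>)</p>')

# Constructed baseline form and test matrix: (case name, override, field expected to fail)
BASE = {"email": "tester@example.org", "password": "correct horse",
        "password_confirm": "correct horse", "full_name": "Test User", "bio": ""}

MATRIX = [
    ("xss_in_name",       {"full_name": "<script>alert(1)</script>"}, None),
    ("sqli_in_email",     {"email": "' OR 1=1 --"},                    "email"),
    ("blank_required",    {"full_name": ""},                           "full_name"),
    ("password_mismatch", {"password_confirm": "different"},           "password_confirm"),
    ("long_random_name",  {"full_name": "A" * 5000},                   "full_name"),
    ("invalid_email",     {"email": "not-an-address"},                 "email"),
]

def run_matrix() -> dict:
    """Run every case; returns case name -> True when the outcome matched expectation."""
    results = {}
    for name, override, expect_field in MATRIX:
        errors = validate_registration(dict(BASE, **override))
        results[name] = (errors == {}) if expect_field is None else (expect_field in errors)
    return results

if __name__ == "__main__":
    for case, passed in run_matrix().items():
        print(f"{case:20s} {'ok' if passed else 'FAIL'}")
    print(render_error("full_name", "<script>alert(1)</script>", "Rejected"))
```

The `xss_in_name` case is accepted by validation on purpose: the protection against script injection is the escaping on output, not a blocklist on input, and the matrix entry documents that division of responsibility.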
Start page:
- Verify basic page format (footer links leading to the appropriate sites, basic page layout)
- Language selection in footer
- Verify Create profile button takes you to create profile page
Create profile:
- Form field validation tests (see above)
- Creating a profile for an already existing email address
- Trying to create a profile without checking the “Privacy policy” checkbox
- Make sure create profile page redirects to User profile page for registered and logged in users (redirection tests)
Edit your profile page (second step after creating a profile):
- Validation tests for all form fields
- Verify uploading a profile photo that then shows in the designated spaces
- Verify uploading a bogus profile photo (a file which isn’t a photo), make sure the app denies integration into the profile page
- Make sure Change password link works
- Make sure Cancel, Next and Delete buttons work
- Modifying strings in the URL to try editing another user’s profile page (Bug 680312)
Step 3:
- Verify page layout
- Make sure link to your profile works correctly
- Make sure link in header says “Logout”
Unvouched profile page:
- Make sure status is Pending..., heading should say “Pending Profile”
- Also verify text explaining pending status is present
- Verify that “Vouch for me” link is not present on own profile for unvouched users
Profile page:
- Verify photo is present
- Verify edit my profile link works
- Basic information: link to the user who vouched for you should be present, together with a Vouched icon; email address should be present
- Verify no format issues present even with long “Bio” text
Search:
- Validation tests for search fields
- Make sure that search field and /search is only present for registered (and approved?) users
- Make sure that search field doesn’t show “The Mozillian you’re looking for is not available” when opening the page on its own (Bug 680469)
- Verify searching for (part of/full) name, email address, IRC nick -> make sure that you get more than 0 results
- Make sure that “Pending” is shown for non-vouched users, “Mozillian” for accepted users
Login page:
- Verify login with LDAP account (if possible)
- Validation tests
- Verify that we get an error message when submitting invalid credentials
- Verify login page redirects to profile page for logged in users
Invite page:
- Validation tests
- Make sure it fails for mail addresses already in the database
- Make sure that the mail address on the Invitation Sent! page matches the one entered
About Mozillians page:
Verify presence and functionality of “Create Profile” link, also presence of the Privacy first and Get Involved sections