Skip to main content
blog title image

4 minute read - Exploratory Testing Technical Testing

What does a technical exploratory test session look like?

Mar 6, 2013

I wanted to provide an example of what an exploratory test session with additional “Technical” focus might look like, at the same time demonstrating some of the capabilities of modern browsers whilst comparing them to proxy servers.

Phew, a bit of a mouthful, and you can see the resulting video below.

I uploaded the video to Youtube, as well as it forming part of the course “Technical Web Testing 101”, because I think it has interesting elements that can stand alone. And I don’t see many examples of exploratory testing on the web. I wanted to try and provide an example of ‘doing’ exploratory testing, and the type of notes I took.

As testers we can provide harsh criticism but I won’t let that stop me sharing. If you don’t think this provides a good example then I encourage you to share your own. I do welcome constructive comments and critique.

I’m getting better at thinking aloud as I test, so my verbal narration actually makes sense in this video.

A few things I want to point out.

  • I try to explain the thought processes and decisions I’m making

  • You can hear me verbally describe risks that I want to investigate

  • You see me spin off track a little to investigate some ‘interesting’ ideas and then get back on track

  • Modern browsers have a lot of impressive functionality built in that we used to have to use proxy servers to achieve the same effect

  • I’m “Tool Augmented” not “Tool Driven” so the tool helps me do what I identify I want to do, not what the tool allows me to do

  • I’m testing http://google-gruyere.appspot.com/

  • I’m using the “Edit This Cookie” chrome plugin

  • I did this as two sessions. The first was to get my bearings - and I made notes during it, which you can read below. The second was to record the video. The second session was slightly different as you can see if you compare the video with the notes, which shows that even when we repeat sessions, we learn additional things and do the testing differently.

Regarding the notes

  • This was an informal session so I didn’t timestamp anything - which I would do if I was testing on site professionally.
  • The notes were mainly to guide me in replay so aren’t formatted with any annotations e.g. @Bug or headings

And here are the notes in all their glory. I used Evernote as my note taking repository.

Testing with Gruyere with Google Chrome
Create a new account
“bob” “bob”
I can see the new account is created with a “GET”?!?
http://google-gruyere.appspot.com/804259209683/saveprofile?action=new&uid=bob&pw=bob&is_author=True

perhaps I can use different actions?
Perhaps I can amend? and change password?
Perhaps is_author has other alternatives
e.g. is_admin?
Having created an account - check storage
And I have a cookie - have I logged in automatically? I have I’d like to amend the cookie and check if the name can allow me to login as someone else, or the permission field can change - but I can’t do that out of the box with Chrome
Technique - means I have to look for a tool to do that - fortunately I already have one installed, but if I didn’t - this would prompt me to do so.
Try changing the cookie value to admin, refresh, and I no longer appear to be logged in
Perhaps that is a key? to the ID?
Repeat the get request and see what happens
http://google-gruyere.appspot.com/804259209683/saveprofile?action=new&uid=bob&pw=bob&is_author=True

User already exists - ok fine.
Try and use the url for different actions e.g. “amend” gives me an invalid action
Let’s see what profile does
I’ll inspect the form and I can see an update value and it is a get request again
So instead of “amend” try “update” in the url
incorrect password? But it is the same one?
Ah - perhaps it is looking for the validation password as seen in the profile update form
for update it probably needs oldpw as well
If I take out pw then what happens? request accepted
but presumeably didn’t update anything
what about the is_admin risk?
hmm nothing seemed to happen, - what if I logout and login again?
Woohoo admin