Question

What are the most common things to test in a new site?

For instance to prevent exploits by bots, malicious users, massive load, etc.?

And just as importantly, what tools and approaches should you use?

(Some stress test tools are really expensive/hard to use; do you write your own? etc.)

Common exploits that should be checked for.

Edit: the reason for this question is partially from being in SO beta, however please refrain from SO beta discussion, SO beta got me thinking about my own site and good thing too. This is meant to be a checklist for things that I, you, or someone else hasn't thought of before.


Solution

Try and break your own site before someone else does. Your web site is basically a publicly accessible API that allows access to a database and other backend systems. Test the URLs as if they were any other API. I like to start by cataloging all URLs that have some sort of permanent effect on the state of the system - this is easy if you are doing Ruby on Rails development or trying to follow a RESTful design pattern. For each of those URLs, try running GET, POST, PUT or DELETE HTTP methods with different parameters so that you can ensure that you're only giving access to what you want to give access to.

This of course is in addition to the obvious: functional testing, load testing, SQL injection, XSS, etc.
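The method-by-method check described in this answer can be automated. The following is an added example, not code from the original answer: it covers only the HTTP method matrix (not parameter variation), and `EXPECTED`, `DemoSite` and the paths are constructed stand-ins for your own URL catalogue and site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("GET", "POST", "PUT", "DELETE")

# Constructed catalogue: path -> methods an anonymous client is meant to be allowed.
EXPECTED = {"/articles": {"GET"}, "/articles/1": {"GET"}, "/comments": {"GET", "POST"}}

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the site under test.
    DELETE on /articles/1 is deliberately left open so the audit has something to find."""
    ROUTES = {"/articles": {"GET"}, "/articles/1": {"GET", "DELETE"}, "/comments": {"GET", "POST"}}

    def _handle(self):
        allowed = self.command in self.ROUTES.get(self.path, set())
        self.send_response(200 if allowed else 405)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, *args):  # silence per-request logging
        pass

def audit(host, port, expected):
    """Try every method on every catalogued path; return (path, method, status)
    wherever the server's answer disagrees with the catalogue."""
    findings = []
    for path, allowed in expected.items():
        for method in METHODS:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            conn.request(method, path)
            status = conn.getresponse().status
            conn.close()
            accepted = 200 <= status < 300  # only 2xx counts as "the site accepted it"
            if accepted != (method in allowed):
                findings.append((path, method, status))
    return sorted(findings)

def run_demo():
    """Start the stand-in site on a free loopback port and audit it."""
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port, EXPECTED)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, method, status in run_demo():
        print(f"mismatch: {method} {path} -> {status}")
```

To use it against your own staging site, point `audit` at that host and port and replace `EXPECTED` with your real catalogue; run it once per role (anonymous, logged-in user, admin) with the matching expectations.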

OTHER TIPS

Turn off javascript and make sure your site can still be navigated.

Even if you want to ignore the small but significant number of people who have it disabled, this will impact search engines as well.

YSlow can give you a quick analysis of different metrics.

Regarding tools for running functional tests of web pages, I've found Selenium IDE to be useful.

The Firefox (version 2 only compatible at the moment) plug in lets you capture almost all web events, and save them and replay them in the same browser.

In conjunction with another Firefox plug in, Firebug (https://addons.mozilla.org/en-US/firefox/addon/1843), you can create some very powerful tests.

If you want to set up Selenium Remote Control you can then convert the Selenium IDE tests into nUnit tests, which you can run automatically.

I use cruise control and run these web tests as part of a daily build.

The nice thing about using Selenium remote control is that it can run the same functional tests on multiple browsers and operating systems, something that you can't do with the IDE.

Although the web tests will take ages to run, there is a version of Selenium called Selenium Grid that lets you use any old hardware you have spare to run the tests in parallel as part of a computing grid. Not tried this myself, but it sounds interesting.

All of the above is open source and free, which helped me convince management to use it :-)

For checking the cross-browser and cross-platform look of your site, browsershots.org is maybe the best free tool that can save a lot of time and costs.

There are separate stages for this one.

Firstly there's the technical testing, where you check all technical functionality:

  • SQL injections
  • Cross-site Scripting (XSS)
  • load times
  • stress levels

Then there's the phase where you have someone completely computer-illiterate sit down and ask them to find something. Not only does it show you where there are flaws in your navigational logic (I find that developers look upon things way differently than 'other people') but they're also guaranteed to find some way to break your site.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow