- All mandatory fields should be validated and indicated by asterisk (*) symbol
- Validation error messages should be displayed properly at correct position
- All error messages should be displayed in same CSS style (e.g. using red color)
- General confirmation messages should be displayed using CSS style other than error messages style (e.g. using green color)
- Tool tips text should be meaningful
- Dropdown fields should have first entry as blank or text like ‘Select’
- Delete functionality for any record on page should ask for confirmation
- Select/deselect all records options should be provided if page supports record add/delete/update functionality
- Amount values should be displayed with correct currency symbols
- Default page sorting should be provided
- Reset button functionality should set default values for all fields
- All numeric values should be formatted properly
- Input fields should be checked for max field value. Input values greater than specified max limit should not be accepted or stored in database
- Check all input fields for special characters
- Field labels should be standard e.g. field accepting user’s first name should be labeled properly as ‘First Name’
- Check page sorting functionality after add/edit/delete operations on any record
- Check for timeout functionality. Timeout values should be configurable. Check application behavior after operation timeout
- Check cookies used in an application
- Check if downloadable files are pointing to correct file paths
- All resource keys should be configurable in config files or database instead of hard coding
- Standard conventions should be followed throughout for naming resource keys
- Validate markup for all web pages (validate HTML and CSS for syntax errors) to make sure it is compliant with the standards
- Application crash or unavailable pages should be redirected to error page
- Check text on all pages for spelling and grammatical errors
- Check numeric input fields with character input values. Proper validation message should appear
- Check for negative numbers if allowed for numeric fields
- Check amount fields with decimal number values
- Check functionality of buttons available on all pages
- User should not be able to submit page twice by pressing submit button in quick succession.
- Divide by zero errors should be handled for any calculations
- Input data with first and last position blank should be handled correctly
- All fields on page (e.g. text box, radio options, dropdown lists) should be aligned properly
- Numeric values should be right justified unless specified otherwise
- Enough space should be provided between field labels, columns, rows, error messages etc.
- Scroll bar should be enabled only when necessary
- Font size, style and color for headline, description text, labels, infield data, and grid info should be standard as specified in SRS
- Description text box should be multi-line
- Disabled fields should be grayed out and user should not be able to set focus on these fields
- Upon click of any input text field, mouse arrow pointer should get changed to cursor
- User should not be able to type in drop down select lists
- Information filled by users should remain intact when there is error message on page submit. User should be able to submit the form again by correcting the errors
- Check if proper field labels are used in error messages
- Dropdown field values should be displayed in defined sort order
- Tab and Shift+Tab order should work properly
- Default radio options should be pre-selected on page load
- Field specific and page level help messages should be available
- Check if correct fields are highlighted in case of errors
- Check if dropdown list options are readable and not truncated due to field size limit
- All buttons on page should be accessible by keyboard shortcuts and user should be able to perform all operations using keyboard
- Check all pages for broken images
- Check all pages for broken links
- All pages should have title
- Confirmation messages should be displayed before performing any update or delete operation
- Hour glass should be displayed when application is busy
- Page text should be left justified
- User should be able to select only one radio option and any combination for check boxes.
- User should be able to filter results using all parameters on the page
- Refine search functionality should load search page with all user selected search parameters
- When there is at least one filter criteria is required to perform search operation, make sure proper error message is displayed when user submits the page without selecting any filter criteria.
- When at least one filter criteria selection is not compulsory user should be able to submit page and default search criteria should get used to query results
- Proper validation messages should be displayed for invalid values for filter criteria
- Page loading symbol should be displayed when it’s taking more than default time to load the result page
- Check if all search parameters are used to fetch data shown on result grid
- Total number of results should be displayed on result grid
- Search criteria used for searching should be displayed on result grid
- Result grid values should be sorted by default column.
- Sorted columns should be displayed with sorting icon
- Result grids should include all specified columns with correct values
- Ascending and descending sorting functionality should work for columns supported with data sorting
- Result grids should be displayed with proper column and row spacing
- Pagination should be enabled when there are more results than the default result count per page
- Check for Next, Previous, First and Last page pagination functionality
- Duplicate records should not be displayed in result grid
- Check if all columns are visible and horizontal scroll bar is enabled if necessary
- Check data for dynamic columns (columns whose values are calculated dynamically based on the other column values)
- For result grids showing reports check ‘Totals’ row and verify total for every column
- For result grids showing reports check ‘Totals’ row data when pagination is enabled and user navigates to next page
- Check if proper symbols are used for displaying column values e.g. % symbol should be displayed for percentage calculation
- Check result grid data if date range is enabled
- Check if default window size is correct
- Check if child window size is correct
- Check if there is any field on page with default focus (in general, the focus should be set on first input field of the screen)
- Check if child windows are getting closed on closing parent/opener window
- If child window is opened, user should not be able to use or update any field on background or parent window
- Check window minimize, maximize and close functionality
- Check if window is re-sizable
- Check scroll bar functionality for parent and child windows
- Check cancel button functionality for child window
- Check if correct data is getting saved in database upon successful page submit
- Check values for columns which are not accepting null values
- Check for data integrity. Data should be stored in single or multiple tables based on design
- Index names should be given as per the standards e.g. IND__
- Tables should have primary key column
- Table columns should have description information available (except for audit columns like created date, created by etc.)
- For every database add/update operation log should be added
- Required table indexes should be created
- Check if data is committed to database only when the operation is successfully completed
- Data should be rolled back in case of failed transactions
- Database name should be given as per the application type i.e. test, UAT, sandbox, live (though this is not a standard it is helpful for database maintenance)
- Database logical names should be given according to database name (again this is not standard but helpful for DB maintenance)
- Stored procedures should not be named with prefix “sp_”
- Check is values for table audit columns (like createddate, createdby, updatedate, updatedby, isdeleted, deleteddate, deletedby etc.) are populated properly
- Check if input data is not truncated while saving. Field length shown to user on page and in database schema should be same
- Check numeric fields with minimum, maximum, and float values
- Check numeric fields with negative values (for both acceptance and non-acceptance)
- Check if radio button and dropdown list options are saved correctly in database
- Check if database fields are designed with correct data type and data length
- Check if all table constraints like Primary key, Foreign key etc. are implemented correctly
- Test stored procedures and triggers with sample input data
- Input field leading and trailing spaces should be truncated before committing data to database
- Null values should not be allowed for Primary key column
(Also applicable for other file upload functionality)
- Check for uploaded image path
- Check image upload and change functionality
- Check image upload functionality with image files of different extensions (e.g. JPEG, PNG, BMP etc.)
- Check image upload functionality with images having space or any other allowed special character in file name
- Check duplicate name image upload
- Check image upload with image size greater than the max allowed size. Proper error message should be displayed.
- Check image upload functionality with file types other than images (e.g. txt, doc, pdf, exe etc.). Proper error message should be displayed
- Check if images of specified height and width (if defined) are accepted otherwise rejected
- Image upload progress bar should appear for large size images
- Check if cancel button functionality is working in between upload process
- Check if file selection dialog shows only supported files listed
- Check multiple images upload functionality
- Check image quality after upload. Image quality should not be changed after upload
- Check if user is able to use/view the uploaded images
(Test cases for composing or validating emails are not included) (Make sure to use dummy email addresses before executing email related tests)
- Email template should use standard CSS for all emails
- Email addresses should be validated before sending emails
- Special characters in email body template should be handled properly
- Language specific characters (e.g. Russian, Chinese or German language characters) should be handled properly in email body template
- Email subject should not be blank
- Placeholder fields used in email template should be replaced with actual values e.g. {Firstname} {Lastname} should be replaced with individuals first and last name properly for all recipients
- If reports with dynamic values are included in email body, report data should be calculated correctly
- Email sender name should not be blank
- Emails should be checked in different email clients like Outlook, Gmail, Hotmail, Yahoo! mail etc.
- Check send email functionality using TO, CC and BCC fields
- Check plain text emails
- Check HTML format emails
- Check email header and footer for company logo, privacy policy and other links
- Check emails with attachments
- Check send email functionality to single, multiple or distribution list recipients
- Check if reply to email address is correct
- Check sending high volume of emails
- File should get exported in proper file extension
- File name for the exported Excel file should be as per the standards e.g. if file name is using timestamp, it should get replaced properly with actual timestamp at the time of exporting the file
- Check for date format if exported Excel file contains date columns
- Check number formatting for numeric or currency values. Formatting should be same as shown on page
- Exported file should have columns with proper column names
- Default page sorting should be carried in exported file as well
- Excel file data should be formatted properly with header and footer text, date, page numbers etc. values for all pages
- Check if data displayed on page and exported Excel file is same
- Check export functionality when pagination is enabled
- Check if export button is showing proper icon according to exported file type e.g. Excel file icon for xls files
- Check export functionality for files with very large size
- Check export functionality for pages containing special characters. Check if these special characters are exported properly in Excel file
- Check if page load time is within acceptable range
- Check page load on slow connections
- Check response time for any action under light, normal, moderate and heavy load conditions
- Check performance of database stored procedures and triggers
- Check database query execution time
- Check for load testing of application
- Check for stress testing of application
- Check CPU and memory usage under peak load condition
- Check for SQL injection attacks
- Secure pages should use HTTPS protocol
- Page crash should not reveal application or server info. Error page should be displayed for this
- Escape special characters in input
- Error messages should not reveal any sensitive information
- All credentials should be transferred over an encrypted channel
- Test password security and password policy enforcement
- Check application logout functionality
- Check for Brute Force Attacks
- Cookie information should be stored in encrypted format only
- Check session cookie duration and session termination after timeout or logout
- Session tokens should be transmitted over secured channel
- Password should not be stored in cookies
- Test for Denial of Service attacks
- Test for memory leakage
- Test unauthorized application access by manipulating variable values in browser address bar
- Test file extension handing so that exe files are not uploaded and executed on server
- Sensitive fields like passwords and credit card information should not have auto complete enabled
- File upload functionality should use file type restrictions and also anti-virus for scanning uploaded files
- Check if directory listing is prohibited
- Password and other sensitive fields should be masked while typing
- Check if forgot password functionality is secured with features like temporary password expiry after specified hours and security question is asked before changing or requesting new password
- Verify CAPTCHA functionality
- Check if important events are logged in log files
- Check if access privileges are implemented correctly
- Check if web application is able to identify spam attacks on contact forms used in the website.
- Proxy server – Check if network traffic is monitored by proxy appliances. Proxy server make it difficult for hackers to get internal details of the network thus protecting the system from external attacks.
- Spam email filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with in-build spam filters which needs to be configured as per your needs. These configuration rules can be applied on email headers, subject or body.
- Firewall – Make sure entire network or computers are protected with Firewall. Firewall can be a software or hardware to block unauthorized access to system. Firewall can prevent sending data outside the network without your permission.
- Try to exploit all servers, desktop systems, printers and network devices.
- Verify that all usernames and passwords are encrypted and transferred over secured connection like https.
- Verify information stored in website cookies. It should not be in readable format.
- Verify previously found vulnerabilities to check if the fix is working.
- Verify if there is no open port in network.
- Verify all telephone devices.
- Verify WIFI network security.
- Verify all HTTP methods. PUT and Delete methods should not be enabled on web server .
- Password should be at least 8 character long containing at least one number and one special character.
- Username should not be like “admin” or “administrator”.
- Application login page should be locked upon few unsuccessful login attempts.
- Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password”.
- Verify if special characters, html tags and scripts are handled properly as an input value.
- Internal system details should not be revealed in any of the error or alert messages.
- Custom error messages should be displayed to end user in case of web page crash.
- Verify use of registry entries. Sensitive information should not be kept in registry.
- All files must be scanned before uploading to server.
- Sensitive data should not be passed in urls while communicating with different internal modules of the web application.
- There should not be any hard coded username or password in the system.
- Verify all input fields with long input string with and without spaces.
- Verify if reset password functionality is secure.
- Verify application for SQL Injection.
- Verify application for Cross Site Scripting.
- Important input validations should be done at server side instead of JavaScript checks at client side.
- Critical resources in the system should be available to authorized persons and services only.
- All access logs should be maintained with proper access permissions.
- Verify user session ends upon log off.
- Verify that directory browsing is disabled on server.
- Verify that all applications and database versions are up to date.
- Verify url manipulation to check if web application is not showing any unwanted information.
- Verify memory leak and buffer overflow.
- Verify if incoming network traffic is scanned to find Trojan attacks.
- Verify if system is safe from Brute Force Attacks – a trial and error method to find sensitive information like passwords.
- Verify if system or network is secured from DoS (denial-of-service) attacks. Hacker can target network or single computer with continuous requests due to which resources on target system gets overloaded resulting in denial of service for legit requests.