obsidian/wiki/testing/web-app-testing-guide.md

---
title: "Web Application Testing — Comprehensive Guide"
aliases: [web-testing, webapp-testing, тестирование-веб-приложений]
tags: [testing, qa, selenium, playwright, cypress, security, performance, tdd, bdd]
sources: [raw/Подробное руководство по тестированию веб-приложений.md]
created: 2026-04-29
updated: 2026-04-29
---

## Overview

Testing is not a "final check" — it's an integral part of development. Web apps differ from desktop apps: multi-layer architecture, network dependency, cross-browser/device matrix, and public internet exposure all demand systematic testing.

---

## Types of Testing

### Functional Testing

| Area | What to Check |
|------|--------------|
| User flows | Registration, login, search, checkout, account management |
| Forms & input | Validation, data types, bad input handling |
| Business logic | Calculations, rules, exception handling |
| Integrations | Payment APIs, partner APIs, analytics, delivery services |

### Performance Testing

| Type | Goal | Business Value |
|------|------|---------------|
| Load | Normal user count | Daily usability |
| Stress | Exceeding normal load | Black Friday readiness |
| Volume | Large data sets | Scalability at growth |
| Stability | Long-running without degradation | 24/7 reliability |

### Security Testing

Key attack vectors to test per **OWASP Top 10**:

- **SQL Injection** — malicious SQL via input fields → test all inputs with special chars/SQL commands
- **XSS (Cross-Site Scripting)** — injected JS executing in browser → check all user-input reflection
- **CSRF** — forced user actions → verify CSRF tokens and request origin validation
- **Man-in-the-Middle** — traffic interception → verify HTTPS and certificate correctness
- **Auth/Authz weaknesses** — session management, access control, privilege escalation

Also check: data encryption, PII handling, regulatory compliance (GDPR etc.)

### UI Testing

- **Cross-browser** — same behavior in Chrome, Firefox, Safari, Edge
- **Responsive** — correct layout across screen sizes (mobile-first matters)
- **Usability** — intuitive navigation, clear controls
- **Accessibility (a11y)** — semantic HTML, screen reader support, keyboard navigation, color contrast, font scaling

---

## Methodologies

### Waterfall vs Agile

| Approach | When Testing Happens | Best For |
|----------|---------------------|----------|
| Waterfall | End of dev cycle | Stable, well-defined requirements |
| Agile/Iterative | Every sprint | Evolving requirements, fast feedback |

### TDD — Test-Driven Development

Cycle: **Red → Green → Refactor**
1. Write a failing test
2. Write minimal code to pass it
3. Refactor without breaking tests

Benefits: better architecture, high coverage, confidence when changing code.

### BDD — Behavior-Driven Development

Uses natural language: **Given / When / Then**
- Bridges communication gap between devs, QA, and business
- Tests become living documentation

### Risk-Based Testing

When resources are limited, prioritize by **probability × business impact**:
- High-risk areas → thorough coverage
- Medium-risk → standard methods
- Low-risk → sampling

---

## Tools

### UI Automation

| Tool | Strengths | Weaknesses |
|------|-----------|-----------|
| **Selenium** | Multi-language, multi-browser, mature ecosystem | Complex setup, steep learning curve |
| **Cypress** | Simple DX, great debugging | Chrome-based only (mostly) |
| **Playwright** | True cross-browser (Chrome/Firefox/Safari), modern API | Newer, smaller ecosystem |

### API Testing
- **Postman** — manual/exploratory API testing
- **REST Assured** — Java-based API automation

### Load Testing
- **JMeter** — open source, widely used
- **k6** — modern, JS-based, CI-friendly
- **Artillery** / **Gatling** — alternatives for smaller projects

### Security Testing
- **OWASP ZAP** — free, good for baseline scanning
- **Burp Suite** — professional-grade, expert features

### Test Management
- **TestRail**, **Xray**, **Azure DevOps** — plan, track, report, link to requirements

### Cloud Cross-Browser
- **BrowserStack**, **Sauce Labs** — access hundreds of browser/device combos without owning hardware

---

## Dynamic Content Testing

- **AJAX** — use explicit waits, test loading states, test network error handling
- **WebSockets** — test connection establishment, message types, graceful disconnect

## Microservices Test Environment

- Use **Docker + Docker Compose** for isolated per-service environments
- **Service mocking** for unavailable dependencies
- **Contract testing** to verify inter-service interfaces

## Bug Report Template

A good bug report must include:
1. Clear problem description
2. Step-by-step reproduction
3. Screenshot or video
4. Environment (browser, OS, app version)
5. Expected vs actual behavior
6. User impact
7. Labels/categories

---

## Key Takeaways

- Testing is part of development, not after it — early detection is 10× cheaper than late fixes
- Web apps need functional + performance + security + UI testing as a minimum
- OWASP Top 10 is the checklist for security testing
- TDD → better architecture; BDD → better team communication
- Tool choice depends on team expertise and project needs — Playwright is the modern default for UI automation
- Cross-browser and mobile testing can be outsourced to BrowserStack/Sauce Labs cheaply
- For microservices: Docker Compose + service mocking + contract testing
- Risk-based testing helps when you can't test everything

---

## Related

- [[wiki/tech-patterns/_index|Tech Patterns]] — FastAPI, React, Next.js stacks that need testing
- [[wiki/architecture/_index|Architecture]] — Docker Compose, microservices patterns
- [[wiki/concepts/_index|Concepts]] — atomic knowledge from dev sessions

---

## Sources

- [Подробное руководство по тестированию веб-приложений](https://workspace.ru/blog/podrobnoe-rukovodstvo-po-testirovaniyu-veb-prilozheniy/) — workspace.ru, 2025-06-27