A good friend of mine who also works in the Quality Assurance sphere sent me the following:
The web is an interesting development paradigm, in the sense that most transactions, ideally, are stateless. This allows for many users to access a server at scattered times and not bring the server to its knees; web servers can be gauged as to how they handle concurrent connections, so being able to test and confirm that applications run as expected while maintaining a high rate of concurrent connections would be a definite positive step. There are various load testing tools that can help simulate high network traffic and provide the ability to simulate a server under varying loads (I would recommend looking at open source options for these; while they may not be exactly transferrable to certain jobs because they don’t use a particular tool, the skills learned and the understanding of the methods most certainly are).
Learning how to do some client side automation would be helpful. A great tool for doing this if you use Firefox is the Selenium IDE. Selenium has a number of tools that are useful in different areas, but the Selenium IDE is a plug-in that goes right into your Firefox browser and gives you a bunch of options to record and modify tests.
The area with the greatest risks and the largest potential for issues is security. Security can be compromised in any number of places: in the client, in the web server, in the database server and even through proxy servers set up to capture data. SQL injection can be used to compromise sites and gain access to databases. Social engineering tricks can be applied to see how to get access to sites and to hack into sites… and yes, to get good at doing web Q.A., you need to learn a few hacker skills and know how to apply them, as well as how to prevent them. A book worth reading is “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto (Wiley Publishing, 2008). Also, for a good and entertaining primer on the topic of security, I recommend Randy Rice’s Software Quality Podcast Episode 5 (this was recorded in June of 2006, but the general ideas discussed are still very valid, and Randy does a great job of presenting the ideas and issues).
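To make the SQL injection point concrete for a tester, here is an added example (not code from the original post) of a regression check that runs the same inputs against a string-concatenated query and a parameterized one. The table, accounts, function names and probe strings are all constructed for illustration, and it uses an in-memory SQLite database so nothing leaves the test machine.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only keep the lab fixture short; real apps store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db

def login_concatenated(db, name, password):
    """Flawed lookup: user input is pasted straight into the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    """Hardened lookup: input is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

# Constructed wrong-password inputs: two tautologies and one legitimate
# value containing an apostrophe, which a fragile query also mishandles.
PROBES = ["' OR '1'='1", "x' OR 'a'='a", "O'Brien"]

def audit(login):
    """Return (probe, outcome) for every probe that matched rows or raised."""
    db = make_db()
    findings = []
    for probe in PROBES:
        try:
            rows = login(db, "alice", probe)
        except sqlite3.Error as exc:
            findings.append((probe, "error: %s" % exc))
            continue
        if rows:  # a wrong password must never match an account
            findings.append((probe, "matched %s" % sorted(rows)))
    return findings

if __name__ == "__main__":
    for label, fn in (("concatenated", login_concatenated),
                      ("parameterized", login_parameterized)):
        print(label, audit(fn) or "no findings")
```

A test suite would fail the build whenever `audit` returns anything for the login path under test.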
If you want to build as much knowledge about the web as possible and really cover a lot of different techniques, I would be remiss if I didn’t mention the W3Schools site. This is a terrific and comprehensive reference site for web technologies, and it gives the users many opportunities to practice the principles right in the site, and make changes and see how the changes work against the example code. This has been my go-to site for many years, and it has proven to be tremendously helpful to me.
In my opinion, the best way to learn and practice Web Quality Assurance is to get together with a few other people, set up a server or two (you can do this easily in virtualized space with tools like Hyper-V, VMware or Virtual PC if you don’t have spare boxes) and design some applications and pages to interact with. From there, take turns trying to see who can bring the server to its knees. Once you have done so, have a debriefing between you and your friends to determine who did what and how, and then look to see how you can harden the server. Repeat the process, letting someone else attack the server and another person's example applications and setup. Note: do be careful to set this up in a way that potential “over-spill” is contained; it’s not wise to try exploits or use tools on open networks, as your end results may go way beyond your area of testing, affect more than just your target machines, and might get some people really mad at you (not to mention some law enforcement interest if you go really hog wild!).
To TESTHEAD readers, do you have additional suggestions? If so, please feel free to add them to the comments section.