A web application is tested mainly for browser and operating system compatibility, error handling, static pages, back-end load testing, user interface testing, security testing, and performance testing.
Browser Acceptance Testing:
The objective is to make sure the application looks good and works as expected in every browser that is in scope of testing. Cross-browser testing is about how your website looks across different browsers and versions, and how different browser Internet setting options affect the way pages, images and other objects load. The tester has to know about browser-related problems, plug-ins, settings, options, video resolution, etc.
There are many tools to test browser compatibility, such as the HTML Validator from w3 school, http://validator.w3.org/, and one from Adobe, https://browserlab.adobe.com/index.html#. Bugs found are all compatibility bugs. Before cross-browser testing, the requirements should make clear which browsers are in scope of testing and which are not.
Security testing is all about trying to break the security walls of a web application: trying to gain unauthorized access to data, the application and information.
User ID and password cracking: Trying to access a user account by cracking the login and password, testing 'forgot your password' and its email flow, trying to crack the security answer. Multiple logins by the same user from different computers and browsers.
Session related: Copy the session ID and try it from another computer. Copy the URL and paste it in another browser or on another computer. Check whether automatic session expiry exists and, if it does, that it works as configured on the server.
Cookie related: Cookies should be deleted after the session has expired or the browser is closed. Persistent cookies expire at the configured times. Test corrupting and deleting cookies, and test with different browser options.
Back and forward functionality (the back button should be disabled in many cases, especially after some consent like terms and conditions or e-sign).
Terms and conditions check
E-sign and validation numbers
Navigation holes do not exist: for example, there is no link to go to a certain page and edit user input. Users are not able to access sensitive information.
Encrypted data passing:
Encryption encodes plain text into a non-readable form, providing privacy. Check that log files are free of sensitive data. Web browsers will encrypt text automatically when connected to a secure server, evidenced by an address beginning with https.
User authentication: based on the user, like Active Directory.
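The cookie checks listed above can be automated against the Set-Cookie headers a server returns. The Python sketch below is an added example, not part of the original checklist; the cookie names, the sample headers and the 14-day limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes dict with lowercase keys)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """Lifetime as a timedelta, or None when the cookie ends with the browser session."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def check_cookie(header, kind, now, max_lifetime=None):
    """kind is 'session', 'persistent' or 'deleted'; returns a list of findings."""
    name, attrs = parse_set_cookie(header)
    life = lifetime(attrs, now)
    if kind == "session" and life is not None:
        return [f"{name}: session cookie has an expiry, so it survives browser close"]
    if kind == "persistent" and (life is None or life > max_lifetime):
        return [f"{name}: lifetime {life} does not match configured {max_lifetime}"]
    if kind == "deleted" and (life is None or life > timedelta(0)):
        return [f"{name}: still valid after the session expired"]
    return []

# Constructed sample responses (not captured from a real application).
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LIMIT = timedelta(days=14)  # assumed server-side setting for persistent cookies
SAMPLES = [
    ("SESSIONID=abc123; Path=/; Secure", "session"),
    ("SESSIONID=abc123; Path=/; Max-Age=86400", "session"),
    ("remember_me=tok; Expires=Wed, 08 Jan 2025 12:00:00 GMT", "persistent"),
    ("remember_me=tok; Max-Age=2592000", "persistent"),
    ("SESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 GMT", "deleted"),
    ("SESSIONID=abc123; Path=/", "deleted"),
]

def run_samples():
    return [f for header, kind in SAMPLES for f in check_cookie(header, kind, NOW, LIMIT)]

if __name__ == "__main__":
    print("\n".join(run_samples()))
```

Each sample pairs the header with what the tester expects at that point in the flow: login, "remember me", or the response after the session has expired.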