What is substitution test?

A substitution test, in the context of software testing, is a type of black-box testing technique where you systematically replace valid inputs with invalid or unexpected inputs to see how the system reacts. The goal is to identify vulnerabilities and weaknesses in the system's input validation and error handling. This helps ensure the system behaves correctly even when presented with incorrect or malicious data.

Here's a breakdown of what makes up a substitution test:

* Black-box testing: The internal workings of the system are not considered. Testers only interact with the system's inputs and outputs.

* Systematic replacement: Inputs are deliberately altered, following a specific plan or strategy. This might involve changing data types, lengths, formats, or ranges of values.

* Invalid/unexpected inputs: This includes things like:

* Incorrect data types: Entering text where a number is expected.

* Values outside allowed ranges: Entering a negative number where only positive numbers are allowed.

* Too long or too short input strings: Exceeding maximum lengths or providing insufficient data.

* Special characters: Testing with characters like `,`, `!`, `@`, `#`, `$`, etc. (Especially important for security testing).

* Null or empty values: Testing with missing data.

* SQL injection attempts (for database systems): Trying to inject malicious SQL code.

* Cross-site scripting (XSS) attempts (for web applications): Injecting JavaScript code to manipulate the website.

* Observation of system reaction: The key is to observe how the system handles these invalid inputs. Does it gracefully handle the error, produce a meaningful error message, or crash? Unexpected behavior indicates a potential bug or security vulnerability.

Example:

Let's say you're testing a form that requires an age input. A substitution test might involve:

* Substituting valid input: Entering "25" (valid age).

* Substituting invalid inputs:

* Entering "-1" (negative age)

* Entering "twenty-five" (text instead of a number)

* Entering "150" (excessively high age)

* Entering special characters like "25@"

* Leaving the field blank (null value).

By observing the system's response to these invalid inputs, you can identify if the input validation is working correctly and if the system can gracefully handle unexpected data.

In short, substitution testing is a crucial part of ensuring software robustness, reliability, and security by proactively identifying how it reacts to incorrect or malicious data.