    Tester News Bot (@Tester News Bot)

    Posts made by Tester News Bot

    • Episode 007 - Finding Tools Special 2019 - The Evil Tester Show

      Have you ever built a tool list?

      Yes? Me too. I don’t any more. And in this show I explain why, and what I do instead.


      This podcast has also been uploaded to facebook:

      • Facebook post

      Show Notes

      Original twitter thread: https://threadreaderapp.com/thread/1098198817726517248.html?refreshed=yes

      The Observatron tool

      • https://github.com/eviltester/observatron/releases

      Exploratory Testing Chrome Extension

      • https://chrome.google.com/webstore/detail/exploratory-testing-chrom/khigmghadjljgjpamimgjjmpmlbgmekj

      Rapid Reporter, exploratory notetaking

      • http://testing.gershon.info/reporter/

      Exploratory Test Assistant - autoit script for making notes while engaged in exploratory testing - eviltester/exploratoryTestAssistant

      • https://github.com/eviltester/exploratoryTestAssistant

      I like tools that augment my process and work together. So I use multiple proxies to observe, interrogate and manipulate HTTP traffic.

      I use FreePlane for mind mapping, because I can write Groovy Scripts that allow me to output the information in different ways. Here’s an extract to markdown script that I use regularly when creating conference slides and other written material

      • https://github.com/eviltester/mm-script-repo

      I write most of my logs as text in markdown format so I can use multiple tools for reporting in different ways, and it is easy to parse for custom tools I write.

      I often write scripts to augment my existing tools, or extract information from them, or combine information from multiple tools together. Rather than look for a new tool. Often these are tactical, and just for my use.

      I sometimes wonder what other tools I don’t know about, but I don’t maintain a tool list any more. I tend to use a combination of tools, and only look for tools when I have a gap in my modelling, observation, interrogation or manipulation abilities.

      It was only as I was writing this extension that I stumbled across @bugreplay which is a commercial cloud tool that captures similar information as the extension I’ve written bugreplay.com

      I built this extension because I realised I had a gap in my observation and interrogation abilities… and because I wanted to learn more JavaScript, and experiment with extensions.

      Do experiment with multiple note taking approaches and tools to find a way that works for you, based around the process and the software that you test. Caution: spend more time using the tools, than augmenting and looking for new tools. (I’ve fallen into that trap too often)

      Actually I wrote it around 2004,2005,2006 but only released it to github in 2012

      And I only found it because it was mentioned in the testersio.slack.com channels

      Hints:

      • Don’t try to find “The one true tool”
      • Don’t build a list of tools
      • Learn to search well
      • Every list of tools you find will be incomplete and out of date
      • Look at native, built in OS functionality first
      • Learn to search in places where your tool might appear - e.g github, slack channels, forums etc.
      • Think like a marketeer - how would the ideal tool you need be marketed? search for that

      Go Meta:

      • make sure you understand your model of how you work
      • I have a meta-model for my work that uses Modelling, Observation, Interrogation, Manipulation as high level categories
      • I look for tools within those categories when I identify gaps in my ability to implement those categories for different technology

      If I am not observing a particular attribute of a specific technology. Then I go hunting. And my search is more specific.

      When choosing a tool:

      • Don’t evaluate, experiment: you know what gaps you want to fill

      When given a choice between tools:

      • look for tools that can be combined e.g. ffmpeg, automator
      • pick tools that can be augmented e.g. work with their files, APIs, plugins etc.
      • we want tools & utilities, not frameworks or funnels
      • pick tools that make it easy to work with - cross platform, cloud storage
      • do you have to make a choice? identify what they do well, use it when it works best

      https://eviltester.com/show/007-finding-tools-2019/

      posted in Blogs and Posts Feed
    • JavaScript Tutorial Creating a CounterString tool in Chrome Browser Dev Tools Snippets

      I often talk about automating tactically and strategically. When we automate tactically we do what it takes to get the job done for us. When we automate strategically we build for the long term.

      The same is true for programming tools. We can start small and tactical and scale strategically. In this example I create a Counterstring tool.

      Counterstrings

      I have written about Counterstrings before:

      • Counterstring algorithms
      • and I implemented it in my Test Tools Hub

      And you can find James Bach’s original writing and work on Counterstrings at satisfice.com

      Since I don’t have a tool for creating Counterstrings in the Web I set out to create one.

      I thought this would be a good simple tutorial for JavaScript, tactical tooling and eventually strategic tooling (by converting it into a Chrome extension).

      A Counterstring is a string like this *3*5*7*9*12*15* where each * marks the position in the string given by the number immediately preceding it.

      How to write it?

      Chrome has “Snippets”

      • right click, inspect
      • in Sources select the “Snippets” tab
      • create a + New Snippet

      This is a built in JavaScript Editor within your browser.

      To see it work type into the snippet:

      console.log("hello");
      

      Click the play icon, and your script should run and you’ll see "hello" written to the console.

      To create a Counterstring tool start by creating a function:

      function getCounterString(count){
          console.log("hello");
      }
      

      If you run this, nothing will happen.

      But after running it, if you type into the console getCounterString(5) you should see "hello" written to the console.

      We will make it output a counterstring.

      Counterstring generation function

      function getCounterString(count){
          
          var counterString = "";
      
          while(count>0){
      
              var appendThis = "*" + count.toString().split("").reverse().join("");
              
              if(appendThis.length>count){
                  appendThis = appendThis.substring(0,count);
              }    
      
              counterString = counterString + appendThis;
      
              count = count - appendThis.length;
          }
      
          return counterString.split("").reverse().join("");
      }
      

      If you run this, nothing will happen.

      But after running it, if you type into the console getCounterString(5) you should see "*3*5*" written to the console.

      How does it work?

      Declare a function called getCounterString which takes one parameter called count. That is how we are able to specify the length of the counterstring we want when we call the function getCounterString(5)

      function getCounterString(count){
      

      Create a String variable which we will build the counterString in:

          var counterString = "";
      

      We need to loop around all the values in the counterstring e.g. 5, 3, and 1. So I will decrease the count as we process the values and I’ll use a while loop to do this e.g. while count is greater than 0, keep building the counterstring.

          while(count>0){
      

      Each time I process a count value I will create a string like "*5" or "*3" I will append this to the counterString. But I can’t just write "*13" because I’m going to reverse the string later so I reverse the number as I create it e.g "*31" which would be reversed and read from left to right as "13*". The way I reverse a string in JavaScript is to .split("").reverse().join("") which uses split to convert it to an array, reverse to reverse it then join to convert the array back to a String.

              var appendThis = "*" + count.toString().split("").reverse().join("");
      

      Another complication is that I can’t just add the number to the String, otherwise I’ll end up with "1*" as my 1 character string, and it isn’t, it is two characters. So if the String I want to append is greater than the number of characters left then I only want a part of that string, e.g. a substring.

              if(appendThis.length>count){
                  appendThis = appendThis.substring(0,count);
              }    
      

      Then I append my number String to the counterstring.

              counterString = counterString + appendThis;
      

      Then I decrement ‘count’ by the number of characters I just added to the counterstring.

              count = count - appendThis.length;
      

      Then I continue the while loop if count still has characters to process.

          }
      

      Then, finally, I return the reversed counterString.

          return counterString.split("").reverse().join("");
      }
      

      Refactoring

      Since I have repeated code .split("").reverse().join("") I create a reverseString method

      function reverseString(reverseMe){
          return reverseMe.split("").reverse().join("");
      }
      

      Which I would call in my getCounterString function by:

      var appendThis = "*" + reverseString(count.toString());
      

      And

      return reverseString(counterString);
      

      This would give me a getCounterString function which I could run from the console, and I could then copy and paste the counterstring - a very basic tool.

      Easier to use

      var count = window.prompt("Counterstring Length?", "100");
      var counterString = getCounterString(count);
      console.log(counterString);
      

      The above code creates an input dialog and asks me “Counterstring Length?”, and I can enter the length I want. It stores the value I enter into a variable called count which it then uses to call the getCounterString method.

      And I print the generated Counterstring to the console, using console.log to make it easier to copy and paste.

      Even easier to use

      I can manipulate the DOM, i.e. the Web Page, from JavaScript.

      And if I select an input field before running the script then I can use document.activeElement to find the input field that I selected and can set the value of that field.

      document.activeElement.value=counterString;
      

      If I select an input field, and then run the snippet then the counterstring should be added to the input.

      Note: this bypasses HTML max length attribute controls since it injects the text directly into the field Value, and doesn’t type the keys.

      Video

      I’ve created a video showing all this in action:

      Watch on YouTube

      Code

      And you can find the source code on Github.

      • github.com/eviltester/counterstringjs/blob/master/snippets/counterstring.js

      https://eviltester.com/blog/eviltester/2019-02-19-counterstring-snippets/

      posted in Blogs and Posts Feed
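
For the Counterstring post above, whose note says that setting the field value bypasses the HTML max length attribute: the length limit therefore has to be enforced on the server, and a counterstring shows how much of the input actually arrived or was stored. This is an added example, not code from the original post or the counterstringjs repository. The function names, the two simulated backends and the limits 10 and 20 are assumptions made for illustration; it runs in Node.js.

```javascript
'use strict';

// Builds a counterstring of exactly `length` characters, e.g. 5 -> "*3*5*".
// Each "*" sits at the 1-based position named by the digits before it.
function makeCounterString(length) {
  let out = '';
  let remaining = length;
  while (remaining > 0) {
    let token = remaining + '*';
    if (token.length > remaining) {
      token = token.slice(token.length - remaining); // only happens for "1*" -> "*"
    }
    out = token + out;
    remaining -= token.length;
  }
  return out;
}

// Reads a value that came back from the system under test (echoed or stored).
// length:     how many characters survived
// lastMarker: the last "*" position a person would read off the string
// intact:     false if any "*" is not where its digits say, i.e. the value was
//             altered in the middle rather than just cut at the end
function readCounterString(value) {
  let digits = '';
  let lastMarker = 0;
  let intact = true;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch >= '0' && ch <= '9') {
      digits += ch;
    } else if (ch === '*') {
      // A "*" with no digits before it is only valid as the very first character.
      const expected = digits === '' ? 1 : Number(digits);
      if (expected !== i + 1) intact = false;
      if (intact) lastMarker = i + 1;
      digits = '';
    } else {
      intact = false; // a character a counterstring never contains
    }
  }
  return { length: value.length, lastMarker, intact };
}

// Server-side rule (hypothetical handler): enforce the limit that the form's
// maxlength attribute only suggests, and reject instead of silently trimming.
function acceptField(value, maxLength) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (value.length > maxLength) {
    return { ok: false, reason: `length ${value.length} exceeds ${maxLength}` };
  }
  return { ok: true, value };
}

// Constructed stand-ins for two backends behind a field declared maxlength="10".
const FORM_MAXLENGTH = 10;
const COLUMN_WIDTH = 20; // constructed: a storage layer that trims to 20 characters

function truncatingBackend(value) {
  return value.slice(0, COLUMN_WIDTH); // no validation, silent truncation
}

function validatingBackend(value) {
  return acceptField(value, FORM_MAXLENGTH);
}

function demo() {
  // Setting .value directly, as the post describes, means maxlength never applies,
  // so the server receives all 50 characters.
  const submitted = makeCounterString(50);
  return {
    submittedLength: submitted.length,
    storedReport: readCounterString(truncatingBackend(submitted)),
    validated: validatingBackend(submitted),
    withinLimit: validatingBackend(makeCounterString(FORM_MAXLENGTH)),
  };
}

console.log(JSON.stringify(demo(), null, 4));
```

A stored value that reads back as intact but shorter than what was sent points to silent truncation; a value that is not intact points to filtering or encoding somewhere between the form and storage.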
    • Promotion at the Escola Talking About Testing

      International software testing day. February 20 is considered the international day of software testing ✅ owing to the release of the book “The art of Software Testing”, by Glenford J. Myers, the first book focused specifically on the discipline of software testing. To celebrate this date the Escola Talking About Testing is … Continue reading Promotion at the Escola Talking About Testing

      https://talkingabouttesting.com/2019/02/19/promocao-na-escola-talking-about-testing/

      posted in Blogs and Posts Feed
    • Chat about DevOps – Talking About Testing mentoring group

      Last Saturday, February 9, 2019, the first chat of the Talking About Testing blog’s mentoring group took place, where Alekson Fortes, Henrique de Souza and I (Walmyr Filho) talked about DevOps based on the 3 ways described in the book “The DevOps Handbook: How to Create World‑Class Agility, Reliability, and Security in Technology Organizations”, … Continue reading Chat about DevOps – Talking About Testing mentoring group

      https://talkingabouttesting.com/2019/02/14/bate-papo-sobre-devops-grupo-de-mentoria-talking-about-testing/

      posted in Blogs and Posts Feed
    • What is the best fuzzer (automated software testing tool) to find 0-days? Why? Quora Answer

      Q: What is the best fuzzer (automated software testing tool) to find 0-days? Why?

      A:

      0-day is a very broad statement.

      I tend to use the payload fuzzers in BurpSuite and OWASP ZAP Proxy, but these require me to identify the target that I’m testing, and the appropriate data scope and range to fuzz.

      I suspect you might be more interested in application or file based fuzzers.

      Google have introduced a service for fuzzing applications.

      github.com/google/oss-fuzz

      There are many lists of fuzzers to read through.

      • blackarch.org/fuzzer.html
      • sectools.org/tag/fuzzers
      • secfigo/Awesome-Fuzzing

      New tools are being created for this all the time and there is a constant flood of research on fuzzing:

      scholar.google.co.uk/scholar?hl=en&as_sdt=0%2C5&q=fuzzing&btnG=

      Since the fuzzers all work at different levels and on different technologies you have to be very specific in your research to make sure you don’t overload yourself with tools (which is all too easy to do in Security Testing).

      owasp.org/index.php/Fuzzing

      https://eviltester.com/blog/eviltester/quora/2019-02-13-what-best-fuzzer/

      posted in Blogs and Posts Feed
    • Hacking JavaScript Games - Accessing private javascript variables at runtime via debugging

      I like to write little bots from the console to help with application and game automation. But when the variables and objects I need are created from within anonymous functions I can’t get access. In this post I will explain how to access them.

      I’ve tried writing helper code to access the methods within objects and trawl through the DOM to find specifically named objects, and that can help with a large application where the objects are all public.

      But when the application is essentially one anonymous function kept alive by event handlers and timers, how do we access the objects?

      The short answer is:

      • set a breakpoint on the line of code that uses the object
      • in the console when the breakpoint activates, create a new reference to the object from the window

      e.g. if there is a pacman object I want to access, then find a line that uses it, breakpoint the line, then from the console:

      window.pacman = pacman
      

      And I now have access to the private pacman object from the console when not in debug mode because the window now has a reference to it.

      Manual Step

      This requires a manual step before any of my automated bots can be used but if I write down what to ‘search for’ to find the line in the code then it is pretty easy to repeat.

      Security by private objects

      If we are relying on the objects being private and inaccessible due to the anonymous function then we really shouldn’t because if it is in our browser, the user can gain access to it.

      Always have protection on your server side to handle anything thrown at it.

      Opens Up New Options

      This opens up a bunch of new options for testing and automating modern JavaScript approaches for me.

      This can’t really be used for continuous integration automating or fully autonomous code injection since there is a manual step involved. But for automating tactically where the user is present, this opens up more possibilities.

      Want to see it in action?

      Using the simple open source Pacman clone from platzh1rsch.ch where all the code is wrapped and called from anonymous function. I show the steps and thought processes for gaining console access to the main game and pacman objects to allow me to write infinite life cheats.

      • http://pacman.platzh1rsch.ch/
      • https://github.com/platzhersh/pacman-canvas
      • http://platzh1rsch.ch/

      Watch on YouTube

      Where to learn more?

      I have some material covering this topic:

      • https://www.eviltester.com/page/onlinetraining/techwebtesting101/
      • https://www.eviltester.com/page/onlinetraining/protectthesquare/
      • https://nordictestingdays.eu/files/files/09-sigma-alan-richardson_just_enough_javascript_to_be_dangerous-05-06.pdf
      • https://www.youtube.com/user/EviltesterVideos/search?query=javascript

      https://eviltester.com/2019/02/hacking-javascript-private-variables.html

      posted in Blogs and Posts Feed
    • Talking About Testing & Patas Dadas

      In 2019 the Escola Talking About Testing is entering into a partnership with the organization Patas Dadas, and 10% of the amount paid for each course will be donated to that organization. Patas Dadas has the mission of rescuing abandoned animals, providing the necessary veterinary care until they are ready for adoption, seeking … Continue reading Talking About Testing & Patas Dadas

      https://talkingabouttesting.com/2019/02/12/talking-about-testing-patas-dadas/

      posted in Blogs and Posts Feed
    • Write code only once

      Another post in the series on code quality in software testing. If you are arriving at this post now and have not yet read the previous content, I recommend starting there. Here are the links: Write small units of code; Write simple units of code. Now, if you have already read the first and second posts in the series, let’s … Continue reading Write code only once

      https://talkingabouttesting.com/2019/02/11/escreva-codigo-uma-so-vez/

      posted in Blogs and Posts Feed
    • Automated tests in a CD/CI pipeline

      Good pipelines are stable and can support frequent and small releases. When building the pipeline you need to include not only the build and unit tests part, but also the e2e tests and even the smoke tests and deploy to all the environments, so you have as little human interaction as possible, avoiding releases … Continue reading Automated tests in a CD/CI pipeline →

      https://azevedorafaela.com/2019/02/07/automated-tests-in-a-cd-ci-pipeline/

      posted in Blogs and Posts Feed
    • How to Practice your JavaScript, Software Testing and Test Automation

      One way I practice my Software Testing, improve my JavaScript programming and practice my automating is by ‘hacking’ JavaScript games.

      One of my bots scored 282010 on https://phoboslab.org/xtype/ This ‘bot’ is JavaScript code that runs from the Browser Dev Tools and plays the game.

      Image of high score bot achieved

      I have a video showing the bot in action below.

      To create this I have to learn to use the dev tool to inspect the Dom, and the running memory space, and read the JavaScript. All of this is modelling the application. A recon step that helps me with my Software Testing.

      As I recon the app I look at the network tab to see what files are loaded and what API calls are issued. This also informs my model. And makes me think about Injection and Manipulation points.

      Perhaps I can use a proxy to trap and amend those requests? Perhaps my proxy can respond with a different file or data automatically?

      These are thought processes and skills that I can apply in my testing. I also learn more about HTTP, Dev tools and Proxies.

      When the game is running I have to observe its execution behaviour. I build a model of the software and its functionality. This informs my Software Testing. I have to build models of the application as I test and make decisions about what to target.

      To ‘hack’ the game, I have to inspect the objects which have been instantiated by the code. I can do this in the console by typing in the object names.

      Inspecting a game object in memory

      To learn what these objects are I have to read the game code. This improves my JavaScript because one of the best ways to learn to write code is to read code and try to understand what it does.

      I can use the Snippets view in Chrome Sources to write JavaScript. This is a built in mini JavaScript IDE in the browser.

      Writing code in the browser

      I can write simple code here to manipulate the game objects in memory to help me cheat and hack the game. I don’t need to learn a lot of JavaScript to do this, and most of the JavaScript you need is already in the game source itself.

      To write a ‘bot’… code that executes in its own thread periodically to do something, I use the ‘setInterval’ command. This is the fundamental key to writing JavaScript bots. e.g.

      var infiniteLivesBot = setInterval(infiniteLives,1000);
      

      The above line calls a function named infiniteLives every second. That infiniteLives function checks if my number of lives have decreased, and if so, increase them. e.g.

      function infiniteLives(){
          if(game.lives<3){
              game.lives=3;
          }
      }
      
      var infiniteLivesBot = setInterval(infiniteLives,1000);
      

      I can easily stop this bot using the clearInterval command.

      clearInterval(infiniteLivesBot);
      

      I can run that code from the snippets view, or paste it into the console, or convert it into a bookmarklet. Whatever is more convenient to help me when I want to hack the game. I do the same thing to support my testing e.g. setup data, delete data etc.

      This is a form of ‘tactical’ automating. It won’t scale, it doesn’t go into continuous integration. It supports me. It does a specific task. It automates part of my work. It is a good start to learning to automate more strategically.

      To automate xtype I had to learn how to trigger mouse events to initiate the firing functionality. I couldn’t remember how to do this. I copied and pasted a snippet of code from stackoverflow. All professional programmers do this.

      • stackoverflow.com/questions/2381572/how-can-i-trigger-a-javascript-event-click

        var event = document.createEvent("MouseEvents");
        event.initEvent("mousedown", true, true);
        document.getElementById("canvas").dispatchEvent(event, true);

      Part of learning programming is knowing where to find a general answer. Knowing which part of the answer to isolate. Then having the confidence to bring that into your code and experiment with it.

      As I do this, I learn more JavaScript. Which allows me to write scripts in other tools e.g. Postman. And I can inject code into applications e.g. using WebDriver JavaScriptExecutor. The more I practice, the more options I open up.

      I take the knowledge and then write small utilities or applications to help me. I write a lot of small JavaScript utilities to help me with data extract activities and reformatting of data from Web applications.

      I extended my knowledge by writing JavaScript applications and games which I bundled into:

      • github.com/eviltester/TestingApp

      If you want to experiment with simple games manipulation and hacking then the games in this app are designed for that purpose.

      Doing this also has a knock on effect on how I view web applications. The GUI is no longer a trusted client. The GUI can be manipulated by the user. The messages it sends to the server can be manipulated by the user. The server needs to be robust.

      This helps my Software Testing. I have to go deeper when I test. And by practicing I develop the skills to go deeper when I test. I can recognise when requirements need to be tested more deeply than they state on the surface.

      This helps my programming. I am very aware that the server needs to validate and approach the input data with caution.

      This is one way that I practice my Software Testing, JavaScript programming and automating. The benefit to me has been enormous. I recommend this, or adapt the ideas and create your own practice path.

      I cover many of the skills to do this in my online Technical Web Testing 101 course https://www.eviltester.com/page/onlinetraining/techwebtesting101/

      Free Video Discussing This Topic

      Watch on YouTube

      Want to see my XType bot in action?

      This was a hard bot to write. Xtype is a bullet hell shooter, which are challenging to play, let alone automate - and no, I’m not going to show you the code for the bot.

      But this is not my first bot.

      I’ve written bots to play z-type, Cookie Clicker, 3D Monster Maze

      I like these games because they are all well written, I can read the code to improve my programming, and they are fun to play.

      Many of my bots are not full playing bots like the x-type bot. They are support tools. And when I started to automate x-type I started with support tools:

      • an infinite lives hack
      • an auto-aimer so that I didn’t have to keep track of the boss while I was controlling the player
      • I added auto firing to the auto-aiming so I only had to concentrate on moving the player
      • I combined all three and had a bot that could play the game, although it was cheating with infinite lives.
      • only then did I approach the autonomous playing of the game

      For 3D Monster Maze I only wrote support tools:

      • a heads up display so that a map of the screen was rendered on screen as I played showing me the position of Rex to help me avoid him, and showing me where the exit was
      • a trap for Rex, so that if he entered it he couldn’t move
      • a chain for Rex so that he never moved from his starting point
      • armour so that if Rex caught me, he couldn’t kill me

      For many games I try to think how to add extra features to make the game more interesting. I don’t have the skill or patience to write games like these, but I do have the skill and motivation to ‘augment’ them for my learning.

      This is analogous to writing ‘tools’ to support our testing, or making applications more ‘testable’.

      Note: my games github.com/eviltester/TestingApp are not well written, but they are very easy to understand and hack.

      Watch on YouTube

      https://eviltester.com/2019/02/practice-javascript-software-testing-automation.html

      posted in Blogs and Posts Feed
    • How to Pretty Print JSON using Browser Dev Tools

      Quick tips for pretty printing JSON in the Browser.

      All examples in this post use the swapi.co API

      Where do you find JSON?

      In the network tab, I will very often be observing network traffic, and I’ll want to interrogate the message to view it more easily.

      So I copy and paste it from the network tab.

      showing json in the network tab

      I could use an online tool to format it and view it:

      • https://jsonformatter.org/
      • https://jsonformatter.curiousconcept.com/
      • https://jsonformatter-online.com/

      Or I could use the browser itself.

      Paste the JSON into the console

      Pasting the Json into the console will show an interactive view where I can expand and contract the outline and view the JSON.

      showing json in the console

      Pretty Print it using JavaScript

      JavaScript has a built in JSON class and I can use the stringify method to pretty print an object as JSON to the console.

      So I first create an object from the JSON:

      bob={"name":"Luke Skywalker"}
      

      Then I can pretty print the JSON (4 is the indentation level):

      JSON.stringify(bob, null, 4)
      

      e.g

      "{
          "name": "Luke Skywalker",
          "height": "172",
          "mass": "77",
          "hair_color": "blond",
          "skin_color": "fair",
          "eye_color": "blue",
          "birth_year": "19BBY",
          "gender": "male",
          "homeworld": "https://swapi.co/api/planets/1/",
          "films": [
              "https://swapi.co/api/films/2/",
              "https://swapi.co/api/films/6/",
              "https://swapi.co/api/films/3/",
              "https://swapi.co/api/films/1/",
              "https://swapi.co/api/films/7/"
          ],
          "species": [
              "https://swapi.co/api/species/1/"
          ],
          "vehicles": [
              "https://swapi.co/api/vehicles/14/",
              "https://swapi.co/api/vehicles/30/"
          ],
          "starships": [
              "https://swapi.co/api/starships/12/",
              "https://swapi.co/api/starships/22/"
          ],
          "created": "2014-12-09T13:50:51.644000Z",
          "edited": "2014-12-20T21:17:56.891000Z",
          "url": "https://swapi.co/api/people/1/"
      }"
      

      how to use JSON stringify

      Free Video Showing How to Pretty Print JSON

      Watch on YouTube

      https://eviltester.com/2019/02/pretty-print-json-using-dev-tools.html

      posted in Blogs and Posts Feed
    • How to bypass no paste controls on a web form

      Just because a site says we can’t paste into a field, doesn’t mean we have to believe it.

      Inspired by this blog post:

      dev.to/claireparker/how-to-prevent-pasting-into-input-fields-nn

      Claire Parker-Jones shows how to prevent people pasting into input fields. This is common code and you’ll see it on StackOverflow a lot. Claire’s post seemed to receive a lot of flak comments, but people do this and she just wanted to learn how it was done and shared that knowledge. She also put the time into creating a codepen example which you can explore and experiment with.

      I forked the example code in here:

      https://codepen.io/eviltester/pen/WPpJGo

      This is a terrible UX pattern but we see it all the time. And as testers we have to work with it, or work around it.

      How to bypass no paste code?

      So how do we bypass it?

      • inspect and remove listener in the dev tools

      • with code from the console:

        document.getElementById("paste-no").onpaste={};

        document.getElementById("paste-no").onpaste=null;

        document.getElementById("paste-no").onpaste=new function(){};

      If it wasn’t in a frame it would be easy to create a bookmarklet. Creating a bookmarklet can be done, but it is a little bit more complicated than if it wasn’t in a frame. For information on bookmarklets and frames see https://www.irt.org/articles/js170/

      Everything in the GUI is ours to observe, interrogate and manipulate. Which is why as testers, the more we understand the technology and the tools, the more we open up possibilities and options in our testing. And we should not limit our testing to the obvious ‘happy’ paths in the GUI.

      If you are interested in learning this type of thing then I have an online course:

      https://eviltester.com/techwebtest101

      I have a follow on exclusive video for Patreons showing another way to bypass the pasting and discussing this in more detail in relation to Software Testing, Risk and Bug & UX Advocacy.

      https://www.patreon.com/posts/24482175

      Free Video Showing How to Paste into No Paste Fields

      Watch on YouTube

      https://eviltester.com/2019/02/bypassing-no-paste-fields.html

      posted in Feed de Blogs e Posts
    • AWS Online Tech Talks 2019

      Hello guys, just came here quickly to share with you this link containing AWS presentations for this year. Some of them have already happened, but you can register and watch the next ones for free. The link is below: https://aws.amazon.com/about-aws/events/monthlywebinarseries/

      https://azevedorafaela.com/2019/02/03/aws-online-tech-talks-2019/

      posted in Feed de Blogs e Posts
    • What does the EvilTester Patreon Contain?

      How do you keep motivated and accountable to improving your testing and technical skills?

      Where do you find small regular chunks of Software Testing and Development experience?

      This is what I was thinking when I set up the Evil Tester Patreon.

      Since then I realised that knowing Patreons are there, pushes me harder to think about my testing and my own improvement, and that drives content that I put on Patreon to help other people.

      I put a lot of stuff on YouTube, but only the ‘obvious’ content really gains traction. The content that I think is really valuable and which I learned most from creating doesn’t do as well. I started putting that content in Patreon where people who are really serious about their professional development can learn from it.

      Behind the Scenes Video

      Watch on YouTube

      How do I know it is worth the money?

      $5 a month. How much is your learning worth to you?

      You can gain access to daily information, videos, tips and motivation. And access to exclusive online courses and recorded conference talks.

      The price is there so that you recognise that you are committing time and money behind your growth and development.

      Patreon allows you to drop in and out so you can sign up, learn, then back off for a little while and come back.

      I’m trying to support that more by creating collated monthly pdfs of all the content.

      If you are tuning in every day then you’ll probably be able to keep up with the daily posts, but if you drop out for a few months then you need a way to catch up when you come back and re-commit to learning. No other Patron program has this. I’ve had to write custom code to do this (and I explain how I did it in a few Patreon videos).

      If you need to give something up in order to commit the funds to your learning then consider:

      • For less than the price of two Starbucks Latte (a month).
      • For less than 17 cents per day.

      You can augment your other learning approaches with this and give yourself an edge that other people don’t have.

      Is it a community?

      It is as much of a community as you make it.

      I interact on comments, IMs, and on the Discord chat server.

      The more you ask questions, the more I create content that is tailored towards the needs of the people in Patreon.

      I use Patreon as my accountability partner. Knowing people are there keeps me concentrated on distilling what I learn in small chunks. Seeing content on a daily basis is a reminder to keep learning and pushing yourself to improve.

      If you want to improve and stay motivated to improving your testing and development skills.

      Try it out. You gain access to everything as soon as you pledge.

      Sign up here at patreon.com/eviltester.

      https://eviltester.com/2019/02/behind-the-scenes-january-patreon-content.html

      posted in Feed de Blogs e Posts
    • Write simple units of code

      Hello and welcome to another post in the series on code quality in software testing from the Talking About Testing blog. In the first post of the series I talked about the importance of writing small units of code, based on the first guideline of Better Code Hub (BCH). In today's post I will talk about a perspective … Continue reading Write simple units of code

      https://talkingabouttesting.com/2019/01/28/escreva-simples-unidades-de-codigo/

      posted in Feed de Blogs e Posts
    • Everybody hates bugs!

      Why does everybody hate bugs?

      Contrary to what many people think, some QAs hate them too! Agile methodology has taught us that we are part of the team and that the quality and success of the software are to the credit of all of us. Sometimes finding bugs can be extremely demotivating for everyone, and we end up feeling bad about this role, but it is necessary.

      First, let's understand this from the programmer's point of view: you spent a long time developing that system, went through good and bad moments, and built such a strong relationship with your code that you could marry it.
      Then your program lands in QA's hands, and with the first bug found comes the first big disappointment; that disappointment then turns into anger with each error pointed out. The question is: is that anger directed at yourself for having made the mistake, or at QA?

      “QA is like that annoying aunt you meet at family parties who likes to point out all your flaws; you already dread running into her and hearing once again that you are getting fat, going bald and still haven't got married.”

      The tester's point of view: we eagerly await the new version of the system and, as in most projects, it was delayed a little during development, so now only a few days are left for testing. You start testing and praying that you won't find any bugs so that you can go home early. But then life comes along and says “No!”. You find the culprit, announce the discovery, feel the resentment of the rest of the team, open a new test cycle and get ready to spend the whole night testing the system.

      “The programmer is like that annoying friend who is late for every appointment. You always end up waiting a long time for him to arrive, and when he does arrive it is so late that you have to wolf down your food/miss the start of the film/arrive late at the party. If you complain, you will probably hear a pile of lame excuses, because he never owns up to his mistakes.”

      Why does this happen? Perhaps because what software testing should be is not interpreted in the best way.

      Here are some (bad) examples:

      - Tests only exist to find bugs.
      Tests should help add value and increase the quality and reliability of the system. Finding errors does not reduce the quality of the system, but letting them stay there does!

      - My program is 100% bug free.
      Accept that the program may contain errors; it is not perfect, and neither are you. Don't take it personally.
      Besides, you have to consider that an error exists when the system does not do what it should do and also when it does what it should not do. Errors are not always found by testing exactly what is specified in the documentation.

      - This program has been 100% tested.
      In an ideal world we want to test the whole system with every possible combination, but most of the time that is impossible and unfeasible. So drop that paranoia and focus on the tests that really matter. We are more interested in quality than in quantity.
      You also need to be careful with the focus of the tests. As I said at the beginning, it is not the nicest thing in the world to find a bug when you were just about to leave. But do you run the tests with the intention of finding bugs or of showing that the system is working correctly? That question may not seem to make sense, but consider that the more tired you are and the more of a hurry you are in to finish the tests, the greater the chance that you will only want to show that the system is working and will skip important tests.
      The greater the desire to find bugs, the greater the desire to “destroy” the system before it is released. And that is one of the reasons why the tester finds many more errors in the system than the programmer, who is not concerned with “destroying” the system.

      - This system failed in the test phase.
      Another problem of point of view. What is failure to you? Finding 10 bugs in the test phase, or 5 customers complaining about bugs in production? (Hint: the bugs in production are the worst ones.)
      When we run a test and a bug is found, the execution is marked as “unsuccessful”, as if it were something undesirable. But for QA it should be exactly the opposite. After all, if the goal was to find errors as early as possible, shouldn't that test have been “successful”?

      The book “The Art of Software Testing” (Glenford J. Myers) makes a very good analogy about the failure and success of tests: imagine a person going to the doctor after feeling unwell for days. The doctor orders some tests and the laboratory finds nothing. Was that test successful or unsuccessful? The patient paid for the tests, is still ill, and the doctor does not know how to make a diagnosis. However, if the laboratory test shows that this patient has dengue, the test can be considered successful, since the doctor can now treat the patient in the right way and before they get worse. In this case, consider that the patient is our program under test. 😃

      http://www.thebugfeed.com/2016/11/todo-mundo-odeia-os-bugs.html

      posted in Feed de Blogs e Posts
    • How to download a file with RestAssured

      TLDR; Downloading a file with RestAssured is as simple as taking the body of a request as a byte array and writing it to a file.

      When automating I often have to download files. One very common FAQ for WebDriver is “How do I download a file with WebDriver?”.

      How to download a file with WebDriver

      Answer: Don’t, use an HTTP Library instead.

      You can, by configuring the browser session to not prompt for location dialogs, and then clicking the download button. But usually that is more pain than it is worth, so if I have to download a file, I’ll use an HTTP library.

      RestAssured is an HTTP library

      RestAssured is marketed as an API testing library. And I do use it to test APIs, as I documented in my book “Automating and Testing a REST API”. I also use it as a general purpose HTTP library, and that is really how I am describing it here.

      Basic code to download a file

      I’ve extracted the following code from an actual set of Tactical Automated Execution code that I wrote recently.

      private void writeImageIfNotExists(
                      final PostDetails postDetails, 
                      final File outputImagePath,
                      final String image_url,
                      final String fileNameMain,
                      final String fileNamePostExtDetails) throws IOException {
                      
          File outputImageFile = new File(outputImagePath.getPath(), 
                                  fileNameMain + fileNamePostExtDetails);
                                  
          if (!outputImageFile.exists()) {
          
              Map<String, String> cookies = new HashMap<>();
              cookies.put("session_id", Secret.SESSION_ID);
      
              byte[] image = RestAssured.given().
                              cookies(cookies).
                              when().get(image_url).
                              asByteArray();
                              
              // output image to file
              OutputStream outStream = new FileOutputStream(outputImageFile);
              outStream.write(image);
              outStream.close();
          }
      }
      

      The above is pretty hacky (but it is tactical, which means I wrote it for a specific purpose and may be short lived).

      It basically creates a File object from a path, and file name Strings.

      If the file doesn’t already exist, then I create a HashMap of cookies. Then I add one cookie, a session_id, because I’m bypassing the login process to rip out data from the system. If I was downloading a file during GUI Automating then I might rip the cookie from the WebDriver session and inject the details into my RestAssured session. In the above example I copied and pasted the session id from the browser because it was tactically supporting me doing some work.

      Then I make a call using RestAssured

      byte[] image = RestAssured.given().
                      cookies(cookies).
                      when().get(image_url).
                      asByteArray();
      

      This makes a GET request and returns the body as a byte array.

      Which I can then write to the output file.

      OutputStream outStream = new FileOutputStream(outputImageFile);
      outStream.write(image);
      outStream.close();
      

      This is the basic code to download a file but isn’t necessarily the best example.

      A Better Example of How to Download a File

      I have created a slightly longer example and added it to my LibraryExamples project on Github

      • Download Example Code

      You can read the code to see full details, or watch the explanatory video.

      Summary though (see sample code below the summary):

      • I pass in a map of cookies and headers to allow me to authenticate easily

      • rather than return the body asByteArray I return the response,

        • this allows me to check if the url actually exists first with a 200 status, this makes the whole process more reliable long term
      • I can still convert the body to a byte array when I know it exists

        • response.getBody().asByteArray()
      • If I wanted a very flexible solution, I wouldn’t assume an extension and I would use the Content-Type header to assign an extension, but in this example I just output the header to the console so you can see how to get it

        • response.getHeader("Content-Type")
      • The output file writing is a little more robust in that it catches any exceptions and reports the error.

      • If I was automating strategically I would use code more like the following, and gradually refactor it into a library to ever more generically support my strategic automating approach. e.g.

        • parameterise whether to delete file or not
        • add extension based on content type
        • return a boolean if it downloaded correctly
        • support finding out if an exception happened if it did not download correctly
        • etc.

        private void downloadUrlAsFile(
                        final Map<String,String> cookies,
                        final Map<String,String> headers,
                        final String urlToDownload,
                        final File outputPath,
                        final String filename) throws IOException {

            File outputFile = new File(outputPath.getPath(), filename);

            final Response response = RestAssured.given().
                                        headers(headers).
                                        cookies(cookies).
                                        when().
                                        get(urlToDownload).
                                        andReturn();

            // check if the URL actually exists
            if(response.getStatusCode() == 200){

                if (outputFile.exists()) {
                    outputFile.delete();
                }

                System.out.println("Downloaded an " + response.getHeader("Content-Type"));

                byte[] fileContents = response.getBody().asByteArray();

                // output contents to file
                OutputStream outStream=null;

                try {
                    outStream = new FileOutputStream(outputFile);
                    outStream.write(fileContents);
                }catch(Exception e){
                    System.out.println("Error writing file " + outputFile.getAbsolutePath());
                }finally {
                    if(outStream!=null){
                        outStream.close();
                    }
                }
            }
        }

      Step By Step Video Explaining the Code

      Watch on YouTube

      https://eviltester.com/2019/01/how-to-download-a-file-with-rest-assured.html

      posted in Feed de Blogs e Posts
    • What is Boundary Value Analysis? Software Testing Technique explained with real world examples.

      TLDR; Boundary Value Analysis is a simple technique and with additional exploration can add value in the real world.

      Boundary Value Analysis (BVA) is one of the most basic test techniques that we learn.

      Often taught at the same time as Equivalence Partitioning.

      In this post I explain the technique and use it to find a bug in Chrome and Firefox.

      Boundary Value Analysis Technique

      BVA is often applied to input fields or anywhere that ranges of input are used where there is some maximum and minimum validation.

      e.g. if I have an input field which accepts values from 10 to 100 then 10 would be the minimum, 100 would be the maximum.

      I can model that as a set of ordered sets:

      { x <= 9}{10 -> 100}{101 to infinity}
      

      Above is a model containing 3 sets. The first set:

      • all the values less than 10

      The second set:

      • values from 10 to 100 inclusive

      The third set:

      • values greater than 100

      The values on the boundaries between the sets are (9,10) and (100,101) and they are the basic values that BVA would give me when applied as a technique.

      Another way to consider this is as -1,0 and +1 for the valid boundary maximum and minimum range values.

      The maximum and minimum values are 10 and 100 which gives me:

      • 10 -1 = 9
      • 10 + 0 = 10
      • 10 + 1 = 11 (optional extension)
      • 100 -1 = 99 (optional extension)
      • 100 + 0 = 100
      • 100 + 1 = 101

      The additional values within the same equivalence class are optional and are an extension i.e. 11 (+1 on the minimum range value) and 99 (-1 on the maximum range value).

      Traditional Boundary Value Analysis Demonstrated

      Watch on YouTube

      Real World Application of Boundary Value Analysis

      In the real world we use Boundary Value Analysis as a starting point, but we also have to consider:

      • input validation
      • server side validation
      • use of the value by later processing
      • formatting and representation of values
      • assumptions in the BVA model
      • implementation

      When I was looking at the sample application in Chrome I discovered that some of my assumptions were incorrect.

      Not all non-numeric characters were excluded, I could type “e”, “-”, “+”, and “.”

      This led me to explore other representations of my valid boundary values, which might have caused an error in a downstream system:

      • “10.0”
      • “2e1” (which is 2 exponential 1, i.e. 2 * 10^1 = 20)
      • “100.0000000000000001” which is invalid, but reported as valid in Chrome and Firefox

      This is demonstrated in the following video where the exploration around BVA found a defect in Chrome and Firefox.

      Watch on YouTube

      Boundary Value Analysis is a Heuristic

      Boundary Value Analysis is a technique driven by the heuristics:

      • errors happen at the edges

      • watch out for off by one errors

      The technique concentrates on the off by one errors.

      The heuristic of errors at edges is much more generic and applies to any model involving bordering.

      I created a video explaining the heuristic nature of boundary value analysis on Patreon.

      https://www.patreon.com/posts/24196729

      The page I used to demonstrate the technique has been uploaded here

      https://eviltester.com/2019/01/what-is-boundary-value-analysis.html

      posted in Feed de Blogs e Posts
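The representation problem described in the Boundary Value Analysis post above, as an added example that is not code from the original post: it generates the -1/0/+1 boundary values for the post's 10 to 100 range, then compares a range check done on a double with one done on the exact decimal text. The function names, the 400 scale limit and the input "9.9999999999999999" are assumptions made for this illustration, and double rounding is offered as a likely explanation of the browser result, which the post itself does not state.

```javascript
// Added illustration; not code from the post. The range comes from the post:
// valid values are 10..100 inclusive.
const MIN = 10, MAX = 100;

// -1 / 0 / +1 around each bound; `extended` adds the optional in-range
// neighbours (11 and 99 in the post).
function boundaryValues(min, max, extended = false) {
  return extended
    ? [min - 1, min, min + 1, max - 1, max, max + 1]
    : [min - 1, min, max, max + 1];
}

// Range check on an IEEE 754 double: the text is rounded to the nearest
// double before it is compared with the bounds.
function doubleInRange(text, min = MIN, max = MAX) {
  const n = Number(text);
  return text.trim() !== "" && Number.isFinite(n) && n >= min && n <= max;
}

// Parse decimal text (optional sign, fraction, exponent) without rounding.
// Returns { digits, scale } meaning digits / 10^scale, or null if rejected.
const MAX_SCALE = 400; // assumed limit so "1e999999999" cannot force huge powers
function parseDecimal(text) {
  const m = /^([+-]?)(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?$/.exec(text.trim());
  if (!m) return null;
  const whole = m[2], frac = m[3] || "";
  if (whole === "" && frac === "") return null; // no digits at all
  const scale = frac.length - Number(m[4] || 0);
  if (!Number.isFinite(scale) || Math.abs(scale) > MAX_SCALE) return null;
  const digits = BigInt((whole || "0") + frac);
  return { digits: m[1] === "-" ? -digits : digits, scale };
}

// Compare the parsed value with an integer bound: returns -1, 0 or 1.
function compareToInt(dec, bound) {
  let lhs = dec.digits, rhs = BigInt(bound);
  if (dec.scale >= 0) rhs *= 10n ** BigInt(dec.scale);
  else lhs *= 10n ** BigInt(-dec.scale);
  return lhs < rhs ? -1 : lhs > rhs ? 1 : 0;
}

// Range check on the exact decimal value of the text.
function exactInRange(text, min = MIN, max = MAX) {
  const dec = parseDecimal(text);
  return dec !== null && compareToInt(dec, min) >= 0 && compareToInt(dec, max) <= 0;
}

// Inputs on which the two checks disagree are the ones worth reporting.
function disagreements(inputs) {
  return inputs.filter((t) => doubleInRange(t) !== exactInRange(t));
}

// Constructed inputs: the post's boundary values and alternative
// representations, plus a lower-bound mirror of its failing value.
const SAMPLE_INPUTS = [
  ...boundaryValues(MIN, MAX, true).map(String),
  "10.0", "2e1", "100.0000000000000001", "9.9999999999999999",
];

for (const t of SAMPLE_INPUTS) {
  console.log(t.padEnd(22), "double:", doubleInRange(t), "exact:", exactInRange(t));
}
```

A server-side validator that has to enforce the range strictly can use the exact comparison, or reject input with more fractional digits than the field is meant to carry.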
    • How to test internal microservices in a kubernetes cluster

      Hello guys, I have been working with kubernetes, docker, postman and newman a lot lately due to some tests on internal microservices. To test these internal microservices I am running postman scripts in the same kubernetes cluster where the services are running. Kubernetes is an open source container orchestrator, which means you can group together all … Continue reading How to test internal microservices in a kubernetes cluster →

      https://azevedorafaela.com/2018/12/18/how-to-test-internal-microservices-in-a-kubernetes-cluster/

      posted in Feed de Blogs e Posts
    • CasperJS: automated acceptance tests with JavaScript

      What is CasperJS? CasperJS is a tool written in JavaScript that lets you generate navigation scripts and tests for PhantomJS. PhantomJS works as a headless browser. What is a headless browser? A headless browser is a web browser that has no graphical interface. So we cannot see the content […]

      The post CasperJS: automated acceptance tests with JavaScript first appeared on Code a Test.

      http://www.codeatest.com/casperjs-testes-de-aceitacao-javascript/

      posted in Feed de Blogs e Posts