Master performance testing, security testing, and accessibility to build robust, secure applications
Performance testing is like stress-testing a bridge - you need to know how many cars it can handle before it breaks. Can your app handle 1000 users? 10,000? Let's find out!
Load Testing
Test with expected number of users
Stress Testing
Push beyond limits to find breaking point
Spike Testing
Sudden increase in users (Black Friday)
Endurance Testing
Long-term performance (memory leaks)
k6 is a modern, developer-friendly load testing tool. Write tests in JavaScript and get beautiful results!
# Install k6
brew install k6   # macOS
choco install k6  # Windows

// load-test.js
import http from 'k6/http';
import { check, sleep } from 'k6';

export const options = {
  vus: 10,         // 10 virtual users
  duration: '30s'  // Run for 30 seconds
};

export default function () {
  const res = http.get('https://api.example.com/users');

  // Verify response
  check(res, {
    'status is 200': (r) => r.status === 200,
    'response time < 500ms': (r) => r.timings.duration < 500
  });

  sleep(1); // Wait 1 second between requests
}

# Run test
k6 run load-test.js
// Ramping users (gradual increase)
import http from 'k6/http';
import { check, sleep } from 'k6';

export const options = {
  stages: [
    { duration: '2m', target: 100 }, // Ramp up to 100 users
    { duration: '5m', target: 100 }, // Stay at 100 users
    { duration: '2m', target: 0 },   // Ramp down to 0
  ],
  thresholds: {
    http_req_duration: ['p(95)<500'], // 95% of requests < 500ms
    http_req_failed: ['rate<0.01'],   // Error rate < 1%
  }
};

// Complete user flow
export default function () {
  // 1. Login. Send the body as JSON and say so; a plain object would be form-encoded by k6.
  const loginRes = http.post(
    'https://api.example.com/login',
    JSON.stringify({ email: 'test@email.com', password: 'password123' }),
    { headers: { 'Content-Type': 'application/json' } }
  );
  check(loginRes, { 'login succeeded': (r) => r.status === 200 });
  const token = loginRes.json('token');

  // Reuse the same headers for the authenticated calls (no trailing space after the token)
  const headers = {
    Authorization: `Bearer ${token}`,
    'Content-Type': 'application/json'
  };

  // 2. Get products
  http.get('https://api.example.com/products', { headers });

  // 3. Add to cart
  http.post(
    'https://api.example.com/cart',
    JSON.stringify({ productId: 123, quantity: 1 }),
    { headers }
  );

  sleep(1);
}
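The thresholds above are what make a load test pass or fail in CI, so it is worth seeing exactly what `p(95)<500` and `rate<0.01` mean. The following is an added example, not code from k6 or from the original page: a small pure Node.js evaluator that parses k6-style threshold expressions and applies them to constructed sample metrics (a nearest-rank percentile is used here; k6's own percentile computation may differ slightly on very small samples, but the pass/fail logic is the same).

```javascript
// Added example: evaluate k6-style thresholds over collected metric samples.
// Metric names and expression syntax follow k6; the sample data is constructed.

// Nearest-rank percentile: sort ascending, take the value at ceil(p/100 * n).
function percentile(values, p) {
  if (values.length === 0) return NaN;
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.ceil((p / 100) * sorted.length);
  return sorted[Math.max(rank - 1, 0)];
}

// Parse 'p(95)<500', 'rate<0.01', 'avg<200', 'max<=1000', ... into parts.
function parseThreshold(expr) {
  const m = /^\s*(p\((\d+(?:\.\d+)?)\)|rate|avg|max|min)\s*(<=|>=|<|>|===|==)\s*(\d+(?:\.\d+)?)\s*$/.exec(expr);
  if (!m) throw new Error(`unsupported threshold: ${expr}`);
  return {
    agg: m[1].startsWith('p(') ? 'p' : m[1],
    p: m[2] ? Number(m[2]) : null,
    op: m[3],
    limit: Number(m[4]),
  };
}

// Reduce the samples of one metric to the aggregate the threshold asks for.
// For 'rate' metrics the samples are booleans (true = the request failed).
function aggregate(samples, t) {
  switch (t.agg) {
    case 'p':    return percentile(samples, t.p);
    case 'avg':  return samples.reduce((s, v) => s + v, 0) / samples.length;
    case 'max':  return Math.max(...samples);
    case 'min':  return Math.min(...samples);
    case 'rate': return samples.filter(Boolean).length / samples.length;
    default:     throw new Error(`unknown aggregate: ${t.agg}`);
  }
}

function compare(value, op, limit) {
  switch (op) {
    case '<':  return value < limit;
    case '<=': return value <= limit;
    case '>':  return value > limit;
    case '>=': return value >= limit;
    default:   return value === limit; // '==' and '==='
  }
}

// thresholds: { metricName: [expr, ...] }, metrics: { metricName: number[] | boolean[] }
function evaluateThresholds(thresholds, metrics) {
  const results = {};
  for (const [metric, exprs] of Object.entries(thresholds)) {
    const samples = metrics[metric] || [];
    results[metric] = exprs.map((expr) => {
      const t = parseThreshold(expr);
      const value = aggregate(samples, t);
      return { expr, value, ok: compare(value, t.op, t.limit) };
    });
  }
  return results;
}

// Constructed sample run: 20 response times in ms, none of which failed.
// Two slow requests in the tail are enough to break the p(95) budget.
const SAMPLE_DURATIONS = [120, 130, 95, 210, 180, 640, 150, 170, 160, 140,
                          155, 165, 175, 185, 195, 205, 215, 225, 235, 820];
const SAMPLE_FAILED = SAMPLE_DURATIONS.map(() => false);

const THRESHOLDS = {
  http_req_duration: ['p(95)<500'],
  http_req_failed: ['rate<0.01'],
};

function runExample() {
  return evaluateThresholds(THRESHOLDS, {
    http_req_duration: SAMPLE_DURATIONS,
    http_req_failed: SAMPLE_FAILED,
  });
}

console.log(JSON.stringify(runExample(), null, 2));
```

Running it shows the error-rate threshold passing (0 failures) while `p(95)<500` fails with a value of 640 ms: a test can have a perfectly healthy average and still fail on tail latency, which is exactly why k6 thresholds are written on percentiles rather than averages.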
JMeter is the industry standard for performance testing. GUI-based tool with powerful features.
# Run JMeter test
jmeter -n -t test-plan.jmx -l results.jtl -e -o report/

# Parameters:
#   -n: Non-GUI mode
#   -t: Test plan file
#   -l: Results file
#   -e: Generate HTML report
#   -o: Output folder

# With variables (read inside the test plan as ${__P(users)} and ${__P(duration)})
jmeter -n -t test.jmx \
  -Jusers=100 \
  -Jduration=300 \
  -l results.jtl
Security testing finds vulnerabilities before hackers do. Think of it as hiring a friendly burglar to test your locks!
Vulnerability Scanning
Automated tools find known vulnerabilities
Penetration Testing
Manual testing to exploit vulnerabilities
Security Audits
Review code and configurations
OWASP Top 10 is the list of most critical web application security risks. Every QA engineer should know these!
1. Broken Access Control
Users can access unauthorized resources
// Test: Try accessing admin page as regular user
await page.goto('/admin');
await expect(page).toHaveURL('/login'); // Should redirect
2. Cryptographic Failures
Sensitive data exposed due to weak encryption
// Test: Check if passwords are hashed
const user = await db.users.findOne();
expect(user.password).not.toBe('plaintext');
// Stronger: assert the stored value matches your hash format (bcrypt, scrypt, argon2), not just that it differs from one literal
3. Injection (SQL, XSS)
Malicious code injected into application
// Test: Try SQL injection
await page.fill('#username', "admin' OR '1'='1");
await page.click('#login');
await expect(page).not.toHaveURL('/dashboard');
4. Insecure Design
Fundamental security flaws in architecture
5. Security Misconfiguration
Default passwords, unnecessary features enabled
// Test: Check for default credentials
await login('admin', 'admin'); // login() is a test helper that submits the login form
await expect(page).not.toHaveURL('/dashboard');
6-10. Other Critical Risks
Vulnerable components, authentication failures, data integrity failures, logging failures, SSRF
OWASP ZAP is a free security scanner that finds vulnerabilities automatically.
# Install ZAP
docker pull owasp/zap2docker-stable

# Run baseline scan
# Mount the working directory as /zap/wrk so the report lands on the host, not inside the container
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable \
  zap-baseline.py \
  -t https://example.com \
  -r report.html

# Full scan
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable \
  zap-full-scan.py \
  -t https://example.com \
  -r report.html

# Integrate with CI/CD (GitHub Actions step)
- name: ZAP Scan
  run: |
    docker run -v $(pwd):/zap/wrk/:rw \
      owasp/zap2docker-stable \
      zap-baseline.py \
      -t ${{ secrets.APP_URL }} \
      -r zap-report.html
Accessibility ensures everyone can use your app, including people with disabilities. It's not just good practice - it's often required by law!
# Install axe-core
npm install --save-dev @axe-core/playwright

// accessibility.spec.ts
import { test, expect } from '@playwright/test';
import AxeBuilder from '@axe-core/playwright';

test('should not have accessibility violations', async ({ page }) => {
  await page.goto('https://example.com');

  // Run accessibility scan
  const accessibilityScanResults = await new AxeBuilder({ page })
    .analyze();

  // Verify no violations
  expect(accessibilityScanResults.violations).toEqual([]);
});

// Test specific rules
test('should have proper heading structure', async ({ page }) => {
  await page.goto('https://example.com');

  const results = await new AxeBuilder({ page })
    .include('.main-content')
    .withTags(['wcag2a', 'wcag2aa'])
    .analyze();

  expect(results.violations).toEqual([]);
});
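`expect(results.violations).toEqual([])` is the right end goal, but on an existing site it usually fails on day one with dozens of findings, and a test that always fails gets ignored. The following is an added example, not code from axe-core, Playwright or the original page: a small helper that splits axe results by impact so the build fails on serious and critical violations while lower-impact ones are reported without blocking. It works on the `violations` array shape that axe-core returns (`id`, `impact`, `help`, `helpUrl`, `nodes[].target`); the sample results and their `helpUrl` values are constructed so the snippet runs offline.

```javascript
// Added example: triage axe-core violations by impact for a CI gate.
// Input shape follows axe-core's results object; sample data is constructed.

const IMPACT_ORDER = ['minor', 'moderate', 'serious', 'critical'];

// axe may report impact as null for some rules; treat unknown as 'minor'.
function impactRank(impact) {
  const i = IMPACT_ORDER.indexOf(impact);
  return i === -1 ? 0 : i;
}

// Split violations into those at or above the gate (fail the build) and the rest (report only).
function triageViolations(results, gate = 'serious') {
  const threshold = impactRank(gate);
  const blocking = [];
  const advisory = [];
  for (const v of results.violations) {
    (impactRank(v.impact) >= threshold ? blocking : advisory).push(v);
  }
  return { blocking, advisory };
}

// One line per affected element, suitable as the message on a failing assertion.
function formatViolations(violations) {
  return violations.flatMap((v) =>
    v.nodes.map((n) => `[${v.impact}] ${v.id}: ${v.help} at ${n.target.join(' ')} (${v.helpUrl})`)
  );
}

// What a test would log and assert on.
function summarizeScan(results, gate = 'serious') {
  const { blocking, advisory } = triageViolations(results, gate);
  return {
    failed: blocking.length > 0,
    blockingCount: blocking.length,
    advisoryCount: advisory.length,
    messages: formatViolations(blocking),
  };
}

// Constructed results trimmed to the fields used above (helpUrl values are placeholders).
const SAMPLE_RESULTS = {
  violations: [
    {
      id: 'color-contrast', impact: 'serious',
      help: 'Elements must have sufficient color contrast',
      helpUrl: 'https://example.com/rules/color-contrast',
      nodes: [{ target: ['.main-content p.muted'] }, { target: ['footer a'] }],
    },
    {
      id: 'image-alt', impact: 'critical',
      help: 'Images must have alternate text',
      helpUrl: 'https://example.com/rules/image-alt',
      nodes: [{ target: ['img.hero'] }],
    },
    {
      id: 'region', impact: 'moderate',
      help: 'All page content should be contained by landmarks',
      helpUrl: 'https://example.com/rules/region',
      nodes: [{ target: ['div.banner'] }],
    },
  ],
};

console.log(JSON.stringify(summarizeScan(SAMPLE_RESULTS), null, 2));
```

Inside the Playwright test this becomes `const { blocking } = triageViolations(results); expect(blocking, formatViolations(blocking).join('\n')).toEqual([]);` so the failure output names each element and rule. Once the blocking set is empty, lower the gate to `'moderate'` and then `'minor'` until the plain `toEqual([])` check from the original test is reachable.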
Build a comprehensive testing strategy that covers functional, performance, security, and accessibility testing.
// Project Structure
tests/
├── functional/
│   ├── e2e/
│   ├── api/
│   └── unit/
├── performance/
│   ├── load-tests/
│   └── stress-tests/
├── security/
│   ├── owasp-tests/
│   └── penetration-tests/
└── accessibility/
    └── a11y-tests/

// package.json scripts
{
  "scripts": {
    "test": "npm run test:all",
    "test:all": "npm run test:unit && npm run test:e2e",
    "test:unit": "jest",
    "test:e2e": "playwright test",
    "test:api": "jest tests/api",
    "test:perf": "k6 run tests/performance/load-test.js",
    "test:security": "npm run zap-scan",
    "test:a11y": "playwright test tests/accessibility"
  }
}

# Run complete test suite
npm run test:all
npm run test:perf
npm run test:security
npm run test:a11y
Congratulations! You've completed the QA Automation learning path:
You're now ready to work as a QA Automation Engineer! Keep practicing, build your portfolio, and start applying for jobs. The demand for automation engineers is high!