
Module 7: Performance & Security Testing

Master performance testing, security testing, and accessibility to build robust, secure applications

⚡ Performance Testing Fundamentals

Performance testing is like stress-testing a bridge - you need to know how many cars it can handle before it breaks. Can your app handle 1000 users? 10,000? Let's find out!

Types of Performance Testing

Load Testing

Test with expected number of users

Stress Testing

Push beyond limits to find breaking point

Spike Testing

Sudden increase in users (Black Friday)

Endurance Testing

Long-term performance (memory leaks)

Key Metrics

  • Response Time - how fast the app responds; report percentiles (p95, p99), because the average hides the slow tail users actually notice
  • Throughput - how many requests per second the system sustains
  • Error Rate - what fraction of requests fail (non-2xx/3xx status or no response at all)
  • CPU Usage - server resource consumption
  • Memory Usage - RAM consumption, watched over time to catch leaks
  • Concurrent Users - how many users are active simultaneously

🚀 Load Testing with k6

k6 is a modern, developer-friendly load testing tool. Write tests in JavaScript and get beautiful results!

Installation & Basic Test

    # Install k6
    brew install k6    # macOS
    choco install k6   # Windows

    // load-test.js
    import http from 'k6/http';
    import { check, sleep } from 'k6';

    export const options = {
      vus: 10,          // 10 virtual users
      duration: '30s',  // run for 30 seconds
    };

    export default function () {
      const res = http.get('https://api.example.com/users');

      // Verify the response. A failed check is counted and reported; it does not abort the run.
      check(res, {
        'status is 200': (r) => r.status === 200,
        'response time < 500ms': (r) => r.timings.duration < 500,
      });

      sleep(1); // pause 1 second between iterations
    }

    # Run test
    k6 run load-test.js

Point load tests at a staging environment you own. A run with thousands of virtual users against somebody else's API is indistinguishable from a denial-of-service attack.

Advanced Scenarios

    // Ramping users (gradual increase)
    export const options = {
      stages: [
        { duration: '2m', target: 100 }, // ramp up to 100 users
        { duration: '5m', target: 100 }, // stay at 100 users
        { duration: '2m', target: 0 },   // ramp down to 0
      ],
      thresholds: {
        http_req_duration: ['p(95)<500'], // 95% of requests faster than 500ms
        http_req_failed: ['rate<0.01'],   // error rate below 1%
      },
    };

When a threshold is crossed, k6 exits with a non-zero status, which is what lets a CI job fail the build on a performance regression.
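The following is an added example, not code from the course: it computes the metrics listed under Key Metrics (percentiles, throughput, error rate) from raw request samples and evaluates k6-style threshold expressions against them, so you can see what `p(95)<500` and `rate<0.01` actually compare. The samples are constructed (20 requests, one of which returned 500 after 900 ms), and the percentile uses nearest-rank, where k6 interpolates, so small samples can differ slightly.

```javascript
// Added example (not code from the course): compute the metrics listed above
// from raw request samples and evaluate k6-style threshold expressions against
// them. SAMPLES is constructed for the demonstration: 20 requests, one of which
// returned 500 after 900 ms.

const SAMPLES = [
  120, 95, 210, 180, 150, 300, 130, 110, 170, 160,
  140, 125, 190, 135, 900, 115, 105, 145, 155, 165,
].map((durationMs, i) => ({
  durationMs,
  status: i === 14 ? 500 : 200,
  startedAt: i * 1000, // ms since the start of the run; one request per second
}));

// k6 counts network errors (status 0) and any 4xx/5xx as failed by default.
const isFailed = (s) => s.status === 0 || s.status >= 400;

// Nearest-rank percentile over a sorted copy of the data.
function percentile(values, p) {
  if (values.length === 0) return NaN;
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.ceil((p / 100) * sorted.length);
  return sorted[Math.max(0, rank - 1)];
}

function summarize(samples) {
  const durations = samples.map((s) => s.durationMs);
  const first = Math.min(...samples.map((s) => s.startedAt));
  const last = Math.max(...samples.map((s) => s.startedAt + s.durationMs));
  return {
    count: samples.length,
    avg: durations.reduce((a, b) => a + b, 0) / durations.length,
    p95: percentile(durations, 95),
    p99: percentile(durations, 99),
    errorRate: samples.filter(isFailed).length / samples.length,
    throughputRps: samples.length / ((last - first) / 1000), // requests per second over the run
  };
}

// Resolve a statistic for the two metrics used on the page:
// http_req_duration (ms) supports avg, max and p(N); http_req_failed supports rate.
function statValue(samples, metric, stat) {
  const durations = samples.map((s) => s.durationMs);
  if (metric === 'http_req_duration') {
    if (stat === 'avg') return durations.reduce((a, b) => a + b, 0) / durations.length;
    if (stat === 'max') return Math.max(...durations);
    const p = /^p\((\d+)\)$/.exec(stat);
    if (p) return percentile(durations, Number(p[1]));
  }
  if (metric === 'http_req_failed' && stat === 'rate') {
    return samples.filter(isFailed).length / samples.length;
  }
  throw new Error(`unsupported metric/statistic: ${metric} ${stat}`);
}

// thresholds has the same shape as k6's options.thresholds object.
// Returns one entry per expression with the measured value and pass/fail.
function checkThresholds(samples, thresholds) {
  const results = {};
  for (const [metric, exprs] of Object.entries(thresholds)) {
    for (const expr of exprs) {
      const m = /^(p\(\d+\)|avg|max|rate)\s*(<=|<|>=|>)\s*([\d.]+)$/.exec(expr.trim());
      if (!m) throw new Error(`unsupported threshold expression: ${expr}`);
      const [, stat, op, limitStr] = m;
      const value = statValue(samples, metric, stat);
      const limit = Number(limitStr);
      const ok =
        op === '<' ? value < limit :
        op === '<=' ? value <= limit :
        op === '>' ? value > limit : value >= limit;
      results[`${metric} ${expr}`] = { value, ok };
    }
  }
  return results;
}

function runDemo() {
  const thresholds = {
    http_req_duration: ['p(95)<500'],
    http_req_failed: ['rate<0.01'],
  };
  return { summary: summarize(SAMPLES), thresholds: checkThresholds(SAMPLES, thresholds) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

On this data the latency threshold passes (p95 is 300 ms) while the error-rate threshold fails (1 of 20 requests, 5%), which is the typical shape of a real run: a single failing endpoint can sink the build even when everything else is fast.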

    // Complete user flow
    export default function () {
      // 1. Login. Credentials come from the environment (k6 run -e TEST_EMAIL=... -e TEST_PASSWORD=...)
      //    so that test accounts are not committed to the repository.
      const loginRes = http.post(
        'https://api.example.com/login',
        JSON.stringify({ email: __ENV.TEST_EMAIL, password: __ENV.TEST_PASSWORD }),
        { headers: { 'Content-Type': 'application/json' } }
      );
      check(loginRes, { 'login succeeded': (r) => r.status === 200 });
      const token = loginRes.json('token');

      // 2. Get products
      http.get('https://api.example.com/products', {
        headers: { Authorization: `Bearer ${token}` },
      });

      // 3. Add to cart
      http.post(
        'https://api.example.com/cart',
        JSON.stringify({ productId: 123, quantity: 1 }),
        { headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' } }
      );

      sleep(1);
    }

Two details matter here. Passing a plain object as the body makes k6 send it form-encoded, so a JSON API needs JSON.stringify plus the Content-Type header. And the login check is there so that an expired test account shows up as a failed check rather than as a silent run of unauthenticated requests that all return 401.

📊 JMeter for Performance Testing

JMeter is Apache's long-established open-source performance testing tool. Build the test plan in its GUI, then run it in non-GUI mode for the actual load generation: the GUI itself consumes enough CPU and memory to distort the numbers.

Key Components

  • Thread Group - simulates users
  • HTTP Request - API calls
  • Listeners - view results
  • Assertions - verify responses
  • Timers - add delays
  • Config Elements - variables and data

Running from Command Line

    # Run JMeter test
    jmeter -n -t test-plan.jmx -l results.jtl -e -o report/

    # Parameters:
    # -n: non-GUI mode
    # -t: test plan file
    # -l: results file (.jtl)
    # -e: generate the HTML dashboard after the run
    # -o: output folder for the dashboard (must be empty or not yet exist)

    # With variables: -J sets a JMeter property, which the test plan reads
    # with ${__P(users)} and ${__P(duration)} (a default can be given as ${__P(users,10)})
    jmeter -n -t test.jmx \
      -Jusers=100 \
      -Jduration=300 \
      -l results.jtl

🔒 Security Testing Basics

Security testing finds vulnerabilities before hackers do. Think of it as hiring a friendly burglar to test your locks!

Types of Security Testing

Vulnerability Scanning

Automated tools find known vulnerabilities

Penetration Testing

Manual testing to exploit vulnerabilities

Security Audits

Review code and configurations

🛡️ OWASP Top 10 Vulnerabilities

OWASP Top 10 is the list of most critical web application security risks. Every QA engineer should know these!

1. Broken Access Control

Users can access unauthorized resources

    // Test: try the admin page as a regular user
    await page.goto('/admin');
    await expect(page).toHaveURL('/login'); // should redirect

The redirect only shows that the front end hides the page. Access control is enforced (or not) by the server, so also call the admin API directly with the regular user's token and expect 403, and try swapping the id in a URL such as /users/{id}/orders for another user's id. Those object-level checks are the ones most often missing.
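The following is an added example, not code from the course, of what checking access control at the API layer looks like. It simulates a tiny API as a function from request to response (no network) in a vulnerable variant, which hides the admin link in the UI and never compares the requested user id with the caller, and a hardened variant, then runs the same checks against both. Tokens, routes, user ids and roles are invented for the demonstration.

```javascript
// Added example, not code from the course: authorization checks run against
// the API itself rather than against a browser redirect. Tokens, routes, ids
// and roles are invented.

const USERS = {
  'tok-alice': { id: 1, role: 'user' },
  'tok-bob': { id: 2, role: 'user' },
  'tok-root': { id: 99, role: 'admin' },
};
const ORDERS = { 1: ['order-1001'], 2: ['order-2001', 'order-2002'] };

function authenticate(req) {
  const token = (req.headers.authorization || '').replace(/^Bearer /, '');
  return USERS[token] || null;
}

// Vulnerable: authenticates, then serves any route to anyone who is logged in.
// The admin link is merely hidden in the UI, and /users/{id}/orders never
// compares {id} with the caller (an object-level authorization / IDOR bug).
function vulnerableApi(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: null };
  const orders = /^\/users\/(\d+)\/orders$/.exec(req.path);
  if (req.path === '/admin/users') return { status: 200, body: Object.values(USERS) };
  if (orders) return { status: 200, body: ORDERS[orders[1]] || [] };
  return { status: 404, body: null };
}

// Hardened: role check on admin routes, ownership check on per-user
// resources, everything else denied.
function hardenedApi(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: null };
  const orders = /^\/users\/(\d+)\/orders$/.exec(req.path);
  if (req.path === '/admin/users') {
    if (user.role !== 'admin') return { status: 403, body: null };
    return { status: 200, body: Object.values(USERS) };
  }
  if (orders) {
    const ownerId = Number(orders[1]);
    if (ownerId !== user.id && user.role !== 'admin') return { status: 403, body: null };
    return { status: 200, body: ORDERS[ownerId] || [] };
  }
  return { status: 404, body: null };
}

function get(path, token) {
  return { method: 'GET', path, headers: token ? { authorization: `Bearer ${token}` } : {} };
}

// The checks a tester runs against the API. Each entry returned is a finding;
// an empty array means the API passed. The last two are regression checks so
// that an API which rejects everything does not pass by accident.
function accessControlFindings(api) {
  const probe = (label, req, status) => (api(req).status === status ? [] : [label]);
  return [
    ...probe('vertical escalation: regular user can read /admin/users', get('/admin/users', 'tok-alice'), 403),
    ...probe('horizontal escalation (IDOR): alice can read /users/2/orders', get('/users/2/orders', 'tok-alice'), 403),
    ...probe('anonymous access: /admin/users served without a token', get('/admin/users', null), 401),
    ...probe('regression: alice cannot read her own orders', get('/users/1/orders', 'tok-alice'), 200),
    ...probe('regression: admin cannot read /admin/users', get('/admin/users', 'tok-root'), 200),
  ];
}

console.log('vulnerable:', accessControlFindings(vulnerableApi));
console.log('hardened:  ', accessControlFindings(hardenedApi));
```

Against a real service the same five probes become HTTP requests with a low-privilege token obtained through the normal login; the point is that the expected statuses are asserted on the API response, not on where the browser ends up.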

2. Cryptographic Failures

Sensitive data exposed due to weak encryption

    // Test: stored credentials must be salted hashes, not the password itself.
    // Comparing against the literal string 'plaintext' proves nothing; compare against the
    // password the test account was created with (testUser, assumed to be set up by the
    // test fixture) and check the hash format.
    const user = await db.users.findOne({ email: testUser.email });
    expect(user.password).not.toBe(testUser.password);
    expect(user.password).toMatch(/^\$(2[aby]|argon2id)\$/); // bcrypt or Argon2id hash prefix

3. Injection (SQL, XSS)

Malicious code injected into application

    // Test: try a SQL injection tautology in the login form
    await page.fill('#username', "admin' OR '1'='1");
    await page.click('#login');
    await expect(page).not.toHaveURL('/dashboard');

Not landing on the dashboard is only half the check. Also submit a lone ' and make sure the response is an ordinary validation error, not a 500 or a message naming the database: a leaked SQL error is a finding even when the login fails, and the same payloads belong in query parameters and headers, not only form fields.
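For the XSS half of this category, the following is an added example, not code from the course, of how a tester decides whether an injected payload "worked". Three search-result renderers are simulated: one interpolates the query raw, one strips only script tags, and one HTML-escapes the query. The oracle distinguishes a payload that came back in executable form from one that was escaped into harmless text. The renderers and the probe are constructed for the demonstration.

```javascript
// Added example, not code from the course: a reflected-XSS oracle run against
// three simulated renderers. Nothing here touches a real page.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input is interpolated straight into markup.
function vulnerableSearchPage(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Still vulnerable: a blocklist that only removes <script> elements. Event
// handler attributes on any other element execute just as well.
function blocklistSearchPage(query) {
  const stripped = query.replace(/<script\b[^>]*>.*?<\/script>/gi, '');
  return `<h1>Results for ${stripped}</h1>`;
}

// Hardened: output encoding for the HTML text context.
function hardenedSearchPage(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// A probe with no <script> tag and no quotes, so it survives naive filters;
// the onload handler fires as soon as the element is parsed.
const XSS_PROBE = '<svg onload=alert(1)>';

// Oracle: raw reflection means the browser would parse the probe as markup;
// escaped reflection means it renders as text and is harmless. Neither means
// the input was dropped or transformed and needs a closer look by hand.
function probeReflectedXss(renderPage, probe = XSS_PROBE) {
  const html = renderPage(probe);
  return {
    reflectedRaw: html.includes(probe),
    reflectedEscaped: html.includes(escapeHtml(probe)),
    html,
  };
}

console.log('vulnerable:', probeReflectedXss(vulnerableSearchPage));
console.log('blocklist: ', probeReflectedXss(blocklistSearchPage));
console.log('hardened:  ', probeReflectedXss(hardenedSearchPage));
```

In a Playwright test the same oracle runs over `await page.content()` after submitting the probe, and a stricter version listens for the dialog event, which fires only if the payload really executed.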

4. Insecure Design

Fundamental security flaws in architecture

5. Security Misconfiguration

Default passwords, unnecessary features enabled

    // Test: check for default credentials. login() is a test helper assumed to fill
    // and submit the form; it is not part of Playwright.
    await login('admin', 'admin');
    await expect(page).not.toHaveURL('/dashboard');

6-10. Other Critical Risks

The rest of the 2021 list: Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF). Dependency scanning in CI (npm audit and similar) covers the first of these; the others mostly need code and configuration review rather than a UI test.

🕷️ Automated Security Scanning with OWASP ZAP

OWASP ZAP is a free security scanner that finds vulnerabilities automatically.

    # Pull the scanner image. The page originally used owasp/zap2docker-stable; that
    # Docker Hub image is no longer updated, the current one is on GitHub's registry.
    docker pull ghcr.io/zaproxy/zaproxy:stable

    # Baseline scan: spiders the target and runs passive checks only, so it is safe
    # for most sites. The report is written inside the container under /zap/wrk, so
    # mount the current directory there or the file is gone when the container exits.
    docker run --rm -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable \
      zap-baseline.py \
      -t https://example.com \
      -r report.html

    # Full scan: adds active scanning, which sends attack payloads to every input it
    # finds. Run it only against systems you own or have written permission to test,
    # and never against production data.
    docker run --rm -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable \
      zap-full-scan.py \
      -t https://example.com \
      -r report.html

    # Integrate with CI/CD (GitHub Actions step)
    - name: ZAP Scan
      run: |
        docker run --rm -v $(pwd):/zap/wrk/:rw \
          ghcr.io/zaproxy/zaproxy:stable \
          zap-baseline.py \
          -t ${{ secrets.APP_URL }} \
          -r zap-report.html

The baseline script's exit code is what the CI step sees: 0 when clean, 1 when any rule is at FAIL, 2 when there are only WARNs, 3 on a scanner error. Out of the box most rules report as WARN, so the step fails on the first missing security header. Decide deliberately: pass -I to not fail on warnings, or pass a config file with -c that sets each rule to FAIL, WARN or IGNORE. Add -J report.json alongside -r if you want to post-process the findings.
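The following is an added example, not code from the course, of a CI gate that reads the JSON report zap-baseline.py writes with -J and fails the build only on alerts at or above a chosen risk level, with an explicit list of accepted findings. The report shape (site[].alerts[] with riskcode as a numeric string, 0 = Informational through 3 = High) is that of ZAP's traditional JSON report; the report object embedded here is constructed, not real scanner output.

```javascript
// Added example, not code from the course: gate a ZAP JSON report by risk
// level. SAMPLE_REPORT is constructed in the shape of ZAP's traditional JSON
// report (site[].alerts[].riskcode, 0..3); it is not real scanner output.

const RISK_LABEL = ['Informational', 'Low', 'Medium', 'High'];

const SAMPLE_REPORT = {
  '@version': '2.x',
  site: [
    {
      '@name': 'https://staging.example.test',
      alerts: [
        { name: 'Content Security Policy (CSP) Header Not Set', riskcode: '2', confidence: '3',
          instances: [{ uri: 'https://staging.example.test/', method: 'GET' }] },
        { name: 'Missing Anti-clickjacking Header', riskcode: '2', confidence: '2',
          instances: [{ uri: 'https://staging.example.test/', method: 'GET' }] },
        { name: 'X-Content-Type-Options Header Missing', riskcode: '1', confidence: '2',
          instances: [{ uri: 'https://staging.example.test/app.js', method: 'GET' }] },
        { name: 'Re-examine Cache-control Directives', riskcode: '0', confidence: '1',
          instances: [{ uri: 'https://staging.example.test/', method: 'GET' }] },
      ],
    },
  ],
};

// Count alerts per risk level and fail when any alert at or above failOn is
// present and not on the ignore list. ignore holds alert names that have been
// risk-accepted and are tracked elsewhere; they are reported, not hidden.
function gateZapReport(report, { failOn = 'Medium', ignore = [] } = {}) {
  const threshold = RISK_LABEL.indexOf(failOn);
  if (threshold < 0) throw new Error(`unknown risk level: ${failOn}`);
  const counts = Object.fromEntries(RISK_LABEL.map((l) => [l, 0]));
  const failing = [];
  const ignored = [];
  for (const site of report.site || []) {
    for (const alert of site.alerts || []) {
      const risk = Number(alert.riskcode);
      if (!(risk >= 0 && risk <= 3)) throw new Error(`unexpected riskcode: ${alert.riskcode}`);
      counts[RISK_LABEL[risk]] += 1;
      if (risk < threshold) continue;
      if (ignore.includes(alert.name)) {
        ignored.push(alert.name);
        continue;
      }
      failing.push({
        name: alert.name,
        risk: RISK_LABEL[risk],
        instances: (alert.instances || []).map((i) => `${i.method} ${i.uri}`),
      });
    }
  }
  return { pass: failing.length === 0, counts, failing, ignored };
}

const result = gateZapReport(SAMPLE_REPORT);
console.log(JSON.stringify(result, null, 2));
// In CI, read the file instead of the constant:
//   const report = JSON.parse(require('fs').readFileSync('zap-report.json', 'utf8'));
//   process.exit(gateZapReport(report, { failOn: 'Medium' }).pass ? 0 : 1);
```

Keeping the accepted findings in the script (or a checked-in config) makes the exception visible in code review; silently lowering failOn to High does not.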

♿ Accessibility Testing (a11y)

Accessibility ensures everyone can use your app, including people with disabilities. It's not just good practice - it's often required by law!

Using axe-core with Playwright

    # Install axe-core
    npm install --save-dev @axe-core/playwright

    // accessibility.spec.ts
    import { test, expect } from '@playwright/test';
    import AxeBuilder from '@axe-core/playwright';

    test('should not have accessibility violations', async ({ page }) => {
      await page.goto('https://example.com');

      // Run the accessibility scan on the whole page
      const accessibilityScanResults = await new AxeBuilder({ page }).analyze();

      // Verify no violations
      expect(accessibilityScanResults.violations).toEqual([]);
    });

    // Test specific rules
    test('should have proper heading structure', async ({ page }) => {
      await page.goto('https://example.com');

      const results = await new AxeBuilder({ page })
        .include('.main-content')          // limit the scan to this subtree
        .withTags(['wcag2a', 'wcag2aa'])   // only rules mapped to WCAG 2.0 A and AA
        .analyze();                        // (to target headings alone, use .withRules(['heading-order']))

      expect(results.violations).toEqual([]);
    });
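The following is an added example, not code from the course. `expect(violations).toEqual([])` fails on the first minor issue and prints a wall of JSON; this helper turns an axe-core result into a one-line-per-rule report and decides pass/fail by impact level, with an allow-list for rule ids that are already tracked. The violations below are constructed in axe-core's result shape (id, impact, help, nodes[].target).

```javascript
// Added example, not code from the course: summarize and gate axe-core
// violations by impact. SAMPLE_VIOLATIONS is constructed in axe's result shape.

const IMPACT_ORDER = ['minor', 'moderate', 'serious', 'critical'];

const SAMPLE_VIOLATIONS = [
  { id: 'image-alt', impact: 'critical', help: 'Images must have alternate text',
    nodes: [{ target: ['img.hero'] }, { target: ['#footer > img'] }] },
  { id: 'color-contrast', impact: 'serious', help: 'Elements must meet minimum color contrast ratio thresholds',
    nodes: [{ target: ['.btn-secondary'] }] },
  { id: 'heading-order', impact: 'moderate', help: 'Heading levels should only increase by one',
    nodes: [{ target: ['h4.sidebar-title'] }] },
];

// failOn: lowest impact that blocks the build. allowRules: rule ids that are
// reported but do not block (known issues with a ticket). Everything is still
// listed in the report so nothing disappears from view.
function summarizeViolations(violations, { failOn = 'serious', allowRules = [] } = {}) {
  const minIdx = IMPACT_ORDER.indexOf(failOn);
  if (minIdx < 0) throw new Error(`unknown impact level: ${failOn}`);
  const lines = [];
  const blocking = [];
  for (const v of violations) {
    const first = v.nodes.length ? v.nodes[0].target.join(' ') : '(no node)';
    lines.push(`${v.impact.padEnd(8)} ${v.id}: ${v.help} [${v.nodes.length} node(s), e.g. ${first}]`);
    const severe = IMPACT_ORDER.indexOf(v.impact) >= minIdx;
    if (severe && !allowRules.includes(v.id)) blocking.push(v.id);
  }
  return { pass: blocking.length === 0, blocking, report: lines.join('\n') };
}

console.log(summarizeViolations(SAMPLE_VIOLATIONS).report);
```

In the Playwright test this replaces the bare toEqual with `const summary = summarizeViolations(results.violations); expect(summary.pass, summary.report).toBe(true);` so that a failure prints the readable report (Playwright's expect takes a custom message as its second argument).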

Common Accessibility Issues

  • Missing alt text on images
  • Poor color contrast
  • Missing form labels
  • Keyboard navigation issues
  • Missing ARIA attributes
  • Improper heading hierarchy

🎯 Complete Testing Strategy Project

Build a comprehensive testing strategy that covers functional, performance, security, and accessibility testing.

    // Project structure
    tests/
    ├── functional/
    │   ├── e2e/
    │   ├── api/
    │   └── unit/
    ├── performance/
    │   ├── load-tests/
    │   └── stress-tests/
    ├── security/
    │   ├── owasp-tests/
    │   └── penetration-tests/
    └── accessibility/
        └── a11y-tests/

    // package.json scripts
    {
      "scripts": {
        "test": "npm run test:all",
        "test:all": "npm run test:unit && npm run test:api && npm run test:e2e && npm run test:a11y",
        "test:unit": "jest",
        "test:e2e": "playwright test",
        "test:api": "jest tests/api",
        "test:perf": "k6 run tests/performance/load-tests/load-test.js",
        "test:security": "npm run zap-scan",
        "zap-scan": "docker run --rm -v $(pwd):/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t $APP_URL -r zap-report.html",
        "test:a11y": "playwright test tests/accessibility"
      }
    }

    # Run the complete test suite
    npm run test:all
    npm run test:perf
    npm run test:security
    npm run test:a11y

test:all groups the suites that run against a local build. The performance and security scripts stay separate because they need a deployed target: the k6 script points at a URL, and zap-scan reads the target from an APP_URL environment variable set by the CI job (the original scripts referenced a zap-scan script that was never defined; it is defined here).

🎯 Module Summary

Congratulations! You've completed the QA Automation learning path:

  • ✓ Performance testing fundamentals
  • ✓ Load testing with k6
  • ✓ JMeter for performance testing
  • ✓ Security testing basics
  • ✓ OWASP Top 10 vulnerabilities
  • ✓ Automated security scanning with OWASP ZAP
  • ✓ Accessibility testing with axe-core
  • ✓ Complete testing strategy

You're now ready to work as a QA Automation Engineer! Keep practicing, build your portfolio, and start applying for jobs. The demand for automation engineers is high!