Friday, October 7, 2011

testing tools

  • Selenium (software)
Selenium is a portable software testing framework for web applications.
Selenium provides a record/playback tool for authoring tests without learning a test scripting language (Selenium IDE).
It also provides a test domain-specific language (Selenese) to write tests in a number of popular programming languages, including Java, C#, Groovy, Perl, PHP, Python and Ruby.
The tests can then be run against most modern web browsers. Selenium deploys on Windows, Linux, and Macintosh platforms.
Selenium IDE is a complete integrated development environment (IDE) for Selenium tests.
It is implemented as a Firefox extension, and allows recording, editing, and debugging tests.
It was previously known as Selenium Recorder.
http://en.wikipedia.org/wiki/Selenium_%28software%29

What is Selenium?
Selenium automates browsers. That's it. What you do with that power is entirely up to you. Primarily it is for automating web applications for testing purposes, but is certainly not limited to just that. Boring web-based administration tasks can (and should!) also be automated as well.
http://seleniumhq.org/


  • What is Winium:
Winium is a wrapper over Selenium WebDriver that can be used to automate native/hybrid applications on Windows-based platforms such as Windows 8/Windows 10 mobiles as well as Windows desktop machines.
https://www.linkedin.com/pulse/selenium-windows-applicationswinium-tools-pranoday-dingare
  • DbUnit

dbunit.sourceforge.net
A JUnit extension that puts a database into a known state between test runs. It can export and import a database (or parts of it) to and from XML datasets.
  • HttpUnit

Automated testing is a great way to ensure that code being maintained works. The Extreme Programming (XP) methodology relies heavily on it, and practitioners have available to them a range of testing frameworks, most of which work by making direct calls to the code being tested. But what if you want to test a web application? Or what if you simply want to use a web-site as part of a distributed application?

In either case, you need to be able to bypass the browser and access your site from a program. HttpUnit makes this easy. Written in Java, HttpUnit emulates the relevant portions of browser behavior, including form submission, JavaScript, basic http authentication, cookies and automatic page redirection, and allows Java test code to examine returned pages either as text, an XML DOM, or containers of forms, tables, and links. When combined with a framework such as JUnit, it is fairly easy to write tests that very quickly verify the functioning of a web site.

The same techniques used to test web sites can be used to test and develop servlets without a servlet container using ServletUnit, included in the download.
http://httpunit.sourceforge.net/


  • Cactus

Cactus is a simple test framework for unit testing server-side Java code (Servlets, EJBs, Tag Libs, Filters, ...).
The intent of Cactus is to lower the cost of writing tests for server-side code. It uses JUnit and extends it.
Cactus implements an in-container strategy, meaning that tests are executed inside the container.
http://jakarta.apache.org/cactus/

  • Apache JMeter

Apache JMeter is open source software, a 100% pure Java desktop application designed to load test functional behavior and measure performance. It was originally designed for testing Web Applications but has since expanded to other test functions.
http://jakarta.apache.org/jmeter/

  • What is Locust?

Locust is an easy-to-use, distributed, user load testing tool. It is intended for load-testing web sites (or other systems) and figuring out how many concurrent users a system can handle.
https://docs.locust.io/en/stable/what-is-locust.html


  • Gatling

WHAT DOES "LOAD TESTING" MEAN?
Load testing for web applications consists in:
1/ simulating a large number of users with complex behaviors
2/ collecting and aggregating all the requests' response times
3/ creating reports & analyzing data
We developed our own Domain Specific Language (DSL), in order to make your scenarios easy-to-read for everyone.
https://gatling.io/load-testing-and-continuous-integration/

  • Canoo WebTest

Canoo WebTest is a free Open Source tool for automated testing of web applications in a very effective way. Look at for a features' overview.
webtest.canoo.com


  • JUnit 
This site is dedicated to software developers and testers using the JUnit testing framework
automated testing, tools and extensions for JUnit, and articles on Test Driven Development and other testing topics.

http://www.junit.org/

  • Chai is a BDD / TDD assertion library for node and the browser that can be delightfully paired with any javascript testing framework.

https://www.chaijs.com/


  • TestNG

TestNG is a testing framework inspired by JUnit and NUnit but introducing some new functionalities that make it more powerful and easier to use.
http://testng.org/doc/index.html

TestNG Tutorials
http://www.mkyong.com/tutorials/testng-tutorials/


  • Arquillian Guides

Designed exclusively to teach you how to use Arquillian to write real tests.
Testing Java Microservices
http://arquillian.org/


  • Reduce the programming skill required and make load testing of Web 2.0 and mobile web applications faster, easier, and more comprehensive by using interactive recording and scripting.
http://www8.hp.com/us/en/software-solutions/loadrunner-load-testing/
  • Infinitest

Infinitest is a Continuous Testing plugin for Eclipse and IntelliJ. Each time a change is made to the source code, Infinitest runs all the tests that might fail.


infinitest.github.io

  • BackTrack

BackTrack was a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing use.
It was named after backtracking, a search algorithm. In March 2013, the BackTrack team replaced it with a successor product, Kali Linux.
http://en.wikipedia.org/wiki/BackTrack

  • Ixia BreakingPoint VE
Virtualized security resilience testing for enterprise-wide networks
https://www.ixiacom.com/products/breakingpoint-ve

  • Security Testing and Vendor Selection with BreakingPoint
Ixia-S-WP-Product-Review_Ixia


enterprise traffic simulation tool that
helps networking teams ensure their equipment is prime-time ready
helps security teams simulate adversarial attacks
multifaceted tool that provides actionable data for network security testing and infrastructure validation.
BreakingPoint works by simulating traffic aimed at your network appliances and applications.
Because BreakingPoint initiates the flow of traffic, security teams can measure network saturation and endpoint responsiveness under extreme load
Having the ability to thoroughly test equipment during a proof-of-concept (PoC) phase
Integration with a DevOps Continuous Integration (CI)/Continuous Deployment (CD) pipeline can be handled via the REST API and tweaked via the scripting options built into the device.
The virtual appliance consists of two OVA files: a virtual blade and a virtual controller.
We deployed the virtual appliance using VMware ESXi and proceeded to configure the virtual blades.
Analysts can use BreakingPoint to test the networking capabilities and capacity of other enterprise appliances by simulating malware, DDoS, application fuzzing and legitimate packets.
We spent more than a month with BreakingPoint, and as our familiarity with the tool increased, we identified three business objectives that use of the tool contributed to:
security assessments, technology/vendor selection and as an agent of change.
Businesses do not typically test for DoS during penetration testing.
We found that BreakingPoint fits into the vulnerability management and penetration testing area as a complementary assessment tool.
“Quick Test” options to explore fuzzing capabilities to test applications and the web application firewall’s (WAF) ability to detect and block malicious traffic.
We wanted to use the tool to send malicious payloads and verify that the target device/application successfully blocked the attacks.

From a security assessment perspective, another use case we wanted to test was leveraging BreakingPoint to test device patch level or otherwise identify vulnerable systems.
At first blush, it didn’t seem that BreakingPoint was the right tool for the job in terms of running vulnerability scans.
Interestingly, however, we used BreakingPoint to do exactly that, and this is how it works.
Initially setting up BreakingPoint to identify whether a system is vulnerable to Heartbleed, for example, is similar to configuring the tool to tackle any other type of test: Define the criteria to test for and the targets to test and save them to easily run future tests.
The results of testing provided in Figure 5 quickly showed that the target systems did not, in fact, “pass the test.”
At this point, we had done enough testing to develop a level of confidence that BreakingPoint can help identify how well a WAF is tuned and even identify vulnerable assets not protected by the WAF.
In addition, we wanted to use this tool to perform application simulation for token randomization, brute force attacks, dynamic file generation and other such attacks to assist with some components of web app pen testing.
We test web applications that are mature and in scope for the likes of PCI or are otherwise required to be tested and, conversely, applications that are pre-production or in various stages of the software development life cycle.
For new applications, or at least applications that are not on well-defined networks, we needed to manually define targets on a case-by-case basis.
This is relevant because it takes tuning the DevOps process to ensure a group of static networks and IPs for consistent testing with BreakingPoint as applications moved through the pipeline.
The “Strike List” was a good starting point, but with no matches for Open Web Application Security Project (OWASP) and a multitude of vulnerability-specific exploit codes, the list was not ideal for session fuzzing, account brute forcing or logic attacks.
Regardless of OWASP not specifically being called out by name in the various strikes, several OWASP Top 10 vulnerability categories are present and custom strike lists can be crafted or uploaded.
One of the strong points of BreakingPoint is that it allows the tester to synthesize real-world traffic and real-world conditions customized to the environment in which the devices will be operating.
This concept is relevant in situations where a business has identified the need to purchase hardware and has one or more solutions in the PoC phase actively deployed on the network.
Most enterprises in a PoC phase don’t have the ability to failover a production load to an untested device.
From within the BreakingPoint interface, we configured a test applicable to what the firewall would encounter in the live environment and simply turned up the data rate and configured the “Target Minimum Simultaneous Super Flows” to serve as the criteria to define pass/fail.

Specifically, we wanted to make sure that these database activity monitoring devices are capable of handling the amount of throughput currently being gathered in production.
As a rule of thumb, users should determine how much capacity is needed and then test for at least one and a half times that amount.
At this point, we knew by looking at NetFlow data and local packet capture information that we could expect a baseline of 300Mbps of raw SQL logs. Thus, we wanted to configure BreakingPoint to test for this.
There are cases in which traffic is unique, such as proprietary protocols, and you can account for this by using BreakingPoint’s “re-create” feature, which essentially allows you to upload a pcap with the exact traffic you want to simulate, as illustrated.
This complements the built-in options for sending application- and protocol-specific traffic.

Let’s shift the discussion to measuring the performance impact of turning on SSL “HTTPS Everywhere” or only allowing TLS 1.2 for PCI standards on devices responsible for the encryption overhead.
We found BreakingPoint to be close to ideal as a solution to help us understand the performance impact of enforcing TLS 1.2 across the network.

BreakingPoint can help as an agent of change as part of the DevOps process by verifying that infrastructure changes don’t degrade performance and validating that new application implementations are ready for production.
There are two primary ways of interacting with BreakingPoint that lend themselves to DevOps norms.
The first is a RESTful API, which is simple to use and consists of about two dozen different tasks that can be implemented with POST and GET requests utilizing JSON.
The second is the Enhanced Shell.


  • The UI Automator testing framework provides a set of APIs to build UI tests that perform interactions on user apps and system apps. The UI Automator APIs allow you to perform operations such as opening the Settings menu or the app launcher in a test device.

https://developer.android.com/training/testing/ui-automator


  • Serenity is an Open Source project. Source code is hosted on GitHub, and the binaries are published to JCenter and the Maven Central Repository.

Serenity BDD helps you write better, more effective automated acceptance tests, and use these acceptance tests to produce world-class test reports and living documentation.
http://www.thucydides.info/#/


  • JUnit 5 is the next generation of JUnit. The goal is to create an up-to-date foundation for developer-side testing on the JVM. This includes focusing on Java 8 and above, as well as enabling many different styles of testing.

https://junit.org/junit5/


  • Taurus improves experience of JMeter, Selenium and others.

Automation-friendly framework for Continuous Testing
Taurus tool is an Open Source test automation framework, providing simple YAML-based configuration format with DSL
https://gettaurus.org/


  • The main goal for Karma is to bring a productive testing environment to developers. The environment being one where they don't have to set up loads of configurations, but rather a place where developers can just write the code and get instant feedback from their tests.

https://karma-runner.github.io/latest/index.html


  • Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It has easy-to-use tabular test data syntax and it utilizes the keyword-driven testing approach.

http://robotframework.org/


  • ScalaTest is the most flexible and most popular testing tool in the Scala ecosystem. With ScalaTest, you can test Scala, Scala.js (JavaScript), and Java code. By offering deep integration with tools such as JUnit, TestNG, Ant, Maven, sbt, ScalaCheck, JMock, EasyMock, Mockito, ScalaMock, Selenium, Eclipse, NetBeans, and IntelliJ, ScalaTest makes it easy to take your testing to a higher, more productive level in new or existing Scala, Scala.js, or Java projects.

http://www.scalatest.org/

  • Appium is an open source test automation framework for use with native, hybrid and mobile web apps. It drives iOS, Android, and Windows apps using the WebDriver protocol.
http://appium.io

  • Use Espresso to write concise, beautiful, and reliable Android UI tests.

https://developer.android.com/training/testing/espresso
Family of Open Test Framework for Android App Automation

Appium vs Espresso and XCUI Test
Continuous testing on emulators using the espresso test automation framework
Top 5 Android UI Frameworks for Automation Testing


  • Key Differentiators


Espresso is inside the application, and is written by Google for the sole purpose of functional testing of an Android UI. In terms of testing style, the Espresso description mentions “white box testing.” As Espresso is inside the application, it has access to and knows how to use the code that actually runs the application for more thorough testing of each element.

Appium is designed to be a cross-platform test platform. As such, one of the trade-offs focuses on “black box testing,” which only tests what has been exposed externally to the application. Using the Android UIAutomator framework, Appium can access all the UI elements that a user will see.
https://saucelabs.com/blog/appium-vs-espresso
  • OWASP Mobile Security Testing Guide

Mobile Security Testing Guide (MSTG)
The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:
Mobile platform internals
Security testing in the mobile app development lifecycle
Basic static and dynamic security testing
Mobile app reverse engineering and tampering
Assessing software protections
Detailed test cases that map to the requirements in the MASVS.

https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

  • Built on the top of Selenium and Appium, Katalon Studio is a free and powerful automated testing tool for Web testing, API testing, and Mobile testing


https://www.katalon.com/
