Using Bug Magnet to test APIs

I get extremely irritated when people ask me the toolset I use to test without trying to understand/learn what I am testing and how I intend to use a specific tool.
My choice of tool and how I use it very much depends on the testing objective and the context.

Below is one such example, when I used Bug Magnet, a Chrome/Firefox extension, to test APIs.

Test objective/mission: Explore the email field added to the JSON payload.

I started off the test session with a 5-minute brainstorm. I mostly use a mind map for this.

  • what regex is used in the code?
  • what inputs can break it?
  • what inputs are business critical?
  • response code when it fails? 400?
  • error message returned on failure?
  • min/max length?
  • multiple email addresses?
  • duplicates? does it matter?
  • do we care if it is a *valid/fake email address? 
  • what about domains such as mailinator?
  • (Context:) Given we are not going gung-ho on validation, what could be useful at this moment?

From the brainstorming session I decided to break my test session into two.

  1. I wanted to first focus on just the validation around the regex, and
  2. a follow-up session to gain information on questions outside validation.

So I refactored the test objective to: Test the email field in the JSON payload for validation.

I started off the session by defining my test data:

  • Business-critical test data: the email addresses that should definitely be accepted.
  • Pairing with the dev helped me learn the regex used to validate email addresses. This helped me add more tests around the boundaries of the regex.
  • Also, I was aware of, and wanted to make use of, the amazing list of valid/invalid email addresses in Bug Magnet. I had previously used it for testing a UI functionality.

Yes, Bug Magnet, according to its webpage, is an exploratory testing assistant for Chrome and Firefox. But I wanted to make use of its valid/invalid email addresses to validate a field in a JSON payload.

Navigating to the Bug Magnet install folder revealed the list below in config.json:

"E-mail addresses": {
    "Valid" :{
      "Simple": "",
      "Dot in the address": "",
      "Subdomain": "",
      "Plus in address": "",
      "Numeric domain": "email@",
      "Square bracket around IP address": "email@[]",
      "Unnecessary quotes around address": "\"email\"",
      "Necessary quotes around address": "\"\"",
      "Numeric address": "",
      "Dash in domain": "",
      "Underscore": "",
      ">3 char TLD": "",
      "2 char TLD": "",
      "Dash in address": "",
      "Intranet": "name@localhost",
      "Non-ascii Email" : "nathan@学生优惠.com"
    },
    "Invalid": {
      "No @ or domain": "plainaddress",
      "Missing @": "",
      "Missing address": "",
      "Garbage": "#@%^%#$@#$",
      "Copy/paste from address book with name": "Joe Smith ",
      "Superfluous text": " (Joe Smith)",
      "Two @": "",
      "Leading dot in address": "",
      "Trailing dot in address": "",
      "Multiple dots": "",
      "Unicode chars in address": "あいうえお",
      "Leading dash in domain": "",
      "Leading dot in domain": "",
      "Invalid IP format": "email@111.222.333.44444",
      "Multiple dots in the domain": ""
    }
}

I then added the email addresses (business critical and regex boundaries) to the above list and converted it into a CSV file. A small sample below


The next step was to turn the email field in the JSON payload into a variable and run it via a Postman collection.


The test revealed many inconsistencies: some values were validated and returned 400, but some just threw 500. The generic error message was not helpful either.
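
The CSV conversion step above has a trap: some Bug Magnet values contain double quotes, so a naive comma join produces a broken data file. As an added example (not from the original post or from Bug Magnet), this Node.js script flattens a config.json-shaped object into a Postman data file and triages the responses. The function names, the sample values marked constructed and the expected 200/400 codes are assumptions.

```javascript
// Added example: function names, constructed values and 200/400 codes are assumptions.
const sampleConfig = { // shaped like the config.json excerpt above
  "E-mail addresses": {
    "Valid": {
      "Intranet": "name@localhost",
      "Quoted local part (constructed)": "\"email\"@example.com",
      "Business critical (constructed)": "customer@example.com"
    },
    "Invalid": {
      "No @ or domain": "plainaddress",
      "Garbage": "#@%^%#$@#$",
      "Invalid IP format": "email@111.222.333.44444",
      "Blank entry (constructed)": ""
    }
  }
};
const EXPECTED = { Valid: 200, Invalid: 400 }; // assumed API contract

// RFC 4180 quoting: wrap fields containing quote, comma or newline; double the quotes.
function csvField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Flatten category -> label -> address into one row per request.
function toRows(config) {
  const rows = [];
  for (const [category, entries] of Object.entries(config["E-mail addresses"])) {
    for (const [label, email] of Object.entries(entries)) {
      if (email === "") continue; // blank entries carry no test value
      rows.push({ email, category, label, expectedStatus: EXPECTED[category] });
    }
  }
  return rows;
}

// Header names become the data-file variables, e.g. {{email}} in the request body.
function toCsv(rows) {
  const header = ["email", "category", "label", "expectedStatus"];
  return [header.join(","), ...rows.map(r => header.map(h => csvField(r[h])).join(","))].join("\n");
}

// A 5xx on malformed input is a defect in its own right, separate from a wrong 2xx/4xx.
function triage(row, actualStatus) {
  if (actualStatus >= 500) return "server-error";
  return actualStatus === row.expectedStatus ? "ok" : "mismatch";
}

console.log(toCsv(toRows(sampleConfig)));
```

An address containing double quotes also needs JSON escaping when it is substituted into the request body, otherwise the payload itself becomes invalid before the email validation is ever reached.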

--------------------------------------------end of session-------------------------------------------

So, yes, a tester could give you any of the tools below, plus more, if you ask them just for their toolset:

- MindMup
- Bug Magnet
- Big list of naughty strings
- Atom
- Postman
- Fiddler
- Insomnia
- JMeter
- Charles Proxy
- pyresttest
- dev tools
- newman, etc

but you will never learn how they use it!

