Trying out Postman

One of the tools that we’ve used in our project is Postman. It’s a Google Chrome App wherein we can send the web service request and then view the response in a prettier, much more readable style.

In one of our user stories for this Sprint, we needed to come up with the list of profiles that need to be deactivated because the employee had become inactive. To verify whether the employee had become inactive, we had to check against an employee database. To check, you can go visit a search site, search for that user, and view the search result. Using their provided API, you can pretty much do the same with Postman. Submit the request with the email passed as a parameter and evaluate the result.


But then, sometimes you have to check several employees at a time and it turns out we can use Postman to test in batches. To accomplish that what I did was the following:

1. Whether you run it one at a time or in batches, I defined my tests. Below are the snippets I used in my tests, which check for a 200 status being returned, and for whether the employee status field has a value not equal to Active.

// Pass only when the web service answered with HTTP 200.
tests["Status code is 200"] = responseCode.code === 200;

try {
    var responseJSON = JSON.parse(responseBody);
    // Pass when the first result's status is anything other than "Active".
    tests["Employee is NOT Active"] = "Active" != responseJSON.result[0].empStatus;
} catch (e) {
    // Unparseable body or empty result: the test above is simply not recorded.
}

2. I used a variable for the parameter e.g., {{email}}.


3. I saved the parameter values in .csv format where the first line (treated as the header) uses the variable used as the parameter, in this case “email”.

4. I saved the request (with the tests and params) into a collection.

5. Then I used the Collection Runner to select the collection I want to run, the csv file with the data to pass as parameter values, and to indicate the number of iterations. Results are then displayed at the rightmost panel.
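The same two checks written so that an empty or malformed response fails the iteration instead of being skipped silently, as an added example (not the script from the original post). It is a plain function so it runs outside Postman; the sample responses, emails and the "Terminated" status are constructed, and only `result[0].empStatus` comes from the snippet above.

```javascript
// Added example: the checks from step 1 as a plain function.
// Inside Postman the returned object would be assigned to `tests`.
function evaluateEmployeeResponse(statusCode, responseBody) {
  const tests = {};
  tests["Status code is 200"] = statusCode === 200;

  let status = null;
  try {
    const json = JSON.parse(responseBody);
    // Guard against a missing or empty result array (unknown email).
    if (json && Array.isArray(json.result) && json.result.length > 0) {
      status = json.result[0].empStatus;
    }
  } catch (e) {
    // Non-JSON body (error page, proxy message): status stays null.
  }

  // Record both outcomes explicitly so a failed lookup is never
  // mistaken for "employee is inactive".
  tests["Employee record found"] = typeof status === "string";
  tests["Employee is NOT Active"] =
    typeof status === "string" && status !== "Active";
  return tests;
}

// Constructed sample data: one entry per CSV row / runner iteration.
const sampleIterations = [
  { email: "a@example.com", code: 200, body: '{"result":[{"empStatus":"Active"}]}' },
  { email: "b@example.com", code: 200, body: '{"result":[{"empStatus":"Terminated"}]}' },
  { email: "c@example.com", code: 200, body: '{"result":[]}' },
  { email: "d@example.com", code: 502, body: "<html>Bad Gateway</html>" },
];

// Only emails whose every test passed belong on the deactivation list.
function deactivationCandidates(iterations) {
  return iterations
    .filter((it) =>
      Object.values(evaluateEmployeeResponse(it.code, it.body)).every(Boolean))
    .map((it) => it.email);
}

console.log(deactivationCandidates(sampleIterations));
```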


So there. I probably haven’t even scratched the surface of how else Postman can be used. But it’s been pretty nifty for this particular use case.

WTANZ03 and my toolkit

Last Sunday’s weekend testing session was quite unlike the previous two that I’ve joined. Usually, the session is split into two parts wherein we do testing at the first half and then have the discussion at the second half. This time, we spent the entire two hours on a sharing session on tools. There’s a 21-page chat transcript of the session, and alternatively there’s my summary which I approximate to be around 2 to 3 pages long. The summary’s not comprehensive, of course… I simply listed out the tools that had been mentioned.

Anyway, the session’s topic also had me thinking of the bare minimum set of tools that I’d want in my workstation. Just a couple of months ago, I got a new laptop for work and right after the required installations I went on to install or download the apps/tools that I felt I couldn’t do without. They’re listed out below, along with other handy stuff from my home laptop  (well, only those at the top of my head).

  • Tiddlywiki – I’ve been keeping a personal wiki for my notes, to-do’s, etc. It’s my paste bin for ideas and links to revisit later on. Initially, I wanted to use OneNote, but back then I only had it on my home laptop and not on my work PC. Plus, I wanted something easily portable.
  • Notepad++ – My preferred text editor. It also has syntax highlighting and has a tabbed layout, and you can configure it to run applications e.g., I can run ruby scripts directly from n++.
  • Gadwin Printscreen – A screen capture tool so that I won’t have to use Print Screen + Paste to Paint. It automatically names and saves the screenshot into your directory of choice.
  • Winmerge – Used for comparing files. Notepad++ also has a compare function but I guess I’m just more used to Winmerge.
  • 7zip – For file compression; It has better handling of files with Chinese characters than the default in Windows.
  • Wordweb (free version) – An English dictionary and thesaurus. Its advantage is that it can be used offline.
  • Firefox add-ons like Firebug and Web Developer Toolbar had been helpful when I wanted to play around with form data. Fireshot is another screen capture tool, and it allows one to capture the entire page (including the parts that can only be seen by scrolling down). Echofon, I use for following tweets. Delicious, for my bookmarks.
  • Other stuff… I’d most likely tag them as nifty stuff if I posted them here. 🙂

Need a nearly full disc?

In the past, I’ve had to simulate cases wherein a drive (or a folder) was nearly or already full. To do so, one would have to load several files onto the drive but that would be quite tedious if you’ve got gigabytes of free space. So I either used the trusty 512mb thumb drive (from a previous project) or the very small partition I created on my machine.

Another alternative was shared by an officemate earlier just in case you don’t have a thumb drive, or if you don’t want to mess around with your disc’s partitions. The tool is called TrueCrypt. It allows you to create a volume with your preferred capacity. After creating it, you can mount it and then you’d be able to copy or save files onto it just as you would with any normal disc.

In need of a virus

Back when I was picking up on the requirements of the function I’m testing, one of the things that kinda stood out is the part wherein our program is supposed to handle virus-infected files. My first thought was how exactly would I do that without getting into trouble with the sysads. By the time I started testing, the third-party anti-virus program that we’ll be using hadn’t been finalized yet. My dev provided a temporary function to simulate the detection of an infected file. Though eventually — and inevitably — I will have to try using our program with the selected anti-virus, and I will have to simulate having an infected file. When that time comes, I’ll probably use an EICAR virus.

I first heard about the EICAR virus when I asked my dev if he knew a safe way of simulating the said case. I also heard one other teammate had a pseudo-infected file already, but he said he had lost it when his PC’s anti-virus zapped it out of existence. I’d nearly forgotten about it until I came across a blog feed on testing virus recognition.

To get a pseudo-infected file, either:

(a) Download it from, or

(b) Make one yourself by saving this 68-character string into a text file:  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Web developer firefox plugin

A few days back, an officemate shared some firefox plugins which were shared to him by yet another officemate. This then reminded me of one of the plugins I’ve stumbled upon before. It’s called Web Developer. The build I have on my work pc is about a year old though, and I haven’t gotten around to check for updates especially since we have no internet connection at work. Anyway, it’s a toolbar swamped with a lot of functions to tinker with.


Just a few of these functions on the top of my head:

  • easily enable/disable java, javascript; clear your cache without having to go thru Firefox’s Tools -> Options dialog
  • resize your browser to preset dimensions e.g., 800×600, 1024×786
  • display some lines to help you check alignment of screen objects
  • view element information; you can select an item from the screen and view its properties
  • display tab indexes, alt messages of images, etc.

It also allows you to play around with forms.  Take, for instance, the following example.  I’ve added before and after images to help illustrate.


Before and after shots - using our online time sheet as an example

Basically in this example, with web developer, I was able to do several items with the form. 

  1. Display the values in the password field.
  2. Enable a previously disabled item.  In this case, it’s the login button.  This led me to find out that the system will let you time-in again even if you’re already logged in.  This explains why my logged time-in for a certain date was past 8PM.
  3. Make a read-only field write-able.  I tried editing the Log-out Time field to include parts which aren’t time components.  On save, nothing bad seemed to have happened. 😛
  4. Convert select elements or combo boxes to text input fields.  This allows you to enter values other than what’s available from the combo box.
  5. Remove the maxlength properties that restrict the number of characters that can be entered into the edit boxes.  Normally, you can only specify a 4-digit year value and select a valid month before clicking <view monthly attendance>.  But with (4) and (5), I was able to specify a numeric value with more than 4 digits for the year and an invalid month value.  On click of <view monthly attendance>, there was no server-side validation so no error was raised.
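What the missing server-side check from items 3 to 5 could look like, as an added example (not the timesheet application's code): the server re-validates the year, month and log-out time no matter what the form allowed in the browser. The field names and the HH:MM time format are assumptions, and the sample requests are constructed.

```javascript
// Added example; field names (year, month, logoutTime) are hypothetical.
const str = (v) => (v == null ? "" : String(v));

function validateYearMonth(input) {
  const errors = [];
  // Exactly four digits: the server-side twin of the form's maxlength.
  if (!/^\d{4}$/.test(str(input.year))) {
    errors.push("year must be exactly 4 digits");
  }
  // The combo box only offered real months; accept 1-12, zero-padded or not.
  if (!/^(0?[1-9]|1[0-2])$/.test(str(input.month))) {
    errors.push("month must be 1-12");
  }
  return errors;
}

function validateLogoutTime(value) {
  // Assumed format: HH:MM on a 24-hour clock, nothing else in the field.
  return /^([01]\d|2[0-3]):[0-5]\d$/.test(str(value))
    ? []
    : ["logoutTime must be HH:MM"];
}

// Returns { ok, errors }; a request handler rejects the request when !ok.
function validateAttendanceRequest(input) {
  const errors = [
    ...validateYearMonth(input),
    ...("logoutTime" in input ? validateLogoutTime(input.logoutTime) : []),
  ];
  return { ok: errors.length === 0, errors };
}

// Constructed requests: one normal, two of the kind the tampered form sends.
const sampleRequests = [
  { year: "2009", month: "7" },
  { year: "20091", month: "13" },
  { year: "2009", month: "07", logoutTime: "18:30 and more" },
];
for (const req of sampleRequests) {
  console.log(JSON.stringify(req), validateAttendanceRequest(req));
}
```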


A bookmarklet is a small application that you can save and run as a bookmark or a favorite in your browser. Initially, I thought it got called ‘bookmarklet’ since it’s like a mini-bookmark. I found out it’s actually a portmanteau of ‘bookmark’ and ‘applet’. Anyway, it’s usually some JavaScript code that you can use to extract some info from the web page that you are viewing or modify the appearance of the page among many other things.

For instance, here’s a very simple example… of course, there are other bookmarklets out there which are more informative… you can try running the following from the browser’s address bar:


Here’s another example — it raises an alert for each password value:


One of the first bookmarklets I’ve stumbled upon retrieved all edit boxes and their corresponding maxlengths, and raised an alert containing this info. I then thought that this was something that I can actually use since using the bookmarklets might be easier than using view source or counting the number of characters that can be typed in.

I played around with it a bit and used it to extract other attributes. By chance, it then led me to discover a security bug in one website. Without even being logged in, I was able to get my password (and other people’s passwords too if I wanted to). Just yesterday, I shared this bug with some of my teammates, and this prompted two of them to change their passwords to something less personal (I suppose).

Anyway, just to summarize my points… (1) bookmarklets have a potential for being used as a testing tool, and (2) be careful when choosing your password.
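A sketch of the kind of maxlength-listing bookmarklet described above, as an added example (not the bookmarklet the post refers to, whose code is not on the page). It goes a little further and also lists read-only, disabled and select fields, which are the restrictions a tester would then re-check on the server. The stand-in elements and their field names are constructed.

```javascript
// Added example. The logic takes the document as a parameter so it can be
// run outside a browser against the constructed stand-in below.
function auditFormFields(doc) {
  const report = [];
  doc.querySelectorAll("input, textarea, select").forEach((el) => {
    const notes = [];
    const max = el.getAttribute("maxlength");
    if (max !== null) notes.push("maxlength=" + max);
    if (el.hasAttribute("readonly")) notes.push("readonly");
    if (el.hasAttribute("disabled")) notes.push("disabled");
    if (el.tagName.toLowerCase() === "select") notes.push("fixed option list");
    if (notes.length > 0) {
      const name =
        el.getAttribute("name") || el.getAttribute("id") || "(unnamed)";
      report.push(name + ": " + notes.join(", "));
    }
  });
  return report;
}

// Constructed stand-in for DOM elements (only the methods used above).
function fakeElement(tagName, attrs) {
  return {
    tagName,
    getAttribute: (n) => (n in attrs ? attrs[n] : null),
    hasAttribute: (n) => n in attrs,
  };
}
const sampleDoc = {
  querySelectorAll: () => [
    fakeElement("INPUT", { name: "year", maxlength: "4" }),
    fakeElement("SELECT", { name: "month" }),
    fakeElement("INPUT", { name: "logoutTime", readonly: "" }),
    fakeElement("INPUT", { name: "comment" }),
  ],
};

// In a browser, report on the live page; elsewhere, on the sample.
if (typeof document !== "undefined" && typeof alert === "function") {
  alert(auditFormFields(document).join("\n") || "No client-side limits found");
} else {
  console.log(auditFormFields(sampleDoc).join("\n"));
}
```

To save it as a bookmarklet, wrap the function and the `alert` call in `javascript:(function(){ ... })();` and use that as the bookmark's URL.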

Some nifty tools – bugshooting, pixie, jruler

Here are some nifty tools. Their usage is not limited to testing though.

Bug Shooting. It’s another screen capture tool which has a more catchy name than what I normally use i.e., Gadwin PrintScreen. Its edge over Gadwin is that if you intend to make some edits (e.g., add some arrows, circles, or some text), it has those functions immediately available after taking the screenshot. Whereas in Gadwin, you’d still need to open some image editing tool like Paint. With Gadwin, your screenshots are automatically saved into your capture folder. With Bug Shooting, you’d still need to save the file manually. But alternatively, Bug Shooting has an option of automatically sending the screenshot to an application. E.g., after taking a screenshot, you can send it to your email application and the image gets automatically attached.

Pixie. This tool acts like a color picker. So while it’s running, you’d just have to point your mouse over any part of the screen and Pixie returns the color you’re pointing at in hex, rgb and other formats. It also gives out the x and y positions.

JR Screen Ruler. If I remember correctly, this one was shared by Tats a long time ago. It offers a better alternative to using your “man-calipers” (as Chry puts it), or resizing some other window to use as a make-shift ruler. With this you can measure the length or width of certain screen objects in pixels, inches or centimeters.

Discontinuous selection in firefox 3

This is pretty nifty. Using Firefox 3, you can select separate blocks of text from the page (ergo discontinuous selection). First, select some text like you normally do. Then, press the CTRL key, and make another text selection on the page.

Another thing to try out:  Type “about:robots” in Firefox 3’s address bar.