
Training Scenario

Objective

A guided journey to train learners in performance and chaos engineering concepts in a progressive way.

Typical program (half a day)

Module 1 — Introduction (30 min)

  • Presentation of PerfShop and its architecture
  • Tour of the monitoring and Grafana
  • Nominal metrics: understand what we measure

Module 2 — CPU & Memory (45 min)

  • Enable CPU Burn at 25%, 50%, 75%, 100%
  • Observe the CPU → latency correlation
  • Enable Memory Leak: observe heap rise and GC cycles
  • Discussion: what to do in production?

Module 3 — Concurrency & DB (45 min)

  • Thread Pool: progressive saturation of the Tomcat threads
  • DB Pool: HikariCP exhaustion
  • Slow Query: impact on the p95/p99 percentiles
  • Deadlock: 503 errors and blocked threads

Module 4 — Frontend (30 min)

  • Browser CPU Burn: FPS and Long Tasks
  • JS Memory Leak: browser heap
  • Fetch Flood: client/server network correlation

Module 5 — Business Chaos (30 min)

Objective: identify silent functional anomalies in an e-commerce journey.

Golden rule: with the right test data, an order must always go through whatever level is active. The anomalies are to be observed and noted, not fixed.

Junior Level — A1, A2, A3 (10 min)

  • Enable level 1 in the 💼 Business Chaos tab of chaos-admin
  • Place an order and record the displayed total including tax — compare it with net_amount × 1.20
  • Check the stock of an ordered product — it remains unchanged (A3)
  • Compare the cart price with the catalog price — rounded to the lower integer (A2)

Confirmed Level — +A4, A5, A6, A7 (10 min)

  • Double-click quickly on "Order" — two orders appear (A5)
  • Enter an invalid promo code — accepted without error or discount (A6)
  • Observe the confirmation email — shipping fees are missing (A4)

Expert Level — +A8, A9, A10, A11 (10 min)

  • Observe the total shown in "My orders" — does not match the real sum (A10)
  • After a logout, call the API within 30 seconds — token still valid (A11)
  • Check the container logs: docker logs perfshop-app | grep '\[BusinessChaos\]'
  • Observe the 🎯 Business tab of the monitoring — counters and logs per anomaly in real time
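The anomalies above are meant to be observed and noted, and the key takeaway of the module is that each one has a recognisable signature. The following invariant checker is an added example (not PerfShop's own code) that turns those observations into automatic findings over order records: A1 (tax), A2 (rounding), A3 (stock), A4 (shipping fees) and A5 (double submit). The order records, catalog and stock snapshots are constructed; amounts are integer cents, the 20 % rate comes from the module's net_amount × 1.20 rule, and the 2 s duplicate window is an assumption.

```javascript
// Added example, not PerfShop's own code: an invariant checker for the Module 5
// anomalies. Records, catalog and stock snapshots are constructed; amounts are
// integer cents; the 20 % rate comes from the module text (net_amount × 1.20);
// the 2 s window used for A5 is an assumption.

const VAT_RATE_PERCENT = 20;
const DUPLICATE_WINDOW_MS = 2000;

// Gross amount expected from a net amount, rounded half up to the cent.
function grossFromNet(netCents) {
  return Math.round((netCents * (100 + VAT_RATE_PERCENT)) / 100);
}

// Audits one order and returns the anomaly codes it exhibits (empty when clean).
function auditOrder(order, catalog, stockBefore, stockAfter, sessionOrders) {
  const findings = new Set();
  const net = order.lines.reduce((sum, l) => sum + l.unitPrice * l.quantity, 0);
  // A1: the displayed total including tax must be net × 1.20
  if (order.totalWithTax !== grossFromNet(net)) findings.add("A1");
  for (const line of order.lines) {
    // A2: each cart line must carry the catalog price, not a floored one
    if (line.unitPrice !== catalog.get(line.productId).unitPrice) findings.add("A2");
    // A3: stock must have decreased by exactly the ordered quantity
    if (stockAfter.get(line.productId) !== stockBefore.get(line.productId) - line.quantity) findings.add("A3");
  }
  // A4: the confirmation must state shipping fees, even when they are zero
  if (!Number.isInteger(order.confirmation.shippingFees)) findings.add("A4");
  // A5: a second order for the same cart within the window is a double submit
  const twin = sessionOrders.find(
    (o) => o.id !== order.id && o.cartId === order.cartId && Math.abs(o.createdAt - order.createdAt) < DUPLICATE_WINDOW_MS,
  );
  if (twin) findings.add("A5");
  return [...findings];
}

// Constructed data: a clean order, then the same journey with every anomaly active.
const catalog = new Map([[101, { id: 101, name: "Mug", unitPrice: 1299 }]]);

const cleanOrder = {
  id: 10, cartId: "cart-1", createdAt: 0,
  lines: [{ productId: 101, quantity: 2, unitPrice: 1299 }],
  totalWithTax: 3118, // round(2598 × 1.20)
  confirmation: { shippingFees: 499 },
};
const cleanStockBefore = new Map([[101, 10]]);
const cleanStockAfter = new Map([[101, 8]]);

const chaoticOrder = {
  id: 20, cartId: "cart-2", createdAt: 5000,
  lines: [{ productId: 101, quantity: 2, unitPrice: 1200 }], // A2: 12.99 floored to 12.00
  totalWithTax: 2400,                                        // A1: tax not applied
  confirmation: {},                                          // A4: fees missing
};
const chaoticStockBefore = new Map([[101, 10]]);
const chaoticStockAfter = new Map([[101, 10]]);              // A3: stock untouched
const doubleClickTwin = { id: 21, cartId: "cart-2", createdAt: 5300 }; // A5: same cart, 300 ms later

console.log("clean:", auditOrder(cleanOrder, catalog, cleanStockBefore, cleanStockAfter, [cleanOrder]));
console.log("chaos:", auditOrder(chaoticOrder, catalog, chaoticStockBefore, chaoticStockAfter, [chaoticOrder, doubleClickTwin]));
```

Run against the order export of a session, such a checker gives the "counters per anomaly" that the 🎯 Business tab shows, but computed from business data rather than from the application's own chaos logs, which is the only way to catch a silent anomaly once the chaos switch is no longer the explanation.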

Module 6 — Scripting Chaos (45 min)

Objective: learn to script in an environment where tokens are mandatory.

Junior Level (15 min)

  • Enable Level 1 in the Scripting tab of chaos-admin
  • Show live that a call without a token receives a 400
  • Learners modify their JMeter/k6 script to extract X-Session-Token from the login and inject it
  • Validation: the login → cart → order scenario passes with 200/201

Confirmed Level (15 min)

  • Enable Level 2
  • Introduce X-Action-Token and the 30s expiration
  • Learners implement an automatic re-login in their script
  • Discussion: how to handle expiration under load?

Expert Level (15 min)

  • Enable Level 3
  • Present CSRF/Step/Signature rotation and the step1 → step2 sequence
  • Decode the cryptic errors together: E-CSRF-01, E-STEP-04, E-SIG-07, E-TKN-99
  • The most advanced learners solve the Expert level on their own
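What the Junior and Confirmed levels ask of a load script is shown below as an added example (not PerfShop's own code and not a k6 or JMeter script): a client that extracts X-Session-Token and X-Action-Token from the login response, sends them on every call, and re-logs in once when the action token has expired. The server is a constructed in-process stub so the block runs offline; the endpoint paths /api/auth/login, /api/cart and /api/orders, the fact that the tokens arrive as response headers, and the error payload shape are assumptions. The 400 without a token, the 30 s expiry and the E-TKN-99 code come from the module text.

```javascript
// Added example, not PerfShop's own code: token extraction and automatic
// re-login for the login -> cart -> order scenario. The server stub, the paths
// and the response layout are constructed assumptions; 400 without token, the
// 30 s expiry and the E-TKN-99 code are from the module description.

const ACTION_TTL_MS = 30 * 1000; // page: X-Action-Token expires after 30 s

// Constructed stub standing in for the API. `now` is injected so a test can
// move the clock forward instead of sleeping.
function makeServerStub(now) {
  const sessions = new Map(); // sessionToken -> { actionToken, issuedAt }
  let seq = 0;
  return {
    handle(method, path, headers = {}) {
      if (method === "POST" && path === "/api/auth/login") {
        const sessionToken = `sess-${++seq}`;
        const actionToken = `act-${++seq}`;
        sessions.set(sessionToken, { actionToken, issuedAt: now() });
        return {
          status: 200,
          headers: { "X-Session-Token": sessionToken, "X-Action-Token": actionToken },
          body: { ok: true },
        };
      }
      if (!headers["X-Session-Token"]) {
        return { status: 400, headers: {}, body: { error: "E-TKN-99", message: "token required" } };
      }
      const session = sessions.get(headers["X-Session-Token"]);
      const expired = !session || now() - session.issuedAt > ACTION_TTL_MS;
      if (expired || headers["X-Action-Token"] !== session.actionToken) {
        return { status: 401, headers: {}, body: { error: "E-TKN-99", message: "token invalid or expired" } };
      }
      if (path === "/api/cart") return { status: 200, headers: {}, body: { items: 1 } };
      if (path === "/api/orders") return { status: 201, headers: {}, body: { orderId: ++seq } };
      return { status: 404, headers: {}, body: {} };
    },
  };
}

// What the learner's script has to do: extract both tokens from the login
// response (the header-extractor step), send them on every call, and re-login
// exactly once on E-TKN-99 before retrying the same request.
class TokenAwareClient {
  constructor(server) {
    this.server = server;
    this.sessionToken = null;
    this.actionToken = null;
    this.loginCount = 0; // lets a test prove that re-login happened only when needed
  }
  login() {
    const res = this.server.handle("POST", "/api/auth/login");
    if (res.status !== 200) throw new Error(`login failed: ${res.status}`);
    this.sessionToken = res.headers["X-Session-Token"];
    this.actionToken = res.headers["X-Action-Token"];
    this.loginCount += 1;
  }
  authHeaders() {
    return { "X-Session-Token": this.sessionToken, "X-Action-Token": this.actionToken };
  }
  call(method, path) {
    if (!this.sessionToken) this.login();
    let res = this.server.handle(method, path, this.authHeaders());
    if (res.status === 401 && res.body.error === "E-TKN-99") {
      this.login(); // automatic re-login, then a single retry
      res = this.server.handle(method, path, this.authHeaders());
    }
    return res;
  }
}

// The login -> cart -> order scenario; returns the two statuses (expected 200, 201).
function runScenario(client) {
  return [client.call("POST", "/api/cart").status, client.call("POST", "/api/orders").status];
}

// Stand-alone demo with a controllable clock: the second run happens 31 s later.
let demoClock = 0;
const demoServer = makeServerStub(() => demoClock);
const demoClient = new TokenAwareClient(demoServer);
console.log("no token:", demoServer.handle("POST", "/api/cart").status);
console.log("run 1:", runScenario(demoClient), "logins:", demoClient.loginCount);
demoClock += 31 * 1000;
console.log("run 2:", runScenario(demoClient), "logins:", demoClient.loginCount);
```

The single-retry rule matters for the Confirmed-level discussion on expiration under load: a script that re-logs in on every error turns one expired token into a login storm, so the retry is bounded and the login counter is something worth plotting next to the request rate.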

Module 7 — Security Chaos (45 min)

Objective: identify and exploit OWASP web vulnerabilities in a controlled environment.

Ethical reminder

These techniques apply only to this isolated pedagogical environment. Any exploitation on third-party systems is illegal.

Junior Level — S1, S2, S3 (15 min)

  • Enable level 1 in the 🔒 Security Chaos tab of chaos-admin
  • S2 IDOR: note the ID of your order, try to access another user's order (/api/orders/1, /api/orders/2, ...) — observe whether the 403 is indeed missing
  • S3 Exposed hash: call GET /api/auth/me — observe the password field with its BCrypt hash $2a$...
  • S1 SQLi: test GET /api/products/search?q=' then ?q=' OR '1'='1 — compare the number of products returned

Confirmed Level — +S4, S5, S6 (15 min)

  • Enable level 2
  • S5 Price tampering: intercept a POST /api/orders (Burp Suite / DevTools), change unitPrice to 0.01 — check the totalAmount in the response
  • S4 Stored XSS: submit an order with <script>alert('XSS')</script> in shippingAddress — observe that the tag is stored unescaped
  • S6 Timing attack: script several login calls with known vs unknown emails, measure the δt (~300ms if the account exists)

Expert Level — +S7, S8, S9 (15 min)

  • Enable level 3
  • S9 Mass Assignment: send email and password in the body of PUT /api/auth/me — check whether the email changed by calling /api/auth/me
  • S7 HMAC token: capture the X-Debug-Token header, decode the left part in Base64url, re-sign with the key "secret123" to forge an admin token
  • S8 Path Traversal: test GET /api/orders/1/invoice?format=../../etc/passwd — observe the simulated content returned
  • Observe the 🔐 Security tab of the monitoring — counters and logs per flaw in real time
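For the debrief of the Junior and Confirmed levels, the following block is an added example (not PerfShop's own code) showing the server-side checks whose absence the S2, S3, S4, S5 and S9 exercises make visible, written as plain functions over an in-memory store so the contrast is readable without the application. The field names (password, unitPrice, totalAmount, shippingAddress) follow the module text; the store layout, user ids, catalog prices in cents and the bcrypt placeholder are constructed.

```javascript
// Added example, not PerfShop's own code: the server-side checks for S2, S3, S4,
// S5 and S9 over a constructed in-memory store. Field names follow the module
// text; ids, prices (cents) and the hash placeholder are constructed.

const store = {
  users: new Map([
    [1, { id: 1, email: "alice@example.test", password: "$2a$10$<bcrypt-hash-placeholder>", displayName: "Alice" }],
    [2, { id: 2, email: "bob@example.test", password: "$2a$10$<bcrypt-hash-placeholder>", displayName: "Bob" }],
  ]),
  catalog: new Map([[101, { id: 101, name: "Mug", unitPrice: 1299 }]]),
  orders: new Map([[1, { id: 1, ownerId: 1, totalAmount: 1299 }]]),
  nextOrderId: 2,
};

// S2 (IDOR): the order is loaded by id, then ownership is enforced; 403 is the
// expected answer for somebody else's order, 404 for an unknown one.
function getOrder(requesterId, orderId) {
  const order = store.orders.get(orderId);
  if (!order) return { status: 404 };
  if (order.ownerId !== requesterId) return { status: 403 };
  return { status: 200, body: order };
}

// S3 (exposed hash): /api/auth/me serialises an explicit view of the user, so the
// password column cannot leak when the entity is returned directly or gains a field.
function meResponse(userId) {
  const u = store.users.get(userId);
  if (!u) return { status: 401 };
  const { id, email, displayName } = u;
  return { status: 200, body: { id, email, displayName } };
}

// S4 (stored XSS): free text is stored as-is and escaped at the point of rendering.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// S5 (price tampering): the client sends product ids and quantities only; unitPrice
// and totalAmount are computed from the catalog, whatever the request body carries.
function createOrder(userId, body) {
  const lines = [];
  let totalAmount = 0;
  for (const item of body.items || []) {
    const product = store.catalog.get(item.productId);
    const quantityOk = Number.isInteger(item.quantity) && item.quantity > 0;
    if (!product || !quantityOk) return { status: 400, body: { error: "invalid order line" } };
    lines.push({ productId: product.id, quantity: item.quantity, unitPrice: product.unitPrice });
    totalAmount += product.unitPrice * item.quantity;
  }
  if (lines.length === 0) return { status: 400, body: { error: "empty order" } };
  const order = {
    id: store.nextOrderId++,
    ownerId: userId,
    lines,
    totalAmount,
    shippingAddress: String(body.shippingAddress || ""),
  };
  store.orders.set(order.id, order);
  return { status: 201, body: { ...order, shippingAddress: escapeHtml(order.shippingAddress) } };
}

// S9 (mass assignment): only allow-listed fields are bound; email and password
// belong to dedicated flows (verification, re-authentication) and are refused here.
const PROFILE_WRITABLE = new Set(["displayName"]);
function updateProfile(userId, body) {
  const u = store.users.get(userId);
  if (!u) return { status: 401 };
  const rejected = Object.keys(body).filter((k) => !PROFILE_WRITABLE.has(k));
  if (rejected.length > 0) return { status: 400, body: { error: "read-only fields", fields: rejected } };
  for (const k of PROFILE_WRITABLE) if (k in body) u[k] = String(body[k]);
  return meResponse(userId);
}

// Stand-alone demo
console.log("other user's order:", getOrder(2, 1).status);
console.log("me:", meResponse(1).body);
console.log("tampered unitPrice ignored, total:", createOrder(1, { items: [{ productId: 101, quantity: 2, unitPrice: 1 }] }).body.totalAmount);
```

Refusing unexpected fields with a 400, rather than silently dropping them, is a deliberate choice: it makes a tampering attempt visible in the access logs, which is what the 🔐 Security tab counters rely on.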

Master Level — Chained scenario S10, S11, S12 (15 min)

Advanced scenario — Bac+4/5 (master's-level) audience

This scenario requires chaining 3 flaws to reach a complete privilege escalation.

  • Enable level 4 in the 🔒 Security Chaos tab of chaos-admin
  • Discovery: inspect the JS bundle in the DevTools (Sources) or fuzz the routes — find /admin
  • S10: GET /api/admin/portal/stats (no token) — retrieve the adminContact email exposed without authentication
  • S11: POST /api/admin/portal/login with {"email": "admin' OR '1'='1' --", "password": "x"} — retrieve the adminToken
  • S12: PUT /api/admin/portal/accounts/1/promote with header X-Admin-Token: <token> — observe isSuperAdmin: true in the response
  • Use the obtained token to access chaos-admin and the monitoring — demonstrate full access

Module 8 — Self-directed exercise (30 min)

Learners receive a scenario to diagnose (simplified hackathon mode).

Key takeaways

  1. Each anomaly has a signature recognizable in the metrics
  2. Anomalies combine and create unexpected side effects
  3. The monitoring is essential — without metrics, diagnosis is impossible
  4. The p95/p99 percentiles reveal problems invisible in the median
  5. Frontend ≠ Backend — both have their own degradation axes
  6. Security flaws are silent — no visible error on the user side, hence the importance of logs and dedicated monitoring