
📘 Student Guide - PerfShop

Welcome!

This guide walks you through learning performance testing with PerfShop.

🎯 Learning Objectives

By the end of this training, you will know how to:

  1. Identify common performance issues
  2. Use monitoring tools
  3. Analyze system metrics
  4. Write load test scripts
  5. Propose optimization solutions

📚 Lab 1: Discovering the Application

Objective

Understand how PerfShop works without any anomaly

Steps

  1. Access the application (URL provided by the instructor)
  2. Log in with user1@perfshop.com / password1
  3. Explore the product catalog
  4. Add 3 products to the cart
  5. Complete the checkout process
  6. Write down the order number

Questions

  • How long did the complete process take?
  • How many steps before the order confirmation?
  • What information is requested?

🔥 Lab 2: First Anomaly — Memory Leak

Objective

Observe and understand a memory leak

Prerequisites

  • Open the monitoring (URL provided by the instructor)
  • Open the Chaos Admin

Procedure

  1. Observe the baseline (without any anomaly)
     • Look at the "JVM Heap Memory" chart
     • Note the stable value of used memory
  2. Enable the memory leak
     • Go to Chaos Admin
     • Set the "Memory Leak" slider to 100%
     • Return to the monitoring
  3. Observe the evolution
     • Memory rises rapidly
     • After ~20 seconds: application crash
     • Charts stop refreshing
  4. Restore the application
     • Ask the instructor to restart it
     • Or via SSH: docker compose restart perfshop-app

Analysis

  • What was the maximum available memory?
  • How fast did memory increase?
  • Why did the application crash?
  • How can this problem be avoided in production?

🗄️ Lab 3: DB Connection Pool Saturation

Objective

Understand the impact of a DB pool that is too small

Procedure

  1. Normal configuration
     • Observe "Database Connection Pool": 0-2 active connections
     • Browse normally: everything works
  2. Enable the saturation
     • Chaos Admin → "DB Pool Saturation" at 80%
     • Requests become slow
  3. Test with load
     • Open 5 browser tabs
     • Browse simultaneously in each tab
     • Observe the slowdowns
  4. Observe the metrics
     • Pool saturated: all connections in use
     • Requests waiting
     • Possible timeouts

Analysis

  • How many max connections in the pool?
  • What happens when no more connections are available?
  • What is the solution to improve performance?

⚡ Lab 4: CPU Intensive

Objective

Identify a CPU issue

Procedure

  1. CPU baseline
     • CPU usage: 0-5%
     • Fast responses
  2. Enable CPU chaos at 50%
     • Observe the CPU increase
     • Slower navigation
  3. Analyze the impact
     • Measure page load time
     • Compare with/without anomaly

Analysis

  • Where is the CPU being used? (see code in GitLab)
  • How can these computations be optimized?

💼 Lab 5: Business Chaos — Functional Anomalies

Objective

Identify silent anomalies in e-commerce logic — incorrect prices, inconsistent stock, unexpected behaviors — with no visible error message.

Prerequisites

  • Be logged in with user1@perfshop.com / password1
  • Open Chaos Admin → 💼 Business Chaos tab

Procedure

Step 1 — Junior Level (A1, A2, A3)

  1. Chaos Admin → 🟢 Junior (level 1)
  2. Pick a product at €99.99 and note the displayed price — it will be rounded to €99.00 in the cart (A2)
  3. Place the order and record the displayed total including tax
  4. Manually calculate net_amount × 1.20 — the gap reveals a VAT of 19.6% instead of 20% (A1)
  5. Go back to the ordered product page — stock is unchanged (A3)

Step 2 — Confirmed Level (+A4, A5, A6, A7)

  1. Chaos Admin → 🟡 Confirmed (level 2)
  2. Double-click quickly on "Order" — check "My orders": two identical orders appear (A5)
  3. In the order form, enter the promo code TOTO123 — it is accepted without error and without discount (A6)
  4. Observe the confirmation email received — shipping fees are absent from the summary (A4)

Step 3 — Expert Level (+A8, A9, A10, A11)

  1. Chaos Admin → 🔴 Expert (level 3)
  2. Place several orders, then compare the total shown in "My orders" with the sum of orders — the total is wrong (A10)
  3. Log out, then within 30 seconds call GET /api/auth/status → graceActive: true indicates the session is still usable (A11)
  4. Observe the 🎯 Business tab of the monitoring — A1-A11 counters and WARN [BusinessChaos] logs appear in real time

Analysis

  • Which anomalies are visible in the interface? Which ones are only detectable via logs?
  • Which anomaly would be the most severe in production? Why?
  • How would an automated regression test have detected A1 (VAT)?

⚡ Lab 5b: Functional APM Chaos — Real Java Exceptions

Objective

Use an APM tool (Tempo) to identify JVM exceptions injected into the code, locate the faulty method, and understand the causality chain.

Prerequisites

  • Access to Grafana → STUDENT APM or INSTRUCTOR APM dashboard
  • Access to Grafana → Tempo data source (traces)
  • Chaos Admin → ⚡ Functional Chaos tab

Junior Level — F1 NullPointerException (Level 1)

  1. Chaos Admin → 🟢 Junior (level 1)
  2. Try to place an order → HTTP 500
  3. Open Grafana → Tempo → TraceQL filter: { span.http.method = "POST" && status = error }
  4. Click on the red trace → identify the span in error
  5. Read exception.type and exception.message in the span attributes
  6. Document: which method threw the exception? what is the real simulated cause?

Confirmed Level — F2 StackOverflowError (Level 2)

  1. Chaos Admin → 🟡 Confirmed (level 2)
  2. Place an order → HTTP 500, truncated stacktrace
  3. In Tempo, compare the F1 trace and the F2 trace: is the error span the same? the duration?
  4. Count the repetitive frames in the stacktrace → this is the signature of infinite recursion
  5. Document the difference between NPE and SOE in terms of APM diagnosis

Expert Level — F3 OutOfMemoryError (Level 3)

  1. Chaos Admin → 🔴 Expert (level 3)
  2. Call GET /api/products multiple times — observe the heap rise in Grafana
  3. In Grafana → Pyroscope → memory:alloc_objects profile → identify applyF3CatalogOom
  4. Correlate: GC pause (jvm_gc_pause_seconds_sum) vs heap (jvm_memory_used_bytes)
  5. Document: why can the monitoring detect F3 but not F4?

Master Level — F4 Silent Corruption (Level 4)

The APM paradox

At this level, all traces are green in Tempo. No exceptions. HTTP 200 everywhere. Yet the shop is dysfunctional. Your mission: find the problem without any alert.

  1. Chaos Admin → ⭐ Master (level 4)
  2. Browse the shop → some prices look strange, some products appear out of stock
  3. Check in Tempo: no red trace — everything is green
  4. Call the API directly:
    curl -s https://perfshop-api.perfshop.io/api/products/1 | jq '{price, stock, description}'
    
  5. Compare with the DB data (via the instructor or SSH)
  6. Identify the divergence point: the anomaly is in GET /api/products/{id}
  7. Check the container logs: [FunctionalChaos][F4] confirms the corruptions
  8. Observe the Grafana F4 Silent Corruptions counter → it rises on every product visit

Final analysis — F4 vs F1/F2/F3

Criterion              | F1/F2/F3           | F4
Tempo traces           | 🔴 Visible error   | ✅ Green, invisible
HTTP status            | 500                | 200
Monitoring detection   | Immediate          | Impossible without payload inspection
User impact            | Functional crash   | Wrong data: purchase at the wrong price
Production severity    | High (visible)     | Very high (silent)

Questions

  • Which tool allowed you to detect F4 if monitoring sees nothing?
  • How could an automated regression test (Selenium/k6) have detected F4?
  • What is the difference between a "noisy" anomaly (F1-F3) and a "silent" one (F4) in terms of business risk?
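A regression test that would have caught A1, A2 and A3 in Lab 5, and the F4 divergence in Lab 5b, needs nothing more than invariant checks over the API payloads: recompute the total from net_amount and the 20% rate, compare each line price with the catalog, compare stock before and after the order, and for F4 compare the product payload with a trusted baseline instead of trusting the HTTP 200. The following is an added example, not PerfShop code or part of the guide; the JSON field names (lines, productId, unitPrice, qty, net_amount, totalAmount, price, stock, description) and the sample values are assumed for illustration.

```python
"""Regression checks for the Lab 5 business anomalies and the Lab 5b F4 corruption.

Added example, not PerfShop code. The payload field names are assumed; map them
to the real API responses when you run this against the shop.
"""
from decimal import Decimal, ROUND_HALF_UP

VAT_RATE = Decimal("0.20")        # the expected rate; A1 silently applies 19.6%
CENT = Decimal("0.01")


def money(value):
    """Normalise a JSON number to two decimals without float artefacts."""
    return Decimal(str(value)).quantize(CENT, rounding=ROUND_HALF_UP)


def check_order(order, catalog, stock_before, stock_after):
    """Return the anomaly labels found for one checkout; an empty list means clean.

    catalog: productId -> catalog price, captured before ordering
    stock_before / stock_after: productId -> units, captured around the order
    """
    findings = []
    net = Decimal("0")
    for line in order["lines"]:
        pid, qty = line["productId"], line["qty"]
        unit = money(line["unitPrice"])
        if unit != money(catalog[pid]):                       # A2: price rounded in the cart
            findings.append(f"A2 unit price {unit} differs from catalog {money(catalog[pid])} (product {pid})")
        if stock_after.get(pid) != stock_before[pid] - qty:   # A3: stock not decremented
            findings.append(f"A3 stock of product {pid} not decremented")
        net += unit * qty
    if money(order["net_amount"]) != money(net):
        findings.append(f"NET net_amount {order['net_amount']} differs from line sum {money(net)}")
    expected_total = money(money(order["net_amount"]) * (1 + VAT_RATE))
    if money(order["totalAmount"]) != expected_total:         # A1: wrong VAT rate
        findings.append(f"A1 total {money(order['totalAmount'])} differs from net x 1.20 = {expected_total}")
    return findings


def diff_product(observed, baseline, fields=("price", "stock", "description")):
    """F4-style check: the API answers 200, so compare the payload with a trusted
    baseline (DB snapshot or golden file) field by field; {} means no divergence."""
    return {f: (baseline.get(f), observed.get(f)) for f in fields if observed.get(f) != baseline.get(f)}


# Constructed sample data for a dry run (not captured from PerfShop).
CATALOG = {1: 99.99}
STOCK_BEFORE = {1: 10}
CHAOS_ORDER = {"lines": [{"productId": 1, "unitPrice": 99.00, "qty": 1}],
               "net_amount": 99.00, "totalAmount": 118.40}   # 99.00 x 1.196, rounded
CLEAN_ORDER = {"lines": [{"productId": 1, "unitPrice": 99.99, "qty": 1}],
               "net_amount": 99.99, "totalAmount": 119.99}
BASELINE_PRODUCT = {"price": 99.99, "stock": 10, "description": "Laptop"}
F4_PRODUCT = {"price": 9.99, "stock": 0, "description": "Laptop"}

if __name__ == "__main__":
    print(check_order(CHAOS_ORDER, CATALOG, STOCK_BEFORE, {1: 10}))   # A2, A3 and A1 findings
    print(check_order(CLEAN_ORDER, CATALOG, STOCK_BEFORE, {1: 9}))    # []
    print(diff_product(F4_PRODUCT, BASELINE_PRODUCT))                 # price and stock differ
```

Run it as a k6 or Selenium post-condition after each checkout: the point is that a green trace and a 200 status say nothing about business correctness, so the test has to carry its own expected values (catalog snapshot, stock snapshot, tax rate) rather than trusting the response.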

🔧 Lab 6: Scripting Chaos — Dynamic HTTP Tokens

Objective

Learn to handle dynamic HTTP tokens in a test script, just as in a real enterprise API.

Prerequisites

  • Be logged in with a test account (user1@perfshop.com / password1)
  • Have JMeter or k6 installed
  • Open the Chaos Admin

Procedure

Step 1 — Junior Level (Level 1)

  1. Chaos Admin → 🔐 Scripting Chaos tab → click 🟢 Junior
  2. In your test tool, create a scenario with these 3 steps:
     • POST /api/auth/login → extract X-Session-Token from the response
     • POST /api/cart/add → inject X-Session-Token + X-Request-ID (generated UUID)
     • POST /api/orders → same headers
  3. Without the headers → the API responds 400 Missing header: X-Session-Token
  4. With the right headers → 200 OK on the cart, 201 Created on the order

Step 2 — Confirmed Level (Level 2)

  1. Chaos Admin → 🟡 Confirmed
  2. Adapt the script: also extract X-Action-Token at login
  3. Observe: after 30s without a call, the X-Action-Token expires → 401 Action token expired
  4. Implement the renewal logic (automatic re-login if > 28s)

Step 3 — Expert Level (Level 3)

  1. Chaos Admin → 🔴 Expert
  2. Extract 5 tokens at login: X-Session-Token, X-Action-Token, X-CSRF-Token, X-Step-Token, X-Signature
  3. After each successful call, update CSRF, Step and Signature from the response
  4. Respect the sequence: cart (step1) before order (step2)
  5. Everything must happen in less than 15 seconds between two calls

Expert error codes to know

Code       | Cause                        | Solution
E-CSRF-01  | CSRF missing or already used | Extract the new CSRF from the previous response
E-STEP-04  | Step out of sequence         | Check the order: cart before order
E-SIG-07   | Invalid signature            | Recompute from the current tokens
E-TKN-99   | Chain expired (15s)          | Re-login to obtain a new chain
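The correlation logic for the three levels above, written out as an added example that is not part of the guide or of PerfShop: MockApi is an assumed stand-in for the API so that the client runs offline, and its rules are only those the guide states (session and request-id headers, 30 s action-token expiry with re-login past 28 s, CSRF/Step/Signature rotated on every successful response, cart before order, 15 s chain expiry, the E-* codes). How the real server validates X-Signature or the action token is not known, so the mock simply issues random values and compares them. The fake clock and the account used are constructed for the example.

```python
"""Token correlation for Lab 6 (added example, not PerfShop code).

MockApi is an assumed stand-in for the PerfShop Expert-level API; Client is the
load-test side: extract tokens at login, re-inject them, rotate them from each
response, and re-login when the chain or the action token expires.
"""
import secrets
import uuid


class FakeClock:
    """Deterministic clock (constructed for the example) so expiry can be exercised."""
    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class MockApi:
    ACTION_TTL = 30.0   # X-Action-Token lifetime (guide: 401 after 30 s)
    CHAIN_TTL = 15.0    # max gap between two calls before E-TKN-99
    STEPS = {"/api/cart/add": (0, 200), "/api/orders": (1, 201)}   # step index, success status

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}   # X-Session-Token -> per-session state

    def _rotate(self, st):
        st.update(csrf=secrets.token_hex(8), step_token=secrets.token_hex(8),
                  signature=secrets.token_hex(16), last=self.clock())
        return {"X-CSRF-Token": st["csrf"], "X-Step-Token": st["step_token"], "X-Signature": st["signature"]}

    def login(self, email, password):
        st = {"step": 0, "action_issued": self.clock()}
        rotated = self._rotate(st)
        session = secrets.token_hex(16)
        self.sessions[session] = st
        return 200, {"X-Session-Token": session, "X-Action-Token": secrets.token_hex(8), **rotated}

    def call(self, path, headers):
        for h in ("X-Session-Token", "X-Request-ID"):
            if h not in headers:
                return 400, {"error": f"Missing header: {h}"}
        st = self.sessions.get(headers["X-Session-Token"])
        now = self.clock()
        if st is None or now - st["action_issued"] > self.ACTION_TTL:
            return 401, {"error": "Action token expired"}
        if now - st["last"] > self.CHAIN_TTL:
            return 401, {"error": "E-TKN-99"}
        if headers.get("X-CSRF-Token") != st["csrf"]:
            return 403, {"error": "E-CSRF-01"}   # missing, or already consumed by a previous call
        if headers.get("X-Signature") != st["signature"]:
            return 403, {"error": "E-SIG-07"}
        step, ok_status = self.STEPS[path]
        if headers.get("X-Step-Token") != st["step_token"] or st["step"] != step:
            return 409, {"error": "E-STEP-04"}
        st["step"] += 1
        return ok_status, self._rotate(st)   # every success hands out the next CSRF/Step/Signature


class Client:
    RENEW_AFTER = 28.0   # re-login before the 30 s action token dies

    def __init__(self, api, clock):
        self.api, self.clock, self.tokens, self.login_at = api, clock, {}, None

    def login(self):
        status, hdrs = self.api.login("user1@perfshop.com", "password1")
        self.tokens, self.login_at = dict(hdrs), self.clock()   # extraction: keep all 5 tokens
        return status

    def request(self, path):
        if self.login_at is None or self.clock() - self.login_at > self.RENEW_AFTER:
            self.login()
        headers = {**self.tokens, "X-Request-ID": str(uuid.uuid4())}   # fresh UUID per request
        status, hdrs = self.api.call(path, headers)
        if status in (200, 201):
            self.tokens.update(hdrs)   # correlation: rotate CSRF/Step/Signature from the response
        return status, hdrs

    def checkout(self):
        """Cart then order; an expired chain or action token restarts the whole sequence."""
        for _ in range(2):
            s_cart, body = self.request("/api/cart/add")
            if s_cart == 200:
                s_order, body = self.request("/api/orders")
                if s_order == 201:
                    return True
            if body.get("error") in ("E-TKN-99", "Action token expired"):
                self.login()
                continue
            raise RuntimeError(body["error"])   # E-CSRF-01 / E-SIG-07 / E-STEP-04 are script bugs
        return False
```

The two things to carry over to JMeter or k6 are the per-response rotation (a token read at login is stale after the first call) and the distinction between recoverable errors (expiry: re-login and restart the sequence) and script bugs (wrong order, reused CSRF), which should fail the iteration loudly rather than be retried.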

Questions

  • What is the difference between correlation and extraction?
  • How do you handle expiration in a load test with 100 concurrent users?
  • Why are Expert level errors intentionally cryptic?

🔐 Lab 7: Security Chaos — OWASP Vulnerabilities

Objective

Identify, exploit, and document classic web security flaws injected into PerfShop, following the OWASP Top 10 methodology.

Prerequisites

  • Have Burp Suite Community or curl installed
  • Open Chaos Admin → 🔒 Security Chaos tab
  • Open the monitoring → 🔐 Security Chaos tab (real-time attack feed)

Pedagogical use only

These techniques must never be used on real systems.

Junior Level — S1, S2, S3

  1. Chaos Admin → 🟢 Junior (level 1)
  2. S1 — SQL Injection: call GET /api/products/search?q=' OR '1'='1 (URL-encode the quotes and spaces when using curl) — observe whether all products are returned
  3. S2 — IDOR: place an order, note the ID, log out, log back in with user2@perfshop.com — access GET /api/orders/<user1_id> — the response comes back 200 where 403 would be expected
  4. S3 — Exposed hash: call GET /api/auth/me after login — observe the password field in the response

Confirmed Level — +S4, S5, S6

  1. Chaos Admin → 🟡 Confirmed (level 2)
  2. S4 — XSS: place an order with the address <script>alert('XSS')</script> — check that the value is stored as-is in the response
  3. S5 — Price: intercept POST /api/orders with Burp Suite, change unitPrice to 0.01 — check the totalAmount in the response
  4. S6 — Timing: measure the response times of POST /api/auth/login for an existing vs non-existing email — the ~300ms gap reveals the account's existence

Expert Level — +S7, S8, S9

  1. Chaos Admin → 🔴 Expert (level 3)
  2. S7 — HMAC token: log in, capture the X-Debug-Token header in the response, Base64url-decode the left part (the payload), change the userId, re-sign with the key secret123
  3. S8 — Path Traversal: call GET /api/orders/1/invoice?format=../../etc/passwd — observe the simulated content returned
  4. S9 — Mass Assignment: send PUT /api/auth/me with {"email": "new@email.com", "password": "hacked"} — check whether the changes are applied

Master Level — Chained scenario S10 → S11 → S12

  1. Chaos Admin → ⭐ Master (level 4)
  2. Discovery: analyze the shop's JS bundle (DevTools → Sources) or fuzz the routes — find /admin
  3. S10: GET /api/admin/portal/stats (no token) — retrieve the adminContact email
  4. S11: POST /api/admin/portal/login with {"email": "admin' OR '1'='1' --", "password": "x"} — retrieve the adminToken
  5. S12: PUT /api/admin/portal/accounts/1/promote with header X-Admin-Token: <token> — observe isSuperAdmin: true
  6. Use the token to access chaos-admin and the monitoring
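Documenting a flaw is only half of a Lab 7 report; the other half is the fix. The following is an added example, not PerfShop code: vulnerable and hardened handlers side by side for S1 (string-built SQL versus a parameterised query), S2 (an ownership check, not just authentication), S5 (the total recomputed from the catalog, ignoring the client's unitPrice) and S9 (an allow-list of updatable fields). The in-memory SQLite table, the ORDERS/USERS dicts and the handler signatures are assumed stand-ins for the real service.

```python
"""Hardened counterparts for Lab 7 flaws S1, S2, S5 and S9 (added example, not PerfShop code).

The data below is constructed; the handler signatures are assumed, not the real API.
"""
import sqlite3
from decimal import Decimal

DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (1, 'Laptop'), (2, 'Mouse'), (3, 'Desk');
""")
CATALOG = {1: Decimal("99.99"), 2: Decimal("25.00"), 3: Decimal("150.00")}
ORDERS = {10: {"ownerId": 1, "totalAmount": Decimal("99.99")}}   # order 10 belongs to user 1
USERS = {1: {"email": "user1@perfshop.com", "passwordHash": "h1", "isAdmin": False}}


class HttpError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def status_of(handler, *args):
    """Status a handler would answer with: 200, or the HttpError it raised."""
    try:
        handler(*args)
        return 200
    except HttpError as err:
        return err.status


# S1: the payload ' OR '1'='1 turns the WHERE clause into a tautology in the
# string-built query; bound as a parameter it is just a product name nobody has.
def search_vulnerable(q):
    rows = DB.execute(f"SELECT name FROM products WHERE name = '{q}'")
    return [name for (name,) in rows]


def search(q):
    rows = DB.execute("SELECT name FROM products WHERE name = ?", (q,))
    return [name for (name,) in rows]


# S2: being logged in is not being the owner.
def get_order_vulnerable(user_id, order_id):
    return ORDERS[order_id]


def get_order(user_id, order_id):
    order = ORDERS.get(order_id)
    if order is None or order["ownerId"] != user_id:
        raise HttpError(403, "forbidden")   # 404 is also acceptable; never return the record
    return order


# S5: unitPrice from the client is untrusted input; price every line from the catalog.
def order_total_vulnerable(items):
    return sum(Decimal(str(i["unitPrice"])) * i["qty"] for i in items)


def order_total(items):
    return sum(CATALOG[i["productId"]] * i["qty"] for i in items)


# S9: bind only an allow-list; a password change belongs to a dedicated endpoint
# that re-checks the current password.
UPDATABLE = {"email"}


def update_me_vulnerable(user_id, body):
    USERS[user_id].update(body)   # "password", "isAdmin", ... all land in the record
    return USERS[user_id]


def update_me(user_id, body):
    rejected = set(body) - UPDATABLE
    if rejected:
        raise HttpError(400, f"not updatable: {sorted(rejected)}")
    USERS[user_id].update(body)
    return USERS[user_id]
```

For S5 note that the fix is not validation of unitPrice (a client can always send a plausible-looking number) but never reading it at all; the same reasoning applies to the S9 allow-list, which rejects rather than silently drops unknown fields so that a tampering attempt shows up in the logs.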

Analysis

  • Which flaw is the easiest to detect with an automated scanner?
  • Which flaw requires manual intervention? Why?
  • In the Master scenario, which flaw is the "pivot" (without which the next ones are impossible)?
  • Which HTTP header reveals the presence of level 3 chaos?

🎓 Lab 8: Complete Scenario (Advanced)

Objective

Diagnose a problem without knowing which anomaly is active

Situation

The instructor has enabled 2-3 anomalies. You must:

  1. Identify the symptoms
  2. Consult the monitoring
  3. Formulate hypotheses
  4. Validate with the metrics
  5. Propose solutions

Methodology

  1. Observe the user symptoms
     • Slow pages?
     • Errors?
     • Timeouts?
  2. Consult the monitoring
     • Which metric is abnormal?
     • Are there any spikes?
  3. Correlate the data
     • High memory + frequent GC = memory leak
     • CPU 100% + blocked threads = CPU intensive
     • Saturated DB connections = pool too small
  4. Check the logs (via SSH)

    docker compose logs perfshop-app | tail -100

  5. Propose a solution
     • Increase the pool?
     • Optimize the code?
     • Add more RAM?
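The correlation rules of step 3 and the log check of step 4, turned into a small triage script as an added example that is not PerfShop tooling: metric snapshots are reduced to explicit, thresholded hypotheses, and the log excerpt is scanned for the markers the earlier labs mention ([BusinessChaos], [FunctionalChaos][F4], OutOfMemoryError, NPE/SOE). The snapshot keys stand for the metrics the guide names (jvm_memory_used_bytes, jvm_gc_pause_seconds_sum, the pool and Tomcat panels); the sample values, the thresholds and the log lines are constructed, and the HikariCP "Connection is not available" wording is assumed to be what PerfShop's pool prints.

```python
"""Lab 8 triage helper (added example, not PerfShop tooling).

Snapshot values, thresholds and log lines are constructed; the Hikari timeout
message is assumed to be the pool's wording.
"""
import re

SNAPSHOTS = [  # constructed, 10 s apart; heap in bytes, cpu as a fraction
    {"t": 0,  "heap_used": 180e6, "heap_max": 512e6, "gc_pause_s": 0.2, "cpu": 0.05,
     "db_active": 1,  "db_max": 10, "busy_threads": 3},
    {"t": 10, "heap_used": 330e6, "heap_max": 512e6, "gc_pause_s": 0.9, "cpu": 0.07,
     "db_active": 10, "db_max": 10, "busy_threads": 40},
    {"t": 20, "heap_used": 470e6, "heap_max": 512e6, "gc_pause_s": 3.1, "cpu": 0.08,
     "db_active": 10, "db_max": 10, "busy_threads": 60},
]

LOG = """\
WARN [BusinessChaos] A1 VAT rate 19.6% applied to order 4711
WARN [FunctionalChaos][F4] corrupted price for product 1
ERROR HikariPool-1 - Connection is not available, request timed out after 30000ms.
ERROR HikariPool-1 - Connection is not available, request timed out after 30000ms.
ERROR java.lang.OutOfMemoryError: Java heap space
"""

PATTERNS = {
    "business chaos (A1-A11)": re.compile(r"\[BusinessChaos\]"),
    "F4 silent corruption": re.compile(r"\[FunctionalChaos\]\[F4\]"),
    "DB pool exhausted": re.compile(r"Connection is not available"),
    "JVM out of memory": re.compile(r"OutOfMemoryError"),
    "F1/F2 exception": re.compile(r"NullPointerException|StackOverflowError"),
}


def scan_logs(text):
    """Count the lines matching each marker; markers with no hit are left out."""
    counts = {name: 0 for name in PATTERNS}
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
    return {name: n for name, n in counts.items() if n}


def correlate(snapshots):
    """Apply the 'high memory + frequent GC', 'CPU 100% + threads piling up'
    and 'saturated pool' rules with explicit thresholds."""
    first, last = snapshots[0], snapshots[-1]
    span = max(last["t"] - first["t"], 1)
    hypotheses = []
    heap_ratio = last["heap_used"] / last["heap_max"]
    rising = all(b["heap_used"] > a["heap_used"] for a, b in zip(snapshots, snapshots[1:]))
    gc_per_s = (last["gc_pause_s"] - first["gc_pause_s"]) / span   # seconds of GC per second
    if rising and heap_ratio > 0.85 and gc_per_s > 0.05:
        hypotheses.append(f"memory leak: heap at {heap_ratio:.0%} of max and still rising, "
                          f"GC {gc_per_s * 1000:.0f} ms per second")
    if last["cpu"] > 0.9 and last["busy_threads"] >= 2 * max(first["busy_threads"], 1):
        hypotheses.append(f"CPU intensive: CPU at {last['cpu']:.0%}, busy threads "
                          f"{first['busy_threads']} -> {last['busy_threads']}")
    if last["db_active"] >= last["db_max"]:
        hypotheses.append(f"DB pool too small: {last['db_active']}/{last['db_max']} connections in use")
    return hypotheses


def triage(snapshots, log_text):
    """One report per diagnosis round: metric hypotheses plus log evidence."""
    return {"hypotheses": correlate(snapshots), "log_evidence": scan_logs(log_text)}


if __name__ == "__main__":
    print(triage(SNAPSHOTS, LOG))
```

In the constructed run the busy-thread climb on its own is not attributed to CPU (the CPU stays at 8%): the threads are waiting on the exhausted pool, which is exactly why the methodology insists on correlating several metrics before naming a cause.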

🛠️ Tools and Resources

URLs (provided by the instructor)

  • Application: frontend
  • Monitoring: real-time dashboard
  • Chaos Admin: anomaly control panel
  • Grafana: metrics dashboards

Test Accounts

  • user1 to user10: userN@perfshop.com / passwordN
  • Perf tests: perf.test1@perfshop.com / TestPerf123!

Useful Commands (SSH)

# View the logs
docker compose logs -f perfshop-app

# Restart the app
docker compose restart perfshop-app

# Reset everything
docker compose down
docker compose up -d

📊 Metrics to Watch

JVM

  • Heap Memory: Used memory / Max
  • GC Pauses: Garbage collector frequency
  • Live Threads: Number of active threads

Tomcat

  • Busy Threads: Threads currently running
  • Request Count: Number of processed requests

Database

  • Active Connections: DB connections in use
  • Idle Connections: Available connections

HTTP

  • Response Time p95: 95% of requests below X ms
  • Error Rate: Percentage of errors

🎯 Diagnostic Tips

  1. Always start with the monitoring
  2. Look for visual anomalies (spikes, saturation)
  3. Correlate several metrics (don't rely on just one)
  4. Reproduce the problem to confirm it
  5. Test the solution before concluding

📝 Expected Deliverables

For each lab, write a report containing:

  1. Description of the observed problem
  2. Metrics collected
  3. Root cause hypothesis
  4. Validation of the hypothesis
  5. Proposed solution
  6. Result after correction

❓ FAQ

Q: The application is unresponsive, what should I do?
A: Ask the instructor to restart it, or via SSH: docker compose restart perfshop-app

Q: How do I reset the anomalies?
A: Chaos Admin → "Reset All to 0%" button

Q: Can I modify the code?
A: Yes (Bac+4/5, i.e. master's level): the code is on GitLab. Clone, modify, rebuild.

Q: JMeter won't connect?
A: Check the API URL provided by the instructor


Happy learning! 🚀