Using ChatGPT to Generate Password‑Recovery Test Cases and Scripts

The article demonstrates how to prompt ChatGPT to produce comprehensive password‑recovery test cases and corresponding automation scripts—both API‑based with Python unittest and GUI‑based with Playwright‑pytest—covering normal flows, error conditions, security checks, and XSS vulnerabilities.

Woodpecker Software Testing

This piece shows how to leverage ChatGPT for creating test cases and automation scripts for a password‑recovery feature.

1. Prompting ChatGPT

A prompt describing the password‑recovery workflow (email/phone input, verification code, new password rules, SHA‑256 hashing) is fed to ChatGPT, which returns a list of test scenarios covering valid and invalid inputs.

Test scenarios generated

TC‑001: Valid registered phone number.

TC‑002: Valid registered email.

TC‑003: Unregistered email.

TC‑004: Unregistered phone.

TC‑005: Incorrect verification code.

TC‑006: New password and confirmation mismatch.

TC‑007: Password does not meet complexity requirements.

TC‑008: Password length outside 5‑30 characters.

TC‑009: Password already used.

TC‑010: Password correctly hashed with SHA‑256.

TC‑011: Empty password fields.

TC‑012: Invalid phone format.

TC‑013: Invalid email format.

2. API‑based test script (Python unittest)

The script uses requests and unittest to call two endpoints:

VERICODE_URL = "http://127.0.0.1:8080/CharGPTEbusiness/jsp/VeriCodePage.jsp"
RECOVER_URL = "http://127.0.0.1:8080/CharGPTEbusiness/jsp/RecoverPage.jsp"

Key functions:

send_verification_code(contact) – posts the contact (email or phone) and expects a success or error message.

reset_password(identifying_code, new_password, confirm_password) – hashes the new password with hashlib.sha256 and posts it together with the verification code.

Test methods (e.g., test_vaild_phone, test_unregistered_email, test_incorrect_verification_code) assert the presence of expected strings such as "验证码已发送", "邮箱未注册", "验证码错误", etc.

3. GUI‑based test script (Playwright + pytest)

Playwright is launched with headless=False for visual debugging. Selectors like #identifyingCode, #newPassword, #confirmPassword are used.

def test_password_mismatch(page):
    page.goto("http://127.0.0.1:8080/CharGPTEbusiness/jsp/RecoverPage.jsp")
    page.fill("#identifyingCode", "123456")
    page.fill("#newPassword", "Abc@123")
    page.fill("#confirmPassword", "Abc@124")
    page.click("button[type='submit']")
    error_message = page.inner_text("#recoverError")
    assert "新密码和确认密码不一致" in error_message

Similar tests cover password complexity, length, invalid phone/email formats, and XSS injection via URL parameters.

4. Security note – XSS in URLs

Both RecoverPage.jsp and VeriCodePage.jsp are shown to be vulnerable to reflected XSS when the error query parameter contains a malicious payload (e.g., ?error=alert('XSS')). The tests verify that the injected script appears in the error element.
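The tests above confirm the flaw; once the pages are fixed, the regression check should assert the opposite, that the error parameter comes back HTML-encoded. The following is an added example, not code from the article: the two renderers are constructed stand-ins for RecoverPage.jsp, and the data-canary attribute and all function names are assumptions.

```python
import html
import uuid
from html.parser import HTMLParser

# Constructed stand-in for the page around #recoverError; the real JSP is not shown.
TEMPLATE = '<html><body><div id="recoverError">{}</div></body></html>'

def render_raw(error):
    """Vulnerable behaviour: the error parameter is echoed unchanged."""
    return TEMPLATE.format(error)

def render_escaped(error):
    """Fixed behaviour: the parameter is HTML-encoded before output."""
    return TEMPLATE.format(html.escape(error))

class CanaryFinder(HTMLParser):
    """Notes whether the canary token arrived as an element or as plain text."""
    def __init__(self, token):
        super().__init__(convert_charrefs=True)
        self.token, self.as_markup, self.as_text = token, False, False

    def handle_starttag(self, tag, attrs):
        if ("data-canary", self.token) in attrs:
            self.as_markup = True

    def handle_data(self, data):
        if self.token in data:
            self.as_text = True

def make_canary():
    """Inert probe: a random token inside a harmless tag (hypothetical attribute name)."""
    token = uuid.uuid4().hex
    return token, f'<i data-canary="{token}">x</i>'

def classify_reflection(body, token):
    """Return 'unescaped', 'escaped' or 'absent' for the token in an HTML body."""
    finder = CanaryFinder(token)
    finder.feed(body)
    finder.close()
    if finder.as_markup:
        return "unescaped"
    return "escaped" if finder.as_text else "absent"

def error_param_is_safe(fetch):
    """fetch(error_value) -> response body. True if the canary never becomes markup."""
    token, probe = make_canary()
    return classify_reflection(fetch(probe), token) != "unescaped"
```

Against the running application, fetch would wrap a call such as requests.get(RECOVER_URL, params={"error": value}).text, and the same check applies to VeriCodePage.jsp.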

5. Regression and summary

All generated API and GUI tests are run together to ensure the password‑recovery module remains robust. The article reports a total of 17 test cases (10 API, 9 GUI, with 2 overlapping) and provides a table image summarising them.

6. Final comment

According to the author, the bottleneck for AI development is knowledge updating; timely AI‑driven test generation could help keep software security and functionality in step with rapid changes.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Woodpecker Software Testing

The Woodpecker Software Testing public account shares software testing knowledge, connects testing enthusiasts, founded by Gu Xiang, website: www.3testing.com. Author of five books, including "Mastering JMeter Through Case Studies".
