The card below is the “product under test”. Use guided mode to see the bug list upfront, or blind mode to find them yourself first.
Techniques: State transition testing, Error guessing
Your findings
Tick each bug as you confirm it on the page above. Progress saves automatically.
Write down every bug you find. Be specific — where it is, what’s wrong, what it should be.
Planted bugs (5)
- The logged-in user is `guest@example.com` — a guest role. The Admin panel link should not be visible to guest users.
- Clicking 'Delete →' navigates directly to the delete URL with no confirmation dialog or warning. Account deletion should require explicit confirmation.
- The last login span renders the text 'undefined' — a JavaScript variable that was never resolved or a template that wasn't filled.
- The sign out link points to `#` — clicking it won't end the session or navigate anywhere.
- The header shows the full email `guest@example.com`. In account UIs, emails are often partially masked (`g***@example.com`) to reduce exposure in public settings.
Auth edge cases: check what each role can see, that destructive actions require confirmation, and that session controls actually work.
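The five planted bugs above can also be expressed as an automated audit over the rendered markup. This is an added example, not code from the exercise page: the sample HTML, the `data-confirm` convention and the finding names are assumptions made for illustration.

```javascript
// Constructed markup standing in for the card under test (not the page's real HTML).
const SAMPLE_CARD = `
<header><span class="user">guest@example.com</span>
  <a href="/admin">Admin panel</a>
  <a href="#">Sign out</a></header>
<p>Last login: <span class="last-login">undefined</span></p>
<a href="/account/delete">Delete →</a>`;

// Return one finding name per rule the markup violates for the given role.
function auditAccountCard(html, role) {
  const findings = [];
  // Collect every anchor as {attrs, text} so rules can inspect href and label.
  const links = [...html.matchAll(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi)]
    .map(m => ({ attrs: m[1], text: m[2].trim() }));
  const href = l => (l.attrs.match(/href="([^"]*)"/i) || [])[1] || "";

  // Role visibility: only admins should be offered an admin link.
  if (role !== "admin" && links.some(l => /admin/i.test(l.text + href(l))))
    findings.push("admin-link-visible-to-non-admin");

  // Assumption: a guarded delete link carries a data-confirm attribute.
  if (links.some(l => /delete/i.test(l.text) && !/data-confirm/i.test(l.attrs)))
    findings.push("delete-without-confirmation");

  // Unresolved variables or template placeholders rendered as literal text.
  if (/>\s*(undefined|null|NaN|\{\{[^}]*\}\})\s*</.test(html))
    findings.push("unresolved-template-value");

  // A sign-out control with an empty or "#" href cannot end the session.
  if (links.some(l => /sign\s*out|log\s*out/i.test(l.text) && /^(#|)$/.test(href(l))))
    findings.push("sign-out-link-inert");

  // Two or more unmasked characters before "@" means the full address is shown.
  if (/>[^<@*\s]{2,}@[^<\s]+</.test(html))
    findings.push("email-not-masked");

  return findings;
}

console.log(auditAccountCard(SAMPLE_CARD, "guest"));
```

A clean result here only covers what the page renders; hiding the admin link does not replace an authorization check on the server.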