Free QA practice sites for automation testing

• ›Form authentication: login with tomsmith / SuperSecretPassword!
• ›Dynamic loading: handle elements that appear only after a delay
• ›File upload: drag-and-drop and classic input[type=file]
• ›JavaScript alerts: accept, dismiss, send keys to a prompt

Every scenario is small, isolated, and has a permalink. Easy to write a focused test against one page and move on.

• ›Login as standard_user / secret_sauce; checkout with a saved item
• ›Login as problem_user; spot the visual and behavioural bugs
• ›Login as performance_glitch_user; assert on perceived load time

Sauce ships intentionally-broken user accounts. Great for learning to write tests that surface bugs rather than just pass-or-fail flows.

• ›Practice Form: fill every field, submit, validate the modal output
• ›Elements > Web Tables: add a row, edit it, delete it, search
• ›Widgets > Date Picker: open the picker and select a future date

Covers the awkward UI patterns (frames, alerts, file pickers) that real apps still have but tutorials skip.

• ›GET /posts/1 and assert on a JSONPath into the body
• ›POST a new post; verify the response echoes your body with a new id
• ›Chain three requests in a Postman collection runner

Zero setup, zero auth, predictable shape. The default first stop for any API testing tutorial.

• ›GET /api/users?delay=3 and assert that your client times out at 2 seconds
• ›Hit /api/users/23 (returns 404) and confirm your code handles it
• ›Paginate through GET /api/users?page=2&per_page=3

The delay query parameter is the easiest way to exercise timeout and retry tests without spinning up your own slow server.

• ›Create an account and verify the confirmation email screen
• ›Filter products by size, colour, and price; assert the result count
• ›Add three items to cart, apply a promo code, validate the totals

Closer to a real production e-commerce app than any single-page demo. Good for full end-to-end suites.

• ›Use document.evaluate or driver.find_elements with every locator strategy
• ›Run the same script across multiple browser engines

Built and maintained by the people who write Selenium. Most stable practice surface in the category.

• ›POST /auth to get a token, then PUT /booking/{id} with it
• ›Find the silent failures: where the API claims success but data is wrong
• ›Write a contract test that fails the day the response shape changes

Built specifically for teaching API testing, including the parts (auth flow, partial updates, error handling) that tutorials skip.

• ›Read the existing Cypress tests and recognise the patterns
• ›Fork and rewrite one user flow in Playwright
• ›Add a regression test for a bug you find while exploring

You learn more from reading professional tests than from writing your own from scratch.

• ›UI: register, browse, filter, add to cart, checkout
• ›API: hit /api/products and validate pagination metadata
• ›Mixed: use the API to seed an order, then verify it shows in the UI

The only practice site we have found that comes with both a polished UI and a documented public API of the same product.

• ›Find the SQL injection in the login form
• ›Trigger broken access control by changing the user id in the URL
• ›Inject script into a product review and steal a session cookie

The reference target for learning security testing. Industry-recognised; finishing the scoreboard is a real CV signal.

• ›Lab: SQL injection vulnerability allowing login bypass
• ›Lab: stored XSS into HTML context with nothing encoded
• ›Lab: blind SSRF with out-of-band detection

Best free security training in the industry. Each lab has a working answer if you get stuck and a write-up explaining why.