
Test Design & Coverage for REST-API

Updated: Jun 14, 2021


Index

  • Introduction To APIs

  • API Testing Approach

  • Useful Checklist To Follow

  • Common Mistakes To Avoid

  • Best Practices

  • Real-World Example

Prerequisites:

Before diving in, we first have to make sure these three things are in our hands:

  • The API’s functional documentation

  • Tool to test an API (Postman/Swagger/Fiddler)

  • Dedicated environment

The API’s functional documentation helps us understand the business logic and the importance of each API. From this document we also learn which technologies the particular SUT (System Under Test) is built on, which tells us what data formats, authentication schemes and error behaviour to expect.


Tools to test an API: one should know the tool and the range of features it offers that make it the right tool for testing the API at hand. Choose the tool wisely based on your comfort (personally I recommend Postman).


Dedicated environment: this matters so that the changes and issues our testing causes (bad data, load, deliberately malicious input) do not affect the QA environment and the teams working on it.


Introduction to APIs


API stands for Application Programming Interface.


An API simply states the set of rules for communication between systems or services: which requests are valid, what they return, and how errors are reported.


API Testing


The purpose of API Testing is to check the functionality, reliability, performance, and security of application programming interfaces.


It mainly concentrates on the business-logic layer. API testing finds vulnerabilities that functional testing at the UI level can miss, because calling the API directly bypasses whatever validation and controls the UI performs on the client side.


Why do APIs have vulnerabilities?

  • Flaws in the business logic

  • No end-to-end validation (checks done in the client are not repeated on the server)

  • Unhandled exceptions

  • Unfiltered user input


API testing approach


An API testing approach is a predefined strategy or method that the QA team follows.


It helps us better understand the functionalities, the testing techniques, the input parameters and the execution of the test cases, and it gives testers better coverage.


The following points help a tester shape the API testing approach:

  • Understanding the business logic and functionality of each and every API

  • Determining the testing techniques

  • Preparing a checklist that covers every testing technique determined

  • Writing the test cases based on the checklist prepared

  • Executing the test cases and comparing the expected and the actual results


Test Design and Coverage

  • What To Test

  • How To Test


What To Test


API testing helps in better understanding the core logic and functionality of an application.


Each test consists of test actions: the individual checks a test needs to perform for each request in an API test flow.





For each API request, the test needs to take the following actions:

  • Verifying the HTTP status code

  • Verifying the request and response payloads

  • Verifying the Content-Type and the request payload size limit

  • Verifying the basic performance of the API (response time)

  • Security checks (injection, data tampering, session management)

  • Validating the mandatory request/response parameters against the UI elements

  • Validating each endpoint with the different HTTP verbs and by manipulating the query/path parameter values

  • Verifying the status codes returned for the CRUD operations (for example 201 on create, 200 on read, 404 for a missing resource)


Endpoints

  • Each endpoint needs to be tested

  • Manipulating the data type of the query/path parameters in the endpoint (a string where an integer is expected, a negative or huge number, an empty value)

  • Verifying which HTTP verbs a specific endpoint accepts, and that the other verbs are refused


How to Test

API testing should cover at least the following testing techniques:


Functional testing: validating the functionality of an API against the business logic.


Validating the request/response with various inputs: how the API behaves, and how efficiently it does so, while validating user input, handling exceptions and limiting the request payload size.


Usability testing: verifying whether an API integrates well with other platforms, and whether error logging is happening or not (for shared APIs).


Security testing: which type of authentication is required, whether sensitive data travels only over HTTPS, and how strong the TLS configuration is. It also includes pentesting and fuzz testing.


Performance testing: API performance has a major impact on application responsiveness, so testers have to make sure that the average response time of an API stays within the agreed limits under various circumstances (load, payload size, network speed).


API design test: as part of the design test we validate whether the APIs have been developed according to REST principles or not.


Checklist


Maintaining a checklist is one of the most important practices: it keeps us on track and helps us derive more test cases for good coverage.


Here is a checklist for some of the most important testing techniques mentioned above.





Functional testing:

  • Testing the API as per the business logic

  • API endpoint validation and Content-Type validation

  • Validating the headers

  • Endpoint validation as per the CRUD operations

  • Verifying the API’s functionality at various network speeds


Validating the headers: HTTP headers play a key role in the API world. Headers tell the application and the server how to interpret the request and the response, and some response headers instruct the client to enforce protections against common attacks.


Headers are broadly classified into two types: request headers and response headers.


As part of header validation, we have to check how an API behaves with and without each header and when the header values are manipulated. When sending a request to test an API, set assertions against the response headers to ensure that the right headers, with the right values, are being returned.


Here is a quick look at some of the security headers that help protect APIs, and the clients consuming them, from common attacks. Most of these are instructions to a browser rendering the response, so for an API that only returns JSON the ones that matter most are Strict-Transport-Security and X-Content-Type-Options: nosniff.

  • X-XSS-Protection (deprecated; most current browsers no longer implement it, so it is not a substitute for a Content-Security-Policy)

  • Clear-Site-Data

  • Upgrade-Insecure-Requests (sent by the browser as a request header; the server-side counterpart is the upgrade-insecure-requests directive of Content-Security-Policy)

  • X-Frame-Options

  • Content-Security-Policy

  • Strict-Transport-Security

  • X-Content-Type-Options
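The assertion against response headers described above, as an added example that is not part of the original post: a small audit function that takes the header mapping returned by any HTTP client and reports which of the headers in the list are missing or weakly configured. The policy it enforces (a minimum HSTS max-age of one year, DENY/SAMEORIGIN for X-Frame-Options, a default-src 'none' CSP for a JSON API) and the two sample header sets are assumptions made for the example, not the post’s own values.

```python
"""Added example: assertions on security response headers, the way a Postman test
or a pytest step would check them. The policy values and the sample header sets
below are assumptions for this example."""

MIN_HSTS_MAX_AGE = 31536000   # one year in seconds; assumed minimum for this policy


def _parse_hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            return int(val) if val.isdigit() else None
    return None


def audit_security_headers(headers):
    """Check a response-header mapping and return a list of findings (empty means pass).
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Strict-Transport-Security: present, with a long max-age and includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = _parse_hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # X-Content-Type-Options: the only meaningful value is nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # X-Frame-Options: DENY or SAMEORIGIN; anything else (or absence) is weak.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Content-Security-Policy: a JSON API has nothing to load, so forbid everything.
    csp = h.get("content-security-policy", "").lower()
    if "default-src 'none'" not in csp:
        findings.append("Content-Security-Policy missing or without default-src 'none'")
    if "frame-ancestors" not in csp:
        findings.append("Content-Security-Policy lacks frame-ancestors")

    # X-XSS-Protection is deprecated: its presence is harmless, but it is not checked
    # because it must not be relied on in place of the CSP above.
    return findings


# Constructed sample responses: a weak header set and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_security_headers(sample) or "OK")
```

Run it against the headers of every endpoint, not just the login page: the checklist item is that the right headers come back on each response, and a weak value (such as the 300-second HSTS max-age in the weak sample) is as much a finding as a missing header.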


Validating the request/response with various inputs:

  • Parameter validation, which includes tampering with the data type, passing an invalid data type, exceeding the character length and passing null values

  • Unhandled exceptions (any input that produces a 5xx response or a stack trace in the body)

  • Comparing the mandatory request/response parameters with the UI
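The per-request test actions from “What To Test” (status code, Content-Type, mandatory fields, response time, verbs, path-parameter tampering) and the parameter-validation matrix from this checklist, as one added example that is not part of the original post. It runs against a constructed in-memory stand-in for the system under test, so it works offline; the /users resource, the 1 KiB body limit and the 200 ms budget are assumptions, and _fake_api() is where a real HTTP client call would go.

```python
"""Added example (not from the original post): per-request test actions plus a
negative-input matrix, run against a constructed in-memory stand-in for the SUT.
The /users resource, 1 KiB body limit and 200 ms budget are assumptions."""
import json
import time

MAX_BODY_BYTES = 1024                                  # assumed payload size limit
USER_SCHEMA = {"id": int, "name": str, "email": str}   # mandatory response fields


def _fake_api(method, path, body=b"", content_type=None):
    """Constructed stand-in for a REST service: returns (status, headers, body).
    It validates verb, path-parameter type, media type, body size and fields."""
    users = {1: {"id": 1, "name": "alice", "email": "alice@example.com"}}

    def reply(status, payload):
        return status, {"Content-Type": "application/json"}, json.dumps(payload).encode()

    parts = path.strip("/").split("/")
    if parts[0] != "users" or len(parts) > 2:
        return reply(404, {"error": "not found"})
    if len(body) > MAX_BODY_BYTES:
        return reply(413, {"error": "payload too large"})
    if len(parts) == 2:                                # /users/{id}: read-only here
        if method != "GET":
            return reply(405, {"error": "method not allowed"})
        if not parts[1].isdigit():
            return reply(400, {"error": "id must be an integer"})
        user = users.get(int(parts[1]))
        return reply(200, user) if user else reply(404, {"error": "no such user"})
    if method == "GET":                                # /users collection
        return reply(200, {"items": list(users.values())})
    if method != "POST":
        return reply(405, {"error": "method not allowed"})
    if content_type != "application/json":
        return reply(415, {"error": "unsupported media type"})
    try:
        new = json.loads(body)
    except ValueError:
        return reply(400, {"error": "malformed JSON"})
    if (not isinstance(new, dict) or not isinstance(new.get("name"), str)
            or not new["name"] or not isinstance(new.get("email"), str)
            or "@" not in new["email"]):
        return reply(400, {"error": "name and a valid email are required"})
    return reply(201, {"id": 2, "name": new["name"], "email": new["email"]})


def check_request(method, path, expect_status, body=b"", content_type=None,
                  schema=None, max_ms=200):
    """Test actions for one request: status, Content-Type, mandatory fields and
    their types, response-time budget. Returns the list of failed checks."""
    start = time.perf_counter()
    status, headers, raw = _fake_api(method, path, body, content_type)
    elapsed_ms = (time.perf_counter() - start) * 1000
    tag = f"{method} {path}"
    failures = []
    if status != expect_status:
        failures.append(f"{tag}: status {status}, expected {expect_status}")
    if not headers.get("Content-Type", "").startswith("application/json"):
        failures.append(f"{tag}: unexpected Content-Type {headers.get('Content-Type')!r}")
    else:
        try:
            payload = json.loads(raw)
        except ValueError:
            payload = {}
            failures.append(f"{tag}: body is not valid JSON")
        for field, typ in (schema or {}).items():
            if not isinstance(payload.get(field), typ):
                failures.append(f"{tag}: field {field!r} missing or not {typ.__name__}")
    if elapsed_ms > max_ms:
        failures.append(f"{tag}: {elapsed_ms:.1f} ms exceeds the {max_ms} ms budget")
    return failures


def request_suite():
    """Happy path plus wrong verb, tampered path-parameter type, missing resource,
    oversize body, wrong media type and malformed JSON."""
    valid = json.dumps({"name": "bob", "email": "bob@example.com"}).encode()
    cases = [  # method, path, expected status, body, Content-Type, response schema
        ("GET", "/users/1", 200, b"", None, USER_SCHEMA),
        ("POST", "/users", 201, valid, "application/json", USER_SCHEMA),
        ("GET", "/users/abc", 400, b"", None, None),          # path-param type tampered
        ("GET", "/users/999", 404, b"", None, None),
        ("DELETE", "/users/1", 405, b"", None, None),         # verb the endpoint refuses
        ("POST", "/users", 413, b"x" * (MAX_BODY_BYTES + 1), "application/json", None),
        ("POST", "/users", 415, valid, "text/plain", None),   # content negotiation
        ("POST", "/users", 400, b"{not json", "application/json", None),
    ]
    failures = []
    for method, path, status, body, ctype, schema in cases:
        failures += check_request(method, path, status, body, ctype, schema)
    return failures


def malformed_input_matrix():
    """Parameter validation: mutate each field of a valid body (null, empty, wrong
    type, oversize) and require a 4xx, never a 2xx (accepted) or 5xx (unhandled)."""
    base = {"name": "bob", "email": "bob@example.com"}
    mutations = [None, "", 123, [], {}, "A" * 5000]
    unexpected = []
    for field in base:
        for bad in mutations:
            body = json.dumps({**base, field: bad}).encode()
            status, _, _ = _fake_api("POST", "/users", body, "application/json")
            if not 400 <= status < 500:
                unexpected.append((field, bad, status))
    return unexpected
```

Both suites return an empty list when the stand-in behaves, which is the shape a real run should have too: every failed check carries the verb and path, so a 5xx from the matrix points straight at the parameter and value that triggered the unhandled exception.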


Security test:


As discussed earlier, securing an API is the most critical and important part.


Of all the components that make up an application, APIs provide the easiest access point for an attacker: they are reachable directly, without any of the controls the UI enforces.



Here is the checklist for API security testing.

  • Maintaining authentication on the app-side APIs (every endpoint that returns or changes user data)

  • TLS: serving the API exclusively over HTTPS. Allowing plain HTTP for “less critical” APIs is not safe, because credentials or tokens travel on every request; the plain-HTTP listener should be disabled or redirect, with Strict-Transport-Security set

  • Filtering the user’s malicious input data: SQL injection, HTML injection

  • Rate limit and request payload size limit, to prevent resource exhaustion and denial of service

  • Authorization-level validations and session-expiry validations

  • Maintaining the user’s level of access (a normal user must not reach admin functions by calling the endpoint directly)

  • Protecting the sensitive API endpoints with an appropriate encryption technique for the data they carry

  • Content negotiation: validating the Content-Type of what is being sent and refusing unexpected media types

  • Verifying whether the IDs in use are auto-incrementing: sequential IDs let an attacker guess other users’ records, so every object access must also check that the caller owns the record

  • Verifying access to the APIs from a blocked (deny-listed) network
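Three of the checklist items above (authorization across users on auto-incrementing IDs, rate limiting, and predictable IDs) as one added example that is not part of the original post. The bearer tokens, the /orders resource, the two users and the five-requests-per-window limit are assumptions of a constructed in-memory stand-in; the probes themselves only need a function that returns a status code, so they can be pointed at a real client.

```python
"""Added example (not from the original post) for the security checklist:
IDOR across users on sequential IDs, rate limiting, and predictable IDs,
against a constructed stand-in. Tokens, /orders and the limit are assumptions."""
import collections

# Constructed data: two users; each owns orders whose IDs are sequential.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {101: "alice", 102: "bob", 103: "alice", 104: "bob"}


class FakeOrdersApi:
    """Stand-in SUT for GET /orders/{id}: bearer-token authentication, optional
    per-owner authorization, optional fixed-window rate limit. Returns status codes."""

    def __init__(self, enforce_ownership=True, rate_limit=5):
        self.enforce_ownership = enforce_ownership
        self.rate_limit = rate_limit          # None models an API with no throttling
        self.calls = collections.Counter()    # requests seen per token in the window

    def get_order(self, token, order_id):
        user = TOKENS.get(token)
        if user is None:
            return 401                        # authentication: unknown token
        self.calls[token] += 1
        if self.rate_limit is not None and self.calls[token] > self.rate_limit:
            return 429
        owner = ORDERS.get(order_id)
        if owner is None:
            return 404
        if self.enforce_ownership and owner != user:
            return 403                        # authorization: caller is not the owner
        return 200


def owned_by(user):
    return sorted(oid for oid, owner in ORDERS.items() if owner == user)


def idor_probe(api, token, id_range):
    """Walk a range of IDs with one user's token and return the IDs that were
    readable. With correct authorization only that user's own IDs come back."""
    return [oid for oid in id_range if api.get_order(token, oid) == 200]


def rate_limit_probe(api, token, order_id, attempts=20):
    """Repeat one request; return the attempt at which 429 first appears, or
    None if the API never throttled within the allowed attempts."""
    for n in range(1, attempts + 1):
        if api.get_order(token, order_id) == 429:
            return n
    return None


def ids_are_sequential(ids):
    """True if the IDs step by a constant amount, so the next one is guessable."""
    ids = sorted(ids)
    return len(ids) > 1 and len({b - a for a, b in zip(ids, ids[1:])}) == 1


def security_findings(api):
    """Run the three checks against one API instance and report the findings."""
    findings = []
    readable = idor_probe(api, "tok-alice", range(100, 110))
    leaked = sorted(set(readable) - set(owned_by("alice")))
    if leaked:
        findings.append(f"IDOR: alice's token reads orders {leaked} owned by another user")
    if ids_are_sequential(list(ORDERS)):
        findings.append("order IDs are sequential: any missing authorization check is enumerable")
    if rate_limit_probe(api, "tok-bob", 102) is None:
        findings.append("no rate limiting observed on GET /orders/{id}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", security_findings(FakeOrdersApi(enforce_ownership=False, rate_limit=None)))
    print("hardened:  ", security_findings(FakeOrdersApi()))
```

The hardened instance still reports one finding, the sequential IDs, which is the honest result: predictable IDs are not a vulnerability on their own, but they turn any single missing ownership check into a full enumeration of the table, which is why the checklist asks for both. Against a live API the IDOR probe should back off when it sees 429 rather than continue, or its own traffic will mask the result.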

API design test:

  • Statelessness: keeping application servers free of per-client state so that they can be scaled easily and painlessly; a request should succeed identically against any instance, with all the context it needs carried in the request itself

  • Versioning: retiring the old endpoints once a new version is live, especially those that point to sensitive data (see the JustDial example below)

  • Pagination: this has two big advantages, it reduces the amount of data retrieved per request and it improves API performance; also check that the page size has an enforced upper bound

  • Error logging: extremely useful to track down issues caused by user input or by a software bug, while the error returned to the client should stay generic and never include stack traces or internals



Performance testing:

  • Average request and response time measured under various circumstances (load, payload size, network speed)

  • Validating at the UI level how quickly the page loads with the data


Common mistakes to avoid:

  • Lack of anticipation of threats and attacks

  • Ignoring intermittent problems

  • Not validating the headers

  • Not verifying authorization at the API level (relying on the UI to hide what the user should not reach)

  • Unsecured communication for internal APIs (using HTTP)

  • Ignoring the old endpoints when an API has changed

  • Not knowing the difference between authorization and authentication

  • Neglecting cookies (their Secure, HttpOnly and SameSite attributes and their expiry)

Best Practices


There is always room for improvement.


Here are some of the best practices we can follow to improve our skills in API testing and get better coverage.

  • Prioritize the APIs so that testers know where to start (authentication and anything that touches user data first)

  • Choose the right tool

  • Treat the API and the test the way a customer would

  • Maintain the checklist before writing the test cases

  • Go through and refer to real-world API issues

  • To ensure good test coverage, create API test cases for all relevant input combinations of the API (boundary values, each invalid type, missing and null parameters); testing every possible combination is rarely feasible


Real-world example:


JustDial 📞


When the company redesigned its apps, the old API was left running, unprotected, and with access to the user database.


— — — — — — — — — — — — — End — — — — — — — — — — — — — — —


I hope this story helps you understand and improve your test coverage for API testing.


Important Note: Please stay at home and maintain good hygiene. Do not step out without a mask and sanitizer and help fight against this pandemic.


Happy Learning!
