top of page

Test Design & Coverage for REST-API

Updated: Jun 14, 2021


Index

  • Introduction To API’s

  • API Testing Approach

  • Useful Checklist To Follow

  • Common Mistakes To Avoid

  • Best Practices

  • Real-Time Example

Prerequisite:

Before diving deeply. First, we have to make sure these three things are there in our hands

  • API’s functionality documentation

  • Tool to test an API (Postman/Swagger/Fiddler)

  • Dedicated environment

API’s functionality documentation helps us to understand the business logic and also the importance of the API. Having this document, we get an idea as to what are the different technologies used for particular SUT(System Under Test).


Tools to test an API One should have knowledge of the tool and what varieties of features it offers that makes it the perfect tool for testing the API. Choose the tool wisely based on your comfort (Personally I recommend Postman).


Dedicated Environment This is important as the changes/issues don’t affect the QA environment and the teams working on it.


Introduction to API’s


An API stands for Application Programming Interface.


An API will simply state the set of rules for the communication to happen between the systems/services.


API Testing


The purpose of API Testing is to check the functionality, reliability, performance, and security of application programming interfaces.


It mainly concentrates on the business logic layer. API testing helps us to find more vulnerabilities that can be missed in the functional testing (UI level).


Why do we have vulnerabilities in API?

  • Flaws in the Business logic

  • No A to Z validation

  • Unhandled Exceptions

  • Not filtering the user input


API testing approach


API Testing Approach is a predefined strategy or a method that the QA team will perform.


This helps to better understand the functionalities, testing techniques, input parameters, and the execution of test cases and also will help testers for better coverage.


The following points will help tester for API testing approach

  • Understanding the business logic and functionalities of each and every API

  • Determining the testing techniques

  • Preparing the checklist to cover every test technique which was determined

  • Writing the test cases based on the checklist prepared

  • Executing the test cases and compare the expected and the actual result


Test Design and Coverage

  • What To Test

  • How To Test


What To Test


API testing helps in better understanding the core logic of an application and functionalities.


Each test consists of test actions. These are the individual actions a test needs to take per API test flow.





For each API request, the test would need to take the following actions

  • Verifying the Http status code

  • Verifying the Request and Response payload

  • Verifying the content-type and request payload size limit

  • Verifying the basic performance of an API

  • Security checks (Includes Injections, data tampering, Session Management)

  • Validating the Request/Response payload mandatory params with UI elements

  • Validating the API endpoints for different Http verbs and manipulating the query/path parameter values.

  • Verifying the status codes for the CRUD operations


Endpoints

  • Each endpoint need to be tested

  • Manipulation the Query/Path parameters data type in the endpoint

  • Verifying the Http verbs a specific endpoint works on


How to Test

API testing should cover at least the following testing techniques:


Functional testing: This testing involved validating the functionality of an API according to the business logic


Validating the Request/Response with various inputs: This includes productivity, Behavior, the efficiency of an API while validating the user inputs and handling the exceptions and limiting the request payload size


Usability testing: Verifying whether an API affiliate well with another platform as well and check whether the error logging is happening or not. (For shared APIs)


Security testing: This testing includes what type of authentication is required and whether sensitive data is encrypted over HTTP(s). What level of encryption is done can also be a part of this and also includes Pentesting, Fuzz testing.


Performance testing: API performance will have a major impact on the app responsiveness. So testers have to make sure that the average response time for an API should be within the limits under various circumstances.


API design test: As a part of the design test we should validate whether the APIs have been developed with the REST principles or not.


CheckList


Maintaining a checklist is one of the most important practices as it helps us to be on track and also to determine the more test cases for good coverage.


Here is the checklist for some of the most important testing techniques mentioned above.





Functional testing:

  • Testing the API as per the business logic

  • API endpoint validation and content-type validation

  • Validating the headers

  • Endpoint validations as per the CRUD operations

  • Verifying the API’s functionality at various network speeds.


Validating the Headers: HTTP headers play a key role in the API world. Headers guide the application & server to understand the request and response and also headers help to prevent hacking.


Headers are mostly classified into two types — Response and Request headers.


As a part of header validation, we have to make sure how an API behaves with/without headers and by manipulating the values of the headers. when sending the request for testing an API, will have to set the assertion against the response headers to ensure that the right headers are being returned.


Here is the sneak-peak of some of the secure headers which help to prevent the APIs from the major cyber attacks.

  • X-XSS-Protection

  • Clear-Site-Date

  • Upgrade-Insecure-Requests

  • X-Frame-Options

  • Content-Security-Policy

  • HTTP-Strict-Transport-Security

  • X-Content-Type-Options


Validating the Request/Response with various inputs:

  • Parameter validations — which includes tampering the data type, passing the invalid data type, character length, passing null values.

  • Unhandled exceptions

  • Comparing the request/response mandatory parameters with UI


Security Test:


As discussed earlier securing an API is the most critical and important one.


Of all the components that consist of an application,(APIs) provide the easiest access point for a hacker.



Here is the checklist for the API security testing.

  • Maintaining authentication for most of the app side APIs

  • SSL — Recommending an HTTP & HTTP(s) or Exclusively HTTP(s) based on the API criticality

  • Filtering the user's malicious input data — SQL injection, HTML injection

  • Rate limit and Request payload size limit — prevent throttling/DOS

  • Authorization level validations and session expiry validations

  • Maintaining the User level of access

  • Protecting the sensitive API endpoints with some encryption technique

  • Content Negotiation — Validating the type of content being sent

  • Verifying if any auto-incrementing is happening for Id’s being used

  • Verify by accessing the API’s from the blacklisted network

API design test:

  • Statelessness - Keeping application servers state-free so that they can be easily and painlessly scaled.

  • Versioning - Removing the old endpoints which are pointed to sensitive data

  • Pagination - This has two big advantages, It reduces the amount of data to be retrieved by maintaining the pagination and also helps in improving the API performance.

  • Error logging - Extremely useful to track down the issues happening based on the user input or due to software bug.



Performance Testing:

  • Average request and response time took at various circumstances

  • Validating from UI level how quickly the page loads with the data


Common Mistakes to Avoid:

  • Lack of anticipation about threats and attacks

  • Ignoring intermittent problems

  • Missing validating the headers

  • No cross verifying the Authorization at the API level

  • Unsecured communication for Internal APIs (Using HTTP)

  • Ignoring the old endpoints when any API changes have happened

  • Not knowing the difference between Authorization and Authentication

  • Neglecting the Cookies

Best Practices


There is always room for improvement.


Here are some of the best practices that we can follow to improve our skills in API testing for better coverage.

  • Prioritize APIs so that it will be easy for testers to test

  • Choose the right tool

  • Treat the API and test like how a customer would

  • Maintaining the checklist before writing the test cases

  • Go through/Refer to the real-world API issues.

  • To ensure complete test coverage, create API test cases for all possible input combinations of the API


Real-world Examples:


JustDial 📞


The company redesigned its apps, the old API was left running, unprotected, and with access to the user database.


— — — — — — — — — — — — — End — — — — — — — — — — — — — — —


I hope this story helps you to understand and improve the test coverage for API testing.


Important Note: Please stay at home and maintain good hygiene. Do not step out without a mask and sanitizer and help fight against this pandemic.


Happy Learning!

243 views4 comments

Recent Posts

See All
bottom of page