REST API testing

Designing Tests and Coverage for APIs (Application Programming Interfaces) to Ensure Business Applications Interact Flawlessly

  • API Testing, Automation, Quality
  • Qapitol QA

Application Programming Interfaces (APIs) enable business applications to interact with each other. Whatever platform or technology the applications are built on, APIs facilitate the exchange of data between them. APIs play a leading role in accelerating application integrations and digital transformations. While the development of APIs is business-critical, testing the APIs on time is equally important to sustain product release velocity.

In this article, Sai Dinesh, Software Test Engineer, Qapitol QA introduces the concepts of API testing, provides an insight into the approaches, identifies some best practices and concludes with an example of the risks involved in not performing API testing efficiently.

Learning about APIs

  • Introduction to APIs
  • API testing approach
  • Useful checklist to follow
  • Common mistakes to avoid
  • Best practices
  • Real-time example

Prerequisites for working with APIs

Before diving deep, we have to make sure that we are prepared with the following three things:

  • Functional documentation of the APIs
  • Tool to test the API (Postman/Swagger/Fiddler)
  • Dedicated testing environment

Functional documentation of the API

The API documentation helps us understand the business logic of the API and why it matters. It also gives an idea of the different technologies used in the particular SUT (System Under Test).

Tools to test the API

One should know the tool and the features it offers that make it the right tool for testing the API. Choose the tool wisely based on your analysis. (Personally, I recommend Postman.)

Dedicated testing environment

It is safe to have a separate test environment so the changes/issues don’t affect the QA environment and the teams working on it.

Introduction to APIs

API stands for Application Programming Interface. An API simply states the set of rules for communication between systems/services.

API Testing

The purpose of API testing is to check the functionality, reliability, performance, and security of application programming interfaces. It mainly concerns the business logic layer. API testing helps find vulnerabilities that may be missed in functional (UI-level) testing.

Why do we have vulnerabilities in an API?

  • Flaws in the business logic
  • No end-to-end validation
  • Unhandled exceptions
  • Not filtering the user input

API testing approach

An API testing approach is a predefined strategy or method that the QA team follows. It helps to better understand the functionalities, testing techniques, input parameters, and the execution of test cases, and it gives testers better coverage.

The following points will help the tester to design the API testing approach:

  • Understanding the business logic and functionalities of every API
  • Determining the testing techniques
  • Preparing the checklist to cover every test technique that was determined
  • Writing the test cases based on the checklist prepared
  • Executing the test cases and comparing the expected and the actual result

Test design and coverage

  • What to test
  • How to test

What to test

API testing helps in better understanding of the core logic of an application and its functionalities. Each test consists of test actions. These are the individual actions a test needs to follow as per the API test flow.

For each API request, the test would need to perform the following actions:

  • Verifying the HTTP status code
  • Verifying the request and response payload
  • Verifying the content-type and the request payload size limit
  • Verifying the basic performance of the API
  • Security checks (injections, data tampering, session management)
  • Validating the mandatory request/response payload parameters against the UI elements
  • Validating the API endpoints with different HTTP verbs and with manipulated query/path parameter values
  • Verifying the status codes for the CRUD operations

Endpoints

  • Each endpoint needs to be tested
  • Manipulating the Query/Path parameters data type in the endpoint
  • Verifying which HTTP verbs a specific endpoint works with

How to test

API testing should cover at least the following testing techniques:

Functional testing: This testing involves validating the functionality of an API according to the business logic.

Validating the request/response with various inputs: this covers the behaviour and efficiency of the API when user inputs are validated, exceptions are handled, and the request payload size is limited.

Usability testing: verifying whether the API also works well with other platforms, and checking whether error logging is happening (for shared APIs).

Security testing: this covers which type of authentication is required and whether sensitive data is encrypted in transit over HTTPS. Understanding what level of encryption is used may also be part of this, and it includes pentesting and fuzz testing.

Performance testing: API performance has a major impact on application responsiveness, so testers must make sure that the average response time of an API stays within the designed limits under various conditions.

API design test: As a part of the design test, one should validate whether the APIs have been developed with the REST principles or not.

Checklist for API testing

Maintaining a checklist is one of the most important practices as it helps to be on track and also to determine additional test cases for good coverage. Here is a checklist for some of the most important testing techniques mentioned above.

Functional testing

  • Testing the API as per the business logic
  • API endpoint validation and content-type validation
  • Validating the headers
  • Endpoint validations as per the CRUD operations
  • Verifying the API’s functionality at various network speeds.

Validating the headers

HTTP headers play a key role in the API world. Headers guide the application and the server in understanding the request and response. Security headers also help to prevent common attacks.

Headers are mostly classified into two types — Response and Request headers.

As part of header validation, we have to analyze how an API behaves with and without headers, and when the header values are manipulated. When sending the request for testing an API, set assertions against the response headers to ensure that the right headers are being returned.

Here is a sneak peek at some of the security headers that help protect APIs from major cyber-attacks.

  • X-XSS-Protection
  • Clear-Site-Data
  • Upgrade-Insecure-Requests
  • X-Frame-Options
  • Content-Security-Policy
  • Strict-Transport-Security (HTTP Strict Transport Security, HSTS)
  • X-Content-Type-Options
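As an added example (not code from the article or from Qapitol QA), here is a Python check that asserts the security headers listed above on a response: header names are matched case-insensitively as HTTP requires, the CSP frame-ancestors directive is accepted in place of X-Frame-Options, and the one-year HSTS threshold plus the over_tls and is_logout flags are this example's own assumptions.

```python
import re

MIN_HSTS_AGE = 31536000  # one year in seconds; assumed minimum for this check


def audit_security_headers(headers, over_tls=True, is_logout=False):
    """Return a list of findings for a response's security headers.

    headers   - mapping of response header names to values (any case)
    over_tls  - the response was served over HTTPS, so HSTS applies
    is_logout - the response ends a session, so Clear-Site-Data is expected
    An empty list means every check passed.
    """
    # HTTP header names are case-insensitive, so normalise before comparing
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy is missing")

    # Clickjacking: X-Frame-Options or the newer CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")

    if over_tls:
        hsts = h.get("strict-transport-security", "")
        match = re.search(r"max-age=(\d+)", hsts)
        if not match:
            findings.append("Strict-Transport-Security is missing or has no max-age")
        elif int(match.group(1)) < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security max-age={match.group(1)} is below one year")

    if is_logout and "clear-site-data" not in h:
        findings.append("Clear-Site-Data is missing on a logout response")

    # X-XSS-Protection is a legacy filter header; current guidance is to send
    # "0" (or omit it) and rely on CSP, because the filter itself was abused.
    if h.get("x-xss-protection", "0") != "0":
        findings.append("X-XSS-Protection should be '0'; rely on CSP instead")

    # Upgrade-Insecure-Requests from the list above is sent by the client in
    # the request, so it is not part of this response audit.
    return findings
```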

Validating the Request/Response with various inputs

  • Parameter validations — which include tampering with the data type, passing an invalid data type, exceeding the character length, and passing null values.
  • Unhandled exceptions
  • Comparing the Request/Response mandatory parameters with UI
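Covering the per-request checks listed earlier (status codes and payload validation) and the parameter checklist just above, here is an added Python example, not code from the article or from Qapitol QA: it generates null, wrong-type, over-length and missing variants for each parameter of a hypothetical POST /users endpoint, plus a malformed body, and reports every variant whose status code differs from the expected one. The endpoint spec, the in-process `handler` standing in for the live service, and the expected status codes are constructed assumptions; replace `handler` with a function that issues the real request.

```python
import json

# Hypothetical parameter spec for POST /users (constructed for this example)
SPEC = {"name": {"type": str, "required": True, "max_len": 64},
        "age": {"type": int, "required": False, "max_len": None}}
VALID = {"name": "alice", "age": 30}


def input_variants(spec, valid):
    """Yield (label, body, expected_status): the valid case, then null,
    wrong-type, over-length and missing variants per field, and a
    malformed JSON body that must be rejected rather than crash."""
    yield "valid", dict(valid), 201
    for field, rule in spec.items():
        yield f"{field}=null", dict(valid, **{field: None}), 400
        wrong = [] if rule["type"] is int else 12345
        yield f"{field} wrong type", dict(valid, **{field: wrong}), 400
        if rule["max_len"]:
            over = "x" * (rule["max_len"] + 1)
            yield f"{field} too long", dict(valid, **{field: over}), 400
        if rule["required"]:
            missing = {k: v for k, v in valid.items() if k != field}
            yield f"{field} missing", missing, 400
    yield "malformed json", '{"name": "alice",', 400


def handler(raw_body):
    """Constructed stand-in for the service under test: it checks presence
    and type but forgets max_len, and a JSON parse error escapes as a 500."""
    try:
        data = json.loads(raw_body)
        for field, rule in SPEC.items():
            if field not in data:
                if rule["required"]:
                    return 400
                continue
            value = data[field]
            if isinstance(value, bool) or not isinstance(value, rule["type"]):
                return 400
        return 201
    except Exception:
        return 500  # unhandled exception surfaces as a server error


def run(spec, valid, send):
    """Return (label, expected, actual) for every variant whose status differs."""
    failures = []
    for label, body, expected in input_variants(spec, valid):
        actual = send(body if isinstance(body, str) else json.dumps(body))
        if actual != expected:
            failures.append((label, expected, actual))
    return failures
```

Running `run(SPEC, VALID, handler)` reports the over-length name accepted with 201 and the malformed body answered with 500, which are exactly the missing length check and the unhandled exception the checklist asks you to look for.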

Security test

As discussed earlier, securing an API is the most critical and important aspect of testing.

Of all the components that make up an application, APIs provide the easiest access point for a hacker.

Here is the checklist for the API security testing:

  • Requiring authentication for most of the app-side APIs
  • SSL/TLS: recommending both HTTP and HTTPS, or exclusively HTTPS, based on the API's criticality
  • Filtering a user's malicious input data (SQL injection, HTML injection)
  • Rate limiting and a request payload size limit, to prevent resource exhaustion/DoS
  • Authorization-level validations and session expiry validations
  • Maintaining user-level access
  • Protecting the sensitive API endpoints with encryption techniques
  • Content negotiation: validating the type of content being sent
  • Verifying whether the IDs in use are auto-incrementing (and therefore predictable)
  • Verifying that the APIs cannot be accessed from a blacklisted network

API design test

  • Statelessness – keeping application servers state-free so that they can be scaled easily and painlessly.
  • Versioning – retiring old endpoints that still point to sensitive data.
  • Pagination – this has two big advantages: it reduces the amount of data retrieved per request and it improves API performance.
  • Error logging – extremely useful for tracking down issues caused by user input or by a software defect.

Performance testing

  • Average request and response time under various conditions
  • Validating from the UI level how quickly the page loads with the data

Common mistakes to avoid when testing APIs

  • Lack of anticipation about threats and attacks
  • Ignoring intermittent problems
  • Missing header validation
  • Not cross-verifying the authorization aspects at the API level
  • Unsecured communication for internal APIs (Using HTTP)
  • Ignoring the old endpoints when any API changes happen
  • Not knowing the difference between Authorization and Authentication
  • Neglecting the Cookies

Best practices for API testing

There is always room for improvement.

Here are some of the best practices that we can follow to improve our skills in API testing for better coverage.

  • Prioritize APIs so that it is easy for testers to test them
  • Choose the right tool
  • Test the API the way a customer would
  • Maintain the checklist before writing the test cases
  • Refer to real-world API issues
  • To ensure complete test coverage, create API test cases for all possible input combinations of the API

Real-life example

A very popular company that provides local search for different services over the phone and online redesigned its apps but left the outdated APIs running, unprotected, with access to the user databases. When this was exposed, the company suffered a loss of reputation and a dent in its business.

Write to [email protected] for API testing services and automation strategies.

Author: Qapitol QA