Monday, November 5, 2018

API Testing

  • Thin request wrapper that enables powerful and intuitive API testing.

Works great with any test runner
https://www.npmjs.com/package/hippie


  • API Monitoring
Test for performance as well as behavior—verify that the API is both responding and working as expected.

Design & MockSupport split-stack development with Postman’s mock service, enabling frontend and backend developers to work in parallel

Test Automation

Use Newman to integrate Postman Collections into an existing CI/CD process.
https://www.getpostman.com/tools#test-automation

  • SoapUI is the world's leading Functional Testing tool for SOAP and REST testing. With its easy-to-use graphical interface, and enterprise-class features, SoapUI allows you to easily and rapidly create and execute automated functional, regression, and load tests. In a single test environment, SoapUI provides complete test coverage - from SOAP and REST-based Web services, to JMS enterprise messaging layers, databases, Rich Internet Applications, and much more. And that's just the beginning.
https://www.soapui.org/open-source.html


  • When should we use PUT and when should we use POST?

It's quite possible, valid and even preferred in some occasions, to use PUT to create resources, or use POST to update resources.
Use PUT when you can update a resource completely through a specific resource. For instance, if you know that an article resides at http://example.org/article/1234, you can PUT a new resource representation of this article directly through a PUT on this URL.

If you do not know the actual resource location, for instance, when you add a new article, but do not have any idea where to store it, you can POST it to an URL, and let the server decide the actual URL.
as soon as you know the new resource location, you can use PUT again to do updates to the blue stapler article. But as said before: you CAN add new resources through PUT as well
Caveats
PUT and POST are both unsafe methods. However, PUT is idempotent, while POST is not.
http://restcookbook.com/HTTP%20Methods/put-vs-post/



  • REST – PUT vs POST

If the Request-URI refers to an already existing resource – an update operation will happen, otherwise create operation should happen if Request-URI is a valid resource URI (assuming client is allowed to determine resource identifier).

PUT method is idempotent. So if you send retry a request multiple times, that should be equivalent to single request modification.
POST is NOT idempotent. So if you retry the request N times, you will end up having N resources with N different URIs created on server.

Use PUT when you want to modify a singular resource which is already a part of resources collection. PUT replaces the resource in its entirety. Use PATCH if request updates part of the resource.
Use POST when you want to add a child resource under resources collection.

PUT is idempotent, so you can cache the response.
Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields. However, the 303 (See Other) response can be used to direct the user agent to retrieve a cacheable resource.

Generally, in practice, always use PUT for UPDATE operations.
Always use POST for CREATE operations.

PUT vs POST : An Example
GET /device-management/devices : Get all devices
POST /device-management/devices : Create a new device

GET /device-management/devices/{id} : Get the device information identified by "id"
PUT /device-management/devices/{id} : Update the device information identified by "id"
DELETE /device-management/devices/{id} : Delete device by "id"
https://restfulapi.net/rest-put-vs-post/


  • two popular programming languages that might not immediately spring to mind when you thinking of designing an API. We’ll be doing a side-by-side comparison of Haskell vs. Rust, to determine which language is best for API design.


Rust defaults to writing “safe code,” by allocating memory to objects and not unallocating it until the process has been completed.This eliminates dangling pointers’ which pose a security risk and make the code much less efficient.

https://nordicapis.com/rust-vs-haskell-which-language-is-best-for-api-design


  • IBM API Connect test and monitor

The no-code alternative to writing Postman API tests

Automate and schedule tests
Generate tests automatically and schedule them to run as often you choose. Easily integrate into your CI/CD pipeline to execute tests as part of your deployment.

Gain insights from API quality
Data on API quality can be used as an indicator of API consumption. Analyze the uptime, performance and failures of the API to gain actionable insights and diagnose errors.

https://www.ibm.com/cloud/api-connect/api-test

  • What are the most commonly used HTTP methods supported by REST?


    GET is only used to request data from a specified resource. Get requests can be cached and bookmarked. It remains in the browser history and haS length restrictions. GET requests should never be used when dealing with sensitive data.
    POST is used to send data to a server to create/update a resource. POST requests are never cached and bookmarked and do not remain in the browser history.
    PUT replaces all current representations of the target resource with the request payload.
    DELETE removes the specified resource.
    OPTIONS is used to describe the communication options for the target resource.
    HEAD asks for a response identical to that of a GET request, but without the response body

11. Is there any difference between PUT and POST operations?

PUT and POST operation are quite similar, except the terms of the result generated by them. PUT operation is idempotent, so you can cache the response while the responses to POST operation are not cacheable, and if you retry the request N times, you will end up having N resources with N different URIs created on server.

In a Web API Testing interview, you should give a specific example for PUT and POST operations to make crystal clear to the interviewer. Below is an example:

Scenario: Let’s say we are designing a network application. Let’s list down few URIs and their purpose to get to know when to use POST and when to use PUT operations.

GET /device-management/devices : Get all devices
POST /device-management/devices : Create a new device
GET /device-management/devices/{id} : Get the device information identified by “id”
PUT /device-management/devices/{id} : Update the device information identified by “id”
DELETE /device-management/devices/{id} : Delete device by “id”
https://www.toolsqa.com/blogs/rest-api-interview-questions-answers/

  • 34. What are the core components of an HTTP request?


An HTTP request contains five key elements:

    An action showing HTTP methods like GET, PUT, POST, DELETE.
    Uniform Resource Identifier (URI), which is the identifier for the resource on the server.
    HTTP Version, which indicates HTTP version, for example-HTTP v1.1.
    Request Header, which carries metadata (as key-value pairs) for the HTTP Request message. Metadata could be a client (or browser) type, format supported by the client, format of a message body format, cache settings, and so on.
    Request Body, which indicates the message content or resource representation.

35. What are the most commonly used HTTP methods supported by REST?

    GET is only used to request data from a specified resource. Get requests can be cached and bookmarked. It remains in the browser history and haS length restrictions. GET requests should never be used when dealing with sensitive data.
    POST is used to send data to a server to create/update a resource. POST requests are never cached and bookmarked and do not remain in the browser history.
    PUT replaces all current representations of the target resource with the request payload.
    DELETE removes the specified resource.
    OPTIONS is used to describe the communication options for the target resource.
    HEAD asks for a response identical to that of a GET request, but without the response body.

36. Can GET request to be used instead of PUT to create a resource?
The PUT or POST method should be used to create a resource. GET is only used to request data from a specified resource.

https://www.katalon.com/resources-center/blog/web-api-testing-interview-questions/

What is API Security?
By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible

How API Based Apps are Different?
    The server is used more as a proxy for data
    The rendering component is the client, not the server
    Clients consume raw data
    APIs expose the underlying implementation of the app
    The user’s state is usually maintained and monitored by the client
    More parameters are sent in each HTTP request (object IDs, filters)

How is API security different from general application security?
Traditional vulnerabilities are less common in API-Based apps
    SQLi – Increasing use of ORMs
    CSRF – Authorization headers instead of cookies
    Path Manipulations – Cloud-Based storage
    Classic IT Security Issues - SaaS


Why is API security important?
API security is important because businesses use APIs to connect services and to transfer data, and so a hacked API can lead to a data breach

What is the OWASP API Security Top 10?
    API1 - Broken Object Level Authorization
    API2- Broken User Authentication
    API3 - Excessive Data Exposure
    API4 - Lack of Resources & Rate Limiting
    API5 - Broken Function Level Authorization
    API6 - Mass AssignmentAPI7 Security Misconfiguration
    API8 - Injection
    API9 - Improper Assets Management
    API10 - Insufficient Logging & Monitoring

https://www.microfocus.com/en-us/what-is/api-security

OWASP API Security Project
APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications.
https://owasp.org/www-project-api-security/

1 comment: