Agile Testing Days 2018 USA - API Testing Fundamentals
0 likes359 views
The document provides instructions for an API testing workshop, including opening a Trello board and downloading Postman. It discusses exploring APIs through testing variables, statuses, content types, and functionality by joining requests. Performance and security testing are also covered, such as checking authentication, authorization, and injection points. The workshop emphasizes making API testing fun and integrating it into development pipelines using tools like Newman and Runscope.
Agile Testing Days 2018 USA - API Testing Fundamentals
- 1. •Open the Trello board at https://goo.gl/U8hdro •Download the Postman desktop app from https://www.getpostman.com/ and follow the installation instructions. No dogs were actually washed in the production of these slides. Get a headstart on API Testing FUNdamentals!
- 2. Show of feet (stand up) - who is willing to share their screen (with Postman) with someone? Hands-on for everyone is preferred. Let's self-organize - Screen folk, keep standing. Screenless folk, re-locate to be near a screen. Not enough screens? Follow along with Dan. Move up front and grab a seat near Dan. Screen logistics
- 3. API Testing FUNdamentals JoEllen Carter / Dan Gilkerson
- 4. What’s so fun about testing an Application Programming Interface?
- 7. Do restful APIs take naps?
- 9. When does the fun start?
- 12. Let’s recap….
- 13. Exploratory Testing • Identify the variable bits - things that can/will/might change • Apply Heuristics to the variables • Zero, One, Many • Some, None, All • Beginning, Middle, End • Too Many, Too Few • Relative Position, i.e. content
- 14. Functional, Contract, & Integration • Basic • Correct status codes are generated for invalid inputs • Request/response bodies contain the correct content type and schema • Backwards-compatibility for public APIs • Advanced • Join API requests together to mirror application functionality
- 15. Performance & Security • Performance • Response times under different conditions • Basic Security • Authentication tokens are valid/present • Authorization - account boundaries are not violated • SSL is enforced/warned when not present • Advanced Security • Injection points – headers, parameters, body • Recording tools – what is exposed/available • Rest Security Cheat Sheet; OWASP top 10 security vulnerabilities
- 16. To Infinity and Beyond! • API tests are part of your CI/CD pipeline • Newman - command line runner for Postman collections • Runscope - great for testing incoming requests, a la webhooks • Augment unit tests by crossing component boundaries • Tests are accessible to developers to run locally • Tests are purpose-specific - don’t test everything at one time
- 17. How much fun did we have?
- 18. Links ProgrammableWeb API Security Testing OWASP Top 10 Project List of HTTP Header fields Varonis - Introduction to Oauth Oauth.net Understanding rest and rpc http://kanyerest.xyz/
- 19. Thank you! JoEllen Carter @testacious Dan Gilkerson @dangilkerson