Welcome!
• We’ll use postman for some of our examples. If you would like to follow along,
download postman now. www.getpostman.com.
• Feel free to pair with someone!
• We’ll provide collections at the end of our talk.
• Follow @apidemo_carter onTwitter!

JoEllen Carter / Lisa Crispin

Overview
• What is an API?
• History of API growth
• Current API landscape
• HowAPIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories

What is an
Application
Programming
Interface?

!!!

Interfaces
• Touch
• Voice
• Sight

API
Your
application The world !!!

2000 2002 2004 2006 2008

Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless
operations
• People can “just know things” about an API
that’s RESTful

How does an
Application Programming
Interface
Work?

RPC SOAP HTTP HTTPS CoAP …

HTTPRequest
URL
Method
Headers
Body

URL
https://api.twitter.com/1.1/statuses/update.json?status=testing
{base url} / {version} / {endpoint} ? {query parameters}

GET
• Get some data about an object or
‘resource’
POST • Create a new resource
PUT • Update a resource
DELETE • Delete a resource
Methods

Headers
• Headers are key/value combinations that specify
additional information about the request
• Some common request headers are:
• Content-type
• Authentication
• Accept
• Origin

Body
• Data to send with the
request – usually for a
POST or PUT
• Data format – xml,
json, etc. - is specified
by the content-type
header
{
"location": {
"lat": -33.8669710,
"lng": 151.1958750
},
"accuracy": 50,
"name": "Google Shoes!",
"phone_number": "(02) 9374
4000",
"address": "48 Pirrama Road,
Pyrmont, NSW 2009, Australia",
"types": ["shoe_store"],
"website":
"http://www.google.com.au/",
"language": "en-AU"
}

What about cookies?
• Restful API requests should be self-reliant
• Cookies are session-dependent, so not
independent
• Using cookies to store data means your
API is not Restful

Authentication
• Insecure - Authorization token in url
• https://api.darksky.net/forecast/{{token}}
/39.9026420,-105.0905190
• https://maps.googleapis.com/maps/api/p
lace/nearbysearch/json?key={{googlema
psKey}}
• Basic
• Username:password are concatenated
and encoded
• Sent in Authorization header

Authentication - Oauth
• Oauth1/2 - https://oauth.net/
Service Provider

Authentication - JWT
JSON WebToken https://jwt.io/ - an open standard (RFC 7519)
that defines a compact and self-contained way for securely
transmitting information between parties as a JSON object
• Header – type of token (JWT) and hashing (signing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature = signature from header-specified algorithm using
encoded Header + encoded payload + secret

Let’s try a GET now…
• We’ll hit the dark sky api to get our current
weather

HTTPResponse
URL
Status Code
Headers
Body

OK200
Bad Request400
Forbidden403
Not Found404
Internal Server Error500
Service Unavailable503
GatewayTimeout504
Common
Status
Codes

Let’s try a POST now…
• We’ll post a tweet from #MHA2017

How do we
test
API’s?

Security
• Basic
• Authentication tokens are valid/present
• Account boundaries are not violated
• SSL is enforced/warned when not present
• Hacker-in-training
• Injection points – headers, parameters, body
• Recording tools – what is exposed/available
• White Hat hacker - OWASP
• Rest Security Cheat Sheet
• OWASP top 10 security vulnerabilities – new
section on Under-protected APIs

Functional
• Basic
• Correct status codes are generated for invalid
inputs
• Request/response bodies contain the correct
content type and schema
• Backwards-compatibility for public APIs -
previous tests continue to pass or breaking
changes are clearly documented – aka
regression testing
• Advanced
• Join API requests together to mirror application
functionality

Exploratory
• Identify the variable bits - things that can/will/might
change
• Requests –
• Method
• Mix/match endpoints
• Parameters
• Headers, especially content type
• ContentType
• Size, Depth - images, json/xml nesting
• Timing & Frequency – what happens with caching?

Heuristics
• Apply Heuristics to the variables
• Zero, One, Many
• Some, None,All
• Beginning, Middle, End
• Too Many,Too Few
• Relative Position, i.e. content

Automation
• Part of your CI/CD pipeline
• Part of development process since tests can be
run in both local and pre-production
environments
• Performance
• Combine tests with monitoring
• Tools
• Postman
• Command line runner that can be integrated
into your CI
• Developer adoption is high
• Runscope
• Powerful code snippets

Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses public API, same as customers
• With some private endpoints
• Leading practices: RESTful, JSON in & out,
• Versioning
• Only changes are additions
• Promote new endpoints through various stages
• “edge” version
• Metadata-driven
• Reference doc generated from metadata and unit test outputs

Long-term results
• Few support requests
• Thanks to comprehensive unit tests, comprehensive doc & examples
• Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
• Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
• Include performance checks

Questions? Stories?

Take-aways
• APIs are the engine behind the apps we
use every day
• APIs are an integral part of our agile
processes - APIs make apps more testable,
and can be tested!
• APIs add value to your product - maybe
your company/product/team needs an
API?
• You’ve learned some terms about RESTful
web services – go forth and learn more!

Links
• ProgrammableWeb
• API Security Testing
• OWASPTop 10 Project
• List of HTTP Header fields
• Varonis - Introduction to Oauth
• Oauth.net
• Understanding rest and rpc