As you all know API is essentially the “middle man” of the layers and systems within an application or software. And nowadays, API testing and API automation have gained significant importance. But when it comes to testing there are a lot of pitfalls where we tend to fall. Some may be because of a lack of proper foundation, lack of proper strategies, or maybe approaching it in the wrong way. In order to date and fall in love with API testing, there should be some basic level of understanding expected from each of us. So when it is about to kick start API testing journey, ask yourself “have you ever dated with APIs as a tester?” Dating APIs?? The same approach of dating can be applied for whatever things we learn and what I mean here is, how actively you test APIs and is your initial relation giving enough confidence to move towards a long-running one. A date is all about getting to know each other, preparations you do to impress and perform well during the date, some strategies that help to maintain the date/relationship, approaches and techniques which may help you to be stand out. And last but not least to find the solution for the question, will it work in terms of a long relationship? In this talk, I will be sharing about laying a solid foundation for you to kick start API testing journey in co-relation with dating, some insights about concepts, refresh the learnings you already have, and basically how I dated APIs and fell in love with it. This talk will be a collection of byte-sized information based on my learnings and experience with APIs. There are moments we fell in love, we break up and where we faced challenges and overcame those. Key Takeaways: - Get to know the basics of APIs, Requests, Responses. - Tips to kick start your API testing journey as a beginner. - Few insights on the security testing aspects of APIs. - Ideas, approaches & strategies to create and maintain a robust automated API testing infrastructure. - Role of API in continuous testing. This session would be relevant for those who are starting their career in API testing, who wants to know basic concepts of APIs, Responses, Requests, API automation and for middle-level QA Engineers who are looking to enhance their skills by exploring more about API testing scope and proper strategies. Also, for a few who are keen to explore its importance on continuous testing.

1. What to know
before you start
dating with APIs!
Nithin SS / Fave

2. • A passionate tester & blogger
• QA Lead, Fave Malaysia
• Founder - Synapse QA
Hello!
Nithin SS
nithin-ss Nithin_Synapse

3. "I am not being a love guru here, this is a
sharing on how I fell in love with APIs"
@Nithin_Synapse

4. Long lasting relations
depends on how we take our
First Moves
@Nithin_Synapse

5. #4 : Happily
ever after
#2 : Some dates
not look the same
as we expect
#1 : Scary first
meetup
#3 : Abnormal
Dates &
Breakups
Up for a date with
APIs?
@Nithin_Synapse
LET'S
date?

6. @Nithin_Synapse
What is an API?
Application: Interactions of different applications
Programming: Programmatically interact with different
applications / piece of code
Interface: Interface to interact with other piece of codes,
follows the principle of abstraction

7. @Nithin_Synapse
Types of APIs
REST
• REpresentational State Transfer
• Follows a set of guidelines
• REST is a collection of
architectural principles rather
than a protocol like other web
services
SOAP
• Simple Object Access Protocol
• Uses XML as a format to transfer
data
• Main function is to define the
structure of the messages and
methods of communication

8. @Nithin_Synapse
Let's see what an API does...
Imagine a situation of ordering a dish from a restaurant
• Customer (Application) is in a Restaurant and checks the Menu for the
desired dish.
• Then call the Waiter (API) and request that dish.
• Then the Waiter checks the availability of the dish in the Kitchen (Server),
and will get an update from kitchen informing whether the dish is available
or not, the waiter returns to you with the update(Response).
Technically, API is a set of rules that allow programs to talk to each other. The
developer creates the API on the server and allows the client to talk to it

9. @Nithin_Synapse
Request Methods
GET
Used to retrieve data from a server at
the specified resource. For example, say
you have an API with a /users endpoint.
Making a GET request to that endpoint
should return a list of all available users.
POST
Used to send data to the API server to
create or update a resource. The data
sent to the server is stored in the
request body of the HTTP request.
The simplest example is a contact form
on a website.

10. @Nithin_Synapse
Request Methods
PUT
Used to send data to the API to create or
update a resource.
The difference is that PUT requests are
idempotent. That is, calling the same PUT
request multiple times will always produce
the same result. In contrast, calling a POST
request repeatedly have side effects of
creating the same resource multiple times
DELETE
Used to delete the resource at the
specified URL

11. @Nithin_Synapse
Usage
If a new user is created with a POST request to /users, and
it can be retrieved with a GET request to /users/{{userid}},
user details can be updated using a PUT request, and then
making a DELETE request to /users/{{userid}} will
completely remove that user

12. @Nithin_Synapse
Status Codes
2xx (Success)
• 200 OK: Request was successful
• 201 Created: Something new was
created based on request
• 204 No Content: Request success,
but no data send back
4xx (Client Error)
• 400 Bad Request: Server did not understand
the request
• 401 Unauthorised: Client must be
authorised via login
• 403 Forbidden: Client doesn't have
permission to access requested document
• 404 Not Found: Requested document is not
found on the URL given

13. @Nithin_Synapse
Status Codes
5xx (Server Errors)
• 500 Internal Server Error: Generic
Error message meaning that
something broken.
3xx (Redirects)
• 301 Moved Permanently :
Requested document was moved
and response contains the URL of
new location.
• 302 Found: Requested document
temporarily moved to a different
location.

14. @Nithin_Synapse
Authorization and Authentication
Authentication is all about proving who you are.
Authorization is all about proving what you can do.

15. @Nithin_Synapse
GET Method

16. @Nithin_Synapse
POST Method

17. @Nithin_Synapse
PUT Method

18. @Nithin_Synapse
DELETE Method

19. @Nithin_Synapse
API Testing Tips
• Understand API requirements
• Specify the API output status
• Organize API endpoints
• Focus on small functional APIs
• Leverage automation capability
• Choose the right tool
• Define verification methods
• Create positive and negative tests

20. @Nithin_Synapse
Sneak peak into API Security
• Broken object level authorization
• Broken authentication
• Excessive data exposure
• Lack of resources and rate limiting
• Broken function level authorization
• Mass assignment
• Security misconfiguration
• Injection
• Improper assets management
• Insufficient logging and monitoring
Source OWASP API Security Top 10

21. @Nithin_Synapse
Broken object level authorization
Source APIsecurity.io
Attackers substitute the ID of
their own resource in the API call
with an ID of a resource
belonging to another user. The
lack of proper authorization
checks allows attackers to access
the specified resource.

22. @Nithin_Synapse
Broken authentication
Source APIsecurity.io
Poorly implemented API
authentication allows
attackers to assume other
users’ identities.

23. @Nithin_Synapse
Excessive data exposure
Source APIsecurity.io
The API may expose a lot more
data than what the client
legitimately needs, relying on
the client to do the filtering. If
attackers go directly to the API,
they have it all.

24. @Nithin_Synapse
Lack of resources and rate limiting
Source APIsecurity.io
The API is not protected against
an excessive amount of calls or
payload sizes. Attackers can use
this for Denial of Service (DoS)
and authentication flaws like
brute force attacks.

25. @Nithin_Synapse
Broken function level authorization
Source APIsecurity.io
The API relies on the client to
use user level or admin level
APIs as appropriate. Attackers
figure out the “hidden” admin
API methods and invoke them
directly.

26. @Nithin_Synapse
Mass assignment
Source APIsecurity.io
The API takes data that client provides and
stores it without proper filtering for whitelisted
properties. Attackers can try to guess object
properties or provide additional object
properties in their requests, read the
documentation, or check out API endpoints for
clues where to find the openings to modify
properties they are not supposed to on the data
objects stored in the backend.

27. @Nithin_Synapse
Security misconfiguration
Source APIsecurity.io
Poor configuration of the API
servers allows attackers to
exploit them.

28. @Nithin_Synapse
Injection
Source APIsecurity.io
Attackers construct API calls
that include SQL, NoSQL,
LDAP, OS, or other commands
that the API or the backend
behind it blindly executes.

29. @Nithin_Synapse
Improper assets management
Source APIsecurity.io
Attackers find non-production
versions of the API (for example,
staging, testing, beta, or earlier
versions) that are not as well
protected as the production API,
and use those to launch their
attacks.

30. @Nithin_Synapse
Insufficient logging and monitoring
Source APIsecurity.io
Lack of proper logging,
monitoring, and alerting allows
attacks and attackers go
unnoticed.

31. @Nithin_Synapse
Creating and maintaining automated
API tests
https://ibb.co/CQVCcxh

32. Have a wonderful relationship with
APIs
nithin-ss
Nithin_Synapse
Further Read:
https://bit.ly/rest-postman
https://apisecurity.io/
THANK YOU!
nithin.ss@synapse-qa.com
synapse-qa.com