API testing is essential to check the functionality and the security of an application programming interface (API), especially when the API will be used in a production environment. Testing an API helps us find its security vulnerabilities and errors in its functioning. The API can then be rectified in the testing phase. APIs play a crucial role in many applications, including banking and other essential applications. A simple vulnerability or programming error can disrupt the functioning of an application for millions of people. Such issues can even expose sensitive information and thus, poses a serious security risk. Hence, API testing is important for making sure the API is as secure as possible and runs smoothly without roadblocks.
Different Types of API Testing
Here we briefly discuss the different types of API testing methods, and then we’ll move on to implementation.
1) Functional testing verifies if the API functions work as required without throwing any errors. You can achieve this by mimicking typical user inputs and verifying that the output is as expected.
2) Runtime error detection is done while running the API in real-time. It allows you to fix logged errors in real-time. You can then push changes immediately to the latest integration pipeline. This helps prevent security risks and ensures the smooth functioning of the API.
3) Penetration testing continuously monitors for man-in-the-middle attacks. You accomplish this by constantly testing encryption. Implementing industry-recommended key management is a must as it reduces the attack surface and ensures the safety of your API.
4) Load testing involves stress testing certain functions of an API by calling multiple requests to the functions and seeing how your API handles a large number of requests. You can generally perform load testing only via automated testing.
5) Validation testing occurs during the final stage of developing your API when the development team verifies that the API works as per user requirements. You can test the API in a simulated or a real setting.
6) Fuzz testing involves feeding your API a large amount of random data to see if it experiences any forced crashes or errors. This prepares your API for worst-case scenarios and prevents possible security loopholes.
Different Manual Test Cases for API Testing
We assume your API has the endpoint www.exampleapi.net (this is not an actual endpoint). We’ll use a weather forecasting API as our example. It has the following functions:
These take a latitude and longitude as input and the weather data in JSON or XML as output. An example response should look like this: JSON
We can see that our API works for normal test cases. Next, we check error test cases by introducing errors to the API. We’ll send a blank input to the API and see how it responds.
The API should give us an error response but shouldn't crash or stop functioning. We should get a response like this:
"error": "Something went wrong"
You can then test other functions of the API similarly
API security is important when developing an API. Here, we test for man-in-the-middle attacks or other security vulnerabilities with the following steps:
To test the encryption of your API for vulnerabilities, try to intercept the data using a packet analyzer, like Wireshark, to check whether you can view sensitive data like API authentication tokens or API requests and responses. I've created a demo API where you can see that HTTPS is enabled by default on the AWS API gateway.
Test for possible API reverse engineering by verifying whether you can intercept the data at either the client or the server side. Sometimes, malicious parties pose as a verified SSL provider by generating an SSL certificate. We can test for that by creating a fake certificate and see whether you can intercept the API data. In the demo API I created, you can verify the certificate by manually by clicking on the lock icon and then on the "connection is secure" option. You should see something like this:
Ensuring that you implement the best practices for API security, like enforcing HTTPS-only connections and adding authentication methods, helps mitigate security risks by reducing the risk of man-in-the-middle attacks and API reverse engineering attacks, and by reducing the attack surface.
The final stage of development is validation testing, where you perform several verifications before you move the API to production. Does your API work as expected? You will have to simulate user API requests and authentication to check if your API is working as per your client’s requirements and make immediate changes if it is not. Is the backend of your API interacting with the database correctly? If your API follows the model-view-controller architectural pattern, verify that the interaction between the model, the view, and the client works as designed. Is your API optimized? Here, check whether the codebase can be optimized further to improve the speed and the efficiency of the API.
Runtime Error Detection
When you run your API in production, having an error detection mechanism lets you detect errors and rectify them immediately. Then you can test to ensure that the API does not throw the error again under similar use cases. Once you patch and test the API, then you can push changes to the latest integration cycle. You can monitor the logs for errors and should alert the development team as soon as possible about any errors. You can achieve this by setting up a log monitoring system in your codebase. This will alert your team and allow for a timely patch of the error. You can take measures to ensure the error does not show up again by running timely tests on your API and adding precautions to prevent similar errors from showing up in the next integration cycle. Runtime error detection is an important step in API production. It helps find errors in the codebase that escaped testing during development. Patching them prevents the vulnerabilities and errors in the codebase from affecting the API any further.
We’ve described testing that you can perform on your APIs manually. You can also choose to perform load testing and fuzz testing via automated tests. API testing is an important part of the development process and with timely tests and auditing, you can make your API more secure and reliable. Testing is a continuous process that’s updated with every CI/CD cycle.