1. Welcome!
• We’ll use postman for some of our examples. If you would like to follow along,
download postman now. www.getpostman.com.
• Feel free to pair with someone!
• Our Postman demo collection will be available with our presentation materials.
• Follow @apidemo_carter onTwitter!
3. Overview
• What is an API?
• History of API growth
• Current API landscape
• HowAPIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories
11. Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless
operations
• People can “just know things” about an API
that’s RESTful
17. GET
• Get some data about an object or
‘resource’
POST • Create a new resource
PUT • Update a resource
DELETE • Delete a resource
Methods
18. Headers
• Headers are key/value combinations that specify
additional information about the request
• Some common request headers are:
• Content-type
• Authentication
• Accept
• Origin
19. Body
• Data to send with the
request – usually for a
POST or PUT
• Data format – xml,
json, etc. - is specified
by the content-type
header
{
"location": {
"lat": -33.8669710,
"lng": 151.1958750
},
"accuracy": 50,
"name": "Google Shoes!",
"phone_number": "(02) 9374
4000",
"address": "48 Pirrama Road,
Pyrmont, NSW 2009, Australia",
"types": ["shoe_store"],
"website":
"http://www.google.com.au/",
"language": "en-AU"
}
20. What about cookies?
• Restful API requests should be self-reliant
• Cookies are session-dependent, so not
independent
• Using cookies to store data means your
API is not Restful
21. Authentication
• Insecure - Authorization token in url
• https://api.darksky.net/forecast/{{token}}
/39.9026420,-105.0905190
• https://maps.googleapis.com/maps/api/p
lace/nearbysearch/json?key={{googlema
psKey}}
• Basic
• Username:password are concatenated
and encoded
• Sent in Authorization header
24. Authentication - JWT
JSON WebToken https://jwt.io/ - an open standard (RFC 7519)
that defines a compact and self-contained way for securely
transmitting information between parties as a JSON object.
• Header – type of token (JWT) and hashing (signing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature = signature from header-specified algorithm using
encoded Header + encoded payload + secret
25. Let’s try a GET now…
• We’ll hit the dark sky api to get our current
weather
30. Security
• Basic
• Authentication tokens are valid/present
• Account boundaries are not violated
• SSL is enforced/warned when not present
• Hacker-in-training
• Injection points – headers, parameters, body
• Recording tools – what is exposed/available
• White Hat hacker - OWASP
• Rest Security Cheat Sheet
• OWASP top 10 security vulnerabilities – new
section on Under-protected APIs
31. Functional
• Basic
• Correct status codes are generated for invalid
inputs
• Request/response bodies contain the correct
content type and schema
• Backwards-compatibility for public APIs -
previous tests continue to pass or breaking
changes are clearly documented – aka
regression testing
• Advanced
• Join API requests together to mirror application
functionality
32. Exploratory
• Identify the variable bits - things that can/will/might
change
• Requests –
• Method
• Mix/match endpoints
• Parameters
• Headers, especially content type
• ContentType
• Size, Depth - images, json/xml nesting
• Timing & Frequency – what happens with caching?
33. Heuristics
• Apply Heuristics to the variables
• Zero, One, Many
• Some, None,All
• Beginning, Middle, End
• Too Many,Too Few
• Relative Position, i.e. content
34. Automation
• Part of your CI/CD pipeline
• Part of development process since tests can be
run in both local and pre-production
environments
• Performance
• Combine tests with monitoring
• Tools
• Postman
• Command line runner that can be integrated
into your CI
• Developer adoption is high
• Runscope
• Powerful code snippets
35. Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses public API, same as customers
• With some private endpoints
• Leading practices: RESTful, JSON in & out,
• Versioning
• Only changes are additions
• Promote new endpoints through various stages
• “edge” version
• Metadata-driven
• Reference doc generated from metadata and unit test outputs
36. Long-term results
• Few support requests
• Thanks to comprehensive unit tests, comprehensive doc & examples
• Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
• Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
• Include performance checks
38. Take-aways
• APIs are the engine behind the apps we
use every day
• APIs are an integral part of our agile
processes - APIs make apps more testable,
and can be tested!
• APIs add value to your product - maybe
your company/product/team needs an
API?
• You’ve learned some terms about RESTful
web services – go forth and learn more!
39. Links
• ProgrammableWeb
• API Security Testing
• OWASPTop 10 Project
• List of HTTP Header fields
• Varonis - Introduction to Oauth
• Oauth.net
• Understanding rest and rpc