2. What is API testing? HTTP Communication
[Diagram: a Browser or App sends a REQUEST to the API (Application Programming Interface), which sits in front of the Server and Database, and receives a RESPONSE.]
Request:
• METHOD (GET, POST, PUT)
• ENDPOINT (URL, QUERY STRING)
• AUTHORIZATION (API KEY, OAUTH)
Response:
• STATUS (200 OK, 404 NOT FOUND)
• RESPONSE BODY
API Integration Testing
3. Risk Analysis
What should I test?
[Risk matrix: each USE CASE is scored against the API Security Top 10 categories; cells are marked X High Risk, X Med Risk or X Low Risk.]
USE CASE
• Post a Status
• Delete a Status
• Get User’s Post
• Get User’s Timeline
API Security Top 10: owasp.org/www-project-api-security/
4. Post Status: What tests do I need?
Tests for API9: Improper Asset Management
POST https://api.twitter.com/1.1/statuses/update.json?status=This is a test
200 OK
Probe the neighbouring version paths: a retired or unreleased version that still answers is an unmanaged, probably unpatched, copy of the API.
POST https://api.twitter.com/1.0/statuses/update.json?status=This is a test
POST https://api.twitter.com/1.2/statuses/update.json?status=This is a test
404 Not Found
8. Post Status: What tests do I need?
Tests for API8: Injection
POST https://api.twitter.com/1.1/statuses/update.json?status=This is a link to the OWASP site. owasp.org
200 OK
Send the same request with a script payload in the status: it must be rejected, or at least never stored and echoed back unescaped.
POST https://api.twitter.com/1.1/statuses/update.json?status=vulnerableWebApplication.com/page.php?parameters=<script>alert('xss payload');</script>
400 Bad Request
16. Delete Status: What tests do I need?
Tests for API1: Broken Object Level Authorization
POST https://api.twitter.com/1.1/statuses/destroy/1267606507396501504.json
Then try the ids adjacent to your own status: deleting an object the caller does not own must be refused.
POST https://api.twitter.com/1.1/statuses/destroy/1267606507396501503.json
POST https://api.twitter.com/1.1/statuses/destroy/1267606507396501505.json
400 Bad Request
19. Get Another User’s Post: What tests do I need?
Tests for API5: Broken Function Level Authorization
GET https://api.twitter.com/1.1/statuses/show.json?id=1273567447182913536
Swap the verb on the same read-only endpoint: a method the function was never meant to expose must not change anything.
DELETE https://api.twitter.com/1.1/statuses/show.json?id=1273567447182913536
PUT https://api.twitter.com/1.1/statuses/show.json?id=1273567447182913536
400 Bad Request
23. Get Another User’s Timeline: What tests do I need?
Tests for API4: Lack of Resources & Rate Limiting
GET https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=owasp&count=2
A count far above the documented maximum must be rejected (or capped), not served in full.
GET https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=owasp&count=200000
400 Bad Request
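Added example, not from the deck and not Twitter's code: a Python harness that turns the five test cases above (API9 version probing, API8 injection, API1 object-level authorization, API5 function-level authorization, API4 count and rate limiting) into checks that return a list of findings, run against a constructed in-memory stand-in for the statuses API so it works offline. The tokens, tweet ids and owners, the 200-item count cap and the 15-call window are assumptions; the stand-in answers 403, 405 and 429 where the deck shows 400 Bad Request, and the checks only care that the call did not succeed.

```python
"""Added example: the deck's five OWASP API Top 10 (2019) tests against a constructed stand-in API."""
import re
from collections import namedtuple
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "https://api.twitter.com"
XSS = "vulnerableWebApplication.com/page.php?parameters=<script>alert('xss payload');</script>"
Response = namedtuple("Response", "status body", defaults=({},))

def url(path, **query):
    return f"{BASE}{path}" + (f"?{urlencode(query)}" if query else "")

class FakeStatusesApi:  # constructed stand-in, not Twitter; tokens, ids, owners and limits are assumptions
    MAX_COUNT = 200   # documented maximum for user_timeline count (assumption)
    RATE_LIMIT = 15   # user_timeline calls per token per window (assumption)

    def __init__(self, live_versions=("1.1",), strict=True):
        self.live_versions = set(live_versions)   # API versions still deployed
        self.strict = strict                      # reject markup in the status text?
        self.users = {"tok-alice": "alice", "tok-bob": "bob"}
        self.tweets = {1267606507396501503: "bob", 1267606507396501504: "alice",
                       1267606507396501505: "bob", 1273567447182913536: "bob"}
        self.timeline_calls = {}

    def send(self, method, full_url, token):
        user = self.users[token]
        parts = urlsplit(full_url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        m = re.fullmatch(r"/(\d\.\d)/statuses/(?:(update|show|user_timeline)\.json|destroy/(\d+)\.json)", parts.path)
        if not m or m.group(1) not in self.live_versions:
            return Response(404)                  # unknown path or retired API version
        endpoint, destroy_id = m.group(2), m.group(3)
        if destroy_id:                            # POST /1.1/statuses/destroy/{id}.json
            tid = int(destroy_id)
            if self.tweets.get(tid) != user:
                return Response(403)              # object-level check: not the caller's tweet
            del self.tweets[tid]
            return Response(200, {"id": tid})
        if endpoint == "update":                  # POST /1.1/statuses/update.json?status=...
            text = q.get("status", "")
            if self.strict and ("<" in text or ">" in text):
                return Response(400, {"error": "status contains markup"})
            new_id = max(self.tweets) + 1
            self.tweets[new_id] = user
            return Response(200, {"id": new_id, "text": text})
        if method != "GET":                       # show and user_timeline are read-only:
            return Response(405)                  # function-level check on the verb
        if endpoint == "show":
            tid = int(q.get("id", "0"))
            return Response(200, {"id": tid}) if tid in self.tweets else Response(404)
        self.timeline_calls[token] = self.timeline_calls.get(token, 0) + 1
        if self.timeline_calls[token] > self.RATE_LIMIT:
            return Response(429)
        count = int(q.get("count", "20"))
        if count > self.MAX_COUNT:
            return Response(400, {"error": f"count must be <= {self.MAX_COUNT}"})
        return Response(200, {"statuses": [{"id": i} for i in range(count)]})

# Each check takes the client's send(method, url, token) and returns a list of findings (empty = pass).
def check_api9_assets(send, token, retired=("1.0", "1.2")):
    """API9: retired or unreleased versions must 404; anything else is an unmanaged live asset."""
    seen = {v: send("POST", url(f"/{v}/statuses/update.json", status="This is a test"), token) for v in retired}
    return [f"API9: version {v} still answers ({r.status})" for v, r in seen.items() if r.status != 404]

def check_api8_injection(send, token, payload=XSS):
    """API8: the script payload must be rejected, or at least not stored and echoed back unescaped."""
    r = send("POST", url("/1.1/statuses/update.json", status=payload), token)
    if r.status == 200 and "<script" in r.body.get("text", ""):
        return ["API8: script payload stored and echoed unescaped"]
    return []

def check_api1_bola(send, token, own_id):
    """API1: ids adjacent to our own status are other users' objects and must not be deletable."""
    findings = [f"API1: deleted tweet {other} owned by another user" for other in (own_id - 1, own_id + 1)
                if send("POST", url(f"/1.1/statuses/destroy/{other}.json"), token).status == 200]
    if send("POST", url(f"/1.1/statuses/destroy/{own_id}.json"), token).status != 200:
        findings.append("API1: could not delete own tweet (test setup problem)")
    return findings

def check_api5_bfla(send, token, tweet_id):
    """API5: show.json is read-only; GET must work, DELETE and PUT on the same URL must fail."""
    show = url("/1.1/statuses/show.json", id=tweet_id)
    findings = [] if send("GET", show, token).status == 200 else ["API5: GET show.json failed (setup)"]
    return findings + [f"API5: {m} accepted on read-only show.json" for m in ("DELETE", "PUT")
                       if send(m, show, token).status == 200]

def check_api4_limits(send, token, screen_name="owasp", burst=20):
    """API4: an oversized count must be rejected or capped, and a burst of calls must be throttled."""
    timeline = "/1.1/statuses/user_timeline.json"
    findings = []
    r = send("GET", url(timeline, screen_name=screen_name, count=200000), token)
    if r.status == 200 and len(r.body.get("statuses", [])) > 200:
        findings.append("API4: count=200000 was honoured in full")
    statuses = {send("GET", url(timeline, screen_name=screen_name, count=2), token).status for _ in range(burst)}
    if 429 not in statuses:
        findings.append(f"API4: {burst} rapid timeline requests were never throttled")
    return findings
```

Against a real target, replace `FakeStatusesApi().send` with a thin wrapper around your HTTP client that returns the same `(status, body)` pair, and run each check under a low-privilege token so that a passing API1 or API5 result actually means the authorization check held. The two constructor switches on the stand-in (`live_versions`, `strict`) exist only to show what a failing API9 and API8 run look like.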