Amber talks about testing tricks such as:
- Exploring public APIs such as Spotify where you can get a musical artist's album information.
- Importing API calls into Postman by capturing a request seen in Google Developer Tools -> Network with the "Copy as cURL" command, then importing the cURL command into Postman with "Paste as Raw Text".
- Practicing API testing with Mark Winteringham's Restful-Booker API Playground which has some bugs built into it you can try to find.
- Setting up GET, POST, PUT and PATCH requests using the Restful Booking API Docs, including obtaining a token for authorization.
POISED
What I loved most of all? Amber showcases her POISED mnemonic to describe API Testing: Parameters, Output, Interop, Security, Errors and Data.
Output: What kind of HTTP status codes, error messages, or logging is produced? Do you get the proper 200 OK status when something succeeds, or do you get unexpected codes such as 201? If you can request reports, does setting the Accept header to "application/xml" or "application/json" work for both types? Do your logs carry extra information when there are 500 errors?
Interop: Test the interoperability between services: can each system get the information it needs? What happens if a YYYY-MM-DD date is changed to the United States MM-DD-YYYY or the European DD-MM-YYYY format? When getting data such as users, are we given an understandable first and last name, or a user id that now has to be looked up in another table?
Security: If an Authorization or Cookie header is supposed to be required to log into the API, is that actually enforced? Switch the Authorization type to "No Auth" and see what happens. To simulate a Cross Site Scripting (XSS) attack, submit <script>alert("gotcha")</script> into a text field and see whether you can get the API to execute or echo back the code. Check for input validation, such as angle brackets not being allowed.
Errors: Test error and exception handling. If you submit bad credentials (which should yield a 401 Unauthorized response), does the API return an error message of "Bad credentials" but a "200 OK" status code? Try to match up the error conditions with the codes, and try to avoid the cryptic "500 Internal Server Error". There should be exception messages or debug logs describing what happened so developers can troubleshoot. If you POST to an API and receive an error message, is a new record erroneously created anyway?
Data: Did a record return a user id? Check that all ids represent the records that are supposed to be displayed. Don't assume that everything is correct just because you get a 200 OK. With currency, does it state whether the amount is USD or GBP? What happens if you have 100, 1000, or 10000 users in the database? How about a million? How many milliseconds does it take for the data to return?
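As an added example (not from Amber's talk or this post), here are several of the POISED checks above written as assertions over captured request/response pairs, the way a Postman test script or a small test suite would apply them. The exchanges, paths and header values are constructed to resemble a Restful-Booker-style booking API; they are not real captures, and the rule that only PUT/PATCH/DELETE need a token is an assumption.

```python
import re
from collections import namedtuple

# One request/response pair, the information you would see in Postman's console.
Exchange = namedtuple("Exchange", "method path req_headers status resp_headers body")
TOKEN_METHODS = {"PUT", "PATCH", "DELETE"}  # assumed to require the auth token/cookie

def audit(ex):
    """Return POISED-style findings for one exchange (an empty list means clean)."""
    findings = []
    # Output: a 2xx response should honour the media type the Accept header asked for.
    accept = ex.req_headers.get("Accept")
    ctype = ex.resp_headers.get("Content-Type", "")
    if accept and ex.status < 300 and accept not in ctype:
        findings.append(f"Output: asked for {accept}, got {ctype or 'no Content-Type'}")
    # Errors: an error message in the body must not ride on a 200 OK.
    if 200 <= ex.status < 300 and re.search(r"bad credentials|\berror\b", ex.body, re.I):
        findings.append("Errors: error text in body but status is 2xx")
    # Security: a PUT/PATCH/DELETE with no Authorization or Cookie header must be refused.
    if (ex.method in TOKEN_METHODS and ex.status < 400
            and not ({"Authorization", "Cookie"} & set(ex.req_headers))):
        findings.append("Security: write accepted without Authorization/Cookie")
    # Security: a submitted <script> tag echoed back unencoded points at reflected XSS.
    if "<script>" in ex.body:
        findings.append("Security: <script> tag reflected unencoded in response")
    # Interop: dates should be ISO YYYY-MM-DD, not US MM-DD-YYYY or European DD-MM-YYYY.
    for d in re.findall(r"\d{2,4}[-/]\d{2}[-/]\d{2,4}", ex.body):
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", d):
            findings.append(f"Interop: non-ISO date {d}")
    return findings

# Constructed exchanges against a Restful-Booker-like API; not real captures.
JSON, XML = {"Accept": "application/json"}, {"Accept": "application/xml"}
CT_JSON = {"Content-Type": "application/json"}
SAMPLES = {
    "bad_login": Exchange("POST", "/auth", JSON, 200, CT_JSON, '{"reason": "Bad credentials"}'),
    "wrong_type": Exchange("GET", "/booking/1", XML, 200, CT_JSON, '{"firstname": "Sally"}'),
    "no_token": Exchange("PUT", "/booking/1", JSON, 200, CT_JSON, '{"firstname": "Sally"}'),
    "xss_echo": Exchange("POST", "/booking", JSON, 200, CT_JSON,
                         '{"firstname": "<script>alert(\\"gotcha\\")</script>"}'),
    "us_date": Exchange("GET", "/booking/2", JSON, 200, CT_JSON, '{"checkin": "01-02-2024"}'),
    "clean": Exchange("GET", "/booking/1", JSON, 200, CT_JSON,
                      '{"bookingdates": {"checkin": "2024-01-02", "checkout": "2024-01-05"}}'),
}

def run_all():
    """Audit every sample exchange; returns {sample name: list of findings}."""
    return {name: audit(ex) for name, ex in SAMPLES.items()}

if __name__ == "__main__":
    for name, found in run_all().items():
        print(f"{name}: {found or 'no findings'}")
```

Each finding names the POISED letter it belongs to, so a failing run tells you which heuristic to go investigate in the real API.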
Data Driven Testing
There is a lot of content here! Make sure to spend time practicing the techniques listed, checking to see if you can find other errors in the Restful-Booker API Playground.
Happy Testing!
-T.J. Maher
Sr. QA Engineer, Software Engineer in Test
Meetup Organizer, Ministry of Testing - Boston
Twitter | YouTube | LinkedIn | Articles