API FUNdamentals #MHA2017

Post on 21-Jan-2018


Welcome!

• We’ll use Postman for some of our examples. If you would like to follow along, download Postman now: www.getpostman.com.

• Feel free to pair with someone!

• Our Postman demo collection will be available with our presentation materials.

• Follow @apidemo_carter on Twitter!

JoEllen Carter / Lisa Crispin

Overview

• What is an API?

• History of API growth

• Current API landscape

• How APIs work, including some hands-on demos

• Strategies and tools for testing an API

• API Stories

What is an Application Programming Interface?


Interfaces

• Touch

• Voice

• Sight

[Diagram: Your application – API – The world]

[Chart: History of API growth; x-axis 2000–2008]

Why RESTful?

• REST: Representational state transfer

• Uniform and predefined set of stateless operations

• People can “just know things” about an API that’s RESTful

How does an Application Programming Interface work?

RPC SOAP HTTP HTTPS CoAP …

HTTP Request

• URL

• Method

• Headers

• Body

URL

https://api.twitter.com/1.1/statuses/update.json?status=testing

{base url} / {version} / {endpoint} ? {query parameters}

Methods

• GET – Get some data about an object or ‘resource’

• POST – Create a new resource

• PUT – Update a resource

• DELETE – Delete a resource

Headers

• Headers are key/value combinations that specify additional information about the request

• Some common request headers are:
  • Content-Type
  • Authorization
  • Accept
  • Origin

Body

• Data to send with the request – usually for a POST or PUT

• Data format – XML, JSON, etc. – is specified by the Content-Type header

{
  "location": {
    "lat": -33.8669710,
    "lng": 151.1958750
  },
  "accuracy": 50,
  "name": "Google Shoes!",
  "phone_number": "(02) 9374 4000",
  "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
  "types": ["shoe_store"],
  "website": "http://www.google.com.au/",
  "language": "en-AU"
}

What about cookies?

• RESTful API requests should be self-reliant

• Cookies are session-dependent, so not independent

• Using cookies to store data means your API is not RESTful

Authentication

• Insecure – Authorization token in URL
  • https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
  • https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}

• Basic
  • Username:password are concatenated and encoded
  • Sent in Authorization header

Authentication – OAuth

• OAuth 1/2 – https://oauth.net/

[Diagram: OAuth flow – Service Provider]

Authentication – JWT

JSON Web Token (https://jwt.io/) – an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

• Header – type of token (JWT) and hashing (signing) algorithm

• Payload – contains ‘claims’, or information about the user

• Signature – produced by the header-specified algorithm over the encoded Header + encoded Payload, using the secret
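As an added example (not part of the deck or of any library it mentions), here is the three-part structure above built and checked with Python's standard library only: an HS256 issuer that signs "encodedHeader.encodedPayload" with a secret, and a verifier that pins the algorithm, compares signatures in constant time, and rejects a token whose payload was swapped after signing. The secret and the claims are constructed demo values; `swap_payload` exists only to show what a tampered token looks like to the verifier.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode removed
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 token: header.payload.signature (all base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    # Signature = HMAC-SHA256 over "encodedHeader.encodedPayload", keyed with the secret
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is well-formed and its signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    enc_header, enc_payload, enc_signature = parts
    try:
        header = json.loads(b64url_decode(enc_header))
        # Pin the algorithm: the verifier decides how to verify, never the token's own header
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{enc_header}.{enc_payload}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so response timing does not leak how many bytes matched
        if not hmac.compare_digest(expected, b64url_decode(enc_signature)):
            return None
        return json.loads(b64url_decode(enc_payload))
    except ValueError:
        # Covers malformed base64 (binascii.Error) and malformed JSON (JSONDecodeError)
        return None


def swap_payload(token: str, claims: dict) -> str:
    # Keep header and signature, replace the payload: what a tampered token looks like on the wire
    enc_header, _, enc_signature = token.split(".")
    enc_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{enc_header}.{enc_payload}.{enc_signature}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real secret comes from a secret store
    token = sign_jwt({"sub": "alice", "role": "user"}, secret)
    print(token)
    print(verify_jwt(token, secret))                                          # claims come back
    print(verify_jwt(swap_payload(token, {"sub": "alice", "role": "admin"}), secret))  # None
```

Pinning `alg` on the verifier side is the part worth copying: a verifier that trusts the header to choose the algorithm is what lets an unsigned (`"alg": "none"`) token through, so the check here treats anything other than the issued algorithm as invalid before the signature is even looked at.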

Let’s try a GET now…

• We’ll hit the Dark Sky API to get our current weather

HTTP Response

• URL

• Status Code

• Headers

• Body

Common Status Codes

• 200 OK

• 400 Bad Request

• 403 Forbidden

• 404 Not Found

• 500 Internal Server Error

• 503 Service Unavailable

• 504 Gateway Timeout

Let’s try a POST now…

• We’ll post a tweet from #MHA2017

How do we test APIs?

Security

• Basic
  • Authentication tokens are valid/present
  • Account boundaries are not violated
  • SSL is enforced/warned when not present

• Hacker-in-training
  • Injection points – headers, parameters, body
  • Recording tools – what is exposed/available

• White Hat hacker – OWASP
  • REST Security Cheat Sheet
  • OWASP Top 10 security vulnerabilities – new section on Under-protected APIs

Functional

• Basic
  • Correct status codes are generated for invalid inputs
  • Request/response bodies contain the correct content type and schema
  • Backwards-compatibility for public APIs – previous tests continue to pass or breaking changes are clearly documented – aka regression testing

• Advanced
  • Join API requests together to mirror application functionality
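The “Basic” checks from the Security and Functional slides above, as one added example that is not part of the deck: a constructed stub API (two accounts, bearer tokens, one `orders` resource) is started on a free local port, and a small client runs each check over real HTTP and records the status code it got back. Everything here (the order data, the token strings, the `/v1/orders` paths, the 401/403/404/400 choices) is assumed for the example; the TLS-enforcement bullet is not covered because the stub speaks plain HTTP on loopback.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed demo data: two accounts, one order each, and the bearer tokens that map to them
ORDERS = {"order-1": {"owner": "alice", "total": 10}, "order-2": {"owner": "bob", "total": 20}}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}


class StubApi(BaseHTTPRequestHandler):
    """Tiny JSON API standing in for the system under test (constructed for this example)."""

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _user(self):
        # Map "Authorization: Bearer <token>" to an account; None when absent or unknown
        auth = self.headers.get("Authorization", "")
        return TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None

    def do_GET(self):  # GET /v1/orders/{id}
        user = self._user()
        if user is None:
            return self._send(401, {"error": "missing or invalid token"})
        order_id = self.path.rsplit("/", 1)[-1]
        order = ORDERS.get(order_id)
        if order is None:
            return self._send(404, {"error": "no such order"})
        if order["owner"] != user:  # account boundary: you only see your own orders
            return self._send(403, {"error": "not your order"})
        return self._send(200, {"id": order_id, "total": order["total"]})

    def do_POST(self):  # POST /v1/orders with {"total": <non-negative int>}
        # Always drain the request body before answering so the client never sees a reset
        raw = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        user = self._user()
        if user is None:
            return self._send(401, {"error": "missing or invalid token"})
        if self.headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
            return self._send(400, {"error": "Content-Type must be application/json"})
        try:
            body = json.loads(raw)
        except ValueError:
            return self._send(400, {"error": "body is not valid JSON"})
        if not isinstance(body, dict) or not isinstance(body.get("total"), int) or body["total"] < 0:
            return self._send(400, {"error": "total must be a non-negative integer"})
        new_id = f"order-{len(ORDERS) + 1}"
        ORDERS[new_id] = {"owner": user, "total": body["total"]}
        return self._send(201, {"id": new_id, "total": body["total"]})

    def log_message(self, *args):  # silence per-request logging
        pass


def call(base, method, path, token=None, body=None, content_type="application/json"):
    """Issue one request and return (status, Content-Type, decoded JSON body)."""
    data = None if body is None else (body if isinstance(body, bytes) else json.dumps(body).encode())
    req = request.Request(base + path, data=data, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", content_type)
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.headers.get("Content-Type"), json.loads(resp.read())
    except error.HTTPError as e:  # 4xx/5xx arrive here and still carry the JSON error body
        return e.code, e.headers.get("Content-Type"), json.loads(e.read())


def run_checks():
    """Start the stub on a free port, run the basic security and functional checks, return results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    r = {}
    try:
        # Security, basic: a token must be present and valid
        r["no_token"] = call(base, "GET", "/v1/orders/order-1")[0]
        r["bad_token"] = call(base, "GET", "/v1/orders/order-1", token="token-mallory")[0]
        # Security, basic: account boundaries (alice must not read bob's order)
        r["cross_account"] = call(base, "GET", "/v1/orders/order-2", token="token-alice")[0]
        # Functional, basic: correct status codes for invalid inputs
        r["unknown_id"] = call(base, "GET", "/v1/orders/order-9", token="token-alice")[0]
        r["bad_json"] = call(base, "POST", "/v1/orders", token="token-alice", body=b"not json")[0]
        r["wrong_ctype"] = call(base, "POST", "/v1/orders", token="token-alice", body={"total": 5}, content_type="text/plain")[0]
        r["negative_total"] = call(base, "POST", "/v1/orders", token="token-alice", body={"total": -1})[0]
        # Functional, basic: the happy path carries the declared content type and schema
        status, ctype, payload = call(base, "GET", "/v1/orders/order-1", token="token-alice")
        r["own_order"], r["content_type"] = status, ctype
        r["schema_ok"] = set(payload) == {"id", "total"} and isinstance(payload["total"], int)
    finally:
        server.shutdown()
        server.server_close()
    return r


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The same checks transfer to a Postman collection one for one: each `call(...)` line is a request, and each expected status is a test assertion on that request, which is what makes them cheap to keep running in CI later.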

Exploratory

• Identify the variable bits – things that can/will/might change

• Requests
  • Method
  • Mix/match endpoints
  • Parameters
  • Headers, especially Content-Type

• Content Type
  • Size, Depth – images, JSON/XML nesting
  • Timing & Frequency – what happens with caching?

Heuristics

• Apply heuristics to the variables
  • Zero, One, Many
  • Some, None, All
  • Beginning, Middle, End
  • Too Many, Too Few
  • Relative Position, i.e. content
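The heuristics above and the Size/Depth variable from the Exploratory slide, as one added example (not from the deck): a generator that expands a single list-valued parameter into named cases (Zero/One/Many, Too Few/Too Many, Some/None/All invalid, invalid item at Beginning/Middle/End), a builder for JSON nested to a chosen depth, and a constructed stand-in validator so each case maps to the status code the API should return. The parameter (`tags`, 1 to 5 non-blank strings) and the depth limit are assumptions for the example; in practice the generated cases feed a request runner such as the Postman collection runner.

```python
from typing import Dict


def heuristic_cases(min_items: int, max_items: int, good: str = "tag", bad: str = "") -> Dict[str, list]:
    """Expand one list-valued parameter into the deck's heuristics (constructed values, keyed by heuristic)."""
    many = [f"{good}{i}" for i in range(max_items)]
    mid = len(many) // 2
    cases = {
        # Zero, One, Many
        "zero": [],
        "one": [good],
        "many": many,
        # Too Many (Too Few is added below when the minimum allows it)
        "too_many": many + [good],
        # Some, None, All: how many of the items are invalid
        "none_bad": list(many),
        "some_bad": [bad if i % 2 else t for i, t in enumerate(many)],
        "all_bad": [bad] * max_items,
        # Beginning, Middle, End: where the single invalid item sits
        "bad_at_beginning": [bad] + many[1:],
        "bad_in_middle": many[:mid] + [bad] + many[mid + 1:],
        "bad_at_end": many[:-1] + [bad],
    }
    if min_items > 0:
        cases["too_few"] = [good] * (min_items - 1)
    return cases


def nested(depth: int):
    # Size/Depth variable: a JSON document nested `depth` objects deep
    obj = "leaf"
    for _ in range(depth):
        obj = {"child": obj}
    return obj


def json_depth(obj) -> int:
    # Number of nested containers on the deepest path; scalars count as 0
    if isinstance(obj, dict):
        return 1 + max((json_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, list):
        return 1 + max((json_depth(v) for v in obj), default=0)
    return 0


def validate_tags(tags, min_items: int = 1, max_items: int = 5) -> int:
    """Constructed stand-in for the API's input validation: returns the HTTP status it should produce."""
    if not isinstance(tags, list) or not min_items <= len(tags) <= max_items:
        return 400
    if any(not isinstance(t, str) or not t.strip() for t in tags):
        return 400
    return 200


def validate_depth(obj, limit: int = 8) -> int:
    # Reject documents nested deeper than the service is prepared to parse (assumed limit)
    return 200 if json_depth(obj) <= limit else 400


def run_heuristics(min_items: int = 1, max_items: int = 5) -> Dict[str, int]:
    # Apply the validator to every generated case so each heuristic maps to an observed status
    return {name: validate_tags(value, min_items, max_items)
            for name, value in heuristic_cases(min_items, max_items).items()}


if __name__ == "__main__":
    for name, status in run_heuristics().items():
        print(f"{name:18s} -> {status}")
    print("depth 9 ->", validate_depth(nested(9)))
```

A case that comes back 200 where the table predicts 400 (an over-long list accepted, a blank item stored) is exactly the kind of finding exploratory testing is after; the named cases make it easy to say which heuristic exposed it.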

Automation

• Part of your CI/CD pipeline

• Part of development process since tests can be run in both local and pre-production environments

• Performance
  • Combine tests with monitoring

• Tools
  • Postman
    • Command line runner that can be integrated into your CI
    • Developer adoption is high
  • Runscope
    • Powerful code snippets

Supporting an API

Tracker API, rewritten in 2012-13

• Our own client software uses public API, same as customers
  • With some private endpoints

• Leading practices: RESTful, JSON in & out

• Versioning
  • Only changes are additions
  • Promote new endpoints through various stages
  • “edge” version

• Metadata-driven
  • Reference doc generated from metadata and unit test outputs

Long-term results

• Few support requests
  • Thanks to comprehensive unit tests, comprehensive doc & examples
  • Comprehensive doc for devs to introduce new endpoints

• Many new endpoints added
  • Mostly without pain – one backwards compatibility issue

• Postman regression tests run in CI in addition to unit tests
  • Include performance checks

Questions? Stories?

Take-aways

• APIs are the engine behind the apps we use every day

• APIs are an integral part of our agile processes - APIs make apps more testable, and can be tested!

• APIs add value to your product - maybe your company/product/team needs an API?

• You’ve learned some terms about RESTful web services – go forth and learn more!

Links

• ProgrammableWeb

• API Security Testing

• OWASP Top 10 Project

• List of HTTP Header fields

• Varonis - Introduction to Oauth

• Oauth.net

• Understanding rest and rpc