Welcome!
• We’ll use Postman for some of our examples. If you would like to follow along, download Postman now: www.getpostman.com.
• Feel free to pair with someone!
• Our Postman demo collection will be available with our presentation materials.
• Follow @apidemo_carter on Twitter!
JoEllen Carter / Lisa Crispin
Overview
• What is an API?
• History of API growth
• Current API landscape
• How APIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories
What is an Application Programming Interface?
Interfaces
• Touch
• Voice
• Sight
(Diagram: your application, the API, and the world)
(Timeline: API growth, 2000 to 2008)
Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless operations
• People can “just know things” about an API that’s RESTful
How does an Application Programming Interface work?
Protocols: RPC, SOAP, HTTP, HTTPS, CoAP …
HTTP Request
• URL
• Method
• Headers
• Body
URL
https://api.twitter.com/1.1/statuses/update.json?status=testing
{base url} / {version} / {endpoint} ? {query parameters}
Methods
• GET – Get some data about an object or ‘resource’
• POST – Create a new resource
• PUT – Update a resource
• DELETE – Delete a resource
Headers
• Headers are key/value combinations that specify additional information about the request
• Some common request headers are:
  • Content-type
  • Authorization
  • Accept
  • Origin
Body
• Data to send with the request – usually for a POST or PUT
• Data format – xml, json, etc. - is specified by the content-type header
{
  "location": {"lat": -33.8669710, "lng": 151.1958750},
  "accuracy": 50,
  "name": "Google Shoes!",
  "phone_number": "(02) 9374 4000",
  "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
  "types": ["shoe_store"],
  "website": "http://www.google.com.au/",
  "language": "en-AU"
}
What about cookies?
• RESTful API requests should be self-contained (stateless)
• Cookies are session-dependent, so not independent
• Using cookies to store data means your API is not RESTful
Authentication
• Insecure – Authorization token in the URL (URLs end up in server logs, browser history and Referer headers)
  • https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
  • https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}
• Basic
  • Username:password are concatenated and Base64-encoded
  • Sent in the Authorization header
Authentication - OAuth
• OAuth 1/2 - https://oauth.net/
(Diagram: OAuth flow with the Service Provider)
Authentication - JWT
JSON Web Token https://jwt.io/ - an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
• Header – type of token (JWT) and hashing (signing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature – computed with the header-specified algorithm over the encoded Header + “.” + encoded Payload, keyed with the secret
Let’s try a GET now…
• We’ll hit the dark sky api to get our current weather
HTTP Response
• Status Code
• Headers
• Body
Common Status Codes
• 200 OK
• 400 Bad Request
• 403 Forbidden
• 404 Not Found
• 500 Internal Server Error
• 503 Service Unavailable
• 504 Gateway Timeout
Let’s try a POST now…
• We’ll post a tweet from #MHA2017
How do we test APIs?
Security
• Basic
  • Authentication tokens are valid/present
  • Account boundaries are not violated
  • SSL is enforced, or a warning is raised when it is not present
• Hacker-in-training
  • Injection points – headers, parameters, body
  • Recording tools – what is exposed/available
• White Hat hacker - OWASP
  • REST Security Cheat Sheet
  • OWASP Top 10 security vulnerabilities – new section on Under-protected APIs
Functional
• Basic
  • Correct status codes are generated for invalid inputs
  • Request/response bodies contain the correct content type and schema
  • Backwards compatibility for public APIs – previous tests continue to pass, or breaking changes are clearly documented (aka regression testing)
• Advanced
  • Join API requests together to mirror application functionality
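The “basic” security and functional checks listed under Security and Functional, as an added example that is not from the slides: a hypothetical in-memory stand-in for a small RESTful API (handleRequest) and a check runner (runChecks) of the kind a CI job would execute. The accounts, tokens and URLs are constructed sample values.

```javascript
// Constructed sample data: two accounts, each with its own bearer token.
const VALID_TOKENS = { 'tok-alice': 'alice', 'tok-bob': 'bob' };
const USERS = {
  alice: { id: 'alice', email: 'alice@example.com' },
  bob:   { id: 'bob',   email: 'bob@example.com' },
};

// Hypothetical in-memory API: GET/PUT /v1/users/{id}. Returns the same
// shape as an HTTP response: a status code plus a JSON body.
function handleRequest({ method, url, headers = {}, body }) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return { status: 400, body: { error: 'https required' } };
  const auth = headers.Authorization || '';
  const caller = VALID_TOKENS[auth.startsWith('Bearer ') ? auth.slice(7) : ''];
  if (!caller) return { status: 401, body: { error: 'missing or invalid token' } };
  const m = u.pathname.match(/^\/v1\/users\/([^/]+)$/);
  if (!m) return { status: 404, body: { error: 'no such endpoint' } };
  // Boundary check before any lookup: a caller learns nothing about
  // accounts other than its own, not even whether they exist.
  if (m[1] !== caller) return { status: 403, body: { error: 'forbidden' } };
  const user = USERS[caller];
  if (method === 'GET') return { status: 200, body: user };
  if (method === 'PUT') {
    if (!body || typeof body.email !== 'string')
      return { status: 400, body: { error: 'email must be a string' } };
    user.email = body.email;
    return { status: 200, body: user };
  }
  return { status: 405, body: { error: 'method not allowed' } };
}

// The basic checks from the slides, each as a request plus the status or
// schema it must produce. Returns the names of failed checks (empty = pass).
function runChecks() {
  const base = 'https://api.example.test/v1/users/';
  const asAlice = { Authorization: 'Bearer tok-alice' };
  const status = (req) => handleRequest(req).status;
  const checks = {
    'no token -> 401':      status({ method: 'GET', url: base + 'alice' }) === 401,
    'bad token -> 401':     status({ method: 'GET', url: base + 'alice', headers: { Authorization: 'Bearer nope' } }) === 401,
    'other account -> 403': status({ method: 'GET', url: base + 'bob', headers: asAlice }) === 403,
    'plain http rejected':  status({ method: 'GET', url: 'http://api.example.test/v1/users/alice', headers: asAlice }) === 400,
    'bad body -> 400':      status({ method: 'PUT', url: base + 'alice', headers: asAlice, body: { email: 42 } }) === 400,
    'unknown path -> 404':  status({ method: 'GET', url: 'https://api.example.test/v1/nope', headers: asAlice }) === 404,
    'schema on success':    (() => { const r = handleRequest({ method: 'GET', url: base + 'alice', headers: asAlice });
      return r.status === 200 && typeof r.body.id === 'string' && typeof r.body.email === 'string'; })(),
  };
  return Object.keys(checks).filter((name) => !checks[name]);
}
console.log(runChecks()); // []
```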
Exploratory
• Identify the variable bits – things that can/will/might change
• Requests –
  • Method
  • Mix/match endpoints
  • Parameters
  • Headers, especially content type
  • Content Type
  • Size, Depth – images, json/xml nesting
  • Timing & Frequency – what happens with caching?
Heuristics
• Apply heuristics to the variables
  • Zero, One, Many
  • Some, None, All
  • Beginning, Middle, End
  • Too Many, Too Few
  • Relative Position, i.e. content
Automation
• Part of your CI/CD pipeline
• Part of the development process, since tests can be run in both local and pre-production environments
• Performance
  • Combine tests with monitoring
• Tools
  • Postman
    • Command line runner that can be integrated into your CI
    • Developer adoption is high
  • Runscope
    • Powerful code snippets
Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses the public API, same as customers
  • With some private endpoints
• Leading practices: RESTful, JSON in & out
• Versioning
  • Only changes are additions
  • Promote new endpoints through various stages
  • “edge” version
• Metadata-driven
  • Reference doc generated from metadata and unit test outputs
Long-term results
• Few support requests
  • Thanks to comprehensive unit tests, comprehensive doc & examples
  • Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
  • Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
  • Include performance checks
Questions? Stories?
Take-aways
• APIs are the engine behind the apps we use every day
• APIs are an integral part of our agile processes - APIs make apps more testable, and can be tested!
• APIs add value to your product - maybe your company/product/team needs an API?
• You’ve learned some terms about RESTful web services – go forth and learn more!
Links
• ProgrammableWeb
• API Security Testing
• OWASP Top 10 Project
• List of HTTP Header fields
• Varonis - Introduction to OAuth
• OAuth.net
• Understanding REST and RPC