Security Testing is a type of software testing that aims to identify and address vulnerabilities and threats in an application to ensure that its data and resources are protected against potential intrusions, misuses, and breaches. The primary goal of security testing is to ensure that the software is robust and secure from external and internal threats.
What is Security Testing in API?
API security testing is a process of evaluating API endpoints to identify and remediate vulnerabilities such as fuzzy input, parameter tampering, or injection attacks. Historically, this was done through penetration testing or manual scanning of the APIs by an enterprise security team. However, teams are shifting to running API security tests as part of the DevOps pipeline, ensuring that security issues are caught early in the development lifecycle.
Why Do You Need API Security Testing?
1. Protection of Sensitive Data – APIs often handle sensitive data, including personal information, financial data, and proprietary business information. Security testing helps ensure that this data is protected from unauthorized access, breaches, and leaks. Examples: Ensure data in transit is encrypted; prevent exposure of Personally Identifiable Information (PII)
2. Prevent Unauthorized Access: APIs typically serve as the gateway to an application’s backend and other critical infrastructure. Security testing helps to identify and mitigate flaws in authentication and authorization mechanisms, preventing unauthorized access. Examples: Ensuring proper use of API keys, tokens, and OAuth; verifying role-based access control (RBAC).
3. Ensuring Service Availability: Malicious actors can exploit vulnerabilities to launch Denial-of-Service (DoS) attacks, overwhelming your APIs and making them unavailable to legitimate users. Robust API penetration testing tools help uncover these weaknesses, allowing you to implement measures that prevent such attacks and ensure reliable service for your users.
4. Maintaining Compliance: Industrial regulations, such as HIPAA, GDPR, ISO, and SOX, mandate specific security controls during data handling. Failure to comply with such regulations due to API vulnerabilities can lead to hefty fines and legal liabilities. Security testing ensures that APIs comply with these regulatory requirements and avoid legal penalties. Examples: Encrypting sensitive data, maintaining proper access logs, and ensuring data integrity.
5. Prevent Injection Attacks: Injection attacks, such as SQL injection and command injection, can compromise the security of API endpoints and underlying systems. Security testing helps identify and remediate these vulnerabilities by validating input handling and data sanitization processes. Examples: Testing for SQL injection flaws; ensuring proper input validation.
6. Improving Stakeholder Trust: Customers and partners entrust the company with their data when they interact with their APIs. Regular security testing demonstrates your commitment to data protection, strengthening business relationships, and fostering customer confidence in your services.
What are the common security vulnerabilities found in API?
Rest APIs
REST APIs or RESTful APIs are stateless APIs that use simple HTTP requests to access and use data. It is one of the most used types of API due to its simplicity and flexibility of implementation in any language.
Common Vulnerabilities in REST APIs
1. Broken Authentication and Session Management: Weak authentication mechanisms can lead to unauthorized access. Use of tokens and proper handling of sessions is crucial.
2. Broken Access Control: Insufficient enforcement of user permissions can lead to unauthorized access to endpoints. Implement role-based access control (RBAC) and least privilege principle.
3. Sensitive Data Exposure: Failure to encrypt sensitive data both in transit and at rest. Use HTTPS, encrypt sensitive data and avoid exposing unnecessary data in API responses.
4. Lack of Rate Limiting: Failure to implement request throttling can result in Denial of Service (DoS) attacks. Implement rate limiting and quotas to control abuse.
5. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
6. Insufficient Logging and Monitoring: Lack of proper logging mechanisms can lead to undetected security incidents. Enforce comprehensive logging and monitoring for suspicious activities.
SOAP APIs
SOAP, or Simple Object Access Protocol, uses XML-based messaging to transfer data between the client and server.
Common Vulnerabilities in SOAP APIs
1. XML External Entity (XXE) Attacks: An attacker can manipulate XML data to exploit vulnerabilities in the XML parsers. Disable DTDs (Document Type Definitions) and external entity references.
2. Inadequate Input Validation:SOAP messages may not be thoroughly checked for integrity. Validate and sanitize all incoming XML content.
3. WS-Security Misconfigurations:Weak or improperly configured WS-Security policies can lead to security lapses. Ensure robust WS-Security configurations including encryption and digital signatures.
4. Token Replay Attacks:Reuse of tokens for unauthorized API requests. Implement mechanisms to detect and prevent token reuse, such as timestamps and nonces.
5. WSDL Exposure: If the WSDL file is exposed to the attackers, they can view detailed information about the API structure and operations, allowing them to craft more targeted attacks.
JSON-RPC and XML-RPC
JSON-RPC and XML-RPC are remote call protocols that use JSON and XML, respectively, to communicate between the client and the server. They send an HTTP request to a server that implements RPC and receives an HTTP response.
Common Vulnerabilities in JSON and XML RPC:
1. Brute Force Attacks: These attacks involve attempting various combinations of user credentials to gain unauthorized access. XML-RPC can be easily leveraged as an entry point for attacks and can execute multiple login attempts rapidly, leading to brute-force attacks.
2. Remote Code Execution: In this attack, attackers can execute malicious code on the server from a remote connection.
GraphQL
GraphQL is a flexible and efficient query language for APIs. It allows the client side to request the exact amount of data required to reduce data over- and underfetching.
Common Vulnerabilities Found in GraphQL APIs
1. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
2. Introspection Attack: It exploits an API’s introspection endpoint to gather information about access tokens, exposing sensitive details that attackers can use to compromise security. Introspection endpoints are designed to validate and retrieve metadata about tokens, such as their scopes, expiration, and the user they represent. If improperly secured, attackers can leverage them to gain unauthorized access or manipulate token data.
Types of API Security Testing
Dynamic API Security Tests
Dynamic API Security Testing involves testing the security of APIs during runtime. It dynamically interacts with the API, sends various requests with different payloads, and observes how the API behaves under different conditions to identify security vulnerabilities.
Running a dynamic API security test simulates an actual API-based attack and surfaces vulnerabilities introduced from both open-source dependencies and the code your team wrote.
OWASP ZAP (Zed Attack Proxy) – It is an open-source web application security scanner designed to find vulnerabilities in web applications and APIs.
Burp Suite – It is a comprehensive web vulnerability scanner that supports both automated and manual testing. It is used for the advanced scanning for API vulnerabilities and support for GraphQL, SOAP, and REST APIs.
SQLMap – It is an open-source penetration testing tool for automating SQL injection detection and exploitation. It supports various types of SQL injection attacks.
Static API Security Tests
Static analysis security testing tools look at the source code of the application to identify potential vulnerabilities. This form of testing looks for patterns in the code that represent potential security concerns. These tools are language-dependent, meaning you have to use a static tool that matches the language your API is written in.
SonarQube – It is an open-source platform that inspects code quality and security.
Checkmarx – It is a comprehensive static application security testing tool that focuses on security vulnerabilities.
Fortify Static Code Analyzer (SCA) – It is a static analysis tool by Micro Focus that identifies security vulnerabilities in source code.
Software Composition Analysis
Software Composition Analysis (SCA) tools look at the dependency tree of your application and match this against a database of known vulnerabilities. Using these tools, you would be alerted if your application or API uses a library or framework with a known vulnerability. With the ever-increasing use of open source in API development, these tools are essential to include in security testing. The limitations of SCA tools are that (1) they generally do not surface if the vulnerability is actually exploitable within your API, and (2) they only capture open-source vulnerabilities, not security bugs your team may have introduced.
Black Duck by Synopsys – Comprehensive SCA tool that identifies open-source components, assesses vulnerabilities, and manages license compliance.
Snyk – Developer-friendly tool that integrates with CI/CD pipelines to detect and fix open-source vulnerabilities in dependencies.
WhiteSource – Tool focused on managing open-source components, identifying vulnerabilities, and ensuring license compliance.
Security Quiz – You can test your knowledge with this Security Testing.
1. What is the primary goal of security testing in API testing?
a) To ensure the API functions as expected b) To verify the API’s security features against potential vulnerabilities c) To check API response times d) To test the user interface of the API
Answer 1
b) To verify the API’s security features against potential vulnerabilities
2. Which of the following is a common security vulnerability in APIs?
a) SQL Injection b) Cross-Site Scripting (XSS) c) Cross-Site Request Forgery (CSRF) d) All of the above
Answer 2
d) All of the above
3. Which attack can occur if an API does not properly validate user inputs?
a) Cross-Site Scripting (XSS) b) Denial of Service (DoS) c) SQL Injection d) Both a and c
Answer 3
d) Both a and c
4. What type of vulnerability can occur if an API leaks sensitive information in error messages?
a) Data Injection b) Information Disclosure c) XML External Entity (XXE) d) Broken Object Level Authorization (BOLA)
Answer 4
b) Information Disclosure
5. Which of these is a common tool used for API security testing?
a) Postman b) Burp Suite c) Swagger d) Selenium
Answer 5
b) Burp Suite
6. Which of the following is NOT a common security mechanism used for APIs?
a) OAuth b) JWT (JSON Web Token) c) SSL/TLS d) XML Parsing
Answer 6
d) XML Parsing
7. What does the term “Rate Limiting” refer to in API security?
a) The process of limiting the number of API requests a user can make within a specified time period b) The restriction of access to a specific set of users based on their IP address c) The process of allowing only authenticated users to access the API d) The encryption of data being sent in API requests
Answer 7
a) The process of limiting the number of API requests a user can make within a specified time period
8. What is the primary purpose of using an API token for authentication?
a) To ensure that the API request is coming from a valid user or system b) To speed up the API response c) To make the API endpoint accessible to everyone d) To increase the load on the server
Answer 8
a) To ensure that the API request is coming from a valid user or system
9. What is the best practice to prevent SQL Injection in API testing?
a) Allowing raw user inputs in the SQL queries b) Using parameterized queries or prepared statements c) Relying only on the database’s built-in security d) Allowing all API inputs
Answer 9
b) Using parameterized queries or prepared statements
10. Which of the following is a technique for testing the authorization of API access?
a) Testing if an API endpoint allows unauthenticated requests b) Testing the validity of an API token c) Ensuring that API responses include proper status codes for unauthorized access (e.g., 401, 403) d) All of the above
Answer 10
d) All of the above
11. What is the significance of encryption in API security?
a) To ensure data integrity by verifying the data is not tampered with b) To ensure data is securely transmitted and cannot be easily read by unauthorized users c) To speed up the API response d) To allow multiple API users to access the same data
Answer 11
b) To ensure data is securely transmitted and cannot be easily read by unauthorized users
12. Which of the following API security measures helps in protecting sensitive data during transmission?
a) Use of HTTPS b) IP Whitelisting c) User Authentication d) Query String Parameters
Answer 12
a) Use of HTTPS
13. What type of attack does Cross-Site Request Forgery (CSRF) typically target in API security?
a) It exploits the trust that a site has in the user’s browser b) It targets the API endpoint to inject malicious code c) It exploits weaknesses in the client-side JavaScript d) It bypasses authentication mechanisms
Answer 13
a) It exploits the trust that a site has in the user’s browser
14. Which method is commonly used to protect sensitive data in APIs during storage?
a) Encryption b) Caching c) Compression d) Rate Limiting
Answer 14
a) Encryption
15. What type of API attack involves sending malicious code through input fields to compromise the server or database?
a) Cross-Site Scripting (XSS) b) SQL Injection c) Man-in-the-Middle (MitM) d) DoS (Denial of Service)
Answer 15
b) SQL Injection
16. Which of the following is a valid security mechanism to prevent API key theft?
a) Store the API key in a local text file b) Use secure methods like OAuth for authentication c) Embed API keys directly in the frontend JavaScript code d) None of the above
Answer 16
b) Use secure methods like OAuth for authentication
17. What is Broken Object Level Authorization (BOLA)?
a) An attack that exploits poor input validation b) A vulnerability where users can access objects they are not authorized to view c) A flaw in API rate limiting implementation d) A security gap caused by misconfigured SSL/TLS settings
Answer 17
b) A vulnerability where users can access objects they are not authorized to view
18. What does the term API spoofing refer to in security?
a) Manipulating API responses to deceive users b) Impersonating a legitimate user or system to gain unauthorized access c) Intercepting API requests and altering data during transmission d) Exploiting an API vulnerability to crash the server
Answer 18
b) Impersonating a legitimate user or system to gain unauthorized access
19. Which of the following is a best practice for securing API endpoints?
a) Using a single access key for all users b) Applying security measures such as authentication, encryption, and authorization for every API request c) Allowing unlimited access to the API without any restrictions d) Not validating input from users
Answer 19
b) Applying security measures such as authentication, encryption, and authorization for every API request
20. Which of the following is an example of an insecure API design practice?
a) Using secure, token-based authentication (OAuth) b) Storing API keys in a public GitHub repository c) Encrypting sensitive data in transit d) Implementing rate limiting
Answer 20
b) Storing API keys in a public GitHub repository
21. What is the primary function of OAuth in API security?
a) To enable public access to APIs b) To authenticate and authorize users securely for API access c) To protect the API server from being overloaded d) To validate data inputs
Answer 21
b) To authenticate and authorize users securely for API access
22. Which HTTP status code indicates that a client is not authorized to access a resource?
a) 200 OK b) 401 Unauthorized c) 500 Internal Server Error d) 404 Not Found
Answer 22
b) 401 Unauthorized
23. Why is it essential to validate API responses?
a) To minimize bandwidth usage b) To detect unauthorized data leakage c) To ensure API compatibility with browsers d) To verify that the API uses REST principles
Answer 23
b) To detect unauthorized data leakage
24. What type of API attack involves overwhelming the server with a massive number of requests?
a) SQL Injection b) XML Injection c) Denial of Service (DoS) d) Man-in-the-Middle (MITM)
Answer 24
c) Denial of Service (DoS)
25. What is the purpose of using CORS (Cross-Origin Resource Sharing) in API security?
a) To block all external access to APIs b) To prevent unauthorized domains from accessing API resources c) To speed up API communication d) To allow unrestricted access to API endpoints
Answer 25
b) To prevent unauthorized domains from accessing API resources
API stands for Application Programming Interface. API testing is a type of software testing that focuses on verifying the functionality, reliability, performance, and security of an Application Programming Interface (API). APIs act as intermediaries that allow different software systems to communicate with each other. Example of an API is the Twitter API. It enables developers to access and interact with Twitter’s platform programmatically. Developers can use the Twitter API to retrieve tweets. They can also post tweets and search for tweets. Additionally, they can manage user accounts and perform various other actions related to Twitter’s services.
API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.
Advantages of API Testing
1. Independent of UI – API testing can detect issues in the early stages of development. It is independent of the GUI. This allows for timely resolution and prevents more significant problems later on.
2. Faster Execution – API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled.
3. Integration with CI/CD Pipelines – API testing can be easily automated. It can be integrated into continuous integration (CI) pipelines. This enables rapid feedback and faster release cycles.
4. Ensures Security – API testing allows for thorough security testing. It includes authentication, authorization, data encryption, and protection against common security vulnerabilities.
5. Language Independent – An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent; therefore, you can use any programming language when writing automated tests for your API.
Tools for API Testing
Postman: A user-friendly tool for manual and automated API testing. It supports automation and CI/CD integration. It includes features for writing test scripts with JavaScript.
SoapUI: Ideal for SOAP and REST API testing. It allows creation of complex test scenarios including assertions and parameterization.
JMeter: It is an Open-source tool primarily used for performance testing but also supports API testing. It provides detailed reports with performance metrics.
Karate: A framework combining API testing and automation. Framework built on top of Cucumber library for BDD-style API testing.
REST Assured: A Java library for testing REST APIs. Offers a DSL (Domain-Specific Language) for writing readable and maintainable test code. It is ideal for integration into Java-based test suites.
What are the testing methods that come under API testing?
1. Unit Testing: It involves testing the smallest functional parts of the API. These include individual endpoints, services, or methods. The purpose is to ensure they work as expected. Unit tests are typically written to validate the behavior and functionality of your code in isolation.
2. Functional Testing: It ensures that the API functions as expected and meets the requirements and specifications. It verifies responses for various inputs and parameters, HTTP status code.
3. Integration Testing: It tests the interaction between different modules or services to ensure they work together as intended. It verifies that APIs properly communicate with other APIs or systems.
4. Load Testing: It evaluates the API’s performance under a specific load to determine its behavior under normal and peak conditions.
5. Stress Testing: In stress testing, the API is subjected to extreme conditions. This evaluates how it handles high traffic, large data volumes, or limited resources.
6. Fuzz Testing: Sends random or unexpected data to the API to see how it responds. Automatically generating malformed or random inputs to test the API’s robustness.
7. Security Testing: It Ensures that the API is secure and can protect data from unauthorized access or attacks. Checks for vulnerabilities such as SQL injection, XSS, and other attack vectors.
8. Usability Testing: Ensures that the API is user-friendly and its endpoints are easy to use. Reviewing API documentation and testing the ease of making requests and interpreting responses.
9. Compliance Testing: Verifies that the API adheres to specific standards, regulations, and guidelines. Ensures adherence to industry standards such as REST, SOAP, or specific compliance requirements (e.g., GDPR, HIPAA).
10. Penetration Testing: Simulates attacks on the API to identify security weaknesses. Identifies vulnerabilities that could be exploited by attackers.
11. Regression Testing: Ensures that recent changes to the API do not affect existing functionality. Running a comprehensive set of tests after a new feature is added to ensure existing functionalities are intact.
12. Interoperability Testing: It ensures compatibility between different software systems or components. It facilitates smooth communication. These systems are often built using varying technologies, platforms, or protocols.
13. End-to-End Testing:It is a process of validating the entire workflow of an application. This is done by testing how APIs interact with other components within the system. For example, Trigger the POST /order API to create an order. Validate the response (e.g., order_id is generated).
What are the major challenges faced in API testing?
1. Output verification and validation – APIs can return responses in different data formats such as JSON, XML, or plain text. Parsing and validating these formats might require additional effort.
2. Security Tokens – APIs may require various types of authentication, such as OAuth, API keys, or JWT tokens. Managing and automating the generation and use of these tokens can be complex.
3. Version Management – Testing different versions of the API can become complex. Ensuring backward compatibility is also challenging. This is especially true if multiple versions are in active use.
4. External Dependencies – When integrating with third-party APIs, several challenges can arise. These challenges relate to their availability, reliability, and version changes. Testers have little control over these factors.
5. Setting Up the Test Environment – APIs often depend on other services or databases. Setting up a fully operational test environment that mimics production can be challenging.
HTML (HyperText Markup Language) is the most basic building block of the Web. It defines the meaning and structure of web content.
<input> elements of type email are used to let the user enter and edit an email address, or, if the multiple attribute is specified, a list of email addresses.
Step 4 – Locate Web Element and Perform Validation
Locates the email input field using “By.id“. Sends an empty string to trigger the form validation. Retrieves the validation message using “getAttribute(“validationMessage”)“.
Welcome to the DevOps Quiz! This blog post features answers to DevOps questions that explore key DevOps concepts, covering foundational principles and commonly used tools in a typical DevOps pipeline.
3) a) DevOps is only suitable for start-up companies
4) c) Blue-Green Deployment
Blue-Green Deployment involves two parallel environments – Blue (current production) and Green (clone of production). New code is deployed to the Green environment and, once tested and verified, traffic is switched to it.
5) c) Tracking changes to source code
A VCS like Git allows developers to track and manage changes to source code, facilitating collaboration and version management.
6) c) Terraform
Terraform is a widely-used tool for defining and providing cloud infrastructure using a declarative configuration language. It enables Infrastructure as Code (IaC) practices for cloud resources.
7) b) Continuous Integration
Continuous Integration (CI) is a DevOps practice where developers integrate code into a shared repository several times a day. It encourages more frequent code integrations and testing.
8) c) Grafana
Grafana is an open-source platform for monitoring and observability. It’s commonly used to visualize metrics from time-series databases.
9) b) Infrastructure components that are never updated once deployed
Immutable Infrastructure refers to an approach where once infrastructure components are deployed, they are never modified. Instead, if changes are needed, new instances are created to replace the old ones.
10) c) Configuration Management
Configuration Management involves the use of tools and practices to automate the provisioning and management of servers, ensuring that they maintain the desired state over time.
11) d) Ansible
12) d)Infrastructure as code and configuration management tools that enable the programmers in changing the environments themselves
13) b) No
14) c) Archetype
15) c) Telemetry is the process of recording the behaviour of your systems.
16) c) Reproducible and version-controlled infrastructure changes.
17) c) Implementing automated Dependency Scanning in the CI/CD pipeline.
18) d) Allows flexibility to choose the best environment for specific workloads.
19) d) Enables reproducible and consistent deployments with pre-built images.
20) b) Siloed Development, as breaking down organizational silos is a key aspect of fostering collaboration and efficiency in DevOps.
21) d) Both a) and b)
22) d) All of the above
23) a) Changes deployed by creating new instances with the updates applied, modifying existing instances directly.
24) a) Developers collaborate on code in a single branch called “trunk”.
25) b) Never mix test driven development (TDD) together with your test automation approach.
Welcome to the DevOps Quiz! This blog post features more than 20 multiple-choice questions that explore key DevOps concepts, covering foundational principles and commonly used tools in a typical DevOps pipeline.
1. What are the key components of DevOps?
Select the best answer
a) Continuous Testing b) Continuous Integration c) Continuous Delivery & Monitoring d) All of the above
3. Which one of the following statements about DevOps is incorrect?
Choose one option
a) DevOps is only suitable for start-up companies b) DevOps is suitable for brownfield software products and services c) DevOps is suitable for greenfield software products and services d) Some of the most exemplary DevOps initiatives started in companies with giant and mature IT organizations
9. What does the term “Immutable Infrastructure” refer to?
Choose one option
a) Infrastructure that can be easily changed and adapted b) Infrastructure components that are never updated once deployed c) Frequently changing infrastructure d) Infrastructure that is resistant to hacker attacks
12. Which tooling can best be used to automate the building and configuration of environments?
Choose one option
a) A ticketing system for the provision of a development, test or acceptance environment ​ b) A tool that copies the production environment settings to the development, test and acceptance environments c) Configuration files per environment that are manually distributed and maintained in order to keep the environments in sync d)Infrastructure as code and configuration management tools that enable the programmers in changing the environments themselves
a) Telemetry is a widely known SaaS tool to plan and execute DevOps projects. b) Telemetry is a communication tool used by DevOps teams at geographically distributed locations. c) Telemetry is the process of recording the behaviour of your systems. d) Telemetry is a tool to design, code and execute automated unit tests.
16. The DevOps team at Innovation Solutions is adopting Infrastructure as Code (IaC) for managing their cloud infrastructure. What is a key advantage of using IaC in terms of infrastructure provisioning and configuration?
Choose one option
a) Manual intervention for each infrastructure change. b) Infrastructure changes performed only by the operations team. c) Reproducible and version-controlled infrastructure changes. d) Infrastructure changes documented in a separate manual document.
17. As a DevOps engineer at AWS DevOps Certification Services, you are tasked with improving the security posture of the CI/CD pipeline. What security practice should be implemented to detect and address vulnerabilities in third-party dependencies during the build process?
Choose one option
a) Manual code review by security experts. b) Regularly updating dependencies without security analysis. c) Implementing automated Dependency Scanning in the CI/CD pipeline. d) Ignoring third-party dependencies to prioritize faster builds.
18. The DevOps team at DevOps Foundation Inc (Part of DevOps Institute) is considering the adoption of a hybrid cloud strategy. What is a key advantage of a hybrid cloud approach compared to a purely on-premises or public cloud solution?
Choose one option
a) Reduced flexibility in choosing cloud providers. b) Higher costs associated with data transfer between on-premises and the cloud. c) Optimized for either fully on-premises or fully public cloud solutions. d) Allows flexibility to choose the best environment for specific workloads.
19. The DevOps team at Microsoft DevOps Azure Solutions is implementing automated deployment pipelines. What is a key advantage of using immutable infrastructure in the deployment process?
a) Requires manual configuration for each deployment. b) Allows for in-place updates to running infrastructure. c) Minimizes consistency across different environments. d) Enables reproducible and consistent deployments with pre-built images.
20. Devops supports the elimination of _ because it can hamper collaboration, operations and morale within the company.
Choose one option
a) Excessive Documentation, which tends to create bottlenecks and hinder effective communication. b) Siloed Development, as it impedes the flow of information and slows down the overall delivery process. c) Traditional Waterfall Methodology, which lacks agility and responsiveness to changing requirements. d) Manual Testing Practices, as they introduce delays and are prone to human errors.
21. How does DevOps impact security of an application or machine?
a) Security is increased by including it earlier in the process. b) Security is increased because of the automation process. c) Security is reduced because of the automation process. d) Both (a) and (b)
23. Certain companies utilize immutable deployment, in which changes to the system are _ as opposed to _.
a) Changes deployed by creating new instances with the updates applied, modifying existing instances directly. b) Changes are temporarily implemented, allowing adjustments post-deployment. c) Changes are dynamically applied, enabling real-time system modifications. d) Changes are stored in a separate environment for future manual application.
a) Developers collaborate on code in a single branch called “trunk”. b) Trunk is a special private branch in a developer workstation. c) Trunk is the process of merging code in DevOps deliveries. d) Trunk is a special source code version controlling system which stores mission critical special projects of your DevOps organization.
25. Which one of the following is not one of the DevOps principles for good test automation?
a) Test Automation should give quick and early feedback about your quality of work. b) Never mix test driven development (TDD) together with your test automation approach. c) Tests should generate consistent, deterministic and repeatable results provided same conditions for different test runs. d) With your test automation, avoid slow and periodic feedback. What you need is fast feedback whenever you or your developer attempts to check-in code to your trunk.
API stands for Application Programming Interface. APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. Example of an API is the Twitter API. It enables developers to access and interact with Twitter’s platform programmatically. Developers can use the Twitter API to retrieve tweets. They can also post tweets, search for tweets, and manage user accounts. Additionally, developers can perform various other actions related to Twitter’s services.
API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.
2. What is API Testing?
API testing is a type of software testing that focuses on verifying the functionality, reliability, performance, and security of an application programming interface (API). Since APIs don’t have a GUI, API testing is performed at the message layer of the system.
3. What are the advantages of API Testing?
1. Independent of UI – API testing can detect issues in the early stages of development. It is independent of the GUI. This allows for timely resolution and prevents more significant problems later on.
2. Faster Execution – API tests typically take less time than functional GUI testing. GUI testing takes longer because the web components need to be polled.
3. Integration with CI/CD Pipelines – API testing can be easily automated. It can be integrated into continuous integration (CI) pipelines. This enables rapid feedback and faster release cycles.
4. Ensures Security – API testing allows for thorough security testing. It includes authentication, authorization, data encryption, and protection against common security vulnerabilities.
5. Language Independent – An API test uses XML or JSON to exchange data. These transfer modes are not language-dependent; therefore, you can use any programming language when writing automated tests for your API.
4. How is API testing different from UI testing?
API Testing
UNIT Testing
API is owned by QA team
Unit testing is owned by development team
API testing primarily involves testing the functionality of APIs without knowledge of their internal implementation details, making it a form of black-box testing.
Unit Testing is white box testing. In unit testing, the tester typically has knowledge of the internal workings of the code being tested.
It tests the integration and interaction between multiple units or components, typically involving larger portions of the codebase.
Unit tests are more granular and targeted, verifying the behavior of individual functions or methods.
It often involves testing the interaction between different components, services, or systems, including external dependencies such as databases or third-party APIs.
Unit tests typically focus on testing a single unit of code in isolation from its dependencies. It uses the techniques like mocking, stubbing, dependency injection.
API Testing can be conducted in various environments, including development, staging, and production, as long as the APIs are accessible.
Unit Tests can be generally conducted within the development environment or on developers’ local machines.
5. What are the types of APIs?
SOAP APIs
These APIs use Simple Object Access Protocol. Client and server exchange messages using XML. This is a less flexible API that was more popular in the past.
RPC APIs
These APIs are called Remote Procedure Calls. In RPC communication, the client program sends a request to the server program, specifying the procedure or function to be executed and any required parameters. The server receives the request, executes the specified procedure, and sends back the result to the client.
RPC APIs can use various communication protocols for transmitting data between the client and server, including HTTP, TCP/IP, and UDP. Examples of RPC APIs include XML-RPC, JSON-RPC, gRPC, and Microsoft’s Distributed Component Object Model (DCOM).
Websocket APIs
Websocket API is another modern web API development that uses JSON objects to pass data. A WebSocket API supports two-way communication between client apps and the server. The server can send callback messages to connected clients, making it more efficient than REST API.
REST APIs
These are the most popular and flexible APIs found on the web today. The client sends requests to the server as data. The server uses this client input to start internal functions and returns output data back to the client.
GraphQL APIs
GraphQL is a query language and runtime for APIs developed by Facebook. GraphQL APIs enable clients to request only the data they need using a single endpoint and a flexible query syntax. They provide more flexibility and efficiency compared to traditional REST APIs for fetching and manipulating data.
Database APIs
These APIs provide access to databases, allowing applications to perform CRUD (Create, Read, Update, Delete) operations on data stored in the database. Examples include JDBC (Java Database Connectivity) for Java applications and SQLAlchemy for Python applications.
6. Mention a few common tools used for API testing.
1. Postman: A popular tool for designing, testing, and documenting APIs. It provides a user-friendly interface for sending requests, inspecting responses, and automating tests.
2. Swagger: A widely used tool for designing, building, and documenting RESTful APIs. It provides a visual editor for designing API contracts and generating documentation.
3. SoapUI/ReadyAPI: It is a comprehensive tool for testing SOAP and RESTful APIs. It supports various protocols, message formats, and authentication methods and provides advanced testing features such as data-driven testing and security testing.
4. JMeter: Apache JMeter is a popular open-source tool for performance testing and load testing of web applications, including APIs. While it’s primarily known for its performance testing capabilities, JMeter can also be used for API testing by sending HTTP requests and analyzing responses.
5. REST Assured: REST Assured is a Java library for testing RESTful APIs. It provides a domain-specific language (DSL) for writing expressive and readable API tests, making it popular among Java developers for automated API testing.
7. What is the difference between RESTful API and SOAP API?
Rest API
SOAP API
RESTful API follows the principles of Representational State Transfer (REST) and typically uses HTTP methods such as GET, POST, PUT, and DELETE for operations.
SOAP is a protocol with specific requirements and infrastructure. It involves strict rules for data exchange and the structure of messages.
Supports multiple data formats such as JSON, XML, HTML, and plain text. JSON is the most commonly used format due to its simplicity and ease of use with JavaScript.
Primarily uses XML to format messages. The structure of the message is heavyweight and includes elements like Envelope, Header, and Body.
Typically uses HTTP/HTTPS for communication.
Uses HTTP/HTTPS, SMTP, and other protocols.
It is faster and more scalable due to its stateless nature and caching capabilities.
It is generally slower due to the verbosity of XML and the need to process extensive SOAP headers.
Custom security features like OAuth, JWT.
Built-in security features like WS-Security for secure messaging.
Best suited for web and mobile applications where performance, scalability, and simplicity are required.
Ideal for enterprise applications that require high security, reliability, and compliance with strict protocols.
8. What is an API endpoint?
An API endpoint is a specific URL that is exposed by an API to allow applications to interact with a system by performing various operations, such as creating, reading, updating, or deleting data. Each endpoint represents a unique path to a resource or a set of resources within the system that the API provides access to.
Characteristics of API Endpoint
URL Path: A specific URL for accessing resources or performing actions in an API. Example: “https://api.example.com/users“
HTTP Methods: Different methods (GET, POST, PUT, DELETE) define actions on the endpoint.
Parameters: Endpoints can include query, path parameters, headers, and request bodies. Example: “https://api.example.com/users?page=2&limit=20“ uses query parameters to paginate the list of users.
Responses: Contain status codes and data returned by the server.
9. What are the core components of an HTTP request?
An HTTP request contains five key elements:
An action showing HTTP methods like GET, PUT, POST, and DELETE.
Uniform Resource Identifier (URI), which is the identifier for the resource on the server.
https://www.qaautomation.expert
HTTP Version, which indicates HTTP version, for example-HTTP v1.1.
Request Header, which carries metadata (as key-value pairs) for the HTTP Request message. Metadata could be a client (or browser) type, format supported by the client, format of a message body format, cache settings, and so on.
9. Mention common HTTP methods used in API testing
GET: Used to retrieve data or resources from an API.
POST: Used to create new data or resources on an API.
PUT: Used to update existing data or resources on an API.
DELETE: Used to delete data or resources from an API.
PATCH: Used to update existing data or resources on an API partially.
10. What is the difference between POST and PUT?
POST
PUT
It is used to create a new resource on the server.
It is used to update an existing resource or create one if it does not exist (depending on the context and implementation).
It is not idempotent. Making the same `POST` request multiple times can result in multiple resources being created with different identifiers.
It is Idempotent. Making the same `PUT` request multiple times will have the same effect as making it once. The resource will be created or updated to the same state.
11. What is the purpose of HTTP status codes in API testing?
The purpose of HTTP status codes in API testing is to indicate the outcome of an API request that whether the request is successfully processed, encountered an error or needs further action. Status codes are three-digit numbers included in the response message from the server to provide information about the result of the request.
HTTP status codes clearly communicate the outcome of an HTTP request. They enable clients and APIs to understand the result of their interactions without ambiguity.
1xx (100 – 199): The response is informational
2xx Success: The request was successfully received, understood, and accepted (e.g., 200 OK, 201 Created).
3xx Redirection: Further action is needed to fulfill the request (e.g., 301 Moved Permanently, 302 Found).
4xx Client Errors: The request contains incorrect syntax or cannot be fulfilled (e.g., 400 Bad Request, 401 Unauthorized).
5xx Server Errors: The server failed to fulfill a valid request (e.g., 500 Internal Server Error, 503 Service Unavailable).
12. What is the purpose of authentication in API testing?
Authentication in API testing is a critical component that ensures secure and controlled access to the API endpoints.
Authentication prevents unauthorized users or systems from accessing the API, thereby protecting sensitive data and operations. Ensures that data is only accessible to authenticated users, protecting it from unauthorized exposure.
Supports compliance with regulations that require user authentication, such as GDPR, HIPAA, and others.
13. What are some common authentication methods used in API testing?
1.Basic Authentication: This involves sending the username and password as part of the API request headers, encoded in base64 format.
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
2. Token-Based Authentication: This method issues a token to the client after successful authentication. The client then includes this token in subsequent API requests for authorization.
3. OAuth: This is a widely used authorization framework. It allows for the delegation of access rights from one entity to another. Credentials are not shared. It uses access tokens obtained via authorization servers.
4. API Keys: It is simple tokens that map to a specific user or application. It is sent as a header, query parameter, or part of the request body.
x-api-key: YOUR_API_KEY
14. What are the different types of error responses in API testing?
1. HTTP error status codes: These are standard HTTP status codes, such as 4xx and 5xx codes, that indicate errors in the API request or response. Some of the examples are
400 Bad Request: The server could not understand the request due to invalid syntax. Possible reasons include malformed request syntax, invalid request message framing, or deceptive request routing.
401 Unauthorized: The request requires user authentication. This means the request lacks valid authentication credentials for the target resource.
403 Forbidden: The server understood the request but refuses to authorize it. This is usually due to insufficient permissions.
404 Not Found: The server cannot find the requested resource. This could mean the endpoint is incorrect or the resource has been deleted.
405 Method Not Allowed: The request method is known by the server but has been disabled and cannot be used. For example, a request method is not supported by that resource.
409 Conflict: There is a conflict with the current state of the resource. This code is used in situations where the request could not be processed because of conflict in the request.
429 Too Many Requests: The user has sent too many requests in a given amount of time (“rate limiting”).
2. Custom error responses: These are custom error messages or error objects returned by the API in case of errors or exceptions. These custom responses provide meaningful and detailed information that helps users and developers understand the nature of the error, the possible cause, and potential ways to resolve it. Example: Providing guidance like “Invalid input: Email field cannot be empty” is more helpful than a vague error message.
15. What is API mocking, and why is it used in API testing?
API mocking simulates the behavior of an API endpoint during testing. It does this without actually invoking the real API. This mock API can be configured to return predefined responses for specified requests. API mocking is particularly useful in various scenarios for both development and testing purposes.
1. Independent Development: Mock APIs allow front-end developers to work independently from back-end developers. They can simulate responses from the back end before the actual API is fully developed or functional.
2. Cost Management: When dealing with third-party APIs that bill based on usage, it can be cost-effective to use mock APIs during development. This approach reduces unnecessary expenses.
3. Simulation of Edge Cases: Mocking can be used to simulate different scenarios, including error cases and rare conditions that may be complex to reproduce with the actual API.
16. How do you perform load testing on APIs?
Load testing on APIs can be performed by simulating a large number of concurrent users or requests to the API endpoint using load testing tools or frameworks. The goal is to ensure that the API remains responsive and functional under stress.
Tools such as JMeter, Gatling, and k6 are popular open source tool for load testing APIs.
Tools like LoadRunner, BlazeMeter, and NeoLoad offer advanced features and support for various protocols.
Load Testing is used to identify performance bottlenecks, such as slow database queries, resource contention, or inefficient code. Implement fixes or optimizations based on the findings and rerun load tests to verify improvements.
Integrate load testing into the continuous integration/continuous deployment (CI/CD) pipeline to run tests automatically with each release.
Generate detailed reports summarizing the test results, including metrics, observations, and insights.
17. What is API security testing, and why is it important?
API security testing is a process of carefully evaluating API endpoints to identify and remediate vulnerabilities such as fuzzy input, parameter tampering, or injection attacks.
Why is API Security Testing Important?
1.Protection of Sensitive Data: APIs often handle sensitive information (user data, payment details). Security testing ensures compliance with data protection laws (e.g., GDPR, HIPAA). This protects data integrity and avoids potential reputational damage and the loss of customer trust.
2.Ensuring Service Availability: Malicious actors can exploit vulnerabilities to launch Denial-of-Service (DoS) attacks. They can overwhelm your APIs, making them unavailable to legitimate users. Securing APIs helps prevent downtime or service interruptions caused by security incidents.
3. Improving Stakeholder Trust: Customers and partners entrust the company with their data when they interact with their APIs. Regular security testing demonstrates your commitment to data protection, strengthening business relationships, and fostering customer confidence in your services.
18. What are the common security vulnerabilities found in API?
1. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
2. Brute Force Attacks: These attacks involve attempting various combinations of user credentials to gain unauthorized access. XML-RPC can be easily leveraged as an entry point for attacks and can execute multiple login attempts rapidly, leading to brute-force attacks.
3. Session Management Issues:Inadequate Session Management issues can lead to Authorization vulnerabilities.
4. Cross-Site Scripting (XSS): Injecting malicious scripts into API responses that can be executed in the client’s browser. An attacker injecting JavaScript into a response that steals session cookies.
5. WSDL Exposure: If the WSDL file is exposed to the attackers, they can view detailed information about the API structure. This information includes the operations. This allows attackers to craft more targeted attacks.
6. Cross-Site Request Forgery: This attack tricks a user into unknowingly executing unwanted actions. It happens on a web application where they are authenticated. It leverages the trust that a website has in the user’s browser. This can result in unauthorized actions like changing account settings, transferring funds, or deleting data.
7. Introspection Attack: It exploits an API’s introspection endpoint to gather information about access tokens, exposing sensitive details that attackers can use to compromise security. Introspection endpoints are designed to validate and retrieve metadata about tokens, such as their scopes, expiration, and the user they represent. If improperly secured, attackers can leverage them to gain unauthorized access or manipulate token data.
19. How to perform API Security testing?
1.SQL Injection – SQL Injection attacks are successful when the database processes the unsanitized API input. Hence, testing the REST API for any SQL Injection bugs is important. Try providing SQL commands in the input like:
'or 1=1--
"and 1=1--
2. Command Injection: Various OS commands can also inject API inputs, which are then executed on the server. However, the commands for different Operating systems(Windows, Linux, etc.) would differ. For Example, Redirecting output or appending data to files.
echo "malicious" >> /var/www/html/index.html
rm file.txt; cat /etc/passwd
The shell executes rm file.txt, deleting file.txt from the system. After deleting the file, the shell executes cat /etc/passwd, displaying the contents of the /etc/passwd file in the terminal.
3. Authentication Testing – Test whether the API properly implements authentication. Try to access the endpoint without using the authentication or invalid credentials.
JWT:Ensure tokens are signed, valid, and not modifiable
Basic Authentication: Validate if credentials are encrypted.
OAuth2/OpenID Connect: Verify token management (generation, expiration, and revocation).
4. Authorization Testing – Make sure that the users can only access resources they are authorized for. Test role-based access control (RBAC) or permission-based controls.
5. Rate Limiting and Throttling – Rate Limiting is a process of limiting the number of requests that can be sent to an API within a specific time. Testing for it means verifying that all the limits are properly set and enforced on all APIs. Simulate a high volume of requests to test the API’s resilience against Distributed Denial of Service (DDoS) attacks.
6. Discovering Zombie APIs – Zombie APIs are old or unused APIs that are still active but not updated or maintained. As they are not maintained, zombie APIs can lead to security risks and can be exploited for vulnerabilities.
Common Tests to Assess Zombie APIs:
Test for data accessed by zombie APIs(user data, financial data, etc.)
Test for Authentication and Authorization.
Test for weak encryption implementation.
Test for known vulnerabilities or CVEs.
20. What is the purpose of the request and response headers in API testing?
Request and response headers in API testing are used to transmit additional information about the request or response. Request headers can be used to specify a content type, authentication, caching, language preferences, etc.
Headers like Authorization include tokens, API keys, or credentials.
Specify the desired data format for the request or response.
Control or bypass caching mechanisms.
Response headers are sent by the server to the client, containing metadata about the response and instructions for handling it.
Specify the format and encoding of the response body.
Provide caching policies for the client to optimize performance.
Inform the client about rate limits or remaining quota.
Specify which origins are allowed to access the resource.
21. What is the purpose of query parameters in API testing?
Query parameters in API testing are used to pass additional parameters in the URL of an API request. These parameters are used to customize the behavior of the API request, such as filtering, sorting, or paginating results.
Pagination – APIs use query parameters to manage large datasets by breaking them into smaller chunks (pages).
https://api.example.com/items?page=2&limit=50
It returns the second page of results with 50 items per page.
Filtering Data – Query parameters are commonly used to filter the data returned by an API.
It will display products in the “electronics” category with a price less than $1000.
22. What are the major challenges faced in API testing?
Output verification and validation – APIs can return responses in different data formats like JSON, XML, or plain text. Parsing and validating these formats might require additional effort.
Security Tokens – APIs may require various types of authentication, such as OAuth, API keys, or JWT tokens. Managing and automating the generation and use of these tokens can be complex.
Version Management – Testing different versions of the API and ensuring backward compatibility can become complex, especially if multiple versions are in active use.
External Dependencies – When integrating with third-party APIs, there can be challenges related to their availability, reliability, and version changes over which testers have little control.
Setting Up the Test Environment – APIs often depend on other services or databases. Setting up a fully operational test environment that mimics production can be challenging.
23. What are the testing methods that come under API testing?
1. Unit Testing: It involves testing the smallest functional parts of the API, such as individual endpoints, services, or methods, to ensure they work as expected. Unit tests are typically written to validate the behavior and functionality of your code in isolation.
2. Functional Testing: It ensures that the API functions as expected and meets the requirements and specifications. It verifies responses for various inputs and parameters, HTTP status code.
3. Integration Testing: It tests the interaction between different modules or services to ensure they work together as intended. It verifies that APIs properly communicate with other APIs or systems.
4. Load Testing: It evaluates the API’s performance under a specific load to determine its behavior under normal and peak conditions.
5. Stress Testing: Subjects the API to extreme conditions to evaluate how it handles high traffic, large data volumes, or limited resources.
6. Fuzz Testing: Sends random or unexpected data to the API to see how it responds. Automatically generating malformed or random inputs to test the API’s robustness.
7. Security Testing: It Ensures that the API is secure and can protect data from unauthorized access or attacks. Checks for vulnerabilities such as SQL injection, XSS, and other attack vectors.
8. Usability Testing: Ensures that the API is user-friendly and its endpoints are easy to use. Reviewing API documentation and testing the ease of making requests and interpreting responses.
9. Compliance Testing: Verifies that the API adheres to specific standards, regulations, and guidelines. Ensures adherence to industry standards such as REST, SOAP, or specific compliance requirements (e.g., GDPR, HIPAA).
10. Penetration Testing: Simulates attacks on the API to identify security weaknesses. Identifies vulnerabilities that could be exploited by attackers.
11. Regression Testing: Ensures that recent changes to the API do not affect existing functionality. Running a comprehensive set of tests after a new feature is added to ensure existing functionalities are intact.
24. Why is API testing considered as the most suitable form for Automation testing?
API testing is now preferred over GUI testing and is considered as most suitable because:
1. APIs serve as the communication layer between different software components. By testing APIs, issues can be identified early in the development process before the UI is developed.
2. APIs tend to be more stable and less prone to frequent changes compared to the user interface (UI). This stability makes API tests more reliable and less likely to break with minor updates.
3. API tests are generally faster to execute. They are quicker because API tests do not require the overhead of rendering the user interface, unlike UI tests.
4. API tests do not depend on the UI, they can be executed even when the UI is not available or under development. This independence allows for continuous testing throughout the development cycle.
5. API tests focus on the core business logic and data layer, which are crucial for the functionality of the application. This ensures that the critical components are thoroughly tested.
6. APIs are ideal candidates for automation within CI/CD pipelines. Automated API tests can be seamlessly integrated into build and deploy processes, providing rapid feedback and ensuring continuous testing.
25. What type of bugs would often found in API testing?
1. Incorrect Response Data: API returns incorrect data due to logic errors.
2. Missing or Extra Fields: Response JSON or XML missing required fields or containing unexpected fields.
3. Incorrect Status Codes: API endpoints returning incorrect HTTP status codes (e.g., 200 OK for an error condition).
4. Unexpected Behavior: API does not perform operations as expected (e.g., CRUD operations not working correctly).
5. Slow Response Times: API takes too long to respond under normal or load conditions.
6. Throughput Issues: API cannot handle expected load, leading to reduced throughput.
7. Resource Utilization: High CPU, memory, or network usage during API requests.
8. Injection Attacks: Susceptibility to SQL, NoSQL, and other forms of injection attacks.
9. Cross-Site Scripting (XSS): API responses containing unescaped data leading to XSS vulnerabilities.
10. Authentication Issues: Failure to correctly implement authentication mechanisms (e.g., missing or expired tokens not handled properly).
26. What are the principles of an API test design?
1. Understand the API Specifications: Review the API documentation to understand the endpoints, request/response formats, parameters, authentication mechanisms, status codes, and error messages.
2. Identify Test Scenarios:
Positive Tests: Test with valid inputs to ensure the API returns the expected responses.
Negative Tests: Test with invalid inputs or boundary values to ensure the API handles errors gracefully and returns appropriate error messages.
Edge Cases: Consider unusual or extreme cases, such as very large inputs, empty inputs, or special characters.
Error Scenarios: Test the API’s behavior when it encounters errors, such as network failures, timeouts, or invalid inputs.
Logging and Monitoring: Ensure that the API has proper logging and monitoring to help diagnose and troubleshoot issues.
3. Execution: Send API requests with defined parameters, methods, and data, and observe how the system behaves.
4. Verification & Reporting: Validate the response against expected results, including status codes, response data, and schema. Document test outcomes, marking them as passed, failed, or blocked based on validation results.
5. Performance and Load Testing: Test how well the API scales under load and how it performs under peak traffic conditions.
6. Security Testing: Test that the API properly handles authentication and authorization and does not expose sensitive data.
7. Cleanup: Return the environment to its pre-test state, such as deleting test data or stopping services.
27. Can API tests run in CI/CD pipeline
Yes, API tests can and should run in a Continuous Integration/Continuous Deployment (CI/CD) pipeline to ensure the quality and reliability of your software.
Implementation Steps
1. Write and Prepare the API Tests: API Tests should be written using the suitable tools like Postman, Rest Assured, JUnit and JUnit for Java and PyTest for Python language.
2. Setup CI/CD Pipeline: CI/CD platform such as Jenkins, GitHub Actions, GitLab CI, or others can be used. example GitHub Actions workflow file to run API tests using Postman and Newman:
name: API Tests
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up Node.js
uses: actions/setup-node@v2
with:
node-version: '14'
- name: Install Newman
run: npm install -g newman
- name: Run API tests with Newman
run: newman run test.json
3. Handle Test Results: CI/CD pipeline is configured to handle and report test results. Many CI/CD tools can integrate with test reporting tools for detailed results and logs.
4. Configure Notifications or Alerts: Configure notifications (e.g., emails or Slack messages) to alert the team when tests fail. This ensures that any issues are promptly addressed.
By integrating API tests into your CI/CD pipeline, you can automatically verify the stability and reliability of your APIs with each code change.
28. What is the difference between Authentication and Authorization in API testing?
Authentication – Authentication is the process of verifying the identity of a user or system attempting to access the API. It ensures that the person or system making the API request is who they claim to be.
Example – A user logs in to a banking API using their credentials and receives a token.
Common Methods:
API Keys: A unique identifier sent with the request to validate the user or application.
Username and Password: Basic authentication.
OAuth Tokens: Access tokens issued after a successful login.
Multi-Factor Authentication (MFA): Combining two or more methods (e.g., password + OTP).
JWT (JSON Web Token): A token that securely transmits user identity
{
"token": "eyJhbGciOiJIUzI1NiIsInR..."
}
Authorization – Authorization is the process of verifying whether an authenticated user has the necessary permissions. This process checks if they can access specific resources or perform certain actions
Example – The same user tries to transfer money to another account. The API checks if the user’s role allows this action. If the user doesn’t have sufficient permissions, the API denies the request.
Common Methods:
Role-Based Access Control (RBAC): Permissions based on user roles (e.g., Admin, User).
Policy-Based Access Control (PBAC): Custom policies to determine access rights.
Scopes in OAuth: Limit the actions that a token allows (e.g., read-only, full access).
29. Can API testing be automated? If yes, how?
Yes, API testing can be automated using tools like RestAssured, Postman, or TestNG. Test scripts can be written to send requests and validate the response. Assert the following in your tests:
1. Status Codes (e.g., 200 OK, 401 Unauthorized). 2. Response Body: Check for required fields and values. 3. Headers: Validate Content-Type, Cache-Control, etc. 4. Performance: Measure response times.
Below is an example of automated test scripts using Java with Rest Assured.
import io.restassured.http.ContentType;
import org.json.JSONObject;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalTo;
public class APITests {
String BaseURL = "https://reqres.in/api";
@Test
public void getUser() {
// GIVEN
given()
.contentType(ContentType.JSON)
// WHEN
.when()
.get(BaseURL + "/users/2")
// THEN
.then()
.statusCode(200)
.body("data.first_name", equalTo("Janet"))
.log().all();
}
}
These tests can be run as part of CI/CD pipelines using GitLab, GitHub, Jenkins and many more.
30. What is the difference between synchronous and asynchronous APIs?
Synchronous APIs: The client waits for the server to process the request and send back a response. Request and response happen in the same thread. The client is blocked until a response is received.
Suitable for real-time, sequential tasks where the response is required immediately (e.g., login authentication). Commonly uses HTTP/HTTPS with immediate response (e.g., REST APIs).
Use Case Examples**:
- Login authentication: The client needs the server's response before proceeding.
- Fetching data: The client requires the result immediately to display to the user.
Asynchronous APIs: The client sends a request and continues processing without waiting for the server’s response. Request and response happen in separate threads or processes. The client continues processing while waiting for the response.
Suitable for long-running processes or tasks that do not require an immediate response (e.g., batch processing). Often uses WebSockets, Message Queues, or event-driven systems (e.g., Webhooks).
**Use Case Examples**:
- File upload or processing: The server processes the file and sends a notification when done.
- Notification systems: Sending push notifications to multiple devices.
9. What is the purpose of using the PageFactory class in Selenium?
Choose one option
a) To find elements on a page using CSS selectors b) To manage the browser cookies c) To initialize web elements defined in a Page Object class d) To handle browser pop-ups
10. Which WebDriver method is used to wait until a web element is visible on the page?
Choose one option
a) driver.waitForElement()
b) new WebDriverWait().until(ExpectedConditions.elementToBeClickable())
c) Thread.sleep()
d) new WebDriverWait().until(ExpectedConditions.visibilityOfElementLocated())
15. How can data-driven tests be achieved in Selenium with TestNG?
Choose one option
a) By using the @DataProvider annotation b) By using the @DataDriven annotation c) By using the @Test annotation with parameters attribute d) By using the @TestData annotation
16. How can you run Selenium tests in parallel using TestNG?
Choose one option
a) Modify the test class constructor b) Use the synchronized keyword c) Configure the testng.xml file with parallel execution settings d) Use the parallel=true annotation
20. When integrating Selenium with a CI/CD pipeline, what is the role of the Headless browser mode?
Choose one option
a) To execute browser tests without a graphical user interface, reducing resource consumption b) To run tests exclusively on mobile devices c) To make browsers invisible while the graphical interface is still running d) To configure user sessions on virtual machines
21. How can you store sensitive information, such as Selenium Grid credentials, securely in GitHub Actions?
a) Directly hardcode the credentials into the YAML file b) Use GitHub Secrets to store and access sensitive information c) Email the credentials to team members d) Store the credentials in a public repository
It is not possible to test APIs or web services directly using Selenium WebDriver. Selenium is primarily designed for automating web browser interactions and performing functional testing of web applications by simulating user actions.
3) b) No
4) b) No
5) a) Yes
6) a) Yes
By using testing frameworks such as TestNG or JUnit, you can configure and run your Selenium tests in parallel.
7) b) No
Selenium cannot handle security testing on its own. However, it can assist in certain aspects of security testing when integrated with specialized security tools.
8) a) Yes
9) c) To initialize web elements defined in a Page Object class
10) d) new WebDriverWait().until(ExpectedConditions.visibilityOfElementLocated())
11) d) Actions.contextClick(element)
12) b) ((TakesScreenshot) driver).getScreenshotAs(OutputType.FILE)
13) a) Yes
14) a) Yes
15) a) By using the @DataProvider annotation
16) c) Configure the testng.xml file with parallel execution settings
17) a) Jenkins
18) a) HTML Publisher Plugin
19) c) Cross-Browser Testing
20) a) To execute browser tests without a graphical user interface, reducing resource consumption
21) b) Use GitHub Secrets to store and access sensitive information
22) a) Yes
23) b) No
Selenium is not designed for performance testing. For performance testing, specialized tools such as JMeter, Gatling, and LoadRunner are more appropriate.
24) b) No
Selenium does not have inbuilt functionality specifically for testing Excel files. We can use external libraries in conjunction with Selenium to work with Excel files, like Apache POI.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
What is the JSON Web Token structure?
JSON Web Tokens consist of three parts separated by dots (.), which are:
Header: Contains metadata about the token, such as the algorithm used.
{
"typ":"JWT",
"alg":"HS256"
}
Payload: Contains claims, like subject, issuer, expiration, etc.
1. The JWT.decode() method from the auth0 library decodes the token into its components without verifying the signature.
DecodedJWT decodedJWT = JWT.decode(jwtToken);
2. Retrieving Components:
Header: The Base64Url-encoded header. Payload: The Base64Url-encoded payload. Signature: The cryptographic signature. getSubject() extracts the sub claim (subject). getIssuer() extracts the iss claim (issuer).
3. The Base64.getUrlDecoder() decodes the Base64Url-encoded header and payload into human-readable JSON strings.
String decodedHeader = new String(java.util.Base64.getUrlDecoder().decode(header));
String decodedPayload = new String(java.util.Base64.getUrlDecoder().decode(payload));
1. The DecodedJWT.getSubject() and DecodedJWT.getIssuer() methods already extract and decode the claims. The attempt to decode them manually as Base64 will fail. They are not separately Base64-encoded. They are JSON values embedded in the payload.
2. The header and payload are Base64Url-encoded, so you we decode them to get the full JSON structures.
3. The signature cannot be “decoded” because it is a hash. It can only be validated using the appropriate cryptographic key.
QA Automation Expert 