Applications increasingly talk to each other behind the scenes via APIs. Google’s recent acquisition of Apigee, an API management company, is an indicator of the continued importance of APIs. APIs are like building blocks, providing services and data that can be connected with other APIs to build powerful customized apps. However, developing and testing an API can be challenging because there is no built-in interface, breaking changes can cause widespread outages, sensitive data may be exposed or accessed, and accepted agile testing paradigms can be difficult to adapt to APIs. This session is an introduction to RESTful APIs and how to test them for security, performance, functionality, and backwards-compatibility risks.
1. Welcome!
• We’ll use postman for some of our examples. If you would like to follow along,
download postman now. www.getpostman.com.
• Feel free to pair with someone!
• We’ll provide collections at the end of our talk.
• Follow @apidemo_carter on Twitter!
3. Overview
• What is an API?
• History of API growth
• Current API landscape
• How APIs work, including some hands-on demos
• Strategies and tools for testing an API
• API Stories
11. Why RESTful?
• REST: Representational state transfer
• Uniform and predefined set of stateless operations
• People can “just know things” about an API that’s RESTful
17. Methods
• GET – Get some data about an object or ‘resource’
• POST – Create a new resource
• PUT – Update a resource
• DELETE – Delete a resource
18. Headers
• Headers are key/value combinations that specify additional information about the request
• Some common request headers are:
  • Content-Type
  • Authorization
  • Accept
  • Origin
19. Body
• Data to send with the request – usually for a POST or PUT
• Data format – XML, JSON, etc. – is specified by the Content-Type header
{
  "location": {
    "lat": -33.8669710,
    "lng": 151.1958750
  },
  "accuracy": 50,
  "name": "Google Shoes!",
  "phone_number": "(02) 9374 4000",
  "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
  "types": ["shoe_store"],
  "website": "http://www.google.com.au/",
  "language": "en-AU"
}
20. What about cookies?
• RESTful API requests should be self-reliant
• Cookies are session-dependent, so not independent
• Using cookies to store data means your API is not RESTful
21. Authentication
• Insecure – authorization token in the URL
  • https://api.darksky.net/forecast/{{token}}/39.9026420,-105.0905190
  • https://maps.googleapis.com/maps/api/place/nearbysearch/json?key={{googlemapsKey}}
• Basic
  • Username:password are concatenated and encoded
  • Sent in Authorization header
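Two checks that follow from this slide, as an added Python example that is not part of the deck: building and reversing a Basic Authorization header (the encoding is base64, so anyone who sees the header recovers the password, which is why the Security slide wants SSL enforced), and scanning a URL for credential-looking query parameters so a test or a log pipeline can flag and redact them. The parameter-name list and the sample key value are constructed; tokens embedded in the path, as in the Dark Sky example, are not detectable this way and need a route-specific check.

```python
import base64
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry credentials (constructed list for this
# example; extend it with the parameter names your own APIs use).
CREDENTIAL_PARAMS = {"key", "token", "access_token", "api_key", "apikey", "auth"}


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic Authorization value: 'Basic ' + base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(value: str) -> Tuple[str, str]:
    """Reverse basic_auth_header. Base64 is encoding, not encryption: a proxy log or a
    capture of a non-TLS connection gives the password back in one step."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("utf-8")
    username, _, password = decoded.partition(":")   # RFC 7617: no ':' in the user-id
    return username, password


def credentials_in_url(url: str) -> List[str]:
    """Names of query parameters that look like credentials. URLs land in browser
    history, proxy logs and server access logs, so a non-empty result is a finding."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in CREDENTIAL_PARAMS]


def redact_url(url: str) -> str:
    """Copy of url with credential-looking query values replaced, for safe logging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(n, "REDACTED" if n.lower() in CREDENTIAL_PARAMS else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))
```

A Postman pre-request or test script can do the same lookup on `pm.request.url`; the point is that the check runs on every request in the collection rather than relying on someone noticing the key in a URL.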
24. Authentication - JWT
JSON Web Token (https://jwt.io/) – an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
• Header – type of token (JWT) and hashing (signing) algorithm
• Payload – contains ‘claims’, or information about the user
• Signature – produced by the header-specified algorithm over the encoded header, a ‘.’ and the encoded payload, using the secret
25. Let’s try a GET now…
• We’ll hit the Dark Sky API to get our current weather
30. Security
• Basic
  • Authentication tokens are valid/present
  • Account boundaries are not violated
  • SSL is enforced/warned when not present
• Hacker-in-training
  • Injection points – headers, parameters, body
  • Recording tools – what is exposed/available
• White Hat hacker – OWASP
  • REST Security Cheat Sheet
  • OWASP Top 10 security vulnerabilities – new section on Under-protected APIs
31. Functional
• Basic
  • Correct status codes are generated for invalid inputs
  • Request/response bodies contain the correct content type and schema
  • Backwards-compatibility for public APIs – previous tests continue to pass or breaking changes are clearly documented – aka regression testing
• Advanced
  • Join API requests together to mirror application functionality
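The basic functional checks on this slide, written out in Python as an added example (not from the slides, and not Postman’s own test syntax): status code, Content-Type and a type-level schema check against the place body from the Body slide. The schema map and the three sample responses (one correct, one that answers invalid input with 200 and HTML, one whose body has drifted) are constructed; a real suite would validate against a JSON Schema document and run against live responses.

```python
import json
from typing import Any, Dict, List, Optional

# Expected shape of the place body from the Body slide (constructed type map; a real
# project would keep a JSON Schema document and validate against that instead).
PLACE_SCHEMA: Dict[str, Any] = {
    "location": dict,
    "accuracy": (int, float),
    "name": str,
    "phone_number": str,
    "address": str,
    "types": list,
    "website": str,
    "language": str,
}


def check_response(status: int, headers: Dict[str, str], body: str,
                   expected_status: int, schema: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return the list of failures for one response; an empty list means the checks pass."""
    failures: List[str] = []
    if status != expected_status:
        failures.append(f"status {status}, expected {expected_status}")
    # Header names are case-insensitive, so normalise before looking up Content-Type.
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not content_type.lower().startswith("application/json"):
        failures.append(f"content-type {content_type!r} is not application/json")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        failures.append(f"body is not valid JSON: {exc.msg}")
        return failures
    if schema is not None:
        if not isinstance(data, dict):
            failures.append("body is not a JSON object")
            return failures
        for field, expected_type in schema.items():
            if field not in data:
                failures.append(f"missing field {field!r}")
            elif not isinstance(data[field], expected_type):
                failures.append(f"field {field!r} has type {type(data[field]).__name__}")
        # Fields the schema does not list are tolerated: additive changes are the
        # backwards-compatible kind (see the Versioning slide), so they are not failures.
    return failures


# Constructed sample responses in (status, headers, body) form, as a runner would see them.
PLACE = {"location": {"lat": -33.866971, "lng": 151.195875}, "accuracy": 50,
         "name": "Google Shoes!", "phone_number": "(02) 9374 4000",
         "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia",
         "types": ["shoe_store"], "website": "http://www.google.com.au/", "language": "en-AU"}
GOOD_RESPONSE = (200, {"Content-Type": "application/json; charset=utf-8"}, json.dumps(PLACE))
# Invalid input answered with 200 and an HTML page instead of a JSON error body.
BAD_RESPONSE = (200, {"content-type": "text/html"}, "<html>oops</html>")
# A body whose contract drifted: accuracy became a string and types disappeared.
_drifted = {**PLACE, "accuracy": "50"}
_drifted.pop("types")
DRIFTED_RESPONSE = (200, {"Content-Type": "application/json"}, json.dumps(_drifted))


def run_checks() -> Dict[str, List[str]]:
    """Run the checks over the samples; keys name the sample, values list its failures."""
    return {
        "good": check_response(*GOOD_RESPONSE, expected_status=200, schema=PLACE_SCHEMA),
        "bad": check_response(*BAD_RESPONSE, expected_status=400),
        "drifted": check_response(*DRIFTED_RESPONSE, expected_status=200, schema=PLACE_SCHEMA),
    }
```

Keeping the same `check_response` calls in the suite from one release to the next is the regression test the slide describes: a field that changes type or disappears shows up as a failure, while a new field does not.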
32. Exploratory
• Identify the variable bits – things that can/will/might change
• Requests –
  • Method
  • Mix/match endpoints
  • Parameters
  • Headers, especially content type
• Content type
• Size, Depth – images, JSON/XML nesting
• Timing & Frequency – what happens with caching?
33. Heuristics
• Apply heuristics to the variables
  • Zero, One, Many
  • Some, None, All
  • Beginning, Middle, End
  • Too Many, Too Few
  • Relative Position, i.e. content
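Turning the heuristics on this slide and the variables on the previous one into concrete request bodies, as an added Python example (not from the slides): each field gets Zero/One/Many/Too Many/None values and, for strings, a marker character at the Beginning, Middle and End, and one field is varied at a time so a failure points at a single variable. The baseline body (three fields from the Body slide), the assumed limit of 10 and the field kinds are constructed; the documented limits of the API under test would replace them.

```python
from typing import Any, Dict, Iterator, Tuple

LIMIT = 10      # assumed maximum length/size the API documents for a field (constructed)
MARKER = "ü"    # non-ASCII character placed at the beginning, middle and end of a string


def heuristic_values(kind: str, limit: int = LIMIT) -> Dict[str, Any]:
    """Candidate values for one parameter of the given kind, keyed by the heuristic used."""
    if kind == "list":
        return {
            "none": None,
            "zero": [],
            "one": ["x0"],
            "many": [f"x{i}" for i in range(limit)],
            "too_many": [f"x{i}" for i in range(limit + 1)],
        }
    if kind == "int":
        return {"none": None, "zero": 0, "one": 1, "many": limit,
                "too_many": limit + 1, "too_few": -1}
    if kind == "string":
        filler = "a" * (limit - 1)
        half = len(filler) // 2
        return {
            "none": None,
            "zero": "",
            "one": "a",
            "many": "a" * limit,
            "too_many": "a" * (limit + 1),
            "beginning": MARKER + filler,
            "middle": filler[:half] + MARKER + filler[half:],
            "end": filler + MARKER,
        }
    raise ValueError(f"unknown kind {kind!r}")


def one_at_a_time(baseline: Dict[str, Any],
                  kinds: Dict[str, str]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (case_name, body): one field varied per case, the rest held at the baseline."""
    for field, kind in kinds.items():
        for heuristic, value in heuristic_values(kind).items():
            body = dict(baseline)
            if value is None:
                body.pop(field)        # 'none' means the field is absent from the request
            else:
                body[field] = value
            yield f"{field}:{heuristic}", body


# Constructed baseline request: the place body from the Body slide, trimmed to three fields.
BASELINE = {"name": "Google Shoes!", "types": ["shoe_store"], "accuracy": 50}
KINDS = {"name": "string", "types": "list", "accuracy": "int"}


def exploratory_cases() -> Dict[str, Dict[str, Any]]:
    """All one-variable-at-a-time cases for BASELINE, keyed by 'field:heuristic'."""
    return dict(one_at_a_time(BASELINE, KINDS))
```

Each generated body is a POST candidate; the response to every case is then run through the status-code and content-type checks from the Functional slide, and the case name tells you which heuristic produced any surprise.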
34. Automation
• Part of your CI/CD pipeline
• Part of the development process, since tests can be run in both local and pre-production environments
• Performance
  • Combine tests with monitoring
• Tools
  • Postman
    • Command line runner that can be integrated into your CI
    • Developer adoption is high
  • Runscope
    • Powerful code snippets
35. Supporting an API
Tracker API, rewritten in 2012-13
• Our own client software uses public API, same as customers
• With some private endpoints
• Leading practices: RESTful, JSON in & out,
• Versioning
• Only changes are additions
• Promote new endpoints through various stages
• “edge” version
• Metadata-driven
• Reference doc generated from metadata and unit test outputs
36. Long-term results
• Few support requests
• Thanks to comprehensive unit tests, comprehensive doc & examples
• Comprehensive doc for devs to introduce new endpoints
• Many new endpoints added
• Mostly without pain – one backwards compatibility issue
• Postman regression tests run in CI in addition to unit tests
• Include performance checks
38. Take-aways
• APIs are the engine behind the apps we use every day
• APIs are an integral part of our agile processes – APIs make apps more testable, and can be tested!
• APIs add value to your product – maybe your company/product/team needs an API?
• You’ve learned some terms about RESTful web services – go forth and learn more!
39. Links
• ProgrammableWeb
• API Security Testing
• OWASP Top 10 Project
• List of HTTP Header fields
• Varonis – Introduction to OAuth
• OAuth.net
• Understanding REST and RPC