Cookie Consent by Free Privacy Policy Generator ๐Ÿ“Œ API Testing using Postman

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security



๐Ÿ“š API Testing using Postman


๐Ÿ’ก Newskategorie: Programmierung
๐Ÿ”— Quelle: dev.to

In the dynamic world of API testing, versatility is key. With Postman, a leading API testing tool, there's no one-size-fits-all approach to test codes. The significance of each test hinges on the unique demands and context of your API. But fear not! Whether you're a seasoned developer or just starting out, understanding the landscape of API testing is crucial. In this insightful guide, we'll delve into the diverse and vital types of tests. Get ready to enhance your API testing skills and bring precision and efficiency to your projects!

Types of Test

There isn't a single "most important" test code, as the importance of a test depends on the specific requirements and context of the API you are testing. However, there are several common and crucial types of tests that are often used in API testing with Postman:

  • Status Code Verification: Ensuring that the API returns the expected HTTP status code. For example, a 200 OK for successful requests, 404 Not Found for invalid endpoints, or 500 Internal Server Error for server issues.
pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});

  • Response Time Validation: Checking that the API responds within an acceptable time frame. This is crucial for performance testing.
pm.test("Response time is less than 500ms", function () {
    pm.expect(pm.response.responseTime).to.be.below(500);
});

  • Data Validation: Ensuring that the response body contains the correct data. This could involve checking the structure of the response JSON or XML, and verifying that the values are as expected.
pm.test("Response body has correct data", function () {
    var responseJson = pm.response.json();
    pm.expect(responseJson.name).to.eql("John Doe");
    pm.expect(responseJson.id).to.eql(123);
});

  • Header Checks: Verifying that the HTTP headers in the response are correct. This can include checks for content type, security headers, etc.
pm.test("Content-Type header is present and application/json", function () {
    pm.response.to.have.header("Content-Type", "application/json");
});

  • Authentication and Authorization Tests: Ensuring that requests are properly authenticated and that users have the correct authorization level for different requests.
pm.test("Response should be unauthorized", function () {
    pm.response.to.have.status(401);
});

  • Error Handling Tests: Verifying that the API handles errors gracefully and returns appropriate error messages and codes.
pm.test("Error message is as expected", function () {
    var responseJson = pm.response.json();
    pm.expect(responseJson.error).to.eql("Invalid request parameters");
});

  • Business Logic Verification: Testing the actual business logic that the API implements, to ensure it meets the specified requirements.
pm.test("Discount is applied correctly", function () {
    var responseJson = pm.response.json();
    pm.expect(responseJson.total).to.eql(responseJson.subtotal - responseJson.discount);
});

  • Schema Validation: Ensuring that the response follows a defined schema or structure, which is particularly important for RESTful APIs.
const schema = {
    "type": "object",
    "required": ["name", "id"],
    "properties": {
        "name": {"type": "string"},
        "id": {"type": "number"}
    }
};

pm.test("Schema is valid", function() {
    pm.response.to.have.jsonSchema(schema);
});

  • Integration Tests: Checking how the API interacts with other services and databases.
pm.test("User profile data matches with database", function () {
    // Here you'd typically use pm.sendRequest to query another API or database
    // For demonstration, assuming a static check
    var responseJson = pm.response.json();
    pm.expect(responseJson.username).to.eql("user_from_db");
});

  • Security Tests: Identifying vulnerabilities in the API, like SQL injection, Cross-Site Scripting (XSS), and other security threats.
pm.test("No SQL Injection vulnerability", function () {
    // This would ideally involve sending a potentially malicious SQL code in the request and checking the response
    pm.response.to.not.have.status(500); // Simple check for server error
    pm.response.to.not.have.body("SQL"); // Ensure response does not contain SQL error messages
});

GET Test

Let's consider a more complex and tailored test for a hypothetical GET API request. This API, for example, could be for retrieving user profile information. The test will cover various aspects, including status code verification, response time, data validation, schema validation, and some custom logic related to the data returned.

Hypothetical API Details:

  • Endpoint: /api/users/{userId}
  • Method: GET
  • Response Structure:
{
    "userId": "string",
    "name": "string",
    "email": "string",
    "roles": ["string"],
    "isActive": "boolean",
    "lastLogin": "string" // Date in ISO format
}

Sample Test Code in Postman:

// Test for Status Code and Response Time
pm.test("Status code is 200 and response time is acceptable", function () {
    pm.response.to.have.status(200);
    pm.expect(pm.response.responseTime).to.be.below(1000); // assuming 1000ms as the threshold
});

// Data Validation with Multiple Checks
pm.test("Response body has correct data structure", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson).to.have.keys("userId", "name", "email", "roles", "isActive", "lastLogin");
    pm.expect(responseJson.userId).to.be.a('string');
    pm.expect(responseJson.name).to.be.a('string');
    pm.expect(responseJson.email).to.match(/^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/); // Email format validation
    pm.expect(responseJson.roles).to.be.an('array');
    pm.expect(responseJson.isActive).to.be.a('boolean');
    pm.expect(new Date(responseJson.lastLogin)).to.be.a('date');
});

// Schema Validation (assuming a predefined schema variable)
const userProfileSchema = {
    "type": "object",
    "required": ["userId", "name", "email", "roles", "isActive", "lastLogin"],
    "properties": {
        "userId": {"type": "string"},
        "name": {"type": "string"},
        "email": {"type": "string", "format": "email"},
        "roles": {
            "type": "array",
            "items": {"type": "string"}
        },
        "isActive": {"type": "boolean"},
        "lastLogin": {"type": "string", "format": "date-time"}
    }
};

pm.test("Schema is valid", function() {
    pm.response.to.have.jsonSchema(userProfileSchema);
});

// Custom Logic Check
pm.test("User is active and has logged in within the last month", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson.isActive).to.be.true;
    let lastLoginDate = new Date(responseJson.lastLogin);
    let aMonthAgo = new Date();
    aMonthAgo.setMonth(aMonthAgo.getMonth() - 1);
    pm.expect(lastLoginDate).to.be.above(aMonthAgo);
});

In this example, we have created a more comprehensive set of tests that not only check the basic aspects like status code and response time but also validate the data structure, ensure the response matches a predefined schema, and include a custom logic check to validate business rules (e.g., the user's active status and recent login).

PUT Test

Let's consider a PUT API request that updates user details. This type of request often requires careful testing to ensure data integrity and adherence to business rules.

Hypothetical API Details:

  • Endpoint: /api/users/{userId}
  • Method: PUT
  • Request Body:
{
  "name": "string",
  "email": "string",
  "isActive": "boolean"
}

  • Expected Response: Status code 200 for successful update, with a JSON body containing the updated user details.

Sample Test Code in Postman:

// Variables for Request Data
const requestData = pm.request.body.toJSON();

// Test for Status Code
pm.test("Status code is 200 for successful update", function () {
    pm.response.to.have.status(200);
});

// Response Time Validation
pm.test("Response time is within acceptable limits", function () {
    pm.expect(pm.response.responseTime).to.be.below(2000); // 2000ms as a threshold
});

// Data Validation
pm.test("Response body matches updated data", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson.name).to.eql(requestData.name);
    pm.expect(responseJson.email).to.eql(requestData.email);
    pm.expect(responseJson.isActive).to.eql(requestData.isActive);
});

// Email Format Check
pm.test("Email format is valid", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson.email).to.match(/^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/); // Simple regex for email validation
});

// Check for Required Fields in Response
pm.test("Response has all required fields", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson).to.have.all.keys("userId", "name", "email", "isActive");
});

// Custom Business Rule Check (Example: isActive should not be true if user's email is not verified)
pm.test("Active status should not be true for unverified email", function () {
    let responseJson = pm.response.json();
    if (responseJson.isActive) {
        // Assuming there's a field in response that indicates email verification status
        pm.expect(responseJson.isEmailVerified).to.be.true;
    }
});

// Additional Security Check (e.g., Checking for unexpected modifications)
pm.test("Response should not contain sensitive data", function () {
    let responseJson = pm.response.json();
    pm.expect(responseJson).to.not.have.keys("password", "securityQuestionAnswers");
});

In this example, the tests are tailored to verify not only the basic functionality of the PUT request (like status code and response structure) but also to ensure that the update adheres to business rules and security standards. The tests check if the response data matches the update request, validate the email format, ensure no sensitive data is exposed, and include a custom check related to the business logic (like the user's active status in relation to their email verification status).

Remember, the specifics of your tests will vary based on the exact nature of your API, its business logic, security considerations, and other factors unique to your application.

...



๐Ÿ“Œ API Testing using Postman


๐Ÿ“ˆ 40.58 Punkte

๐Ÿ“Œ Mastering API Testing and Exploring the Power of Postman: A Comprehensive Guide


๐Ÿ“ˆ 35.41 Punkte

๐Ÿ“Œ How to use Postman for API testing


๐Ÿ“ˆ 35.41 Punkte

๐Ÿ“Œ Validate localhost API request processed by POSTMAN using Regular Expression


๐Ÿ“ˆ 33.09 Punkte

๐Ÿ“Œ Learn How to Create and Test a File Upload API using NestJS and Postman


๐Ÿ“ˆ 33.09 Punkte

๐Ÿ“Œ API-Management: Postman fรผhrt einen รถffentlichen Kommunikationsbereich ein


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ Rest API testen mit Postman: Vorgehensweise und Strategien


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ API-Plattform: Postman bietet Token Refresh fรผr OAuth 2.0


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ Comparing The Best API Clients: Postman vs Hoppscotch vs Insomnia vs ThunderClient


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ Postman 10 improves API governance and security


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ How to Crush API Dev Work when You're 100% Remote with Postman


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ Navigating the API Landscape with Postman: A Journey of Discovery


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ How to Use an API with Postman โ€“ A Step-by-Step Guide


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ Harnessing the Potential of APIs: A Deep Dive into POSTMAN API 101๐ŸŒ


๐Ÿ“ˆ 27.91 Punkte

๐Ÿ“Œ API Security Testing 101: Know Everything About API Security Testing!


๐Ÿ“ˆ 27.59 Punkte

๐Ÿ“Œ How make a Swagger UI using postman collections in nodejs


๐Ÿ“ˆ 26.79 Punkte

๐Ÿ“Œ TIBCO FTP Community Edition up to 6.5.0 on Windows Server/C API/Golang API/Java API/.Net API access control


๐Ÿ“ˆ 25.2 Punkte

๐Ÿ“Œ Performance Testing vs. Load Testing vs. Stress Testing


๐Ÿ“ˆ 22.48 Punkte

๐Ÿ“Œ Postman 6.3.0 Improper Certificate Validation


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Postman 6.3.0 Improper Certificate Validation


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ #0daytoday #Postman 6.3.0 Improper Certificate Validation Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Spam:PHP/Mailer.Postman.A


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ AssoCIateD Postman up to up to 6.3.0 X.509 Certificate Validation HTTPS Request Man-in-the-Middle information disclosure


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Postman 7.24.0 Englisch


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ postman-smtp Plugin up to 2017-10-04 on WordPress tools.php page cross site scripting


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ How To Install Postman On Linux?


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Postman SMTP Mailer/Email Log - Cross-Site Scripting (XSS)


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ HackTheBox Box Hacking Write Up Postman โ€“ HackingVision


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ APIs mit dem Analysewerkzeug Postman erforschen und entwickeln | heise online


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ heise+ | APIs mit dem Analysewerkzeug Postman erforschen und entwickeln


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Demystifying How Postman Web Works


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Postman Flows makes building software more accessible


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ Getting started with Postman for GraphQL


๐Ÿ“ˆ 21.62 Punkte

๐Ÿ“Œ 3 Easy Commands to Install Postman in Kali Linux


๐Ÿ“ˆ 21.62 Punkte











matomo