Testing an API


Mini Project Report

Testing an API
Report Submitted to
Jawaharlal Nehru Technological University Anantapur, Ananthapuramu
in partial fulfillment of the requirements for
the award of the degree of
BACHELOR OF TECHNOLOGY
IN
INFORMATION TECHNOLOGY
Submitted by

P KHALEEDH KHAN 21121A1584
P NANDINI 21121A1591
R DEVARSHINI 21121A1594
V RAKESH 21121A15B5
V.S MUSTAK MOULANA 21121A15B7

Under the supervision of
Ms. Chengamma Chitteti, M. Tech (Ph.D.)
Assistant Professor
Department of Information Technology

SREE VIDYANIKETHAN ENGINEERING COLLEGE
(AUTONOMOUS)
(Affiliated to JNTUA, Ananthapuramu, Approved by AICTE, Accredited by NBA & NAAC)
Sree Sainath Nagar, Tirupati – 517 102, A.P., INDIA
2023-2024

SREE VIDYANIKETHAN ENGINEERING COLLEGE
(AUTONOMOUS)
Sree Sainath Nagar, Tirupati

DEPARTMENT OF COMPUTER SCIENCE AND SYSTEMS ENGINEERING

CERTIFICATE
This is to certify that the Project report entitled

Testing an API

is the Bonafide work done by

P KHALEEDH KHAN 21121A1584
P NANDINI 21121A1591
R DEVARSHINI 21121A1594
V RAKESH 21121A15B5
V.S MUSTAK MOULANA 21121A15B7

in the Department of Computer Science and Systems Engineering, and submitted to Computer Science and Systems Engineering during the academic year 2023-2024. This work has been carried out under my supervision.

Supervised by:
Ms. Chengamma Chitteti, M. Tech (Ph.D.)
Assistant Professor
Dept. of IT

Head:
Dr. K. Ramani (Ph.D.)
Professor & Head
Dept. of IT

INTERNAL EXAMINER    EXTERNAL EXAMINER

DEPARTMENT OF INFORMATION TECHNOLOGY

VISION
To become a nationally recognized quality education center in the domain of Computer
Science and Information Technology through teaching, training, learning, research and
consultancy.

MISSION

⮚ The Department offers undergraduate program in Information Technology to produce high quality information technologists and software engineers by disseminating knowledge through contemporary curriculum, competent faculty and adopting effective teaching-learning methodologies.

⮚ Igniting passion among students for research and innovation by exposing them to real time systems and problems.

⮚ Developing technical and life skills in diverse community of students with modern training methods to solve problems in Software Industry.

⮚ Inculcating values to practice engineering in adherence to code of ethics in multicultural and multi discipline teams.

PROGRAM EDUCATIONAL OBJECTIVES

After few years of graduation, the graduates of B. Tech. (IT) Program will be:

1. Enrolled or completed higher education in the core or allied areas of Computer Science and Information Technology or management.
2. Successful entrepreneurial or technical career in the core or allied areas of Computer Science and Information Technology.
3. Continued to learn and to adapt to the world of constantly evolving technologies in the core or allied areas of Computer Science and Information Technology.

PROGRAM OUTCOMES

On successful completion of the Program, the graduates of B. Tech. (IT) Program will be
able to:

1. Apply the knowledge of mathematics, science, engineering fundamentals, and an
engineering specialization to the solution of complex engineering problems.
2. Identify, formulate, research literature, and analyze complex engineering
problems reaching substantiated conclusions using first principles of mathematics,
natural sciences, and engineering sciences.
3. Design solutions for complex engineering problems and design system
components or processes that meet the specified needs with appropriate
consideration for the public health and safety, and the cultural, societal, and
environmental considerations.
4. Use research-based knowledge and research methods including design of
experiments, analysis and interpretation of data, and synthesis of the information
to provide valid conclusions.
5. Create, select, and apply appropriate techniques, resources, and modern
engineering and IT tools including prediction and modeling to complex
engineering activities with an understanding of the limitations.
6. Apply reasoning informed by the contextual knowledge to assess societal, health,
safety, legal and cultural issues and the consequent responsibilities relevant to
the professional engineering practice.
7. Understand the impact of the professional engineering solutions in societal and
environmental contexts, and demonstrate the knowledge of, and need for
sustainable development.
8. Apply ethical principles and commit to professional ethics and responsibilities and
norms of the engineering practice.
9. Function effectively as an individual, and as a member or leader in diverse teams,
and in multidisciplinary settings.
10. Communicate effectively on complex engineering activities with the engineering
community and with society at large, such as, being able to comprehend and
write effective reports and design documentation, make effective presentations,
and give and receive clear instructions.
11. Demonstrate knowledge and understanding of the engineering and management
principles and apply these to one’s own work, as a member and leader in a team,
to manage projects and in multidisciplinary environments.
12. Recognize the need for, and have the preparation and ability to engage in
independent and life-long learning in the broadest context of technological
change.

PROGRAM SPECIFIC OUTCOMES

On successful completion of the program, the graduates of B.Tech. (IT) program will be
able to:

PSO1: Design and develop database systems, apply data analytics techniques, and
use advanced databases for data storage, processing and retrieval.
PSO2: Apply network security techniques and tools for the development of highly
secure systems.
PSO3: Analyze, design and develop efficient algorithms and software applications to
deploy in secure environment to support contemporary services using
programming languages, tools and technologies.

PSO4: Apply concepts of computer vision and artificial intelligence for the
development of efficient intelligent systems and applications.

Institute Vision and Mission

VISION
To be one of the Nation’s premier Engineering Colleges by achieving the
highest order of excellence in Teaching and Research.

MISSION

⮚ To foster intellectual curiosity, pursuit and dissemination of knowledge.

⮚ To explore students’ potential through academic freedom and integrity.

⮚ To promote technical mastery and nurture skilled professionals to face competition in ever increasing complex world.

TABLE OF CONTENTS

Section              Page No.
ABSTRACT             6
INTRODUCTION         7
PROBLEM DEFINITION   8
ALGORITHM            9
TEST PLANNING        10-11
TEST CASE DESIGN     11-13
TEST EXECUTION       14-15
PROGRAM              16-18
TEST REPORTING       19
CONCLUSIONS          19

ABSTRACT

Testing an API involves assessing its functionality, performance, and security to ensure its
reliability and robustness. Functionality testing examines whether the API meets its intended
purpose and requirements, while performance testing assesses its responsiveness and
scalability under various conditions. Security testing focuses on identifying vulnerabilities
and protecting against potential threats, safeguarding sensitive data, and ensuring compliance
with security standards. These tests collectively guarantee the API's quality, ensuring it
operates as intended, performs efficiently, and remains secure.

Keywords: Functionality, Performance, Security, Reliability, Robustness, Scalability, Vulnerabilities.

INTRODUCTION

In our digitally interconnected world, Application Programming Interfaces (APIs) are
the hidden backbone that powers the seamless exchange of data and functionality between
diverse software systems. These vital bridges between applications enable us to book flights,
make online payments, access social media profiles, and countless other tasks with a single
click. However, the reliability, efficiency, and security of APIs are paramount in ensuring that
these digital interactions run smoothly and securely.

The heart of the matter lies in comprehensive API testing. Ensuring that an API
functions as intended, performs under varying loads, and remains impervious to security
threats is a multifaceted challenge. This project delves into the realm of API testing, with a
specific focus on evaluating functionality, performance, and security.

This project embarks on a journey to tackle these challenges head-on by developing a
comprehensive testing framework. By addressing functionality, performance, and security in
an integrated manner, we aim to deliver APIs that are not only reliable and efficient but also
secure in a rapidly evolving digital landscape.

We will employ a combination of automated testing procedures, manual assessments,
and industry-leading testing tools to achieve our objectives. By adhering to best practices in
API testing and security analysis, we aim to create a robust and trustworthy API that can
meet the demands of a digital world where APIs underpin the services and interactions that
shape our lives.

PROBLEM DEFINITION

In the ever-evolving landscape of digital technologies and online services,
Application Programming Interfaces (APIs) play a critical role in enabling seamless data
exchange and functionality between various software systems. To ensure the reliability,
integrity, and safety of these APIs, it is imperative to conduct comprehensive testing. This
project aims to address the challenge of ensuring the functionality, performance, and security
of an API in a rapidly changing and increasingly interconnected digital ecosystem.

The problem statement can be broken down into three key aspects:

1. Functionality: Many APIs are designed to provide specific functionalities or
services to external applications. Ensuring that the API functions as intended, delivering the
expected results, and is user-friendly is crucial. The problem lies in identifying potential
functional issues, such as incorrect responses, missing features, or inconsistent behavior.

2. Performance: With the increasing demand for real-time data access and faster
response times, performance testing is crucial. The challenge here is to simulate various loads
and usage scenarios to identify bottlenecks, latency issues, and resource constraints that could
affect the API's responsiveness, scalability, and reliability.

3. Security: As cyber threats continue to grow in complexity and frequency, API
security is a paramount concern. The problem revolves around identifying and mitigating
security vulnerabilities, such as data breaches, unauthorized access, injection attacks, and
other potential risks that could compromise the API's integrity and the data it handles.

To address these challenges, this project will focus on designing and implementing a
comprehensive testing framework that encompasses functional, performance, and security
testing for a specific API. The objective is to ensure that the API meets its functionality
requirements, performs efficiently under various loads, and remains secure against a wide
range of threats. The project will employ a combination of automated and manual testing
techniques, utilize relevant testing tools, and follow best practices in security testing and
analysis.

ALGORITHM

Here is an algorithm for testing an API for functionality, performance, and security:

1. Identify all of the API's endpoints and operations.
2. Create test cases for each endpoint and operation.
3. Execute the test cases and verify the results.
4. Identify the performance metrics that are important to your business.
5. Create performance test cases.
6. Execute the performance test cases and measure the results.
7. Identify the security vulnerabilities that are most likely to affect your API.
8. Create security test cases.
9. Execute the security test cases and verify the results.
10. Remediate any vulnerabilities that are found.

TEST PLANNING

This section sets out the plan for testing an API for functionality, performance, and security. The goal of this project is to ensure that the API meets its intended requirements and is safe and reliable to use.

Test Strategy:
● Methodologies and approaches to be used for each type of testing (functional, performance, security).
● Testing environment details: tools, software, hardware, and resources.

Test Scenarios:
● Define test scenarios for functionality, performance, and security.
● Use cases and user stories related to the API functionalities.
● Performance benchmarks and criteria for measuring security compliance.

Test Cases:
● Detailed test cases for each scenario, specifying inputs, expected outputs, and test conditions.
● Functional test cases focusing on endpoints, responses, error handling, etc.
● Performance test cases covering load, stress, and scalability testing.
● Security test cases, including authentication, encryption, and authorization checks.

Testing Approach:
● Identify the sequence and methods for executing test cases.
● Mention any specific tools or scripts to be used for automation or performance testing.
● Explain the strategy for handling security testing, including penetration testing and vulnerability assessment.

Resource Allocation:
● Allocation of personnel, equipment, and timeframes for testing.

Risks and Contingencies:
● Identify potential risks in the testing process and outline mitigation strategies.

Deliverables:
● Documentation and reports to be generated at the end of each testing phase.
● Criteria for determining pass/fail for each type of testing.

TEST CASE DESIGN

Functional Testing Test Cases:

Test Case ID: TC-01
Description: Verify that the API returns a list of all products when the GET /products endpoint is called with a valid authorization token.
Expected Result: The API should return a list of all products in JSON format.

Test Case ID: TC-02
Description: Verify that the API returns a specific product when the GET /products/:id endpoint is called with a valid authorization token and a valid product ID.
Expected Result: The API should return a JSON object representing the specified product.

Test Case ID: TC-03
Description: Verify that the API can create a new product when the POST /products endpoint is called with a valid authorization token and a valid JSON payload.
Expected Result: The API should create a new product and return a JSON object representing the created product.

Test Case ID: TC-04
Description: Verify that the API can update an existing product when the PUT /products/:id endpoint is called with a valid authorization token and a valid JSON payload.
Expected Result: The API should update the specified product and return a JSON object representing the updated product.

Test Case ID: TC-05
Description: Verify that the API can delete a product when the DELETE /products/:id endpoint is called with a valid authorization token and a valid product ID.
Expected Result: The API should delete the specified product and return a 204 No Content response.

Performance Testing Test Cases:

Test Case ID: TC-06
Description: Verify that the API can handle 100 concurrent requests with a valid authorization token without any errors.
Expected Result: The API should be able to handle 100 concurrent requests without any errors or performance degradation.

Test Case ID: TC-07
Description: Verify that the API can handle a burst of 1000 requests in 10 seconds with a valid authorization token without any errors.
Expected Result: The API should be able to handle a burst of 1000 requests in 10 seconds without any errors or performance degradation.

Test Case ID: TC-08
Description: Verify that the API response times are within acceptable limits under different loads with a valid authorization token.
Expected Result: The API response times should be within acceptable limits under different loads, as defined by the requirements.

Security Testing Test Cases:

Test Case ID: TC-09
Description: Verify that the API is not vulnerable to SQL injection attacks, even with an invalid authorization token.
Expected Result: The API should not be vulnerable to SQL injection attacks, regardless of the validity of the authorization token.

Test Case ID: TC-10
Description: Verify that the API is not vulnerable to cross-site scripting (XSS) attacks, even with an invalid authorization token.
Expected Result: The API should not be vulnerable to XSS attacks, regardless of the validity of the authorization token.

Test Case ID: TC-11
Description: Verify that the API is not vulnerable to common web application vulnerabilities, such as insecure direct object references (IDOR) and broken authentication and session management, even with an invalid authorization token.
Expected Result: The API should not be vulnerable to any common web application vulnerabilities, regardless of the validity of the authorization token.

Ensure that data transmission is encrypted (e.g., using HTTPS) to protect sensitive
information.
These test cases cover a range of scenarios for testing the API for functionality, performance,
and security aspects. Adjust and expand these test cases based on the specific requirements
and details of your API, considering potential use cases and system behavior.

TEST EXECUTION

The following steps can be used to execute the test cases for an API:

● Set up the test environment. This may involve configuring the test server, database,
and other resources.
● Deploy the API to the test environment.
● Execute the test cases. This can be done manually or using a test automation tool.
● Record the test results. This may involve recording the pass/fail status of each test
case, as well as any error messages or performance data.
● Analyze the test results. This involves identifying any bugs or performance issues that
need to be fixed.
● Report the test results. This involves creating a test report that summarizes the results
of the test execution.
Functionality testing
● Identify all of the API endpoints and the expected behavior for each endpoint.
● Create test cases that cover all of the possible inputs and outputs for each endpoint.
● Use an API testing tool to send requests to the API and verify the responses.

Performance testing
● Identify the performance requirements for the API, such as the expected response
time and throughput.
● Generate a load of traffic to the API and measure the response time and throughput.
● Compare the measured results to the performance requirements.

Security testing
● Identify the potential security vulnerabilities in the API, such as authentication and
authorization vulnerabilities, input validation vulnerabilities, and SQL injection
vulnerabilities.
● Use security testing tools to scan the API for vulnerabilities.
● Manually test the API to exploit the identified vulnerabilities.

Here are some specific examples of tests that you can perform for each type of testing:

Functionality testing

● Test that the API returns the expected response for valid inputs.
● Test that the API returns the expected error response for invalid inputs.
● Test that the API handles unexpected inputs gracefully.
● Test that the API performs the desired operations on the data.
● Test that the API is idempotent, meaning that multiple requests with the same input
will produce the same output.
Performance testing
● Test the response time of the API under different loads.
● Test the throughput of the API under different loads.
● Test the scalability of the API by increasing the load and monitoring the performance.
● Test the API for concurrency by sending multiple requests at the same time and
monitoring the performance.

Security testing
● Test that the API requires authentication and authorization for sensitive endpoints.
● Test that the API validates all inputs properly.
● Test the API for SQL injection vulnerabilities.
● Test the API for cross-site scripting (XSS) vulnerabilities.
● Test the API for other common security vulnerabilities.
You can use a variety of tools to test APIs, such as:
● Postman
● Insomnia
● SoapUI
● JMeter
● OWASP ZAP
● Burp Suite
You can also use cloud-based API testing services, such as:
● LoadNinja
● BlazeMeter
● k6
● Apigee

PROGRAM

import json
import time
import requests
# The original imported non-existent "jmeter" and "owaspzap" modules; the OWASP ZAP
# Python client is the zapv2 package (pip install python-owasp-zap-v2.4).
from zapv2 import ZAPv2


# Function to test the API's functionality
def test_functionality(endpoint, payload):
    response = requests.post(endpoint, json=payload, timeout=10)

    # Verify the response status code
    assert response.status_code == 200

    # Verify the response payload
    response_payload = response.json()
    assert response_payload["success"] is True


# Function to test the API's performance
def test_performance(endpoint, payload, num_requests):
    start_time = time.time()

    for _ in range(num_requests):
        response = requests.post(endpoint, json=payload, timeout=10)

        # Verify the response status code
        assert response.status_code == 200

    end_time = time.time()

    # Calculate the average response time in milliseconds (time.time() counts seconds)
    avg_response_time_ms = (end_time - start_time) / num_requests * 1000

    # Verify that the average response time is below the 100 ms threshold
    assert avg_response_time_ms < 100


# Function to test the API's security
def test_security(endpoint, payload, zap_api_key):
    # Connect to a running OWASP ZAP instance (its API listens on localhost:8080 by default)
    zap = ZAPv2(apikey=zap_api_key)

    # Let ZAP see the endpoint, then start an active scan that replays the request with the payload
    zap.urlopen(endpoint)
    scan_id = zap.ascan.scan(endpoint, method="POST", postdata=json.dumps(payload))

    # Wait for the scan to finish (status is reported as a percentage)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)

    # Get the scan results: the alerts ZAP raised for this endpoint
    results = zap.core.alerts(baseurl=endpoint)

    # Verify that there are no high-risk vulnerabilities
    assert len([alert for alert in results if alert["risk"] == "High"]) == 0


# Example usage (runs only when the script is executed directly):
if __name__ == "__main__":
    # Test the API's functionality
    endpoint = "https://api.example.com/users"
    payload = {"name": "John Doe"}
    test_functionality(endpoint, payload)

    # Test the API's performance
    endpoint = "https://api.example.com/products"
    payload = {"name": "Product 1"}
    test_performance(endpoint, payload, 100)

    # Test the API's security (sample credentials for the test environment)
    endpoint = "https://api.example.com/login"
    payload = {"username": "admin", "password": "password"}
    test_security(endpoint, payload, zap_api_key="ZAP_API_KEY_PLACEHOLDER")

TEST REPORTING

Once all of the test cases have been executed, a test report should be generated. The test
report should include the following:

● Summary of results: A summary of the overall results of the testing, including the
number of tests passed, failed, and blocked.
● Detailed results: A detailed breakdown of the results of each test case.
● Analysis: An analysis of the results, including any trends or patterns that were
identified.
● Recommendations: Recommendations for improving the API or for further testing.

CONCLUSION
API testing is an essential part of the software development lifecycle. By testing your API
for functionality, performance, and security, you can ensure that it is reliable and meets the
needs of your users.

Here are some additional tips for API testing:

● Use a variety of testing tools to get a comprehensive view of the API's behavior.
● Automate your tests to make them more efficient and repeatable.
● Test the API in a variety of environments, including production, staging, and
development.
● Involve stakeholders in the testing process to get their feedback and ensure that the
API meets their needs.
