30 Days of API Testing - Day 9: Share some tools we can use to discover what API calls our applications are making

As a mobile testing engineer I usually use Charles or Fiddler to discover what API calls my client application make and what responses it receive from the server. If I need to verify some requests from outside servise to my server I use Postman. Both Charles and Postman afford to manipulate (change) sending data when it is required in tests. When I want to explore requests\response from\to admin part of backend I use devpanel in browser (can be opened by pressing F12).

2 Likes

I am also using Browser “Developer tools” and fiddler to find, and analyse API calls from my application.

But there is a catch : Our application can make 2 types of API calls.

  1. C2S (Client to Server API calls which is captured in Fiddler & DevTools of Browser).

  2. S2S (Server to Server API calls where Fiddler & DevTools may not necessarily captures those calls as it is purely S2S call. (You can find some details to know about s2s calls and its usage “https://developer.oculus.com/documentation/platform/1.13/concepts/pgsg-s2s-basics/” ).

So, Here I am more interested to know Is there any tools to discover what are all S2S calls our applications are making :thinking:

5 Likes

I’ll just paste in here what I put in another post:
I use a variety of tools to discover what API calls my application is making:

  • Fiddler/Charles/etc can show me what my app is calling directly
  • browser dev tools - Network tab can also show me what my app is calling directly
  • REST services can also have a Swagger or OpenAPI document available; SOAP services can have a WSDL - these tell you all kinds of things, and with Swagger/OpenAPI you can use them for manual testing as well
  • I can look at the code as well - Controllers tell me how my application handles API calls, and I can see what other code is using those controllers; Models tell me what data the API handles

For the S2S calls, the Swagger/OpenAPI/WSDL or whatever documentation should help you find this information out.
I also look for process flow or data flow diagrams for the api

5 Likes

I am still new at this, but according to the responses on this post I did get a “two for one” as it turns out that Fiddler meets the criteria. Lots of other great tools were mentioned, most commonly Swagger, so I’ll look into it now!

-Dave K

1 Like

Read through all posts and have now downloaded Fiddler and trying to learn even more. Still an API newbie and have not done anything like this before. Thank you for all the inspiration though! If you have any nice tutorials or blogs to share regarding Fiddler and capture API call let me know.

1 Like

I go through it a bit here: https://g33klady.com/2017/11/21/using-fiddler-autoresponder-for-quick-service-or-response-mocking/ (just for set up really).
Seems I need to blog a bit more on it!

3 Likes

If you are concerned only about HTTP/S protocol Postman is cool, but WireShark is great HTTP + lots of other types of protocol.

2 Likes

I tried the Blazemeter plugin for Chrome (don’t know about support for other browsers). Didn’t use it much, but I was satisfied with the features it has.
It records requests as you browse. You can then export them in different formats, automate them, combine with other tools/frameworks (eg. Selenium).

1 Like

great share @g33klady

Interested to know what can be used to discover S2S API calls. Does it mean run fiddler or Wireshark on the server to capture network traffic?

1 Like

Hi @testerawesome

I don’t think fiddler can capture S2S calls.

As @g33klady suggested, we can get to know those calls by going through api documentation or arc design docs etc.

1 Like

Some suggestions on Twitter for this challenge:

The first time working on APIs testing, I’m using a Fiddler to find and analyse API calls from my application. For the Fiddler, you can catch any responses from your application like image as below:

But this information is difficult to analyze, so I also tried to find out another APIs testing can help me working on the APIs, the first tool I has used is Postman.

With Postman, Your can make a APIs testing method and see the data responses, status of your method, that is easy for the newbie.

For the APIs automation testing , I’m learning on KATALON and read more guide to working on it :slight_smile:
—APIs Testing Newbie—

6 Likes

@kms_namnguyen: I saw that you tried PostMan for some of the requests and thats great.
One suggestion: Instead of using mask on screenshot, you start using Environment variables or Global variable so that it makes your work easy to maintain variables environment/global level and also help you to masks the values that you don’t want to show on screen.

cheers.

2 Likes

Agreed with @nagesh.joy, @kms_namnguyen should use Environment variables or Global variable. I’ve researched to use PostMan today, it’s also a cool API Testing tool.

1 Like

I found a helpful tool to capture all HTTP Requests and Responses sent between the Web browser and the Web server so that we can know the request URLs.

4 Likes

What is meant by ARC Design docs? (ARC - Full form?)

Day 9: Share some tools we can use to discover what API calls our applications are making. #30DaysofAPITesting

1 Like

Here’s a resource I found useful which provides 10 tools:

Out of the 10, I’ve used:

  • SoapUI
  • Postman
  • apigee
  • JMeter
  • Rest-Assured

I’ve been through a demo of Tricentis Tosca.

I’m keen to try Karate DSL

1 Like

Today I spent time to explore Firefox Developer Tools - Network tab and know how to use it to discover API calls :blush:.

4 Likes