30 Days of API Testing - Day 9: Share some tools we can use to discover what API calls our applications are making

(Thao) #21

I always use the Chrome developer tools, opened by pressing F12, to capture API calls. Besides that, I found a Chrome extension, Web Sniffer, to do this. Web Sniffer looks cooler than the Chrome developer tools.

(Thanh) #22

I usually use Chrome DevTools > Network tab to discover requests.

I have just tried downloading and running Fiddler, Charles and Wireshark. They are so great, but they are quite complicated and it is difficult for me to get an overview of them; maybe I need to spend more time researching how to use them.

(Tuan Tran) #23

To discover the API calls in a web application, I usually use:

  • Browser Dev Tools -> Network tab: Easy access to see what API call…
  • Fiddler: a strong tool, extendable with plugins. I made a plugin for myself.

And thanks for all the comments above. I found a new tool, Charles. I am going to play with it now.

(Trang Ta) #24

Some tools to discover API calls:

  • API Monitor
  • Process Monitor
  • AlertSite

(Felipe) #25

Before reading this post I was only aware of Charles and browsers’ Network tab to inspect API calls. I’ve been using Charles and found it to be very cool, although it has a bit of a learning curve.

(David Luu) #26

Interested to know what can be used to discover S2S API calls. Does it mean running Fiddler or Wireshark on the server to capture network traffic?

Yes, I believe that is one possible approach, provided you have access to the network where the “server” of interest is running, and you have access to run a sniffer on the network (or on the server) to monitor the outgoing traffic from the server that doesn’t go to clients but to another server. For the sniffer, Wireshark would be the desired tool since it can capture any traffic coming out of the server and it doesn’t have to run on the server but just the network. Use of tools like Fiddler, Charles Proxy, or some other proxy will require reconfiguring the server of interest to route network requests through the proxy in order for you to see them (usually this is more streamlined/automated should you be able to run the proxy on the server itself, but more work when run externally).

The tricky part is then figuring out the S2S calls from the captured traffic.

Note that, as others have said, it would be preferable to read the API documentation tooling in case the documentation mentions what S2S calls exist; I assume it might not, depending on how the API is documented.

Another option to try is to analyze the server’s application/service logs. Sometimes the S2S calls might be logged, and you can check for them.
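
Added example, not part of the original posts: one way to pick the S2S calls out of captured traffic is to keep only the connections the server itself opened, since the side that sends the bare SYN is the initiator. The packet rows, IP addresses and function names below are constructed for illustration, and the tab-separated export layout is an assumption.

```python
from collections import Counter

# Constructed sample: one row per TCP packet, tab-separated as
# src_ip, src_port, dst_ip, dst_port, syn, ack (not from a real capture).
SAMPLE_CAPTURE = """\
203.0.113.7\t51514\t10.0.0.5\t443\t1\t0
10.0.0.5\t443\t203.0.113.7\t51514\t1\t1
203.0.113.7\t51514\t10.0.0.5\t443\t0\t1
10.0.0.5\t40112\t10.0.0.20\t8080\t1\t0
10.0.0.20\t8080\t10.0.0.5\t40112\t1\t1
10.0.0.5\t40113\t10.0.0.20\t8080\t1\t0
10.0.0.5\t40200\t198.51.100.9\t443\t1\t0
198.51.100.9\t443\t10.0.0.5\t40200\t1\t1
"""

def parse_packets(text):
    """Yield (src, sport, dst, dport, syn, ack) tuples, skipping malformed rows."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        src, sport, dst, dport, syn, ack = fields
        try:
            yield src, int(sport), dst, int(dport), syn == "1", ack == "1"
        except ValueError:
            continue

def outbound_calls(text, server_ip):
    """Count connections the server itself opened, keyed by (dst_ip, dst_port)."""
    calls = Counter()
    for src, _sport, dst, dport, syn, ack in parse_packets(text):
        # A bare SYN (SYN set, ACK clear) comes from the side initiating the connection.
        if syn and not ack and src == server_ip:
            calls[(dst, dport)] += 1
    return calls

def inbound_clients(text, server_ip):
    """Return the peers that opened connections to the server (ordinary clients)."""
    return {src for src, _sp, dst, _dp, syn, ack in parse_packets(text)
            if syn and not ack and dst == server_ip}

if __name__ == "__main__":
    for (dst, port), n in outbound_calls(SAMPLE_CAPTURE, "10.0.0.5").most_common():
        print(f"{dst}:{port}  {n} connection(s) opened by the server")
```

Destinations that show up in `outbound_calls` but never in `inbound_clients` are the candidates to compare against the API documentation or the service logs.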

(Han Ho) #27

With more than 2 years of experience in mobile testing, I have used Fiddler and the browser developer tools to catch the API calls our applications are making.
After reading all your posts and researching on the Internet, I found some other tools that we can use:

  • Web Sniffer (Chrome Addon)

  • Wizdler (Chrome Addon)