Do you refer to any heuristics when you design your API tests?

Hi all,

I discovered the POISED heuristic from Chapter 3.0 - POISED API testing strategy.
POISED = Parameters, Output, Interop, Security, Errors, and Data.
I wonder if you have any other tips (or other heuristics) for designing API tests?

Thanks,
Emna

3 Likes

Not a specific heuristic, but for API testing this is what we test (& design for, of course):

To think about while designing & testing an API

  • Logging
  • Monitoring
  • Test Data
  • Which framework/library you will use to API test
  • Which CI/CD platform & can we integrate our tests to it
  • Reporting, how will it happen?
  • Will all tests come together on some dashboard?

For testing the API itself:

  • Headers (response, request)
  • QueryParams
  • Cache
  • Cookies
  • HTTP Status codes
  • Changing Methods
  • JSON value validation
  • JSON schema validation
  • Error handling
  • JWT hacking (None algorithm, HMAC algorithm, directory traversal in KID, SQL injection in KID, parameter tampering, command injection, information disclosure)
  • Authorization
  • Authentication
  • Response times

Non-Func

  • Security / Pen-tests
  • What kind of performance tests are required?
3 Likes
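The "None algorithm" and "parameter tampering" items in the JWT list above are easy to turn into a concrete check. The following is an added example, not code from the thread or from any project mentioned in it: it mints an HS256 token, forges an `alg: none` variant with an elevated `role` claim, and runs both against a verifier that trusts the header's `alg` (the vulnerable pattern) and one that pins the algorithm server-side. The secret, claims and both verifiers are constructed for this demonstration; only the standard library is used.

```python
"""Added example: checking a JWT verifier against the alg=none attack.

Everything here (SECRET, the claims, both verifiers) is constructed for the
demonstration and is not taken from the forum thread or any real service.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-secret-not-for-production"  # constructed for the example


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a legitimate HS256 token (what the API under test would do)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(new_claims: dict) -> str:
    """Attacker step: header says alg=none, claims are tampered, signature is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(new_claims)}."


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable verifier: honours whatever 'alg' the token itself declares."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":          # the bug: unsigned tokens are accepted
        return json.loads(_b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def verify_pinned(token: str, secret: bytes) -> Optional[dict]:
    """Hardened verifier: the algorithm is fixed server-side and the MAC is always checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:                       # bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":         # exact match; 'none', 'None', 'nOnE' all fail here
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def run_check() -> dict:
    """Run the forged and legitimate tokens through both verifiers."""
    legit = mint_hs256({"sub": "emna", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "emna", "role": "admin"})
    return {
        "naive_accepts_forged": verify_naive(forged, SECRET) is not None,
        "pinned_accepts_forged": verify_pinned(forged, SECRET) is not None,
        "pinned_accepts_legit": verify_pinned(legit, SECRET) is not None,
    }


if __name__ == "__main__":
    print(run_check())
```

When pointing this at a real API, the same forged token is sent in the `Authorization: Bearer` header; a 200 where a 401 was expected is the finding. The second hardening point, separate from pinning `alg`, is that the key used to verify must never be chosen from attacker-controlled header fields such as `kid` without strict validation, which is what the "directory traversal / SQL injection in KID" items in the list are about.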

POISED was one of the first heuristics I came across for API testing, it's quite useful

The CRUD heuristic also makes a lot of sense for testing an API (it does depend on how the API is made):
C - Create, testing POST requests
R - Read, tests related to the GET method
U - Update, tests for PUT and/or PATCH
D - Delete for, well, DELETE :smiley:

I also came across this VADER heuristic by a lady called Linda Roy:

Verbs
Authorisation/Authentication
Data
Errors
Responsiveness

The Force is strong with this heuristic! :smiley:

3 Likes

I think BINMEN is a cool one!

Boundary
Invalid Entries
NULL
Method
Empty
Negative

Available at about 23 minutes into this talk.

3 Likes

Many thanks @kristof!! Looks great, and some of the terms are not trivial for me; I will do some research to see how I can implement them in practice. If you have an example that you recommend, let me know.
I use this one: https://restful-booker.herokuapp.com/
For the moment the existing API at the company contains only GET. I want to prepare myself with techniques to test the API so that I will be able to proceed in good ways when the others get ready (create, delete, update…) :wink:

3 Likes

That's great! Thanks a lot for the precision and the link, very helpful

3 Likes

This is genius! Thanks a lot for the PDF and all the details :))

3 Likes