![]() Postman also provides some helpful examples that you can use. ![]() I will walk carefully through the examples so you should be able to follow along. If you are not familiar with JavaScript, don't worry about it. In this chapter, I will show you how to set up good test validation scripts in Postman. It can have perfect coverage and be impeccably structured, but without good assertions, it isn't doing you much good. You can have a test suite that is checking all the necessary endpoints with all the correct inputs. Although these were egregious examples, the reality is that often a well-designed test suite will fail to deliver on its promise because of poor assertions. Imagine my surprise when in several of them I found assertions that where checking things such as whether true=true or 5 = 5? No wonder the tests had never failed. I had identified several test scripts that had never failed and was looking through them. My hypothesis was that if a script had been running for some time and had never failed, it was unlikely to fail in the future and so was not giving us valuable information. One of the rules I used to determine which scripts might not be adding value was to look at scripts that had never failed. In order to do this, I was analyzing the test results to see which scripts were giving us the most information. Let's continue with that in the next chapter!Īt one company that I worked at, I was trying to figure out the value of some of the test automation scripts that we had. This will involve using JavaScript in Postman and will be a lot of fun as you learn how to check that requests are doing what they should be and a lot of other powerful things that Postman can help you with. I hope you are excited to continue learning about Postman in the next chapter, where I will show you how to create test validation scripts. All in all, we covered a lot of ground in this chapter. To help with this, I showed you an example of how to integrate Postman with Burp Suite so that you could see how this might work. In addition, you learned how to integrate Postman with other external security testing tools. I also helped you get started with a few security testing techniques such as fuzzing, command injection, and authorization testing and showed you how to use them in Postman. We didn't just look at how to call secured APIs in this chapter though. I also showed you some of the other authorization options in Postman and showed you how to get started with them. You learned how to log in with many different authorization types ranging from Basic Auth to API keys and tokens to OAuth 2.0. I also showed you how to use the various Postman authorization types to give you access to secured APIs. In this chapter, I have shown you how to think about API security and what the distinction is between authorization and authentication in security. Security is a complex and important topic and understanding how to work with it is an important part of API testing. This chapter has covered a lot of territory. ![]() Doing this allows you to reuse your tests for security purposes. Once you have defined all your test cases in Postman, you can run them with different credentials to check whether they are correctly authorized. You cannot fully mitigate all authorization mistakes, but when you set up tests, be sure to include negative authorization checks. ![]() I have seen cases where the user interface correctly restricts users from things they do not have the rights to, but that same security is not applied correctly in the API, meaning users can see things they do not have the right to. This kind of security is often mixed up with business logic in an application and so it is a very important type of authorization to check for in your tests. There isn't really a standard term for this, but it is sometimes called things such as rights-based security or programmatic security. They should only be able to see data from certain courses that they are enrolled in. In the example of a learning system, someone might have a student role within the system, but that does not mean that they can access data from any course in the system. Trying out different roles in an important aspect of authorization testing, but there is another level of detail that is important for this as well.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |