API test heuristics are guidelines or rules of thumb used to identify what to test in an API and how to test it. They are usually based on the characteristics of the API, such as its parameters, output, interoperability, security, error handling, and data. Here are some common API test heuristics:
https://qa-matters.com/2016/07/30/vader-a-rest-api-test-heuristic/
- VADER stands for Verbs, Authorization, Data, Errors, and Responsiveness: check which HTTP verbs each endpoint accepts, who is allowed to call it, the data it accepts and returns, how it reports errors, and how quickly it responds.
- optimized for REST APIs
https://en.wikipedia.org/wiki/Exploratory_testing
- Exploratory testing involves testing the API without a predefined test plan or script. This heuristic can be used to identify unexpected issues or edge cases.
https://www.geeksforgeeks.org/software-engineering-black-box-testing/?ref=header_search
- equivalence partitioning
- boundary value analysis
- cause-effect graphing (a decision table mapping input conditions to expected outputs, like a truth table)
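The black-box techniques above, combined with the VADER verbs/authorization/errors checks, turn into concrete test cases quickly. The following is an added example (not from any of the linked sources) for a constructed endpoint `GET /items?limit=N` with a valid range of 1..100, where any authenticated user may read but only admins may POST or DELETE; `fake_api` is a stand-in for a server, seeded with an off-by-one bug so the generated cases have something to catch.

```python
from itertools import product

# Constructed target (not from any linked source): GET /items?limit=N
# accepts 1..100; any authenticated user may read, only admins may write.
LIMIT_LO, LIMIT_HI = 1, 100
VERBS = ("GET", "POST", "DELETE")
ROLES = ("anonymous", "user", "admin")
WRITE_VERBS = {"POST", "DELETE"}

def limit_cases(lo, hi):
    """Boundary values (on and just beside each edge) plus equivalence
    partitions (mid-range, non-numeric, empty) as (value, expected status)."""
    edges = (lo - 1, lo, lo + 1, (lo + hi) // 2, hi - 1, hi, hi + 1)
    return [(v, 200 if lo <= v <= hi else 400) for v in edges] + \
        [("abc", 400), ("", 400)]

def expected_status(verb, role):
    """Cause-effect table: verb and caller role -> status the API should give."""
    if role == "anonymous":
        return 401              # no credentials at all
    if verb in WRITE_VERBS and role != "admin":
        return 403              # authenticated but not authorised
    return 200

def run_checks(send):
    """Drive send(verb, role, limit) -> status with the generated cases and
    return mismatches as (verb, role, limit, expected, actual)."""
    failures = []
    for verb, role in product(VERBS, ROLES):
        want = expected_status(verb, role)
        got = send(verb, role, 10)
        if got != want:
            failures.append((verb, role, 10, want, got))
    for value, want in limit_cases(LIMIT_LO, LIMIT_HI):
        got = send("GET", "user", value)
        if got != want:
            failures.append(("GET", "user", value, want, got))
    return failures

def fake_api(verb, role, limit):
    """Constructed server stand-in seeded with one defect: the upper bound
    check is off by one, so limit=101 is accepted."""
    auth = expected_status(verb, role)
    if auth != 200:
        return auth
    try:
        n = int(limit)
    except (TypeError, ValueError):
        return 400
    return 200 if LIMIT_LO <= n <= LIMIT_HI + 1 else 400   # bug: "+ 1"
```

`run_checks(fake_api)` reports the single mismatch `('GET', 'user', 101, 400, 200)`; against a real service, `send` would wrap an HTTP client and return the response status.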
Code feedback involves deriving test cases from the API's own source code. This heuristic can surface issues that black-box testing methods miss.
Security testing starts with exploratory testing: find anomalies or unexpected behavior, then probe deeper.
A good way to get a grasp of the concepts is to use an application you control or one where the owner has granted permission for you to use active scans.
Some good starting points:
- explore-with-postman repo (all v2 JSON collections can be imported into SoapUI): https://github.com/ambertests/explore-with-postman/tree/master
- OWASP Juice Shop
- OWASP WebGoat
- vMAPI
[Ministry of Testing](https://club.ministryoftesting.com)
[API Testing Blog](https://www.testingxperts.com/category/api-testing/)