Exploring and modelling Web services - Created by Mark Winteringham / @2bittester © 2017

Exploring and modelling Web services

Available at http://mwtestconsultancy.co.uk/presentations/exploring_web_services/


Please install the following

POSTMAN - www.getpostman.com/apps
BURPSUITE - www.portswigger.net/burp/

About me...

- www.mwtestconsultancy.co.uk

- @2bittester

- linkedin.com/in/markwinteringham


Workshop goals

Explore the behaviour of a web service

Model our observations of a web service

Create a test suite of checks based on our model

Welcome to 'The best at rest ltd'


Creators of RESTFUL-BOOKER-PLATFORM

A SaaS platform that lets hotel managers manage their hotels and bookings

RESTFUL-BOOKER-PLATFORM requirements

  1. Be able to retrieve, create, update and delete a hotel
  2. Be able to retrieve, create, update and delete bookings for a hotel
  3. Require a user to be logged in to create, update and delete data

A service-oriented architecture

Explore

How do we explore a Web service?

Proxy Server

'A server... that acts as an intermediary for requests from clients seeking resources from other servers.'


  • Caching content
  • Security
  • Monitoring and filtering


https://en.wikipedia.org/wiki/Proxy_server

How does a proxy server work?

Browser (User Interface) -> Proxy -> Service

Proxy Servers

  • POSTMAN
  • Burp Suite

Using proxy servers

Iteration one - Explore proxies

  • Setup BurpSuite and intercept HTTP requests (to see HTTPS traffic as well, install Burp's CA certificate in the browser first, otherwise the browser will refuse the proxied connection)
  • Setup the Postman proxy and intercept HTTP requests

Firebug / Developer tools

Log files

Source code

https://github.com/mwinteringham/restful-booker-platform

Iteration two - Explore other tools

  • Use Developer tools/Firebug tools
  • Discover different log files and trigger events
  • View source code and discover more about the application

What did you learn?

Modelling

Modelling?

Flow chart

An abstract representation of the application

Why Model?

Pedal schematic - How many tests?

How might you model

No right or wrong way

Modelling by API

Doesn't give us feedback on how the API is used

Modelling by behaviour

Models can get quite complicated

Iteration three - Model!

  • Record the requests flowing between services
  • Build a model of the application
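One way to turn recorded traffic into a model, added here as an example and not code from the workshop or the restful-booker-platform project: each captured request is reduced to a route template (method plus path with identifiers collapsed) and the status codes seen with and without a login are recorded against it. The captured traffic below is constructed for the example; the /hotel and /booking paths follow the requirements on the earlier slide and are assumptions, not the platform's real routes, and the auth flag stands in for whether a session token was sent. With that model in hand the script also reports two things the raw list of requests hides: mutating routes that succeeded without a login (requirement 3) and mutating routes that were never tried without one (a coverage gap).

```javascript
// Added example, not from the workshop slides or restful-booker-platform.
// Requests as they might be recorded through a proxy (constructed sample data;
// paths and the auth flag are assumptions for illustration).
const capturedTraffic = [
  { method: "GET",    path: "/hotel",              auth: false, status: 200 },
  { method: "GET",    path: "/hotel/1",            auth: false, status: 200 },
  { method: "GET",    path: "/hotel/2",            auth: false, status: 200 },
  { method: "POST",   path: "/hotel",              auth: false, status: 403 },
  { method: "POST",   path: "/hotel",              auth: true,  status: 201 },
  { method: "PUT",    path: "/hotel/1",            auth: true,  status: 200 },
  { method: "DELETE", path: "/hotel/2",            auth: false, status: 403 },
  { method: "DELETE", path: "/hotel/2",            auth: true,  status: 202 },
  { method: "GET",    path: "/hotel/1/booking",    auth: false, status: 200 },
  { method: "POST",   path: "/hotel/1/booking",    auth: true,  status: 201 },
  { method: "POST",   path: "/hotel/1/booking",    auth: false, status: 201 }, // no login, yet created
  { method: "GET",    path: "/hotel/1/booking/7",  auth: true,  status: 200 },
];

const MUTATING = ["POST", "PUT", "DELETE"];

// Collapse numeric resource identifiers so /hotel/1 and /hotel/2 become one route.
function templatePath(path) {
  return path
    .split("/")
    .map(segment => (/^\d+$/.test(segment) ? "{id}" : segment))
    .join("/");
}

// Model keyed by "METHOD /template"; each entry records the status codes
// observed with and without a login.
function buildModel(traffic) {
  const model = {};
  for (const req of traffic) {
    const key = `${req.method} ${templatePath(req.path)}`;
    if (!model[key]) model[key] = { withAuth: new Set(), withoutAuth: new Set() };
    (req.auth ? model[key].withAuth : model[key].withoutAuth).add(req.status);
  }
  return model;
}

// Requirement 3 check: a mutating route that answered 2xx/3xx without a login is a gap.
function findAuthGaps(model) {
  const gaps = [];
  for (const [route, entry] of Object.entries(model)) {
    if (!MUTATING.includes(route.split(" ")[0])) continue;
    for (const status of entry.withoutAuth) {
      if (status < 400) gaps.push({ route, status });
    }
  }
  return gaps;
}

// Coverage check: mutating routes the recording never exercised without a login,
// so the model cannot say anything about them yet.
function untestedWithoutAuth(model) {
  return Object.entries(model)
    .filter(([route, entry]) => MUTATING.includes(route.split(" ")[0]) && entry.withoutAuth.size === 0)
    .map(([route]) => route);
}

// Human-readable dump of the model for the workshop wall.
function describeModel(model) {
  return Object.entries(model).map(([route, entry]) =>
    `${route}  with login: ${[...entry.withAuth].join(",") || "-"}  without: ${[...entry.withoutAuth].join(",") || "-"}`
  );
}

const model = buildModel(capturedTraffic);
console.log(describeModel(model).join("\n"));
console.log("auth gaps:", findAuthGaps(model));
console.log("never tried without login:", untestedWithoutAuth(model));
```

Only numeric identifiers are collapsed here; a service that uses UUIDs or slugs needs a second pattern in templatePath, which is exactly the kind of thing viewing the route definitions in the source code tells you.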

What did you learn?

Ensuring coverage


  • Work collaboratively
  • Try using web spidering tools
  • Look at source code for routes

Design

POSTMAN Tests

Setup

  1. Select the Tests tab of the request
  2. Enter your JavaScript test
  3. Save your request to a collection
  4. Click the arrow on your collection to reveal the run option

Resource / Query string


URIs

  • Valid and invalid paths
  • Resource identifiers

Query strings

  • Data types
  • Boundaries
  • Robustness principle

Headers


  • Missing headers
  • Positive/negative values
  • Redundant headers

Status codes


Positive codes - 200, 201, 304
Negative codes - 400, 404, 500

Do status codes match the way you expect the service to respond?

Payloads


  • Data types
  • Boundaries
  • Robustness principle

Iteration four - Design!

  • Using POSTMAN collections create a suite of API tests
  • Use your model of the application as reference
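A Postman Tests-tab script that exercises the status code, header, data type and boundary checks from the design slides, added here as an example and not code from the workshop or the restful-booker-platform project. It is written for a hypothetical GET /hotel/{id} request; the hotel fields (id, name, rooms) and the boundary rules are assumptions for the example, not the platform's real payload. The checks are plain functions over (status, headers, body), so the same file runs under Node against the constructed responses at the bottom, and only the pm.* calls execute inside Postman's sandbox.

```javascript
// Added example, not from the workshop slides or restful-booker-platform.
// Assumed payload shape for GET /hotel/{id} (hypothetical fields).
const HOTEL_SCHEMA = { id: "number", name: "string", rooms: "number" };

// Status code: does the service answer the way the model says it should?
function checkStatus(status, expected) {
  return { name: `status is ${expected}`, pass: status === expected, detail: `got ${status}` };
}

// Header check with case-insensitive lookup (HTTP header names are case-insensitive,
// so a test that looks only for "Content-Type" would miss "content-type").
function checkHeader(headers, name, expectedPrefix) {
  const found = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  const value = found === undefined ? undefined : String(headers[found]);
  const pass = value !== undefined && value.startsWith(expectedPrefix);
  return { name: `${name} starts with ${expectedPrefix}`, pass, detail: `got ${value}` };
}

// Data types: every field in the schema has the right type, and nothing extra leaks out.
function checkTypes(body, schema) {
  const problems = [];
  for (const [field, type] of Object.entries(schema)) {
    if (typeof body[field] !== type) problems.push(`${field} should be ${type}, got ${typeof body[field]}`);
  }
  for (const field of Object.keys(body)) {
    if (!(field in schema)) problems.push(`unexpected field ${field}`);
  }
  return { name: "payload types match schema", pass: problems.length === 0, detail: problems.join("; ") };
}

// Boundaries (assumed rules for the example): id is a positive integer,
// rooms is a non-negative integer, name is non-empty.
function checkBoundaries(body) {
  const problems = [];
  if (!(Number.isInteger(body.id) && body.id > 0)) problems.push("id must be a positive integer");
  if (!(Number.isInteger(body.rooms) && body.rooms >= 0)) problems.push("rooms must be an integer >= 0");
  if (typeof body.name !== "string" || body.name.trim() === "") problems.push("name must be non-empty");
  return { name: "payload values within boundaries", pass: problems.length === 0, detail: problems.join("; ") };
}

function runChecks({ status, headers, body }) {
  return [
    checkStatus(status, 200),
    checkHeader(headers, "Content-Type", "application/json"),
    checkTypes(body, HOTEL_SCHEMA),
    checkBoundaries(body),
  ];
}

// Constructed responses for a dry run outside Postman.
const goodResponse = {
  status: 200,
  headers: { "content-type": "application/json; charset=utf-8" },
  body: { id: 1, name: "Example Hotel", rooms: 12 },
};
const badResponse = {
  status: 500,
  headers: { "Content-Type": "text/html" },
  body: { id: "1", name: "", rooms: -3, debug: true },
};

if (typeof pm !== "undefined") {
  // Inside Postman: flatten pm.response into the plain shape and register one pm.test per check.
  const headers = {};
  pm.response.headers.all().forEach(h => { headers[h.key] = h.value; });
  const results = runChecks({ status: pm.response.code, headers, body: pm.response.json() });
  results.forEach(r => pm.test(r.name, () => pm.expect(r.pass, r.detail).to.equal(true)));
} else {
  console.log("good response:", runChecks(goodResponse));
  console.log("bad response:", runChecks(badResponse));
}
```

Paste the block into the Tests tab of the request, save it to a collection and use the collection runner; each entry returned by runChecks appears as its own pass/fail line, with the detail string shown on failure.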

What did you learn?

Wrapping up

Thank you

Slides - http://mwtestconsultancy.co.uk/presentations/exploring_web_services/