Explore key concepts in API testing with this quiz focused on assertions, asynchronous calls, flaky test detection, and security testing basics. Strengthen your understanding of reliable, secure, and robust API test practices through practical scenarios and clear explanations.
What is the primary purpose of an assertion in API testing?
Explanation: Assertions are used to check that the API's actual response aligns with what is expected, ensuring the API behaves correctly. Recording response times is related to performance monitoring, not assertions. Displaying documentation and encrypting payloads address different aspects of API management and security, not response validation.
Which of the following is a typical assertion when testing a successful API GET request?
Explanation: A successful GET request normally returns a 200 status code, so asserting this helps verify correct operation. Expecting immediate timeout suggests failure, not success. Requiring a null request body is not standard and database schema changes are unrelated to standard GET request assertions.
Why is special handling required for asynchronous API calls in automated tests?
Explanation: Asynchronous calls can respond later than expected, so tests must wait or check for completion before asserting results. Endpoints being unauthorized or always returning 400 is incorrect and not a property of asynchronous APIs. Encryption of data is unrelated to asynchronicity.
What characteristic most commonly signals a flaky API test?
Explanation: Flaky tests are unreliable because their outcomes change even when the code hasn't, indicating instability or external dependencies. Always passing tests ignore failures, which is not flaky. Logging a warning or running only on weekends does not indicate test flakiness.
Which solution best addresses flakiness caused by delayed API responses?
Explanation: Retries and adjusted waits account for variable response times, minimizing flakiness. Removing assertions prevents useful verification, reducing test effectiveness. Reducing input data or adding logs may help diagnosis but does not directly fix the timing issue.
In API security testing, why should tests assert the exact structure of JSON responses?
Explanation: By asserting JSON structure, you ensure sensitive fields are not leaked and responses follow security protocols. Blocking requests, upgrading clients automatically, or triggering server restarts are unrelated to the validation of JSON structure.
Which assertion type verifies sensitive information is not present in API error messages?
Explanation: A negative assertion checks that something should not occur, such as ensuring error messages do not reveal sensitive information. Rate limiting and performance assertions address different aspects. Redirect assertions deal with HTTP redirects, not content checks.
How should an API security test assert correct handling of unauthorized access?
Explanation: A 401 code signals to the client that authentication has failed, which is expected for invalid login attempts. An empty body or lack of status code is not standard and may indicate improper error handling. A 500 error suggests a server problem, not an authentication issue.
What is the main goal of testing API rate limiting functionality?
Explanation: Testing rate limits checks that too many requests are detected and limited, preventing abuse. Verifying emails, reducing endpoints, or automating onboarding do not test or enforce rate limiting policies.
Which describes a basic security testing technique that submits unexpected or random parameters to an API?
Explanation: Fuzzing sends random or malformed data to find vulnerabilities and ensure robust handling. Puzzling is not a recognized technique. Spoofing and phishing are security attacks targeting different weaknesses, not parameter stress-testing.
A test for an API endpoint that updates a resource asynchronously must ensure what before making assertions?
Explanation: Assertions must wait for async operations to complete; otherwise, assertions may check incomplete or outdated data. Archiving the database or invalidating keys does not relate to async operations. Running tests at midnight is irrelevant.
Which assertion verifies the API server correctly handles requests with missing required fields?
Explanation: A 400 status informs the client the request was invalid, which is proper API behavior. Simply ignoring requests or returning success for bad requests can lead to security or usability problems. Disconnecting the client is unnecessarily harsh.
Flaky API tests that rely on time delays can be improved by replacing hardcoded waits with what approach?
Explanation: Polls check for a specific outcome rather than waiting a set time, making tests more adaptable and reliable. Doubling wait times increases run duration without guarantee of stability. Randomization and disabling async tests do not solve timing issues.
When testing for sensitive data exposure, which type of assertion confirms the absence of secret keys in API responses?
Explanation: Negative content assertions confirm that certain sensitive values, like secret keys, do not appear where they shouldn't. Positive schema assertions validate structure, not content. Parallel and load assertions address concurrency and performance, not data exposure.
Idempotence in API testing is verified by which of the following?
Explanation: Idempotence means repeating the same request yields the same result, an important property for safe, predictable APIs. Forcing server restarts or refusing requests is disruptive or incorrect behavior. Random responses break the principle of idempotence.
Which scenario can commonly cause flakiness when testing APIs with parallel requests?
Explanation: Concurrent modifications to shared data can produce unpredictable results and flakiness. Unique tokens typically avoid data collisions. Running tests only once does not inherently cause flakiness, and targeting non-existent endpoints creates consistent errors rather than unpredictable test outcomes.