No idea about interface testing? An article to teach you how to handle the interview
2022-07-21 23:30:00 【Houge】
My original post is here:
https://zhuanlan.zhihu.com/p/538210976
Server-side interfaces fall into two groups: server-to-server interfaces, such as the RPC or Dubbo interfaces in a project, and interfaces facing the APP. The test design theory is the same for both; only the tooling differs. For the former you may need to deploy the service into an open-source framework so that requests can be submitted directly against the interface, or submit them from code; the latter serves the APP and can be accessed directly, so Postman or Charles can test it straight away. Whatever kind of interface you test, you need to refer to the interface document and test it together with the business function. Below I take APP-facing interfaces as the example and share the interface testing methods I commonly use in projects; they are also useful in an interview ~~
1. Whether the interface uses the HTTPS protocol
First, the interface should use HTTPS. As everyone knows, HTTP is an insecure protocol, so I won't repeat that here.
2. Whether transmitted sensitive information is encrypted
Check whether private information such as ID card numbers, bank card numbers, mobile phone numbers and names is encrypted, and whether passwords use a secure algorithm. Something as simple as MD5 is insecure: the password may be recovered from the hash through a rainbow table.
(Besides encrypting the interface's transmission, the server log must not print this data directly, and ID card and bank card data stored in the database also needs to be encrypted; passwords in particular are best salted.)
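To make the "MD5 is not enough, salt the password" point concrete, here is an added example (not code from the original post) that puts an unsalted MD5 digest beside a salted, iterated PBKDF2-HMAC-SHA256 hash. The sample password and the storage format `pbkdf2_sha256$iterations$salt$digest` are constructed for the demo; everything else is the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to choose the same password.
SAMPLE_PASSWORD = "Passw0rd!"


def weak_md5(password: str) -> str:
    """Unsalted MD5, the scheme the article warns against: identical passwords
    give identical digests, so one precomputed table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    A fresh random salt per user means equal passwords no longer share a
    digest, which defeats a precomputed rainbow table. The returned string is
    self-describing so the parameters can be raised later without a migration.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the check does not leak where the digests diverge."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Same password twice: MD5 collides, the salted hash does not.
    print(weak_md5(SAMPLE_PASSWORD) == weak_md5(SAMPLE_PASSWORD))          # True
    print(hash_password(SAMPLE_PASSWORD) == hash_password(SAMPLE_PASSWORD))  # False
    print(verify_password(SAMPLE_PASSWORD, hash_password(SAMPLE_PASSWORD)))  # True
```

When reviewing a login interface, the stored column should look like the self-describing string above (or a bcrypt/argon2 string), never like a bare 32-hex-character MD5 digest.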
3. Authorization
Authorization checking means verifying whether the user has the right to access the resource; failures fall into horizontal privilege escalation and vertical privilege escalation.
Vertical privilege escalation: a low-privilege attacker tries to access the resources of a high-privilege user. Suppose the administrator can access the page xxx/admin.html but an ordinary administrator cannot. If the ordinary administrator logs in, types xxx/admin.html directly into the browser, and can open the administrator page, that is vertical privilege escalation.
Horizontal privilege escalation: an attacker tries to access the resources of a user with the same permissions as themselves. Each member of a website can only see their own member information; after member A logs in, the URL of their own page is xxx/member.php?id=A. If A wants to peek at B's information, types xxx/member.php?id=B into the browser, and can open B's page, that is horizontal privilege escalation.
The examples above modify the URL; for POST requests you can modify request parameters such as id to test. The modified requests can be submitted with Postman, or you can use Charles to intercept the request and modify its parameters.
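The two test cases above (A asks for id=B; an ordinary account opens the admin page) are easiest to reason about against a handler. The following is an added example, not code from the original post, with a constructed member table and role names: each handler is shown in the form that trusts the `id` parameter (the behaviour the test is looking for) and in the form that checks the session user against the requested resource.

```python
from dataclasses import dataclass

# Constructed sample data: a session user and two member records.
MEMBERS = {
    "A": {"id": "A", "name": "Alice", "phone": "138****0001"},
    "B": {"id": "B", "name": "Bob", "phone": "139****0002"},
}


@dataclass
class User:
    id: str
    role: str  # "member" or "admin" (constructed role names)


class Forbidden(Exception):
    """Raised when the session user may not access the requested resource."""


def get_member_vulnerable(session_user: User, member_id: str) -> dict:
    """Trusts the id parameter: member A asking for id=B gets B's record.
    This is the horizontal privilege escalation the test tries to provoke."""
    return MEMBERS[member_id]


def get_member(session_user: User, member_id: str) -> dict:
    """Object-level check: the record must belong to the caller, unless the
    caller is an admin. Lookup happens only after the check passes."""
    if session_user.role != "admin" and session_user.id != member_id:
        raise Forbidden(f"user {session_user.id} may not read member {member_id}")
    return MEMBERS[member_id]


def admin_page_vulnerable(session_user: User) -> str:
    """Serves admin.html to anyone who knows the URL (vertical escalation)."""
    return "admin dashboard"


def admin_page(session_user: User) -> str:
    """Role check on every request, not only on the menu that links to it."""
    if session_user.role != "admin":
        raise Forbidden(f"user {session_user.id} is not an admin")
    return "admin dashboard"


def is_forbidden(handler, *args) -> bool:
    """Helper for test scripts: does the handler reject this call?"""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


USER_A = User("A", "member")
ADMIN = User("root", "admin")

if __name__ == "__main__":
    print(get_member_vulnerable(USER_A, "B")["name"])   # Bob: the bug
    print(is_forbidden(get_member, USER_A, "B"))          # True: fixed
    print(is_forbidden(admin_page, USER_A))               # True: fixed
```

The assertions a tester writes mirror the article's steps: the same request that succeeded as id=A must be rejected as id=B, and the admin URL must be rejected for a non-admin session regardless of how the client got there.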
4. Idempotence
Interface idempotence means that whether the user initiates one request or several for the same operation, the effect on the data is the same. For example, in a payment system we pay for an order; if the client does not receive the order status from the server, the user can pay again from the payment entry, and if that payment also succeeds it results in a duplicate payment and a loss of assets, so the interface is not idempotent. You can also use Postman to submit the payment request repeatedly and see whether the same order can be paid successfully more than once.
(Besides idempotence on the server, the client can also prevent duplicates. For example, with a form submission, if the page does not navigate in time because of a network problem and the user clicks submit twice, the client can detect the repeat and block the second request.)
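The repeated-payment scenario, as an added example that is not part of the original post: a constructed in-memory payment service with the non-idempotent handler beside one that (a) returns the stored result for a replayed request id and (b) refuses to charge an order that is already PAID. The order table, request ids and error code 1001 are all assumptions for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: str
    amount_cents: int
    status: str = "PENDING"


@dataclass
class PaymentService:
    orders: dict
    ledger: list = field(default_factory=list)      # every charge actually made
    processed: dict = field(default_factory=dict)   # request_id -> stored result

    def pay_nonidempotent(self, order_id: str) -> dict:
        """Charges on every call: resubmitting from Postman pays twice."""
        order = self.orders[order_id]
        self.ledger.append((order_id, order.amount_cents))
        order.status = "PAID"
        return {"code": 0, "msg": "paid"}

    def pay(self, order_id: str, request_id: str) -> dict:
        """Idempotent version.

        1. A replay carrying the same request_id gets the original answer
           without touching the ledger (covers the lost-response retry).
        2. A new request_id for an order that is already PAID is refused
           (covers a second click that generated a fresh request).
        In a real service step 2 must be an atomic conditional update such as
        UPDATE ... WHERE status = 'PENDING', not a read followed by a write.
        """
        if request_id in self.processed:
            return self.processed[request_id]
        order = self.orders[order_id]
        if order.status == "PAID":
            result = {"code": 1001, "msg": "order already paid"}
        else:
            self.ledger.append((order_id, order.amount_cents))
            order.status = "PAID"
            result = {"code": 0, "msg": "paid"}
        self.processed[request_id] = result
        return result


def total_charged(service: PaymentService, order_id: str) -> int:
    """What the test asserts on: money actually moved for this order."""
    return sum(amount for oid, amount in service.ledger if oid == order_id)


def new_service() -> PaymentService:
    # Constructed order: 1000 yuan expressed in cents.
    return PaymentService(orders={"A": Order("A", 100_000)})


if __name__ == "__main__":
    bad = new_service()
    bad.pay_nonidempotent("A")
    bad.pay_nonidempotent("A")
    print(total_charged(bad, "A"))   # 200000: paid twice

    good = new_service()
    good.pay("A", "req-1")
    good.pay("A", "req-1")           # replay of the same request
    print(good.pay("A", "req-2"))    # second click: code 1001
    print(total_charged(good, "A"))  # 100000: paid once
```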
5. Dependencies between interfaces
Server interfaces mostly depend on each other. For members to see their logged-in page they must first log in, with a password or a verification code. Try to access the later interface directly by splicing its parameters together and see whether login can be bypassed. Also note that with verification-code login, after the verification code has been requested it must not be included in the response; otherwise someone else's verification code can be stolen.
6. Boundary value testing
Many errors occur at the boundaries of the input or output range rather than inside it. Besides values within the input range, the tests need to cover: the value just below the left boundary, the left boundary itself, the first value above the left boundary, the value just below the right boundary, the right boundary itself, and the first value above the right boundary.
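The six boundary values listed above can be generated mechanically for any range. The following added example (not from the original post) does that and runs the cases against a constructed quantity validator with an off-by-one defect (it rejects the left boundary); the range 1..99 and the validator are assumptions for the demo.

```python
from typing import Callable, List, Tuple


def boundary_values(low, high, step=1) -> list:
    """The six values the article names, left to right: just below the left
    boundary, the left boundary, just above it, just below the right boundary,
    the right boundary, just above it. `step` is the smallest representable
    change (1 for integers, Decimal('0.01') for an amount in yuan)."""
    return [low - step, low, low + step, high - step, high, high + step]


def boundary_cases(low, high, step=1) -> List[Tuple[object, bool]]:
    """Pair each boundary value with whether the spec [low, high] accepts it."""
    return [(v, low <= v <= high) for v in boundary_values(low, high, step)]


def run_boundary_tests(validator: Callable[[object], bool], low, high, step=1) -> list:
    """Return the boundary inputs where the validator disagrees with the spec.
    An empty list means the boundary checks all passed."""
    return [v for v, expected in boundary_cases(low, high, step)
            if validator(v) != expected]


# Constructed system under test: quantity must be 1..99 inclusive.
def validate_quantity_buggy(q) -> bool:
    return 1 < q <= 99       # off-by-one: the left boundary 1 is rejected


def validate_quantity_fixed(q) -> bool:
    return 1 <= q <= 99


if __name__ == "__main__":
    print(boundary_values(1, 99))                          # [0, 1, 2, 98, 99, 100]
    print(run_boundary_tests(validate_quantity_buggy, 1, 99))  # [1]
    print(run_boundary_tests(validate_quantity_fixed, 1, 99))  # []
```

A value strictly inside the range (say 50) passes both validators, which is exactly why a test that only uses "normal" inputs misses this defect.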
7. Required / optional parameters and non-null parameter validation
Interfaces generally agree which parameters are mandatory and which are optional. We can remove the mandatory parameters one at a time, or set a non-null parameter to null; the interface must report the corresponding error. A parameter that does not need to be passed should not cause an interface error when it is omitted. This matters especially for systems accessed by business parties, such as an account system: almost every business can call login, so a specification of the login interface must be established for business parties to integrate against.
8. Signature verification
An attacker may tamper with the request parameters of an interface and then send the request to the server; the server needs to recognise that the parameters were tampered with, and this recognition process is signature verification. Example: the attacker places two orders in a mall, order A for 1000 yuan and order B for 1 yuan, both pending payment. Having captured the request parameters of the payment interface, the attacker changes the order number in the request parameters to A while paying order B, which may end up with order A paid for 1 yuan. In the order creation interface, the server can sign the request parameters and return the signature to the client; the client puts the signature it received into the sign request parameter of the payment interface and submits it to the server. The server then compares it against the parameters it receives in the payment call; if they differ, signature verification fails and the request is illegal.
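The order A / order B scenario with the sign parameter, as an added example rather than code from the original post. The server signs the canonical form of the order parameters with an HMAC key that only the server holds, returns the signature with the order, and on payment recomputes it over the parameters actually received. The key, parameter names and the 1000-yuan / 1-yuan amounts are constructed for the demo.

```python
import hashlib
import hmac

# Constructed server-side secret; the client never sees it, it only echoes `sign`.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(params: dict) -> str:
    """Deterministic string over every parameter except `sign` itself:
    keys sorted, joined as k=v&k=v, so both sides hash the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")


def sign(params: dict, key: bytes = SERVER_KEY) -> str:
    return hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()


def verify(params: dict, key: bytes = SERVER_KEY) -> bool:
    """Server side of the payment interface: recompute and compare in
    constant time. Missing or mismatched sign -> illegal request."""
    supplied = params.get("sign")
    if not isinstance(supplied, str) or not supplied:
        return False
    return hmac.compare_digest(sign(params, key), supplied)


def create_order(order_id: str, amount_cents: int) -> dict:
    """Order creation interface: returns the parameters the client must send
    to the payment interface, with the server's signature attached."""
    params = {"order_id": order_id, "amount_cents": amount_cents}
    params["sign"] = sign(params)
    return params


def pay(params: dict) -> dict:
    """Payment interface: verify before touching any order state."""
    if not verify(params):
        return {"code": 4003, "msg": "signature verification failed"}
    return {"code": 0, "msg": f"order {params['order_id']} paid {params['amount_cents']} cents"}


if __name__ == "__main__":
    order_a = create_order("A", 100_000)   # 1000 yuan
    order_b = create_order("B", 100)       # 1 yuan
    print(pay(order_b))                    # code 0
    forged = dict(order_b, order_id="A")   # B's amount, A's order number
    print(pay(forged))                     # code 4003
```

What the signature does not cover is replay of an untouched, validly signed request; that is the idempotence check from section 4, and in production the signed parameters would also carry a timestamp or nonce.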
9. Data unit testing
The client and server need to agree on the unit of data. For example, an interface involving an amount specifies whether it is in cents or yuan. If the agreement is yuan, will the client send 0.1, 0.10, 1.00, 1.0 or 1, can the server cope with all of these, and does it give the correct response?
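Sections 7 and 9 describe the same server-side check from two angles: which parameters must be present and non-null, and whether an amount in yuan is normalised correctly whatever spelling the client uses. This added example (not from the original post) implements one validator for a constructed payment request; the parameter names, the error codes 40001 to 40003 and the rule "at most two decimal places, positive" are assumptions for the demo.

```python
from decimal import Decimal, InvalidOperation

# Constructed error codes for the three failure classes the article names.
ERR_MISSING = 40001   # mandatory parameter absent
ERR_NULL = 40002      # parameter present but null/empty
ERR_AMOUNT = 40003    # amount not a valid yuan value


class ValidationError(Exception):
    def __init__(self, code: int, msg: str):
        super().__init__(msg)
        self.code = code


def yuan_to_cents(raw) -> int:
    """Accept 0.1, 0.10, 1.00, 1.0, 1 (as str or number) and return integer
    cents. Decimal avoids float artefacts such as 0.1 * 100 != 10 exactly.
    Rejects non-numeric input, zero/negative amounts and sub-cent precision."""
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        raise ValidationError(ERR_AMOUNT, f"amount not numeric: {raw!r}")
    if not value.is_finite():
        raise ValidationError(ERR_AMOUNT, f"amount not finite: {raw!r}")
    cents = value * 100
    if cents != cents.to_integral_value():
        raise ValidationError(ERR_AMOUNT, f"amount has sub-cent precision: {raw!r}")
    if cents <= 0:
        raise ValidationError(ERR_AMOUNT, f"amount must be positive: {raw!r}")
    return int(cents)


def validate_payment_request(params: dict,
                             required=("order_id", "amount"),
                             optional=("remark",)) -> dict:
    """Mandatory parameters must exist and be non-null; optional ones may be
    absent without error. Returns the normalised request the handler uses."""
    for name in required:
        if name not in params:
            raise ValidationError(ERR_MISSING, f"missing parameter: {name}")
        if params[name] is None or params[name] == "":
            raise ValidationError(ERR_NULL, f"parameter must not be null: {name}")
    result = {"order_id": str(params["order_id"]),
              "amount_cents": yuan_to_cents(params["amount"])}
    for name in optional:
        result[name] = params.get(name)   # None when omitted, never an error
    return result


def error_code(params: dict) -> int:
    """Test helper: 0 when the request validates, else the error code."""
    try:
        validate_payment_request(params)
    except ValidationError as e:
        return e.code
    return 0


if __name__ == "__main__":
    for spelling in ("0.1", "0.10", 0.1):
        print(spelling, yuan_to_cents(spelling))      # all 10
    for spelling in ("1.00", "1.0", "1", 1, 1.0):
        print(spelling, yuan_to_cents(spelling))      # all 100
    print(error_code({"order_id": "A"}))              # 40001
    print(error_code({"order_id": None, "amount": "1"}))  # 40002
    print(error_code({"order_id": "A", "amount": "0.001"}))  # 40003
```

The test script for section 7 removes `order_id` and `amount` one at a time and sets each to null, expecting 40001 and 40002; for section 9 it sends every spelling of the same yuan amount and expects the same cent value back.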
10. For any interface exception, the client needs to display a corresponding user-facing page
(1) The server needs to translate the error and return it to the client
If an error occurs in an upstream server, the server that handles client requests needs to handle it and convert it into the error code agreed with the client. When testing, you can stop or restart the upstream services, have the client initiate a request, and see how the server responds.
(2) The client needs a user-facing error page for all errors
The APP should have timeout handling for all interfaces and show the user a unified error page. Server errors must not be displayed to the user directly; you can modify the response into a format the client does not recognise and see whether the client handles it.
The above are the interface testing methods I commonly use in my work. A payment system test may follow later, stay tuned. Please indicate the source when reprinting ~~~~