Understanding and Preventing Insecure Direct Object Reference (IDOR) Vulnerabilities in Web Applications

 

1. Understanding API Basics 

        API stands for Application Programming Interface, a set of rules that define how software components should interact. APIs typically use HTTP requests to communicate, which can involve the following methods: 

        ● GET: Retrieve data from a server. 

        ● POST: Send data to a server to create a new resource. 

        ● PUT: Updates an existing resource. 

        ● DELETE: Remove a resource from the server.

2. Setting Up Tools for API Testing

         For this guide, we’ll use two common tools: 

        ● Postman: A user-friendly GUI tool for testing APIs. 

        ● Rest Assured: A Java-based API testing library for automation testing.

3. Using Postman for API Testing 

        Step A: Install Postman

              Download and install Postman from Postman’s official website. 

        Step B: Create a New Request 

              ● Open Postman and click New > Request. 

              ● Select the request type (e.g., GET, POST) and enter the API URL. 

              For example: 

                     GET https://jsonplaceholder.typicode.com/posts/1

        Step C: Add Parameters/Body

              If needed, add query parameters or request body in the Params or Body tabs.

        Step D: Send Request

                Click Send and examine the response (e.g., Status Code, JSON data).

        Step E: Writing Tests

                 In the Tests tab, write simple assertions using JavaScript:

                 javascript 

                                    pm.test("Status code is 200", function () { 

                                                pm.response.to.have.status(200);

                                    });

        Step F: Collection Runs and Automation

                   Group your requests into collections and automate them using Postman’s Collection Runner                    for repeated testing.

4. REST Assured API Automation with Java: A Beginner's Guide

     REST Assured is a powerful Java library that simplifies testing RESTful APIs. It allows you to write readable and maintainable API test scripts in a fluent style.

---

✅ Step A: Set Up REST Assured

To get started, add REST Assured as a dependency in your pom.xml if you're using Maven:

<dependency>
  <groupId>io.rest-assured</groupId>
  <artifactId>rest-assured</artifactId>
  <version>4.4.0</version>
  <scope>test</scope>
</dependency>

---

✅ Step B: Write a Basic GET Request Test

Here’s a simple Java example that performs a GET request and validates the status code and response body:

import io.restassured.RestAssured;
import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

public class ApiTest {
  public static void main(String[] args) {
    RestAssured.baseURI = "https://jsonplaceholder.typicode.com";

    // Test GET /posts/1
    given()
    .when()
      .get("/posts/1")
    .then()
      .statusCode(200)
      .body("userId", equalTo(1));
  }
}

Tip: Use JUnit or TestNG for a more robust and scalable test suite.

---

✅ Step C: Understand Core API Testing Concepts

Here are the essentials every API tester must master:

🔸 1. Status Code Validation

Verify the response status code to check if the request succeeded or failed.

Code	Meaning
200	OK – Request was successful
201	Created – Resource was created
400	Bad Request – Invalid syntax
401	Unauthorized – Auth required
500	Internal Server Error

🔸 2. Response Body Validation

Use Hamcrest matchers to validate specific fields:

.body("title", equalTo("foo"))

🔸 3. Header Validation

Check if the API response headers are as expected:

.header("Content-Type", "application/json; charset=utf-8")

🔸 4. Authentication

For protected APIs, pass authentication tokens:

given().auth().oauth2("YOUR_ACCESS_TOKEN")

🔸 5. Negative Testing

Test how the API handles invalid input, malformed data, or missing parameters. This ensures the API is robust and secure.

🚀 Final Tip

REST Assured + Java is a killer combo for API automation. Combine it with a test framework like JUnit/TestNG and CI tools like Jenkins/GitHub Actions to build a scalable and automated testing pipeline.

---

5. Advanced API Testing with Rest Assured & Postman

Once you've mastered the basics of API testing, it's time to scale your skills with advanced techniques that improve coverage, efficiency, and reliability. Let’s explore some expert strategies and tools used in real-world API test automation.

---

✅ Advanced Techniques for API Testing

🔸 1. Parameterized Tests

Write reusable test cases by passing different inputs dynamically—ideal for testing the same endpoint with various data values.

📌 Tools: TestNG (with @DataProvider), JUnit 5 (with @ParameterizedTest)

🔸 2. Data-Driven Testing

Feed your test cases with data from CSV, JSON, or Excel files to validate multiple scenarios without duplicating code.

Example: Read login credentials from a file and validate API response for each user.

🔸 3. Mocking APIs

When an API isn’t available or under development, use mocking tools to simulate responses and test integration logic.

✅ Tools:

• Postman Mock Server

• WireMock

• MockServer

---

✅ Reporting & Continuous Integration (CI)

🔹  Postman + Newman

Use Newman (Postman’s CLI) to run collections in CI tools like Jenkins, GitHub Actions, GitLab CI, etc.

newman run collection.json -e environment.json --reporters cli,html

🔹  Rest Assured + Reporting

Pair Rest Assured with reporting tools like:

• Extent Reports

• Allure Reports

• JUnit HTML Reports

They provide detailed test summaries, logs, and screenshots for debugging failed cases.

---

✅  API Testing Best Practices

Here are some golden rules every QA engineer should follow:

🔸 1. Clear & Structured Test Cases

Cover all types of flows:

• ✅ Happy Path (valid data)

• ❌ Negative Path (invalid input)

• ⚠️ Edge Cases (boundaries, large payloads, etc.)

🔸 2. Keep Tests Independent

Each test should run on its own without depending on previous steps or results. This avoids false failures in CI runs.

🔸 3. Monitor APIs After Testing

Once deployed, continue monitoring APIs using tools like:

• Postman Monitors

• Pingdom

• Uptime Robot

This ensures you catch downtime, performance degradation, or unexpected failures quickly.

---

🎯 Conclusion

API testing ensures your backend systems work reliably, securely, and at scale. Whether you're using Postman for manual tests or Rest Assured for automation, adopting a disciplined approach with CI integration, proper reporting, and mock setups takes your testing to the next level.