How to Test Encrypted APIs?

Digest Algorithms

A digest (hash) algorithm condenses the plaintext into a fixed-length fingerprint that the server recomputes to check that the data arrived unchanged. MD5, for example, outputs a 128-bit digest (32 hex characters) regardless of the input length; SHA-1 outputs 160 bits.
A digest algorithm needs no key: the client and the server run the same algorithm over the same plaintext and obtain the same digest. That is also its limit. Anyone who can modify the request can recompute the digest over the modified data, so a bare MD5 or SHA-1 value only catches accidental corruption; to detect deliberate tampering the digest has to be keyed (an HMAC with a shared secret) or signed. MD5 and SHA-1 are also collision-broken, so treat them as legacy when you meet them in an API and note it in your findings.

Symmetric Encryption

A symmetric encryption algorithm is a shared-key algorithm: a single key is used for both encryption and decryption. The sender and the receiver must both hold that key in advance, and whoever obtains it can read and forge traffic, so how the key is distributed and stored matters as much as the algorithm.
Data Encryption: the sender combines the plaintext (original data) with the key to produce ciphertext for transmission. Modern modes such as AES-GCM also require a fresh IV/nonce per message and produce an authentication tag that lets the receiver detect modified ciphertext.
Data Decryption: the receiver applies the inverse operation of the same algorithm with the same key to turn the ciphertext back into readable plaintext. DES, with its 56-bit key, is obsolete; AES with a 128- or 256-bit key is the current choice.

Asymmetric Encryption

An asymmetric encryption algorithm has two keys: a public key, which can be handed to anyone, and a private key, which stays with its owner. Encryption and decryption use different keys, hence the name.
Data encrypted with the public key can be decrypted only with the corresponding private key. This is the confidentiality direction: a client encrypts a request with the server's public key and only the server can read it.
Data "encrypted" with the private key can be recovered by anyone holding the public key, which is public by design, so this direction provides no secrecy; it is the basis of digital signatures, proving that the holder of the private key produced the data. Public-key operations are slow and can only process a short message, so real APIs usually use RSA to transport a symmetric key or to sign, and encrypt the bulk data with AES.

Common Encryption Algorithms and Their Processing Methods

Based on the algorithms above, a tester handles an encrypted API as follows.
Digest Algorithms (MD5, SHA1): compute the digest over the request fields in the order the API specifies (with the shared secret included or, better, as an HMAC) before sending, and the server recomputes and compares the values. If the scheme is a bare MD5/SHA-1 over the body, also test whether a modified body with a recomputed digest is accepted.
Symmetric Encryption Algorithms (AES, DES): obtain the shared secret key (there is no public key in symmetric encryption), plus the mode and IV/nonce convention, from the developer before building the request; the same key encrypts the request data and decrypts the response.
Asymmetric Encryption Algorithms (RSA): obtain the server's public key to encrypt request data, and verify signed responses against the same public key. A private key should only ever be a test-environment key; if the harness needs one to decrypt or sign, it should never be a production key.
User Authentication
Most API testing tools provide a User Auth/Authorization option. In Postman, for example, the Authorization tab offers, among others:
Basic Authentication
Digest Authentication
Bearer Token / API Key
OAuth 1.0a
OAuth 2.0 (the most common, since most web APIs provide this method)
Select the option that matches the API under test and the tool builds the corresponding Authorization header or token exchange for you; when the API's scheme is custom, fall back to a pre-request script that constructs the header yourself.
How to Handle Data Encryption in APIs?

(1) Write a function or method that encrypts the parameters that need protection. Every request passes its sensitive fields through it before transmission, and the response passes through the matching decryption function before you assert on it.
(2) Which algorithm to use depends on the product and its business requirements: a shared-key cipher such as AES, or a public/private key scheme; the tester follows the server's choice, including its mode, key size and IV convention.
(3) What looks like encryption is sometimes only encoding: the data to be transmitted is base64-encoded and sent as a base64 string.
(4) That is encoding, not encryption; anyone can reverse base64 without a key. If confidentiality is really required, encrypt the sensitive parameters first, and send the whole message over an encrypted transport (HTTPS) as well.
(5) In JMeter, use a PreProcessor to encrypt the request parameters and a PostProcessor to decrypt the response (BeanShell, or preferably JSR223 with Groovy, which JMeter recommends for performance), then inspect the decrypted values in the log; the algorithm again follows the requirements.
(6) Testing tools differ in which algorithms and libraries they ship, so confirm that your tool supports the server's exact algorithm and parameters before relying on it.