Testing of RESTful Web APIs

Alberto Martin-Lopez1,2 and Juan C. Alonso3

1
Schaffhausen Institute of Technology, Schaffhausen, Switzerland
2
Università della Svizzera Italiana, Lugano, Switzerland
3
Smart Computer Systems Research and Engineering Lab (SCORE),
Research Institute of Computer Engineering (I3US)
Universidad de Sevilla, Seville, Spain
[email protected],[email protected]

Abstract. RESTful web APIs nowadays may be considered the de facto

standard for web integration, since they enable interoperability between
heterogeneous software systems in a standard way, and their usage is
widespread in industry. Testing these systems thoroughly is therefore of
utmost importance: a single bug in an API could compromise hundreds
of services using it, potentially affecting millions of end users. In recent
years, there has been an explosion in the number of tools and approaches
to test RESTful web APIs, making it difficult for researchers and prac-
titioners to select the right solution for the problem at hand.
In this tutorial, we overview some of the main industrial and research
tools for testing RESTful APIs, with a primarily practical approach. We
analyze different testing tools and frameworks from three different per-
spectives: a) manual vs automated testing; b) black-box vs white-box
testing; and c) online vs offline testing. First, we show the capabilities of
industrial tools and libraries for manual testing of web APIs, including
REST Assured [3] and Postman [1]. Then, we delve into some of the
main research tools for automatically generating test cases for RESTful
APIs such as RESTler [6], EvoMaster [5], and RESTest [7]. Finally, we
overview existing industrial Testing as a Service (TaaS) platforms such
as RapidAPI [2] and Sauce Labs [4], and we show the latest research
advances on the provision of continuous online testing of RESTful APIs
(including automated test generation and execution) with the RESTest
testing ecosystem [8]. We finish the tutorial outlining some of the most
pressing research challenges in the domain of web API testing automa-
tion, which will hopefully open a range of opportunities for future re-
searchers working on the topic.

Keywords: RESTful APIs · Web APIs · OpenAPI Specification · Black-

box testing · White-box testing.

Biographies
Alberto Martı́n López is a postdoctoral fellow at the Schaffhausen Institute
of Technology (SIT) and the Università della Svizzera Italiana (USI), in Switzer-
land. He belongs to the Software Testing and Analysis Research (STAR) group,
2 Alberto Martin-Lopez and Juan C. Alonso

led by Professor Mauro Pezzè. Before that, he did a PhD in Software Engineer-
ing at the SCORE Unit of Excellence of the University of Seville, from where he
also obtained a Bachelor degree in Telecommunications Engineering and a Mas-
ter’s degree in Software Engineering and Technology. He was also a Fulbright
fellow at the University of California, Berkeley (USA) and an external lecturer
at the Kristiania University College (Oslo, Norway). The main research interests
of Alberto span varied topics within the areas of software testing and service-
oriented systems, including field testing, web API testing, test oracle generation,
and AI4SE, among others. He is the author and main developer of the registered
tool RESTest, a comprehensive framework for automated black-box testing of
RESTful web APIs, thanks to which he and his team have found numerous bugs
in commercial APIs such as YouTube, Yelp, GitHub, and more. He has pub-
lished in some of the main conferences and journals related to his field such
as ESEC/FSE, ICSOC, TSE and TSC. To know more about Alberto, visit his
personal website: https://personal.us.es/amarlop.
Juan Carlos Alonso Valenzuela is a PhD student and a teaching assis-
tant at the University of Seville, in Spain. He is part of the Applied Software
Engineering (ISA) group and the SCORE Unit of Excellence of the University of
Seville. His current research interests lie in the areas of software testing, Artificial
Intelligence and Natural Language Processing. He obtained a Bachelor degree
in Software Engineering and a Master’s degree in Data Science, both of them
in the University of Seville. He is one of the core developers of RESTest and
the main contributor of ARTE, an approach for the generation of realistic test
inputs for web APIs thanks to which he and his team have found domain-specific
bugs in the APIs of DHL and Amadeus. To know more about Juan Carlos, visit
his personal website at www.javalenzuela.com.

Acknowledgments

This work has been supported by the European Commission (FEDER) and
Junta de Andalucı́a under projects MEMENTO (US-1381595), APOLO (US-
1264651) and EKIPMENT-PLUS (P18-FR-2895), by the Spanish Government
(FEDER/Ministerio de Ciencia e Innovación – Agencia Estatal de Investigación)
under project HORATIO (RTI2018-101204-B-C21), by MCIN/AEI/10.13039/
501100011033/FEDER, UE under project BUBO (PID2021-126227NB-C22), and
by the Excellence Network SEBASENet 2.0 (RED2018-102472-T).

References
1. Postman. https://www.postman.com, accessed: November 2022
2. RapidAPI. https://rapidapi.com, accessed: November 2022
3. REST Assured. https://rest-assured.io, accessed: November 2022
4. Sauce Labs. https://saucelabs.com, accessed: November 2022
5. Arcuri, A.: RESTful API Automated Test Case Generation with EvoMaster. ACM
Transactions on Software Engineering and Methodology 28(1), 1–37 (2019)
 Testing of RESTful Web APIs 3

6. Atlidakis, V., Godefroid, P., Polishchuk, M.: RESTler: Stateful REST API Fuzzing.
In: IEEE/ACM 41st International Conference on Software Engineering. pp. 748–758
(2019)
7. Martin-Lopez, A., Segura, S., Ruiz-Cortés, A.: RESTest: Automated Black-Box
Testing of RESTful Web APIs. In: Proceedings of the 30th ACM SIGSOFT In-
ternational Symposium on Software Testing and Analysis. pp. 682–685 (2021)
8. Martin-Lopez, A., Segura, S., Ruiz-Cortés, A.: Online Testing of RESTful APIs:
Promises and Challenges. In: Proceedings of the 30th ACM Joint European Soft-
ware Engineering Conference and Symposium on the Foundations of Software En-
gineering. pp. 408–420 (2022)