1. What Is Web Application Testing?
Web Application Testing is the process of validating a web-based system to ensure it is:
- Functionally correct
- Secure from vulnerabilities
- Performant under load
- Compatible across browsers and devices
- Reliable end-to-end
Modern web applications are API-driven, meaning:
- UI interacts with APIs
- APIs interact with databases
- Security, performance, and data integrity depend heavily on APIs
👉 That’s why API web services testing is a core interview skill today.
2. Functional Testing Scenarios for Web Applications (API Context)
Even when the interview is about APIs, web flows matter, because APIs power those flows.
Login & Authentication Scenarios
- Login API returns correct token
- Invalid credentials return proper error code
- No sensitive data in login response
- Token expiry validation
- Multiple login attempts handling
Session Management
- Session timeout enforced via API
- Token invalid after logout
- Old token rejected after re-login
- Concurrent session handling
Cookies & Headers
- Secure cookies set correctly
- HttpOnly and SameSite flags
- Authorization headers validated
- Cookies cleared on logout API
API-Driven Functional Scenarios
- UI calls correct API endpoints
- API response mapped correctly to UI
- Error responses handled gracefully
- Partial API failures handled properly
3. UI, UX, Responsive & Accessibility Test Cases (API-Driven Apps)
Even API-centric systems require UI validation.
UI Testing
- API errors shown as user-friendly messages
- No raw JSON displayed in UI
- No stack traces exposed
UX Testing
- Clear messages for API failures
- Retry mechanisms for failed calls
- Consistent behavior across screens
Responsive Testing
- Same API behavior across devices
- No mobile-only API failures
- Token handling consistent on mobile/desktop
Accessibility
- API-driven messages accessible to screen readers
- Keyboard navigation does not break API calls
4. API Web Services Testing Interview Questions & Answers
Q1. What is API web services testing?
Answer:
API web services testing validates:
- Request and response correctness
- Business logic at API level
- Security and authorization
- Performance and reliability
It ensures APIs work independently of UI, which makes testing faster and more reliable.
Q2. Why is API testing important in web applications?
Answer:
Because:
- UI depends on APIs
- APIs expose business logic
- API bugs bypass UI validation
If APIs fail, the entire application fails—even if UI looks fine.
Q3. Difference between REST and SOAP web services?
Answer:
REST
- Lightweight
- Uses JSON/XML
- Stateless
- Faster and simpler
SOAP
- XML-based
- Strict schema (WSDL)
- More secure by design
- Slower but structured
Most modern applications prefer REST.
Q4. How do you test a login API?
Answer:
- Valid credentials → 200 OK
- Invalid credentials → 401 Unauthorized
- SQL injection attempts in payload
- Token generation validation
- Token expiration handling
Login APIs are high-risk endpoints.
Q5. How do you validate API response?
Answer:
- Status code
- Response body
- Schema validation
- Headers
- Business logic correctness
Correct status code alone is not enough.
Q6. What HTTP status codes should you know?
Answer:
- 200 – Success
- 201 – Created
- 400 – Bad Request
- 401 – Unauthorized
- 403 – Forbidden
- 404 – Not Found
- 500 – Internal Server Error
Incorrect status codes indicate poor API design.
5. Security & Penetration-Based Interview Questions (API Focus)
Q7. How do you test API security?
Answer:
- Authentication validation
- Authorization checks
- Input validation
- Rate limiting
- Token misuse
APIs are often direct attack targets.
Q8. What is SQL Injection in APIs?
Answer:
SQL Injection occurs when malicious input manipulates queries.
Example payload:
{
“username”: “‘ OR 1=1 –“,
“password”: “test”
}
APIs must use parameterized queries.
Q9. What is XSS in API-driven apps?
Answer:
XSS occurs when API returns unsanitized data rendered in UI.
Example stored response:
<script>alert(‘XSS’)</script>
APIs must sanitize or encode output.
Q10. What is CSRF and how does it affect APIs?
Answer:
CSRF forces users to perform unwanted actions using valid sessions.
APIs must:
- Validate CSRF tokens
- Use SameSite cookies
- Reject unauthorized requests
Q11. What is authentication abuse in APIs?
Answer:
- Brute-force login
- Credential stuffing
- Token reuse
- Missing rate limits
These issues are critical severity defects.
6. API & Web Services Validation Examples (Postman / SOAPUI)
Q12. How do you test APIs using Postman?
Answer:
- Send requests with different payloads
- Validate status codes
- Verify JSON schema
- Test headers and auth tokens
- Automate collections
Postman simulates real client behavior.
Q13. How do you test SOAP services?
Answer:
- Validate WSDL
- Check request/response XML
- Validate SOAP faults
- Schema validation using SOAPUI
SOAP testing focuses on contract validation.
Q14. Difference between JSON and XML?
Answer:
- JSON: Lightweight, faster, easier to parse
- XML: Verbose, strict, schema-driven
REST APIs usually prefer JSON.
Q15. How do you validate API error handling?
Answer:
- Missing mandatory fields
- Invalid data types
- Oversized payloads
- Unauthorized access
Error responses must be secure and meaningful.
7. Web Performance Checkpoints (API Perspective)
Q16. What is TTFB?
Answer:
Time To First Byte measures server responsiveness.
High TTFB may indicate:
- Backend slowness
- API inefficiency
- Infrastructure issues
Q17. How do you test API performance?
Answer:
- Measure response time
- Test concurrent requests
- Validate throughput
- Identify bottlenecks
Performance issues affect scalability.
Q18. How does caching impact APIs?
Answer:
- Improves response time
- Reduces server load
- Can expose sensitive data if misconfigured
APIs must control cache headers carefully.
Q19. What role does CDN play?
Answer:
- Improves performance
- Provides DDoS protection
- Caches static API responses (if allowed)
Sensitive APIs should not be cached.
8. Browser & Device Compatibility Scenarios (API-Driven Apps)
Q20. Why test APIs across browsers?
Answer:
Because:
- Browsers handle headers differently
- Cookies and storage differ
- CORS behavior varies
API issues can appear browser-specific.
Q21. How do you test mobile API behavior?
Answer:
- Token storage validation
- Network instability handling
- Retry logic
Mobile APIs must handle unreliable networks.
9. Real-Time API Web Services Defects & RCA
Defect 1: Token Still Valid After Logout
- Issue: Old token works after logout
- Impact: Account takeover risk
- Root Cause: Token not invalidated server-side
- Fix: Invalidate token on logout API
Defect 2: API Returns 200 for Invalid Data
- Issue: Invalid payload accepted
- Impact: Data corruption
- Root Cause: Missing backend validation
- Fix: Enforce schema validation
Defect 3: SQL Injection via API
- Issue: API vulnerable to injection
- Impact: Database exposure
- Root Cause: Dynamic SQL queries
- Fix: Parameterized queries
10. Defect Logging Format + RCA + Priority/Severity
API Defect Template
- Defect ID
- API Endpoint
- Request Payload
- Response Received
- Expected Response
- Status Code
- Logs / Evidence
- Severity
- Priority
Severity vs Priority
- Severity: Business/technical impact
- Priority: Fix urgency
Security API bugs are usually Critical & High Priority.
11. Quick Revision Sheet (Interview-Ready)
- API testing validates business logic
- REST > SOAP in modern systems
- Status codes matter
- Security testing is mandatory
- APIs must be tested independent of UI
- Performance issues become security risks
- Authorization bugs are more dangerous than auth bugs
12. FAQs – API Web Services Testing Interview Questions
Q: Is automation mandatory for API testing?
Helpful but not mandatory. Manual reasoning is crucial.
Q: Should testers know REST standards?
Yes. It is a basic expectation.
Q: What is the most critical API area?
Authentication, authorization, and data validation.