1. What Is Web Application Testing?
Web Application Testing is the process of validating a web-based system to ensure it is:
- Functionally correct
- Secure against vulnerabilities
- Performant under load
- Compatible across browsers and devices
- Reliable end-to-end
Modern web applications are API-driven:
- UI sends requests to APIs
- APIs process business logic
- Databases store and retrieve data
👉 That’s why web API testing is a core skill in today’s interviews.
2. Functional Testing Scenarios for Web Applications (API-Driven)
Even API interviews include web scenarios, because APIs power those flows.
Login & Authentication Scenarios
- Login API returns token for valid credentials
- Invalid credentials return proper error code
- No sensitive data in login response
- Token expiration handling
- Multiple login attempts handling
Session Management
- Session timeout enforced via API
- Token invalidated after logout
- Old token rejected after re-login
- Concurrent session handling
Cookies & Headers
- Secure cookies set correctly
- HttpOnly and SameSite flags validated
- Authorization headers mandatory
- Cookies cleared after logout API
API-Driven Functional Scenarios
- UI calls correct API endpoints
- API response mapped correctly to UI
- Partial API failure handling
- Graceful UI error messages
3. UI, UX, Responsive & Accessibility Test Cases (API Context)
Even API-centric systems must be tested from the UI perspective.
UI Testing
- API errors shown as user-friendly messages
- No raw JSON or stack traces visible
- Consistent error formatting
UX Testing
- Clear messages for API failures
- Retry options for temporary failures
- No infinite loaders on API errors
Responsive Testing
- Same API behavior on mobile and desktop
- No mobile-only API failures
- Token handling consistent across devices
Accessibility
- API error messages readable by screen readers
- Keyboard navigation does not break API calls
- Status messages announced properly
4. Web API Testing Interview Questions & Structured Answers
Q1. What is web API testing?
Answer:
Web API testing validates:
- Request and response correctness
- Business logic at API level
- Security and authorization
- Performance and scalability
APIs are tested independently of UI, making defect detection faster and more reliable.
Q2. Why is API testing important for web applications?
Answer:
Because:
- UI depends on APIs
- APIs expose core business logic
- API bugs bypass UI validation
If APIs fail, the entire application fails—even if UI looks fine.
Q3. Difference between REST and SOAP APIs?
Answer:
REST
- Lightweight
- Uses JSON/XML
- Stateless
- Faster and simpler
SOAP
- XML-based
- Strict schema (WSDL)
- Built-in standards
- Slower but structured
Most modern systems use REST APIs.
Q4. How do you test a login API?
Answer:
- Valid credentials → 200 OK
- Invalid credentials → 401 Unauthorized
- SQL injection attempts in payload
- Token generation validation
- Token expiration handling
Login APIs are high-risk endpoints.
Q5. What validations do you perform on an API response?
Answer:
- HTTP status code
- Response body content
- Schema validation
- Headers
- Business logic correctness
A correct status code alone is not sufficient.
Q6. Which HTTP status codes should you know?
Answer:
- 200 – Success
- 201 – Created
- 400 – Bad Request
- 401 – Unauthorized
- 403 – Forbidden
- 404 – Not Found
- 500 – Internal Server Error
Incorrect status codes indicate poor API design.
5. Security & Penetration-Based API Interview Questions
Q7. How do you test API security?
Answer:
- Authentication validation
- Authorization checks
- Input validation
- Rate limiting
- Token misuse testing
APIs are direct attack surfaces.
Q8. What is SQL Injection in APIs?
Answer:
SQL Injection occurs when malicious input manipulates backend queries.
Example payload:
{
“username”: “‘ OR 1=1 –“,
“password”: “test”
}
APIs must use parameterized queries.
Q9. How does XSS relate to APIs?
Answer:
XSS occurs when APIs return unsanitized data that is rendered in UI.
Example response:
<script>alert(‘XSS’)</script>
APIs must sanitize or encode output data.
Q10. What is CSRF and how does it affect APIs?
Answer:
CSRF forces authenticated users to perform actions unknowingly.
APIs must:
- Validate CSRF tokens
- Use SameSite cookies
- Reject unauthorized requests
Q11. What is authentication abuse in APIs?
Answer:
- Brute-force login attempts
- Credential stuffing
- Token reuse
- Missing rate limits
These are critical-severity security defects.
6. API & Web Services Validation Examples (Postman / SOAPUI)
Q12. How do you test APIs using Postman?
Answer:
- Send requests with various payloads
- Validate status codes
- Verify JSON schema
- Check headers and auth tokens
- Test negative scenarios
Postman simulates real client behavior.
Q13. How do you test SOAP web services?
Answer:
- Validate WSDL
- Verify request/response XML
- Check SOAP faults
- Schema validation using SOAPUI
SOAP testing focuses on contract validation.
Q14. Difference between JSON and XML?
Answer:
- JSON is lightweight and faster
- XML is verbose and schema-driven
Most REST APIs prefer JSON.
Q15. How do you validate API error handling?
Answer:
- Missing mandatory fields
- Invalid data types
- Oversized payloads
- Unauthorized access
Errors must be secure, consistent, and meaningful.
7. Web Performance Checkpoints (API Perspective)
Q16. What is TTFB?
Answer:
Time To First Byte measures server responsiveness.
High TTFB indicates:
- Backend slowness
- API inefficiency
- Infrastructure issues
Q17. How do you test API performance?
Answer:
- Measure response time
- Test concurrent requests
- Validate throughput
- Identify bottlenecks
Performance issues affect scalability and user experience.
Q18. How does caching affect APIs?
Answer:
- Improves response time
- Reduces server load
- Can expose sensitive data if misconfigured
APIs must control cache headers carefully.
Q19. What role does CDN play in API performance?
Answer:
- Improves latency
- Protects against DDoS
- Caches static responses
Sensitive APIs should not be cached.
8. Browser & Device Compatibility Scenarios (API-Driven Apps)
Q20. Why test APIs across browsers?
Answer:
Because:
- Browsers handle headers differently
- Cookies and storage vary
- CORS behavior changes
API issues can appear browser-specific.
Q21. How do you test mobile API behavior?
Answer:
- Token storage validation
- Network instability handling
- Retry logic
Mobile APIs must handle unreliable networks.
9. Real-Time Web API Defects & RCA
Defect 1: Token Still Valid After Logout
- Issue: Old token works after logout
- Impact: Account takeover risk
- Root Cause: Token not invalidated server-side
- Fix: Invalidate token on logout API
Defect 2: API Returns 200 for Invalid Data
- Issue: Invalid payload accepted
- Impact: Data corruption
- Root Cause: Missing backend validation
- Fix: Enforce schema validation
Defect 3: SQL Injection via API
- Issue: API vulnerable to injection
- Impact: Database exposure
- Root Cause: Dynamic SQL queries
- Fix: Parameterized queries
10. Defect Logging Format + RCA + Priority/Severity
API Defect Template
- Defect ID
- API Endpoint
- Request Payload
- Response Received
- Expected Response
- Status Code
- Logs / Evidence
- Severity
- Priority
Severity vs Priority
- Severity: Business/technical impact
- Priority: Urgency to fix
Security API bugs are usually Critical & High Priority.
11. Quick Revision Sheet (Interview-Ready)
- API testing validates business logic
- REST > SOAP in modern systems
- Status codes matter
- Security testing is mandatory
- APIs must be tested independent of UI
- Performance issues become security risks
- Authorization bugs are more dangerous than auth bugs
12. FAQs – Web API Testing Interview Questions
Q: Is automation mandatory for API testing?
Helpful but not mandatory. Manual reasoning is essential.
Q: Should testers know REST standards?
Yes. It is a baseline expectation.
Q: What is the most critical API area?
Authentication, authorization, and input validation.