1. What is Web Application Testing?
Web application testing is the process of validating a web-based system to ensure it works correctly, securely, efficiently, and consistently across browsers, devices, and environments.
From a web service testing perspective, the focus shifts to the backend layer:
- APIs and web services (REST/SOAP)
- Data exchange formats (JSON/XML)
- Authentication and authorization
- Performance and scalability
- Security vulnerabilities
- Integration with UI and third-party systems
Web services act as the core engine behind modern web applications, mobile apps, and microservices.
2. Functional Testing Scenarios for Web Applications (Service-Oriented)
Even when testing web services, understanding UI-driven scenarios is important because APIs power these flows.
Login & Authentication Scenarios
- Login API accepts valid credentials
- Invalid credentials return proper error codes
- No sensitive data in response
- Token/session generated after login
- Multiple login attempts handling
- Logout API invalidates token/session
Session Timeout Scenarios
- Token/session expires after configured time
- Expired token rejected by APIs
- Token refresh mechanism works correctly
- Session invalidated across multiple tabs/devices
Cookies & Caching Scenarios
- Cookies used only when required
- Cookies have Secure and HttpOnly flags
- Tokens not stored in plain text cookies
- No caching of authenticated responses
- Cache headers validated at service level
API Call Scenarios
- Correct HTTP method usage (GET/POST/PUT/DELETE)
- Mandatory headers validation
- Payload structure validation
- Boundary value handling
- Error handling and retries
3. UI + UX + Responsive + Accessibility Test Cases (Service Dependency)
Although web service testing is backend-focused, services directly affect UI behavior.
UI + Service Validation
- UI displays correct data returned by API
- Graceful handling of API failures
- No raw API errors shown to users
- Loading indicators during API calls
UX with API Failures
- Clear error messages for service downtime
- Retry or fallback mechanisms
- Timeout handling without UI freeze
Responsive & Accessibility Dependency
- Same API behavior across devices
- Accessibility tools do not expose sensitive API data
- Secure keyboard navigation triggers API calls correctly
4. Web Service Testing Interview Questions and Answers
Q1. What is web service testing?
Answer:
Web service testing validates the functionality, reliability, performance, and security of APIs and services that communicate over HTTP using protocols like REST or SOAP.
Q2. Difference between web application testing and web service testing?
Answer:
Web application testing focuses on UI and user flows, while web service testing focuses on backend logic, data exchange, and integration without a UI.
Q3. What are the types of web services?
Answer:
- RESTful web services
- SOAP web services
Q4. What is REST?
Answer:
REST is an architectural style that uses HTTP methods and stateless communication.
Q5. What is SOAP?
Answer:
SOAP is a protocol that uses XML messaging and strict standards like WSDL.
Q6. Difference between REST and SOAP?
Answer:
REST is lightweight and flexible; SOAP is heavyweight with strict security and standards.
Q7. What HTTP methods are commonly used?
Answer:
GET, POST, PUT, PATCH, DELETE.
Q8. What is statelessness in REST?
Answer:
Each request is independent; no session is stored on the server.
Q9. What is idempotency?
Answer:
An operation that produces the same result even when executed multiple times.
Q10. How do you test API authentication?
Answer:
By validating token generation, expiry, refresh, and rejection of invalid tokens.
Q11. What is authorization in APIs?
Answer:
Controlling access to API resources based on roles or permissions.
Q12. What are common API defects?
Answer:
Incorrect status codes, missing validations, insecure endpoints, poor error handling.
Q13. What is deep API testing?
Answer:
Testing APIs independently without UI dependency.
Q14. What is schema validation?
Answer:
Ensuring request and response follow defined structure and data types.
Q15. What is contract testing?
Answer:
Validating API behavior against agreed specifications between services.
5. Security & Penetration-Based Interview Questions
Q16. What is API security testing?
Answer:
Testing APIs for vulnerabilities like injection, broken authentication, and data exposure.
Q17. What is SQL Injection in APIs?
Answer:
Manipulating backend queries via API inputs.
Example:
‘ OR ‘1’=’1
Q18. How do you test SQL Injection in APIs?
Answer:
Send malicious payloads and observe responses or errors.
Q19. What is XSS in web services?
Answer:
APIs that return unsanitized data consumed by UI can enable XSS.
HTML Example:
<script>alert(‘XSS’)</script>
Q20. What is CSRF in APIs?
Answer:
Forcing authenticated users to perform unintended API actions.
Q21. How do you prevent CSRF?
Answer:
CSRF tokens, SameSite cookies, and header validation.
Q22. What is authentication abuse?
Answer:
Brute force or credential stuffing through login APIs.
Q23. How do you test rate limiting?
Answer:
Send repeated requests and verify throttling.
Q24. What is broken object-level authorization?
Answer:
Accessing other users’ data by modifying object IDs.
Q25. What headers improve API security?
Answer:
Authorization, Content-Type, Cache-Control, CSP-related headers.
6. API + Web Services Validation Examples
Common HTTP Status Codes
- 200 OK
- 201 Created
- 204 No Content
- 400 Bad Request
- 401 Unauthorized
- 403 Forbidden
- 404 Not Found
- 500 Internal Server Error
Sample JSON Request
{
“username”: “apiUser”,
“password”: “Api@123”
}
Sample JSON Response
{
“token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9”,
“expiresIn”: 3600
}
Sample XML (SOAP) Request
<loginRequest>
<username>apiUser</username>
<password>Api@123</password>
</loginRequest>
Postman Usage
- Send requests
- Validate headers and tokens
- Assert response body
- Measure response time
- Automate collections
SOAPUI Usage
- Validate WSDL
- XML schema validation
- SOAP fault handling
- Load testing APIs
7. Web Performance Checkpoints for Services
Key Performance Metrics
- TTFB (Time to First Byte)
- API response time
- Throughput
- Concurrent request handling
- Error rate
CDN & Caching
- Static responses cached at CDN
- Cache-control headers validated
- Sensitive APIs not cached
- Compression enabled
8. Browser & Device Compatibility Scenarios (API Impact)
- Same API behavior across browsers
- Mobile and desktop parity
- JavaScript clients handle API responses consistently
- Network fluctuation handling
9. Real-Time Defects with RCA
Defect 1: API Returns 200 for Invalid Login
- Severity: High
- Priority: High
- Root Cause: Missing backend validation
- Fix: Enforce credential validation and proper status codes
Defect 2: Token Valid After Logout
- Root Cause: Token not invalidated server-side
- Fix: Blacklist or revoke token on logout
Defect 3: Slow API Response
- Root Cause: Unoptimized database queries
- Fix: Indexing and query optimization
10. Defect Logging Format + RCA
Defect Template
- Defect ID
- Summary
- Steps to Reproduce
- Expected Result
- Actual Result
- Severity
- Priority
- Root Cause
- Environment
Severity vs Priority
- Severity: Business/technical impact
- Priority: Fix urgency
11. Quick Revision Sheet
- Validate API methods and payloads
- Check authentication and authorization
- Test negative and boundary cases
- Validate status codes
- Perform security checks
- Monitor performance metrics
- Perform RCA for production issues
12. FAQs + CTA
FAQ 1: Is web service testing only backend testing?
Primarily yes, but understanding UI interaction improves test coverage.
FAQ 2: Do manual testers need API testing skills?
Yes. API testing is essential even for manual testers.