Web Services API Testing Interview Questions -

1. What is Web Application Testing?

Web application testing is the process of validating a web-based system to ensure it is functionally correct, secure, performant, usable, and compatible across browsers, devices, and environments.

In modern systems, web services and APIs act as the backbone of web applications. While the UI is what users see, APIs handle:

Business logic
Data processing
Authentication and authorization
Integration with databases and third-party systems

Therefore, web services API testing ensures that backend services work reliably even when the UI is unavailable or fails.

2. Functional Testing Scenarios for Web Applications (API-Driven)

Although APIs are backend components, they directly impact web application behavior.

Login & Authentication API Scenarios

Login API with valid credentials
Invalid credentials return proper error codes
No sensitive data in login response
Token or session generated after login
Multiple failed login attempts handled correctly
Logout API invalidates token/session

Session Timeout & Token Scenarios

Token expires after configured time
Expired token rejected by all APIs
Token refresh flow works correctly
Logout invalidates token across devices
Concurrent session handling

Cookies & Cache Scenarios (API Perspective)

Cookies created only when required
Secure and HttpOnly flags enabled
Tokens not stored in plain text cookies
Cache-control headers prevent sensitive API caching
CDN caches only non-secure static responses

API Call Validation Scenarios

Correct HTTP method usage (GET/POST/PUT/DELETE)
Mandatory headers validation
Payload structure validation
Boundary value handling
Idempotency validation
Error handling consistency

3. UI + UX + Responsive + Accessibility Test Cases (API Dependency)

Even though API testing is backend-focused, APIs directly affect UI behavior.

UI + API Integration Checks

UI displays correct data returned by APIs
Graceful handling of API failures
No raw API errors shown to users
Loading indicators during API calls

UX with API Failures

Clear and meaningful error messages
Retry or fallback mechanisms
Timeout handling without freezing UI

Responsive & Accessibility Considerations

Same API behavior across devices
Accessibility tools do not expose sensitive API data
Keyboard actions trigger correct API calls
Screen readers do not read hidden API responses

4. Web Services API Testing Interview Questions & Answers

Q1. What is web services API testing?

Answer:
Web services API testing validates the functionality, reliability, performance, and security of backend services that communicate over HTTP using REST or SOAP, without relying on a UI.

Q2. Difference between web application testing and API testing?

Answer:
Web application testing focuses on UI and user workflows, while API testing focuses on backend logic, data exchange, and integrations.

Q3. What are the types of web services?

Answer:

RESTful web services
SOAP web services

Q4. What is REST?

Answer:
REST is an architectural style that uses HTTP methods and stateless communication to interact with resources.

Q5. What is SOAP?

Answer:
SOAP is a protocol that uses XML messages and strict standards like WSDL.

Q6. Difference between REST and SOAP?

Answer:
REST is lightweight, flexible, and uses JSON/XML, while SOAP is heavyweight, XML-only, and supports built-in security standards.

Q7. What HTTP methods are commonly used in APIs?

Answer:
GET, POST, PUT, PATCH, DELETE.

Q8. What is statelessness in REST APIs?

Answer:
Each API request is independent and contains all required information.

Q9. What is idempotency?

Answer:
An API operation that produces the same result even if executed multiple times.

Q10. What is API contract testing?

Answer:
Validating API behavior against defined specifications agreed between teams.

Q11. What is schema validation?

Answer:
Ensuring request and response follow expected structure, data types, and formats.

Q12. What are common API defects?

Answer:
Incorrect status codes, missing validations, insecure endpoints, poor error handling.

Q13. What is deep API testing?

Answer:
Testing APIs independently without UI involvement.

Q14. What is versioning in APIs?

Answer:
Managing changes without breaking existing clients.

Q15. What is backward compatibility?

Answer:
Ensuring older clients continue working after API updates.

5. Security & Penetration-Based API Interview Questions

Q16. What is API security testing?

Answer:
Testing APIs for vulnerabilities such as injection attacks, broken authentication, and data exposure.

Q17. What is SQL Injection in APIs?

Answer:
Manipulating backend SQL queries through API inputs.

Example:

‘ OR ‘1’=’1

Q18. How do you test SQL Injection in APIs?

Answer:
Send malicious payloads and observe error messages or unauthorized data access.

Q19. What is XSS in API testing?

Answer:
APIs returning unsanitized data consumed by UI can lead to XSS.

HTML Example:

Q20. What is CSRF in APIs?

Answer:
Forcing authenticated users to execute unwanted API actions.

Q21. How do you prevent CSRF?

Answer:
CSRF tokens, SameSite cookies, and header validation.

Q22. What is authentication abuse?

Answer:
Brute force or credential stuffing attacks on login APIs.

Q23. How do you test rate limiting?

Answer:
Send repeated API requests and verify throttling or blocking.

Q24. What is broken object-level authorization?

Answer:
Accessing other users’ data by modifying object IDs in API requests.

Q25. What security headers are important for APIs?

Answer:
Authorization, Cache-Control, Content-Type, CSP-related headers.

6. API + Web Services Validation Examples

Common HTTP Status Codes

200 OK
201 Created
204 No Content
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error

Sample JSON Request

{

“username”: “apiTester”,

“password”: “Api@123”

}

Sample JSON Response

{

“token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9”,

“expiresIn”: 3600

}

Sample XML (SOAP) Request

<username>apiTester</username>

</loginRequest>

Postman Usage

Send requests
Validate headers and tokens
Assert response body
Measure response time
Automate API collections

SOAPUI Usage

Validate WSDL
XML schema validation
SOAP fault handling
Load and stress testing APIs

7. Web Performance Checkpoints for APIs

Key Performance Metrics

TTFB (Time to First Byte)
API response time
Throughput
Concurrent request handling
Error rate

CDN & Caching

Cache static responses only
Validate cache-control headers
Sensitive APIs not cached
Compression enabled

8. Browser & Device Compatibility Scenarios (API Impact)

Same API behavior across browsers
Mobile and desktop parity
JavaScript clients handle responses consistently
Network fluctuation handling

9. Real-Time Defects with RCA

Defect 1: Login API Returns 200 for Invalid Credentials

Severity: High
Priority: High
Root Cause: Missing backend validation
Fix: Enforce credential validation and correct status codes

Defect 2: Token Remains Valid After Logout

Root Cause: Token not revoked server-side
Fix: Token revocation or blacklist implementation

Defect 3: Slow API Response

Root Cause: Unoptimized database queries
Fix: Indexing and query optimization

10. Defect Logging Format + RCA

Defect Template

Defect ID
Summary
Steps to Reproduce
Expected Result
Actual Result
Severity
Priority
Root Cause
Environment

Severity vs Priority

Severity: Impact on system
Priority: Urgency of fix

11. Quick Revision Sheet

Validate HTTP methods and payloads
Check authentication and authorization
Test negative and boundary cases
Validate status codes
Perform security testing
Monitor performance metrics
Perform RCA for production issues