Test tool automates sending a series of requests to a server using different test payloads. It’s designed to streamline API testing for both functional validation and basic security assessments.

Test list

Use the list on the left to manage your tests. When you run tests, this list gives you an overview of their results. Drag and drop items to rearrange them – note that you can select and drag multiple items at once. Press Enter to rename items.

Each Test Series consists of a number of Tests. This allows you to run multiple relevant tests at once.

Each Test has at least one Test Request that it uses as the base request to modify according to your configuration. If you add multiple requests to a test, the same test will be performed on all requests one at a time. This allows you to reuse the same test configuration for different requests.

You set placeholders in each request that are then replaced with test payloads when you run your test.

Configuring tests

Change types

Your request can be modified using multiple types of changes. Add an item to the Change request with list and select its type using the Type popup. Each type of test generates specific kind of values for the placeholders you have set up in your requests.

For each change, select the placeholder position that its values will be used in. Selecting All will generate values for each placeholder at a time.

Changes can be applied either

  • One at a Time where each change is applied to one placeholder or All of them
  • In Parallel where there is one change type per placeholder in request

The following types are available:

  • Value List has a simple list of text values. Click Load to insert values from a text file (each value on a separate line).
  • Numbers produces a series of values between Start and End at Step intervals. You can use floating point values and define how many fractional digits to include in the numbers.
  • Dates generates dates between Start and End dates stepping at selected intervals (days, months or years). Use the date format specifier to format your dates.
  • Characters creates combinations of a given set of characters between minimum and maximum length. Use this type to perform a brute force attack to some discover unknown value.
  • Flip goes through either bytes or bits of the placeholder’s base value and either flips the bit or increases the byte value by one. Use this type of test to discover which parts of a parameter are significant, i.e. used by the remote service.
  • Read File takes a file path that is read at runtime when you start your test. Similar to Value List values are separated by newlines. This type of test allows you to quickly iterate with your test input or programmatically provide test payloads.

Passing and failing a test

By default, receiving a response passes the test and receiving no response fails the test.

Enable Match response to rules to only pass the test if the server response matches with either All or Any of the configured rules. Rules can be targeted to specific parts of the message and configured with more accurate matching logic. Each rule can be disabled using a checkbox.

Finally, you can choose to Stop testing when matching to rules fails or passes.

Request placeholders

Use command-t keyboard shortcut to test a request in History tool or add a default request using control-n keyboard shortcut in the tests list.

Set the request target by clicking the button in the top left corner. Use the popup to configure host and port of the target server. Select whether to connect using TLS or not.

Edit your request before testing it. If you want to change its contents add placeholders using the either:

  • Add Position adds a placeholder to the current cursor position (default base value is test). If part of the request is selected a placeholder will be added there using the selection as base value.
  • Find Values tries to automatically find parameter values from the request and add placeholders for each of them. You can select to add placeholders for URL path components, query parameters, cookies, form fields, or values in JSON or XML data. Note that this search may not find all values in more complex data.

Running tests

Start all selected Test Series, Tests and Test Requests using command-⏎ keyboard shortcut or click the Start toolbar button. If Show messages is selected in the accessory toolbar, a window will pop up showing request and responses for each test.

You can watch test progress in realtime in the tests list to see which tests pass or fail. Use keyboard shortcut command-. to stop testing at any time.

Select Test Log to see a summary of all test results. Select any item under a request and press enter to open the message for that specific test case.

Options

Select Use cookie jar in the accessory toolbar to use Cookie Jar to automatically update test requests with cookies. You can also open the cookie jar using the toolbar button.

Open Test options to customize how tests are performed.

  • Select a connection timeout after a specific time interval. Set this to a larger value if your target server delivers responses very slowly.

  • Enabling connection reuse greatly increases performance by using the same TCP connection for multiple HTTP requests. Disable this setting if it causes errors with certain target servers.

  • Disable TLS certificate verification in case you want tests to proceed even if a TLS certificate validation fails for some reason, for example when the certificate is expired.

  • Throttle test requests by waiting between sending requests.

  • Choose number of parallel workers that the test requests will be distributed to. A larger number of workers may help to have your tests complete faster.