Theory without practice is useless. Here are hands-on exercises that cover everything from this chapter. Do them in order. Each one builds on the previous.
Exercise 1: Basic Auth with Postman
Open Postman and create a new collection called "Auth Testing Practice"
Find any public API that supports Basic Auth (e.g., httpbin.org/basic-auth/user/pass)
Send a GET request with correct credentials — verify 200
Send with wrong password — verify 401
Send with no auth — verify 401
Open the Postman Console and inspect the Authorization header — decode the Base64 manually
Exercise 2: JWT Token Flow
Use this platform's /api/auth endpoints or any JWT-based API
Send a POST to the login endpoint with valid credentials
Extract the token from the response
Copy the token and paste it into jwt.io — identify the claims (sub, exp, iat, role)
Save the token as {{authToken}} in your Postman environment
Send a GET request to a protected endpoint with the Bearer token — verify 200
Modify one character in the token and resend — verify 401 (tampered token)
Exercise 3: Auto-Token Refresh Script
Add the auto-token pre-request script from Lesson 10 to your collection
Set up environment variables: baseUrl, testEmail, testPassword
Remove the authToken variable manually
Send any request — verify the script auto-fetches a token
Check the Postman Console to see "Token missing or expired. Fetching new token..." message
Send another request immediately — verify it uses the cached token (no re-login)
Manually set tokenExpiry to 0 and resend — verify it refreshes
Exercise 4: IDOR Testing
Using the Banking portal or any authenticated API:
Log in as User A — note the user ID and any resource IDs
Log in as User B — get a different token
Try to access User A's resources using User B's token
Verify you get 403 (not 200)
If you get 200 — congratulations, you found a real IDOR bug! Document it.
Exercise 5: REST Assured Auth Framework
Create a new Maven project with REST Assured and TestNG
Write a BaseTest class with loginAndGetToken(), asAdmin(), asUser(), asGuest() methods
Write 5 negative tests: no token, expired token, malformed token, wrong role, SQL injection in login
Run all tests and verify they pass
Generate a TestNG HTML report and review the results
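As an added example (not the course's own code) of how the Exercise 5 base class can be laid out, here is a BaseTest with the named helpers and four of the five negative tests; it assumes the login contract is POST /api/auth/login taking {"email","password"} and returning a "token" field, reads credentials from the adminEmail/adminPassword/testEmail/testPassword system properties, and uses /api/admin/users as a placeholder admin-only endpoint. The expired-token case needs a token whose exp is already in the past, which depends on your API, so it is left for you to add.

```java
import static io.restassured.RestAssured.given;
import io.restassured.RestAssured;
import io.restassured.specification.RequestSpecification;
import java.util.Map;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

public class BaseTest {
    // Placeholder admin-only endpoint; substitute one from your environment.
    static final String ADMIN_ONLY = "/api/admin/users";
    @BeforeClass
    public void setUp() {
        // baseUrl matches the Postman environment variable from Exercise 3.
        RestAssured.baseURI = System.getProperty("baseUrl", "http://localhost:8080");
    }

    // Assumed contract: POST /api/auth/login with {"email","password"} returns {"token": "<jwt>"}.
    // Serializing the Map body needs Jackson (or Gson) on the test classpath.
    static String loginAndGetToken(String email, String password) {
        return given().contentType("application/json")
                .body(Map.of("email", email, "password", password))
                .when().post("/api/auth/login")
                .then().statusCode(200).extract().path("token");
    }

    // Role helpers: each returns a request spec that already carries the right bearer token.
    static RequestSpecification asAdmin() {
        return given().header("Authorization", "Bearer " + loginAndGetToken(
                System.getProperty("adminEmail"), System.getProperty("adminPassword")));
    }
    static RequestSpecification asUser() {
        return given().header("Authorization", "Bearer " + loginAndGetToken(
                System.getProperty("testEmail"), System.getProperty("testPassword")));
    }
    // Guest: deliberately no Authorization header at all.
    static RequestSpecification asGuest() { return given(); }

    @Test public void noToken() { asGuest().get(ADMIN_ONLY).then().statusCode(401); }
    @Test public void malformedToken() {
        given().header("Authorization", "Bearer not.a.jwt").get(ADMIN_ONLY).then().statusCode(401);
    }
    // Wrong role must be 403, not 200; a 200 here is the same class of bug Exercise 4 hunts for.
    @Test public void wrongRole() { asUser().get(ADMIN_ONLY).then().statusCode(403); }
    // Injection-looking input in the login body must be rejected, never turned into a token.
    @Test public void sqlInjectionInLogin() {
        given().contentType("application/json")
                .body(Map.of("email", "admin' OR '1'='1", "password", "x"))
                .when().post("/api/auth/login").then().statusCode(401);
    }
}
```

Run it with mvn test -DbaseUrl=... -DadminEmail=... (and the other properties) so no credentials are committed to the project.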
Exercise 6: Security Checklist
Pick any authenticated endpoint from your test environment
Create a test for each row in the OWASP checklist from Lesson 9
Test for mass assignment: send "role: admin" in a profile update
Test for information leakage: send invalid input and check if error reveals stack traces
Test for broken auth: verify passwords are never returned in responses
Document your findings in a simple table: Endpoint | Vulnerability | Status | Notes
Do not skip the IDOR exercise. It is the most common security bug in real applications and the most common security question in interviews. Practice it until it becomes second nature.