Body Playbooks
Body playbooks focus on testing the overall structure, syntax, and handling of request bodies, as well as general API behavior related to HTTP methods and endpoint logic. These playbooks are essential for verifying that your API can gracefully handle unexpected or malformed request payloads.
There are 25 body playbooks, which can be grouped into the following categories:
Structure and Syntax Testing
These playbooks test your API's resilience to malformed or structurally incorrect request bodies.
- `MalformedJsonPlaybook`: Sends a JSON body with invalid syntax (e.g., trailing characters) to test the robustness of your JSON parser.
- `EmptyBodyPlaybook`: Sends a completely empty request body.
- `EmptyJsonBodyPlaybook`: Sends an empty JSON object (`{}`).
- `EmptyJsonArrayBodyPlaybook`: Sends an empty JSON array (`[]`).
- `NullBodyPlaybook`: Sends a `null` value as the request body.
- `NullUnicodeBodyPlaybook`: Sends a request body containing only the null character (`\u0000`).
- `NullUnicodeSymbolBodyPlaybook`: Sends a request body containing the unicode null symbol (`␀`).
Data Type and Content Testing
This group of playbooks sends various primitive data types as the request body to check for type confusion vulnerabilities and improper handling.
- `DummyRequestPlaybook`: Sends a simple, valid JSON object (`{'dochia': 'dochia'}`).
- `InsertRandomValuesInBodyPlaybook`: Injects random, invalid data into an otherwise valid request body.
- `RandomDummyInvalidJsonBodyPlaybook`: Sends a randomly generated, structurally invalid JSON body.
- `RandomStringBodyPlaybook`: Sends a random string as the request body.
- `RandomUnicodeBodyPlaybook`: Sends a random unicode string as the request body.
- `RandomPositiveIntegerBodyPlaybook`: Sends a random positive integer.
- `RandomNegativeIntegerBodyPlaybook`: Sends a random negative integer.
- `ZeroIntegerBodyPlaybook`: Sends the integer `0`.
- `RandomPositiveDecimalBodyPlaybook`: Sends a random positive decimal number.
- `RandomNegativeDecimalBodyPlaybook`: Sends a random negative decimal number.
- `ZeroDecimalBodyPlaybook`: Sends the decimal `0.0`.
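As an added example that is not part of the dochia project, here is a defensive JSON body reader written to survive both the Structure and Syntax playbooks and the Data Type playbooks above: every empty, malformed, null, NUL-bearing or non-object body maps to a 400 with a stated reason instead of an unhandled parser exception. The function names and the sample bodies in `SAMPLES` are constructed for this illustration.

```python
import json

# Added example, not dochia's own code: a defensive JSON body reader that turns
# every body shape the Structure/Syntax and Data Type playbooks send into a 400
# with a precise reason, so none of them reaches a handler or crashes the parser.
def _has_control_chars(value) -> bool:
    """True if any string inside the parsed value holds a C0 control character
    (catches the escaped form "\\u0000", which json.loads accepts)."""
    if isinstance(value, str):
        return any(ord(c) < 0x20 for c in value)
    if isinstance(value, dict):
        return any(_has_control_chars(k) or _has_control_chars(v) for k, v in value.items())
    return isinstance(value, list) and any(_has_control_chars(v) for v in value)

def read_json_object(raw: bytes) -> tuple:
    """Return (status, payload): (200, dict) on success, (400, {"error": ...}) otherwise."""
    if raw == b"":                                  # EmptyBodyPlaybook
        return 400, {"error": "request body is required"}
    try:
        text = raw.decode("utf-8")                  # undecodable bytes must not become a 500
    except UnicodeDecodeError:
        return 400, {"error": "body must be UTF-8"}
    if "\u0000" in text:                            # NullUnicodeBodyPlaybook (raw NUL)
        return 400, {"error": "NUL characters are not allowed"}
    try:
        value = json.loads(text)                    # MalformedJson, RandomDummyInvalidJson, bare U+2400
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if value is None:                               # NullBodyPlaybook
        return 400, {"error": "body must not be null"}
    if not isinstance(value, dict):                 # [], "str", 123, -123, 0, 123.45, 0.0 ...
        return 400, {"error": "expected a JSON object, got " + type(value).__name__}
    if not value:                                   # EmptyJsonBodyPlaybook
        return 400, {"error": "body must not be an empty object"}
    if _has_control_chars(value):
        return 400, {"error": "control characters are not allowed in values"}
    return 200, value

# Constructed sample bodies mirroring the playbook list; run_samples() maps each
# playbook name to the status the reader returns for it.
SAMPLES = {
    "MalformedJsonPlaybook": b'{"key": "value" trailing characters}',
    "EmptyJsonArrayBodyPlaybook": b"[]",
    "NullUnicodeSymbolBodyPlaybook": "\u2400".encode("utf-8"),
    "DummyRequestPlaybook": b'{"dochia": "dochia"}',
}

def run_samples() -> dict:
    return {name: read_json_object(body)[0] for name, body in SAMPLES.items()}
```

Wire `read_json_object` in front of your handlers and the body playbooks should report 400s rather than 500s; a 500 from any of them points at the exact parsing step that still trusts the payload.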
HTTP Method and Endpoint Testing
These playbooks test how your API responds to unexpected HTTP methods or invalid resource identifiers.
- `HttpMethodsPlaybook`: Tries undocumented HTTP methods (like `TRACE`, `CONNECT`) on each endpoint.
- `NonRestHttpMethodsPlaybook`: Tries WebDAV-specific methods (`PROPFIND`, `MKCOL`, etc.) that are not expected in a typical REST API.
- `CustomHttpMethodsPlaybook`: Tries hypothetical, non-standard HTTP methods.
- `RandomResourcesPlaybook`: Sends requests with random values in path parameters to test for invalid resource identifiers (e.g., `/users/random-string-instead-of-uuid`).
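As an added example that is not part of the dochia project, a minimal dispatcher showing what the HTTP Method and Endpoint playbooks above should observe from a well-behaved API: any method the contract does not list gets a 405 with an `Allow` header, and a path parameter that is not a well-formed UUID gets a 404 before any lookup runs. The `ROUTES` table, `_match` and `dispatch` are constructed for this illustration and stand in for what `api.yml` would declare.

```python
import uuid

# Added example, not dochia's own code: a minimal dispatcher showing the responses
# the HTTP Method and Endpoint playbooks should observe. Methods absent from the
# contract (TRACE, PROPFIND, CUSTOM ...) get 405 plus an Allow header instead of
# reaching a handler, and a path parameter that is not a UUID gets 404 before any
# lookup. ROUTES is a constructed stand-in for what api.yml would declare.
ROUTES = {
    "/users": {"GET", "POST"},
    "/users/{id}": {"GET", "DELETE"},
}

def _match(path: str):
    """Return (route_template, path_param) or None; the param is None for static routes."""
    if path in ROUTES:
        return path, None
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "users" and parts[1]:
        return "/users/{id}", parts[1]
    return None

def dispatch(method: str, path: str) -> tuple:
    """Return (status, headers) for a request line; 200 means a handler would run."""
    match = _match(path)
    if match is None:
        return 404, {}
    template, param = match
    allowed = ROUTES[template]
    if method not in allowed:               # HttpMethods / NonRestHttpMethods / CustomHttpMethods
        return 405, {"Allow": ", ".join(sorted(allowed))}   # method names are case-sensitive
    if param is not None:                   # RandomResourcesPlaybook: validate the id first
        try:
            uuid.UUID(param)
        except ValueError:
            return 404, {}                  # a malformed id is simply "not found", no stack trace
    return 200, {}
```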
Authentication and Logic Testing
These playbooks test core application logic and security controls.
- `HappyPathPlaybook`: Sends a valid, well-formed request with all fields populated, serving as a baseline test.
- `BypassAuthenticationPlaybook`: If authentication is defined, this playbook attempts to access the endpoint without providing credentials.
- `DeletedResourcesNotAvailablePlaybook`: For `DELETE` operations, this playbook first performs the deletion and then attempts to access the deleted resource to ensure it's gone (expects a 404 or similar).
How to Use Body Playbooks
Running All Body Playbooks
Use the built-in flag to run only Body playbooks:
```bash
# Run only Body Playbooks
dochia test -c api.yml -s https://api.example.com --body-only

# Short form
dochia test -c api.yml -s https://api.example.com -B
```
For completeness, you can also target other categories:
```bash
# Only Fields playbooks
dochia test -c api.yml -s https://api.example.com --fields-only # or -F

# Only Header playbooks
dochia test -c api.yml -s https://api.example.com --headers-only # or -A
```
Running Specific Body Playbooks
```bash
# Test for malformed JSON and authentication bypass
dochia test -c api.yml -s https://api.example.com \
  --playbooks MalformedJsonPlaybook,BypassAuthenticationPlaybook
```
Use Case: API Hardening
Before a production release, run a suite of body playbooks to ensure your API's parsers and controllers are robust.
```bash
# A good suite for hardening against unexpected inputs
dochia test -c api.yml -s https://api.example.com \
  --playbooks MalformedJsonPlaybook,EmptyBodyPlaybook,NullBodyPlaybook,HttpMethodsPlaybook,RandomResourcesPlaybook
```
See Also
- Playbooks Overview - For a general introduction to all playbook types.
- Fields Playbooks - For testing individual field values.
- Headers Playbooks - For testing HTTP header handling.
Detailed Guide to Body Playbooks
Structure and Syntax Testing
MalformedJsonPlaybook
- Description: Sends a JSON body with invalid syntax to test the robustness of your JSON parser.
- Example:
{"key": "value" trailing characters}
EmptyBodyPlaybook
- Description: Sends a completely empty request body.
- Example: ``
EmptyJsonBodyPlaybook
- Description: Sends an empty JSON object.
- Example:
{}
EmptyJsonArrayBodyPlaybook
- Description: Sends an empty JSON array.
- Example:
[]
NullBodyPlaybook
- Description: Sends a `null` value as the request body.
- Example:
null
NullUnicodeBodyPlaybook
- Description: Sends a request body containing only the null character.
- Example:
\u0000
NullUnicodeSymbolBodyPlaybook
- Description: Sends a request body containing the unicode null symbol.
- Example:
␀
Data Type and Content Testing
DummyRequestPlaybook
- Description: Sends a simple, valid JSON object.
- Example:
{"dochia": "dochia"}
InsertRandomValuesInBodyPlaybook
- Description: Injects random, invalid data into an otherwise valid request body.
- Example:
{"key": "value", "random": "invalid data"}
RandomDummyInvalidJsonBodyPlaybook
- Description: Sends a randomly generated, structurally invalid JSON body.
- Example:
{"key": "value" invalid syntax}
RandomStringBodyPlaybook
- Description: Sends a random string as the request body.
- Example:
"random string"
RandomUnicodeBodyPlaybook
- Description: Sends a random unicode string as the request body.
- Example:
"random unicode string"
RandomPositiveIntegerBodyPlaybook
- Description: Sends a random positive integer.
- Example:
123
RandomNegativeIntegerBodyPlaybook
- Description: Sends a random negative integer.
- Example:
-123
ZeroIntegerBodyPlaybook
- Description: Sends the integer `0`.
- Example:
0
RandomPositiveDecimalBodyPlaybook
- Description: Sends a random positive decimal number.
- Example:
123.45
RandomNegativeDecimalBodyPlaybook
- Description: Sends a random negative decimal number.
- Example:
-123.45
ZeroDecimalBodyPlaybook
- Description: Sends the decimal `0.0`.
- Example:
0.0
HTTP Method and Endpoint Testing
HttpMethodsPlaybook
- Description: Tries undocumented HTTP methods on each endpoint.
- Example:
TRACE /users
NonRestHttpMethodsPlaybook
- Description: Tries WebDAV-specific methods that are not expected in a typical REST API.
- Example:
PROPFIND /users
CustomHttpMethodsPlaybook
- Description: Tries hypothetical, non-standard HTTP methods.
- Example:
CUSTOM /users
RandomResourcesPlaybook
- Description: Sends requests with random values in path parameters to test for invalid resource identifiers.
- Example:
/users/random-string-instead-of-uuid
Authentication and Logic Testing
HappyPathPlaybook
- Description: Sends a valid, well-formed request with all fields populated, serving as a baseline test.
- Example:
{"key": "value", "another_key": "another_value"}
BypassAuthenticationPlaybook
- Description: If authentication is defined, this playbook attempts to access the endpoint without providing credentials.
- Example:
`GET /users` (without authentication headers)
DeletedResourcesNotAvailablePlaybook
- Description: For `DELETE` operations, this playbook first performs the deletion and then attempts to access the deleted resource to ensure it's gone.
- Example:
`DELETE /users/123`, then `GET /users/123` (expects a 404 or similar)