Sign up to save your podcasts
Or
Share Course 2 - API Security Offence and Defense | Episode 1: API Fundamentals: Standards, Versioning, and Investigative Techniques
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 2 - API Security Offence and Defense | Episode 1: API Fundamentals: Standards, Versioning, and Investigative Techniques
In this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- APIs — Definition & Evolution:
- API (Application Programming Interface): A mechanism originally designed to allow software to access operating system libraries; now primarily used for data exchange between servers, web apps, mobile apps, and frontend frameworks like React or Vue.
- Evolution of API standards:
- XML-RPC: Early XML-based method, complex and insecure.
- SOAP (Simple Object Access Protocol): Standardized XML-based protocol, widely adopted but rigid.
- REST (Representational State Transfer): Modern standard, relies on HTTP methods (GET, POST, PUT, DELETE) and commonly uses JSON or XML.
- REST API Structure & Versioning:
- HTTP Methods & CRUD mapping:
- GET / HEAD: Read
- POST: Create
- PUT / PATCH: Update
- DELETE: Delete
- Request Components:
- Headers: Authentication (Authorization: Bearer ), Accept for content type negotiation.
- Response Headers: WWW-Authenticate, Content-Type, Set-Cookie, CORS headers.
- Status Codes: e.g., 200 OK, 201 Created, 404 Not Found, 405 Method Not Allowed, 500 Internal Server Error.
- Versioning: Ensures older clients continue functioning; can be implemented via URL path (/v1), Accept headers, or custom headers.
- HTTP Methods & CRUD mapping:
- API Fingerprinting & Discovery:
- Key info to gather:
- API endpoints and domains (e.g., api.example.com)
- Versioning method
- Programming language and backend storage (SQL, NoSQL, caches like Redis)
- Authentication mechanism
- Techniques: Public documentation review, subdomain enumeration, intercepting client traffic via proxies, and deducing backend details from headers or job postings.
- Key info to gather:
- Debugging & Automated Testing:
- Proxy Tools: Burp Suite for intercepting, modifying, and forwarding API requests.
- API Testing Tools: Postman to construct requests, specify methods, headers, and bodies (JSON payloads).
- Fuzzing: Automated testing by sending malformed/unexpected inputs to detect exceptions or abnormal HTTP responses (e.g., 500 errors).
- Authentication vs. Authorization:
- Authentication: Verifying identity (ID/password, tokens, cookies, API keys, JWT, OAuth).
- Authorization: Determining allowed actions for an authenticated client (e.g., admin vs. user privileges).
- Core takeaway: Understanding API architecture, endpoints, authentication/authorization mechanisms, and using proxy/debugging tools is essential for secure interaction, discovery, and testing of APIs.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- APIs — Definition & Evolution:
- API (Application Programming Interface): A mechanism originally designed to allow software to access operating system libraries; now primarily used for data exchange between servers, web apps, mobile apps, and frontend frameworks like React or Vue.
- Evolution of API standards:
- XML-RPC: Early XML-based method, complex and insecure.
- SOAP (Simple Object Access Protocol): Standardized XML-based protocol, widely adopted but rigid.
- REST (Representational State Transfer): Modern standard, relies on HTTP methods (GET, POST, PUT, DELETE) and commonly uses JSON or XML.
- REST API Structure & Versioning:
- HTTP Methods & CRUD mapping:
- GET / HEAD: Read
- POST: Create
- PUT / PATCH: Update
- DELETE: Delete
- Request Components:
- Headers: Authentication (Authorization: Bearer ), Accept for content type negotiation.
- Response Headers: WWW-Authenticate, Content-Type, Set-Cookie, CORS headers.
- Status Codes: e.g., 200 OK, 201 Created, 404 Not Found, 405 Method Not Allowed, 500 Internal Server Error.
- Versioning: Ensures older clients continue functioning; can be implemented via URL path (/v1), Accept headers, or custom headers.
- HTTP Methods & CRUD mapping:
- API Fingerprinting & Discovery:
- Key info to gather:
- API endpoints and domains (e.g., api.example.com)
- Versioning method
- Programming language and backend storage (SQL, NoSQL, caches like Redis)
- Authentication mechanism
- Techniques: Public documentation review, subdomain enumeration, intercepting client traffic via proxies, and deducing backend details from headers or job postings.
- Key info to gather:
- Debugging & Automated Testing:
- Proxy Tools: Burp Suite for intercepting, modifying, and forwarding API requests.
- API Testing Tools: Postman to construct requests, specify methods, headers, and bodies (JSON payloads).
- Fuzzing: Automated testing by sending malformed/unexpected inputs to detect exceptions or abnormal HTTP responses (e.g., 500 errors).
- Authentication vs. Authorization:
- Authentication: Verifying identity (ID/password, tokens, cookies, API keys, JWT, OAuth).
- Authorization: Determining allowed actions for an authenticated client (e.g., admin vs. user privileges).
- Core takeaway: Understanding API architecture, endpoints, authentication/authorization mechanisms, and using proxy/debugging tools is essential for secure interaction, discovery, and testing of APIs.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy