Episode Details

Back to Episodes
Course 2 - API Security Offence and Defense | Episode 1: API Fundamentals: Standards, Versioning, and Investigative Techniques

Course 2 - API Security Offence and Defense | Episode 1: API Fundamentals: Standards, Versioning, and Investigative Techniques

Published 6 months, 2 weeks ago
Description
In this lesson, you’ll learn about:
  • APIs — Definition & Evolution:
    • API (Application Programming Interface): A mechanism originally designed to allow software to access operating system libraries; now primarily used for data exchange between servers, web apps, mobile apps, and frontend frameworks like React or Vue.
    • Evolution of API standards:
      • XML-RPC: Early XML-based method, complex and insecure.
      • SOAP (Simple Object Access Protocol): Standardized XML-based protocol, widely adopted but rigid.
      • REST (Representational State Transfer): Modern standard, relies on HTTP methods (GET, POST, PUT, DELETE) and commonly uses JSON or XML.
  • REST API Structure & Versioning:
    • HTTP Methods & CRUD mapping:
      • GET / HEAD: Read
      • POST: Create
      • PUT / PATCH: Update
      • DELETE: Delete
    • Request Components:
      • Headers: Authentication (Authorization: Bearer ), Accept for content type negotiation.
      • Response Headers: WWW-Authenticate, Content-Type, Set-Cookie, CORS headers.
      • Status Codes: e.g., 200 OK, 201 Created, 404 Not Found, 405 Method Not Allowed, 500 Internal Server Error.
    • Versioning: Ensures older clients continue functioning; can be implemented via URL path (/v1), Accept headers, or custom headers.
  • API Fingerprinting & Discovery:
    • Key info to gather:
      1. API endpoints and domains (e.g., api.example.com)
      2. Versioning method
      3. Programming language and backend storage (SQL, NoSQL, caches like Redis)
      4. Authentication mechanism
    • Techniques: Public documentation review, subdomain enumeration, intercepting client traffic via proxies, and deducing backend details from headers or job postings.
  • Debugging & Automated Testing:
    • Proxy Tools: Burp Suite for intercepting, modifying, and forwarding API requests.
    • API Testing Tools: Postman to construct requests, specify methods, headers, and bodies (JSON payloads).
    • Fuzzing: Automated testing by sending malformed/unexpected inputs to detect exceptions or abnormal HTTP responses (e.g., 500 errors).
  • Authentication vs. Authorization:
    • Authentication: Verifying identity (ID/password, tokens, cookies, API keys, JWT, OAuth).
    • Authorization: Determining allowed actions for an authenticated client (e.g., admin vs. user privileges).
  • Core takeaway: Understanding API architecture, endpoints, authentication/authorization mechanisms, and using proxy/debugging tools is essential for secure interaction, discovery, and testing of APIs.


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.

Support Us