What is an API

  • API: Application Programming Interface. An API lets applications talk to each other: it sets the rules by which two parties exchange information between one application and another.

Image

Image

Interacting With an API

API address: https://catfact.ninja/

  • The documentation is here, and it has two main sections: Breeds and Facts.

Image

  • The /fact endpoint returns a random fact; we can reach it at https://catfact.ninja/fact

First request

Image

Second request

Image

  • /fact takes a max_length parameter in a GET request -> https://catfact.ninja/fact?max_length=40

Image

  • We can interact with the API using Burp Suite; with Burp Repeater we can play with the request and response easily.

Here is a classic request

Image

For example: what if max_length is set to -1? Sending values the developer did not expect, such as a negative length, is a good point to start testing an API.

Image

  • We can interact with the API using Postman

Image

  • We can interact with the API using curl
curl -X 'GET' \
  'https://catfact.ninja/fact?max_length=30' \
  -H 'accept: application/json' \
  -H 'X-CSRF-TOKEN: v9q8arv7Vvva8mkcksdKbKfv2ETOHFlrmtahWJhE'

Image
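The kind of probe the screenshots above show (a normal request, then max_length=-1) can be scripted. The following is an added example, not part of the original post and not the catfact.ninja code: it stands up a hypothetical local /fact endpoint with a deliberately weak max_length check, sends boundary and malformed values to it, and judges each answer against what a correct implementation must do. The server, its sample facts and the verdict names are all constructed for this demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

# Constructed sample data; not the real catfact.ninja dataset.
FACTS = [
    "Cats sleep for around 13 to 16 hours a day.",
    "A group of cats is a clowder.",
    "Cats purr.",
]


class WeakFactHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a /fact endpoint. It parses max_length with
    int() and filters on it, but never checks the range: a negative value is
    silently accepted and answered with 200 and an empty object."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/fact":
            self._reply(404, {"message": "Not Found"})
            return
        raw = parse_qs(url.query).get("max_length", [None])[0]
        try:
            max_length = int(raw) if raw is not None else None
        except ValueError:
            self._reply(400, {"message": "max_length must be an integer"})
            return
        candidates = [f for f in FACTS if max_length is None or len(f) <= max_length]
        if not candidates:
            self._reply(200, {})  # the weak spot: nothing matched, still a 200
            return
        self._reply(200, {"fact": candidates[0], "length": len(candidates[0])})

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(url):
    """GET url; return (status, parsed JSON body or None)."""
    try:
        with urlopen(url, timeout=5) as resp:
            status, data = resp.status, resp.read()
    except HTTPError as err:
        status, data = err.code, err.read()
    try:
        return status, json.loads(data)
    except ValueError:
        return status, None


def classify(value, status, body):
    """Judge one probe against what a correct implementation must do."""
    try:
        wanted = int(value)
    except ValueError:
        wanted = None
    if status >= 500:
        return "server error"
    if wanted is None or wanted < 0:
        # Malformed or out-of-range input must be refused with a 4xx.
        return "rejected" if 400 <= status < 500 else "accepted invalid input"
    if status != 200:
        return "unexpected status"
    if not isinstance(body, dict) or "fact" not in body:
        return "no fact in body"
    if len(body["fact"]) > wanted:
        return "constraint violated"
    return "ok"


def probe_max_length(base_url, values):
    """Send each candidate value as max_length and collect a verdict per value."""
    return {v: classify(v, *fetch(f"{base_url}/fact?max_length={quote(v)}")) for v in values}


PROBES = ["30", "-1", "0", "abc", "99999999999999999999"]


def run_demo():
    """Start the weak server on an ephemeral port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), WeakFactHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_max_length(f"http://127.0.0.1:{server.server_address[1]}", PROBES)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for value, verdict in run_demo().items():
        print(f"max_length={value!r:>24} -> {verdict}")
```

Run it and the -1 probe comes back as "accepted invalid input": the server answered 200 with an empty object instead of a 4xx, the sort of silent acceptance worth writing down and chasing further (what else does that code path do with a negative number?). The same loop can be pointed at a real base URL; the verdicts then reflect that server's behaviour, not the toy's.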

Types of APIs

  • Public, partner and private APIs

  • REST APIs

    • Client-server architecture
    • Statelessness
    • Cacheability
    • Layered system
    • Use of HTTP methods (GET, POST, etc.)
    • Use of URIs to identify resources
  • SOAP APIs
  • RPC APIs

  • Here is some nice documentation

  • Endpoints

Common API Attacks

  • SQL injection
  • Command injection
  • IDOR (Insecure Direct Object References) and other Broken Access Control
  • XXE, if XML is processed by the server
  • Lack of output encoding

and the list goes on…
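IDOR is the item on this list that is easiest to show in a few lines. Below is an added example, not from the original post, in Python with constructed order data: a hypothetical GET /orders/{id} handler that authenticates the caller but never checks ownership, the same handler with an object-level authorization check, and the ID-enumeration loop an attacker runs against each.

```python
from dataclasses import dataclass

# Constructed sample data standing in for an API's order table.
ORDERS = {
    1001: {"owner": "alice", "item": "cat tree", "total": 89.90},
    1002: {"owner": "bob", "item": "laser pointer", "total": 7.50},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def get_order_vulnerable(current_user, order_id):
    """Hypothetical handler for GET /orders/{id} with the IDOR flaw:
    authentication says who the caller is, but nothing checks that the
    requested order belongs to them, so any valid ID is served."""
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"message": "Not Found"})
    return Response(200, order)


def get_order_hardened(current_user, order_id):
    """Same endpoint with an object-level authorization check. A foreign
    order gets the same 404 as a nonexistent one, so an attacker walking
    IDs cannot even learn which ones exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return Response(404, {"message": "Not Found"})
    return Response(200, order)


def enumerate_ids(handler, current_user, id_range):
    """What an attacker does with an IDOR: walk sequential IDs as a
    low-privilege user and keep every object that comes back 200."""
    found = {}
    for order_id in id_range:
        resp = handler(current_user, order_id)
        if resp.status == 200:
            found[order_id] = resp.body
    return found


if __name__ == "__main__":
    # bob is a legitimate, authenticated user who owns only order 1002
    for name, handler in (("vulnerable", get_order_vulnerable), ("hardened", get_order_hardened)):
        leaked = enumerate_ids(handler, "bob", range(1000, 1005))
        print(f"{name}: bob can read orders {sorted(leaked)}")
```

The fix is the single ownership test; the choice of 404 rather than 403 for a foreign ID is deliberate, since a 403 confirms the object exists and turns the endpoint into an oracle for valid IDs.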