API Pentesting Part 1 : Introduction to RESTful API -

Table of Contents

Introduction

REST Stands for Representational State Transfer. It is a web standard based architecture which uses http protocol. RESTful Web Service is a lightweight, maintainable and scalable service that built on REST architecture. RESTful Web Service expose APIs from web servers in a uniform and stateless manner for the client applications, where clients can perform predefined operations using RESTful services. In simple words A RSETful service provides access to resources and REST client accesses and modifies the resources.

Some main points are :

RESTful api uses HTTP
RESTful apis are ‘stateless’
Support CRUD (Create, Read/Retrieve, Update, Delete)
Client-Serer based Architecture

Restful URIs

Each resource in REST architecture refers to URI or Uniform Resource Identifier. Examples of REST URIs are :

<protocol>://<web-server>/<Resource-Path>/<Resource-Type>   
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>  
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>?<Query-parameters>

https://api.restful.com/api/customers
https://api.restful.com/api/customers/1
https://api.restful.com/api/customers/1?role=admin

Resource Collections :

Collection : Contains multiple resource instances and the collection name is in the plural form. Example /api/profiles/users.

Subcollection : A single resource instance can also contain subcollections of resources. Example /api/user/{user_id}/settings.

Singleton : Resources that can only have one instance. Example : /api/user/{user_id}.

RESTful Methods

In RESTful architecture five http methods POST, GET, PUT, PATCH, and DELETE.

Operation	HTTP Method	Purpose
CREATE	POST/PUT	Create new resource
READ/RETRIEVE	GET	Access resource
UPDATE	PUT/POST/PATCH	Update resource
DELETE	DELETE	Remove resource

API Endpoints

Endpoints specify where resources are located and how they can be accessed by the client applications. Examples of API endpoints are :

POST https://api.mysite.com/api/customers      [Create new customer]    
GET https://api.mysite.com/api/customers       [Returns all customers details]    
GET https://api.mysite.com/api/customers/1     [Returns Details of customer with customer_id 1]   
PUT https://api.mysite.com/api/customers/1     [Update of customer details with customer_id 1]   
DELETE https://api.mysite.com/api/customers/1  [Delete customer with customer_id 1]

Content Type of REST API

Some common Content-Type headers for REST APIs:

application/json : Used to specify JavaScript Object Notation (JSON) as a media type. JSON is the most common media type for REST APIs.
application/xml : Used to specify XML as a media type.
application/x-www-form-urlencoded : A format in which the values being sent are encoded and separated by an ampersand (&), and an equal sign (=) is used between key/value pairs.

X-Middleware headers

Some important middleware headers are as follows :

X-Response-Time : can be used as an API response to indicate how long a response took to process.
X-API-Key : can be used as an authorization header for API keys.
X-Powered-By : can be used to provide additional information about backend services.
X-Rate-Limit : can be used to tell the consumer how many requests they can make within a given time frame.
X-RateLimit : remaining can tell a consumer how many requests remain before they violate rate-limit enforcement.

Middleware headers can provide a lot of useful information about the api.

Tools for Testing

Postman : Postman is an application used for API testing. It is an HTTP client that tests HTTP requests, utilizing a graphical user interface, through which we obtain different types of responses that need to be subsequently validated.

The Postman application can be downloaded from its official website