API Pentesting Part 1 : Introduction to RESTful API

Introduction

REST stands for Representational State Transfer. It is a web-standards-based architecture that uses the HTTP protocol. A RESTful web service is a lightweight, maintainable and scalable service built on the REST architecture. RESTful web services expose APIs from web servers in a uniform and stateless manner, so that client applications can perform predefined operations on them. In simple words, a RESTful service provides access to resources, and a REST client accesses and modifies those resources.

Some main points are :

  • RESTful APIs use HTTP
  • RESTful APIs are ‘stateless’
  • Support CRUD (Create, Read/Retrieve, Update, Delete)
  • Client-Server based architecture

Restful URIs

Each resource in a REST architecture is identified by a URI, or Uniform Resource Identifier. Examples of REST URIs are :

<protocol>://<web-server>/<Resource-Path>/<Resource-Type>   
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>  
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>?<Query-parameters>   
https://api.restful.com/api/customers
https://api.restful.com/api/customers/1
https://api.restful.com/api/customers/1?role=admin

RESTful Methods

A RESTful architecture uses five HTTP methods: POST, GET, PUT, PATCH, and DELETE.

Operation        HTTP Method          Purpose
CREATE           POST / PUT           Create new resource
READ/RETRIEVE    GET                  Access resource
UPDATE           PUT / POST / PATCH   Update resource
DELETE           DELETE               Remove resource

API Endpoints

Endpoints specify where resources are located and how they can be accessed by the client applications. Examples of API endpoints are :

POST https://api.mysite.com/api/customers      [Create a new customer]
GET https://api.mysite.com/api/customers       [Returns details of all customers]
GET https://api.mysite.com/api/customers/1     [Returns details of the customer with customer_id 1]
PUT https://api.mysite.com/api/customers/1     [Update details of the customer with customer_id 1]
DELETE https://api.mysite.com/api/customers/1  [Delete the customer with customer_id 1]

Tools for Testing

Postman : Postman is an application used for API testing. It is a graphical HTTP client for composing and sending HTTP requests and inspecting the different kinds of responses that come back, which can then be validated.

The Postman application can be downloaded from its official website.

Postman Documentation : Official Documentation

Setting up proxy with Burpsuite

  1. Go to “Settings > Proxy” and point Postman at the Burp Suite proxy listener.

  2. If Postman then reports SSL certificate validation errors, disable “SSL Certificate verification”. This is only acceptable because the traffic is being intercepted by your own local testing proxy; leave verification enabled otherwise.

Configuring Parameter Variables

  1. Configure parameter variables for a collection of URLs.

  2. Give the environment a name to save it under, for example “MainKeys” in this case.

  3. Similarly, you can set global variables, which apply to all APIs in the current workspace.

Using Variables :

Select the environment variable.

Then go to ‘Params’, add the key name, and for the value use the environment variable name in double curly brackets: ‘{{Variable_Name}}’.

The same applies to a global API key variable.
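As an added example (not code from the original post), the following Python pulls together the URI template and the method-to-operation table above with the Postman-style {{Variable_Name}} placeholders: it resolves the variables, splits a request line into its REST components, and classifies the CRUD operation. The host names, the constructed request lines, and the rule that a trailing all-digit segment is the Resource-ID are assumptions of this example.

```python
# Added example (not the post's code): classify REST request lines.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

VARIABLE_RE = re.compile(r"\{\{(\w+)\}\}")   # Postman-style {{Variable_Name}}

def resolve_variables(url: str, env: dict) -> str:
    """Substitute {{name}} placeholders; fail on an undefined variable rather
    than sending a literal '{{name}}' to the server."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"undefined variable {name!r}")
        return env[name]
    return VARIABLE_RE.sub(repl, url)

@dataclass
class Endpoint:
    method: str
    operation: str        # CRUD operation from the table above
    host: str
    resource_type: str    # e.g. "customers"
    resource_id: Optional[str]
    query: dict = field(default_factory=dict)

def parse_endpoint(request_line: str, env: Optional[dict] = None) -> Endpoint:
    """Parse 'METHOD <protocol>://<web-server>/<Resource-Path>/<Resource-Type>[/<Resource-ID>][?<Query>]'.
    Assumption (this example's, not the post's): a trailing all-digit segment is the Resource-ID."""
    method, url = request_line.split(None, 1)
    method = method.upper()
    parts = urlsplit(resolve_variables(url, env or {}))
    segments = [s for s in parts.path.split("/") if s]
    resource_id = segments.pop() if segments and segments[-1].isdigit() else None
    if not segments:
        raise ValueError("URL has no Resource-Type segment")
    # Method -> operation as in the table: POST/PUT on the collection create,
    # PUT/POST/PATCH on an individual resource (ID present) update.
    if method == "GET":
        operation = "READ"
    elif method == "DELETE":
        operation = "DELETE"
    elif method in ("POST", "PUT", "PATCH"):
        operation = "UPDATE" if resource_id else "CREATE"
    else:
        raise ValueError(f"not a RESTful method: {method}")
    return Endpoint(method, operation, parts.netloc, segments[-1],
                    resource_id, parse_qs(parts.query))
```

Query parameters are returned separately from the path so that client-controlled input such as `role=admin` in the URI example above is easy to spot when reviewing which requests reach a resource.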

Adding Authorization values

Adding Authorization values for entire collection of urls :

  1. Click the three dots beside the collection/sub-collection name and choose the Edit option.

  2. Go to the Authorization tab, select the type of auth and add its value.

  3. Go to an individual API request and select the “Inherit auth from parent” option.

Check out the full list of the API Pentesting Series.
