API Pentesting Part 1 : Introduction to RESTful API

Introduction

REST Stands for Representational State Transfer. It is a web standard based architecture which uses http protocol. RESTful Web Service is a lightweight, maintainable and scalable service that built on REST architecture. RESTful Web Service expose APIs from web servers in a uniform and stateless manner for the client applications, where clients can perform predefined operations using RESTful services. In simple words A RSETful service provides access to resources and REST client accesses and modifies the resources.

Some main points are :

  • RESTful api uses HTTP
  • RESTful apis are ‘stateless’
  • Support CRUD (Create, Read/Retrieve, Update, Delete)
  • Client-Serer based Architecture

Restful URIs

Each resource in REST architecture refers to URI or Uniform Resource Identifier. Examples of REST URIs are :

<protocol>://<web-server>/<Resource-Path>/<Resource-Type>   
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>  
<protocol>://<web-server>/<Resource-Path>/<Resource-Type>/<Resource-ID>?<Query-parameters>   
https://api.restful.com/api/customers
https://api.restful.com/api/customers/1
https://api.restful.com/api/customers/1?role=admin

Resource Collections :

  • Collection : Contains multiple resource instances and the collection name is in the plural form. Example /api/profiles/users.
  • Subcollection : A single resource instance can also contain subcollections of resources. Example /api/user/{user_id}/settings.
  • Singleton : Resources that can only have one instance. Example : /api/user/{user_id}.

RESTful Methods

In RESTful architecture five http methods POST, GET, PUT, PATCH, and DELETE.

OperationHTTP MethodPurpose
CREATEPOST/PUTCreate new resource
READ/RETRIEVEGETAccess resource
UPDATEPUT/POST/PATCHUpdate resource
DELETEDELETERemove resource

API Endpoints

Endpoints specify where resources are located and how they can be accessed by the client applications. Examples of API endpoints are :

POST https://api.mysite.com/api/customers      [Create new customer]    
GET https://api.mysite.com/api/customers       [Returns all customers details]    
GET https://api.mysite.com/api/customers/1     [Returns Details of customer with customer_id 1]   
PUT https://api.mysite.com/api/customers/1     [Update of customer details with customer_id 1]   
DELETE https://api.mysite.com/api/customers/1  [Delete customer with customer_id 1]   

Content Type of REST API

Some common Content-Type headers for REST APIs:

  • application/json : Used to specify JavaScript Object Notation (JSON) as a media type. JSON is the most common media type for REST APIs.
  • application/xml : Used to specify XML as a media type.
  • application/x-www-form-urlencoded : A format in which the values being sent are encoded and separated by an ampersand (&), and an equal sign (=) is used between key/value pairs.

X-Middleware headers

Some important middleware headers are as follows :

  • X-Response-Time : can be used as an API response to indicate how long a response took to process.
  • X-API-Key : can be used as an authorization header for API keys.
  • X-Powered-By : can be used to provide additional information about backend services.
  • X-Rate-Limit : can be used to tell the consumer how many requests they can make within a given time frame.
  • X-RateLimit : remaining can tell a consumer how many requests remain before they violate rate-limit enforcement.

Middleware headers can provide a lot of useful information about the api.

Tools for Testing

Postman : Postman is an application used for API testing. It is an HTTP client that tests HTTP requests, utilizing a graphical user interface, through which we obtain different types of responses that need to be subsequently validated.

The Postman application can be downloaded from its official website

Postman Documentation : Official Documentation

Setting up proxy with Burpsuite

  1. Go to the “Settings > Proxy”

and change the below things

And if it shows the ssl certificate validation, then disable the “SSL Certificate verification”

Configuring Parameter Variables

  1. Configuring parameter Variables for URL Collection of urls

2. And give it a name to save with like “MainKeys” in this case

3. Similarly, you can set global variables which apply to all apis from current workspace.

Using Variables :

Select The Environment variable

Then go to ‘Params’ and add key name and for value use Environment variable name in double curly brackets ‘{{Variable_Name}}’.

Similarly Global api key

Adding Authorization values

Adding Authorization values for entire collection of urls :

  1. Click the three dots on the side of the collection/sub-collection name and choose the Edit option

2. Go to the Authorization tab, select the type of auth and add its value.

3. Go to an individual API request and select the Inherit auth from parent option

Checkout the full list of API Pentesting Series.

References

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.