API Hacking- RESTful API ( P-2 )

API consumer can request resources

API Endpoints :
from API endpoints, which is a URL for
example.com/api/3/users interacting with part of API
example.com/api/v3/customers

example.com/api/users

example.com/users

Collection: a group of
resources such as
/api/profiles/users Acronym CRUD
Stands for Create, Read, Update and
Subcollection:
Delete
refers to collection within a particular
resource Create a process of making new
req. accomplished through POST
/api/users/{user_id}/settings
method

Gateway: Read data retrieval, through GET

filters bad request req.

Update: record modification through

monitor incoming traffic
POST OR PUT overwritten
route each req. to proper service or
Delete: Erasing record through
microservice
Delete or POST
it also handles security controls
such as authentication, encryption
6 Constraint
in transit using ssl, rate limit, load
balancing Restful API depends on 6
Constants, Rest is essentially a set
Microservices: of guidelines for an HTTP resource-
based architecture.
Modular piece of web app that handles
a specific function

API Hacking- RESTful API ( P-2 ) 1

 💡 API Doc. might user colon or
square bracket or curly
bracket
/api/v2/:customer_id or
/api/v2/[customer_id] or
/api/v2/{customer_id}
Standard web API Types
Restful API:
Rest stands for representation state
transfer
it is set of Architectural constrant
that defines how web shoulid work
designed to improve upon
inefficiencies of other older APIs,
such as SOAP API
Rest API Primiarly user the HTTP
method GET, POST, PUT &
DELETE to accomplish CRUD
RESTful API may be different. It may have different method beyond CRUD It’s our
set of authentication requirement, subdomain instead of Endpoint different rate-limit
requirement
It can be configured to call their RestAPI without adhering to the standard
An RestAPI GET req. used to find out how many bedsheet are in store inventory
GET /api/v3/inventory item/pillow HTTP/1.1
HOST: rest-shop.com
User-Agent: Google/11.0
API Hacking- RESTful API ( P-2 )
1. Uniform Interface: RestAPI
Should have a uniform
interface, the req. devices
should not matter. All be able to
access server in same way
2. Client/ Server: RestAPI Should
have client/ Server architecture,
client are consumer of req. info.
while server are provider of that
info.
3. Stateless: RestAPI should not
require stateful communication
4. Cacheable: Response from
Rest API Provider should
indicate weather the response
is cacheable
5. Layered System: Client should
be able to req. data from
endpoint without knowing about
the underlying server
architecture
6. Code on Demand (Optional):
Allows for code to be send to
the client for execution
HTTP/1.1 200 OK
Server: RESTful server/0.1
Cache-control: no store
Content-type: application/json
2
 Accept: application/json {
REQUEST "item":{
"id":00101
"name": "bedsheet"
"count": 25
rest-shop.com provided all information it had about "price":{
bedsheet consumer need to filter the response if "currency": "USD"
"value":"19.99"
they need some specific details like only name & }
value. }
}
RESPONSE

The amount of data sent back is depends on how

API is being programmed by the API providers

Some Common Headers from that it’s high probability that it

could be RESTful API

1. Authorization: used to pass the token or credentials to the API Providers

Authorization: Bearer Abdf123Ab

2. Content-type

used to indicate the type of media being transferred these diff from Accept, which
states the media type you want to receive.

application/json

application/xml

application/x-www-urlencoded

3. Middle (x) header

X-(anything) headers are known as middleware headers. They are fairly common
outside API req. as well.

x-response-time used to indicate how long response took to process

There are many but you get idea x-(anything) middleware headers can provide a lot
of useful information to API consumers and hackers alike

RESTful API Specification

API Hacking- RESTful API ( P-2 ) 3

 API Specification are framework that help org. design their APIs, automatically create
consistent human-readable doc.

OpenAPI Specification 3.0 (OAS), known as Swagger - one of the leading

specifications for RESTful API. OAS helps organize and manage API by allowing
to describe endpoints, resources, operations and authentication, and
authorization req.

RESTful API Modeling Language. RAML is an open specification that works

with YAML for document formatting. Similar to OAS, RAML designed to
document, design, build, and test REST APIs

API Hacking- RESTful API ( P-2 ) 4