Application Programming Interface (API)
A set of rules and endpoints that let different software applications talk to each other, like a menu of available functions.
Short Definition
An API is like a restaurant menu for programmers. Instead of ordering food, you're asking an application to do something: "give me user data," "save this," "delete that." The API defines what you can ask for and how to ask for it.
Full Definition
An API (Application Programming Interface) is a contract between software components that defines how they communicate. Modern web APIs are typically built around the following key concepts:
- Endpoints: Specific URLs for different functions
- Methods: HTTP verbs (GET, POST, PUT, DELETE)
- Request: What you send (parameters, body)
- Response: What you get back (usually JSON)
Example:
GET /api/users/123
→ Returns user data

POST /api/users
→ Creates new user

DELETE /api/users/123
→ Deletes user
Common API types:
- REST: Uses HTTP methods, stateless
- GraphQL: Query exactly what you need
- SOAP: XML-based, more rigid
- WebSocket: Real-time, two-way
Why It Matters
- Modern apps are built on APIs
- Mobile apps communicate via APIs
- Microservices talk through APIs
- Third-party integrations use APIs
- APIs expose business logic to attackers
How Attackers Use It
Common API attacks:
- Broken authentication: Weak, missing or bypassable login and token checks
- Broken authorization: An authenticated user reaches other users' objects or admin-only functions
- Excessive data exposure: Responses carry more fields than the client needs (the client filters them, the attacker does not)
- Missing rate limiting: Enables credential brute force and ID enumeration
- Mass assignment: Request bodies update fields that should be server-controlled (role, balance, verified)
- SSRF through API: API fetches an attacker-supplied URL and can be pointed at internal services
- Injection: SQL/command injection through parameters
Example attack:
# API endpoint
GET /api/users/123

# IDOR attack (change ID)
GET /api/users/456   # Access other user's data
How to Detect or Prevent It
Prevention:
- Require authentication on every endpoint (OAuth 2.0 access tokens, JWTs with signature and expiry verified server-side)
- Enforce authorization on every object and function: check that the caller owns user 123 before returning or changing it
- Validate all inputs
- Apply rate limiting
- Use API gateways
- Version your API properly
- Document security requirements
- Avoid predictable sequential IDs (use random identifiers), but treat this as defense in depth, not a substitute for the authorization check
- Return minimal data (only what's needed), using an allow-list of response fields
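The following is an added example, not code from the original page: a minimal in-memory "users" API handler written two ways. The vulnerable version exhibits three attacks from the list above (IDOR/BOLA, excessive data exposure, mass assignment); the hardened version applies the object-level authorization check and the field allow-lists from the prevention list. The store contents, field names and the Request shape are assumptions made for this example.

```python
# Added example (not from the original page): a minimal in-memory "users" API
# handler written two ways. The vulnerable version shows IDOR/BOLA, excessive
# data exposure and mass assignment; the hardened version applies object-level
# authorization and field allow-lists. Store contents, field names and the
# Request shape are assumptions made for this example.
import copy
from dataclasses import dataclass, field
from typing import Any, Optional


def sample_store() -> dict[int, dict[str, Any]]:
    """Constructed data: a fresh copy per call so callers do not share mutations."""
    return copy.deepcopy({
        123: {"id": 123, "email": "alice@example.com", "role": "user",
              "password_hash": "$2b$12$constructed-hash-alice", "ssn": "123-45-6789"},
        456: {"id": 456, "email": "bob@example.com", "role": "user",
              "password_hash": "$2b$12$constructed-hash-bob", "ssn": "987-65-4321"},
    })


PUBLIC_FIELDS = ("id", "email", "role")   # what a caller may read
WRITABLE_FIELDS = ("email",)              # what a caller may change about themselves


@dataclass
class Request:
    """Stand-in for GET/PATCH /api/users/{path_id} after authentication ran."""
    caller_id: Optional[int]              # identity from the session/JWT; None = anonymous
    method: str
    path_id: int                          # the {id} taken from the URL
    body: dict[str, Any] = field(default_factory=dict)


class Forbidden(Exception):
    pass


def vulnerable_users_handler(store, req: Request) -> dict[str, Any]:
    """Authenticates (caller_id is known) but never authorizes."""
    user = store[req.path_id]             # BOLA/IDOR: any id works for any caller
    if req.method == "GET":
        return dict(user)                 # excessive data exposure: hash and SSN leak
    if req.method == "PATCH":
        user.update(req.body)             # mass assignment: {"role": "admin"} is accepted
        return dict(user)
    raise ValueError("unsupported method")


def hardened_users_handler(store, req: Request) -> dict[str, Any]:
    # Object-level authorization: a caller may only touch their own record,
    # whatever id they put in the URL.
    if req.caller_id is None or req.caller_id != req.path_id:
        raise Forbidden(f"caller {req.caller_id} may not access user {req.path_id}")
    user = store[req.path_id]
    if req.method == "GET":
        return {k: user[k] for k in PUBLIC_FIELDS}      # minimal response
    if req.method == "PATCH":
        # Reject, rather than silently drop, fields outside the allow-list so a
        # client sending "role" is told it is not writable.
        unknown = set(req.body) - set(WRITABLE_FIELDS)
        if unknown:
            raise Forbidden(f"fields not writable: {sorted(unknown)}")
        user.update(req.body)
        return {k: user[k] for k in PUBLIC_FIELDS}
    raise ValueError("unsupported method")


def is_forbidden(handler, store, req: Request) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(store, req)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    alice_reads_bob = Request(caller_id=123, method="GET", path_id=456)
    print("vulnerable returns:", vulnerable_users_handler(sample_store(), alice_reads_bob))
    print("hardened refuses:", is_forbidden(hardened_users_handler, sample_store(), alice_reads_bob))
```

The authorization check compares the authenticated identity with the object being requested, so swapping 123 for 456 in the URL changes nothing. Note that the hardened PATCH rejects unknown fields outright: silently ignoring them hides a probing client from your logs.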
Detection:
- Log all API requests (caller identity, method, path, status code, timestamp)
- Monitor for unusual patterns:
  - High request frequency
  - Sequential ID enumeration
  - Unauthorized endpoint access (runs of 401/403 responses)
  - Suspicious parameter values
- Use API security tools (42Crunch, Salt Security)
- Implement anomaly detection
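As an added example (not part of the original page), the three log-based patterns above turned into detection rules and run over a constructed access log. The log format, client addresses, thresholds and endpoint paths are assumptions chosen for this example.

```python
# Added example (not from the original page): detection rules for sequential ID
# enumeration, request bursts and unauthorized-endpoint probing, run over a
# constructed API access log. Log format, addresses, thresholds and paths are
# assumptions made for the example.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client> <status> <method> <path>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 200 GET /api/users/123
2024-05-01T10:00:01Z 10.0.0.5 200 GET /api/users/124
2024-05-01T10:00:01Z 10.0.0.5 200 GET /api/users/125
2024-05-01T10:00:02Z 10.0.0.5 200 GET /api/users/126
2024-05-01T10:00:02Z 10.0.0.5 200 GET /api/users/127
2024-05-01T10:00:03Z 10.0.0.5 200 GET /api/users/128
2024-05-01T10:00:10Z 10.0.0.9 200 GET /api/users/42
2024-05-01T10:00:30Z 10.0.0.9 200 GET /api/orders/7
2024-05-01T10:01:00Z 10.0.0.9 403 GET /api/admin/users
2024-05-01T10:01:01Z 10.0.0.9 403 GET /api/admin/config
2024-05-01T10:01:02Z 10.0.0.9 403 GET /api/admin/audit
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) ([A-Z]+) (\S+)$")
ID_PATH_RE = re.compile(r"^/api/(\w+)/(\d+)$")   # collection + numeric object id


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, status, method, path = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "status": int(status),
            "method": method, "path": path,
        })
    return events


def detect_enumeration(events, min_run=5):
    """Clients requesting >= min_run consecutive numeric IDs in one collection."""
    ids_seen = defaultdict(list)
    for e in events:
        m = ID_PATH_RE.match(e["path"])
        if m:
            ids_seen[(e["client"], m.group(1))].append(int(m.group(2)))
    alerts = []
    for (client, collection), ids in ids_seen.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                alerts.append((client, collection))
                break
    return alerts


def detect_burst(events, window=timedelta(seconds=5), max_requests=5):
    """Clients exceeding max_requests inside any sliding time window."""
    times_by_client = defaultdict(list)
    for e in events:
        times_by_client[e["client"]].append(e["ts"])
    alerts = []
    for client, times in times_by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                alerts.append(client)
                break
    return alerts


def detect_forbidden_probing(events, threshold=3):
    """Clients collecting >= threshold 401/403 responses (unauthorized endpoint access)."""
    counts = Counter(e["client"] for e in events if e["status"] in (401, 403))
    return [client for client, n in counts.items() if n >= threshold]


def run_detections(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "enumeration": detect_enumeration(events),
        "burst": detect_burst(events),
        "forbidden": detect_forbidden_probing(events),
    }


if __name__ == "__main__":
    print(run_detections())
```

On the sample log, 10.0.0.5 trips both the enumeration and burst rules (IDs 123 through 128 in three seconds), while 10.0.0.9 never bursts but collects three 403s probing /api/admin/. Keep the rules separate: a slow enumeration that stays under the rate limit is exactly the case the enumeration rule exists for.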
Common Misconceptions
- "APIs are just for public services" - Most are internal
- "Authentication means authorization" - Two different things
- "Rate limiting solves security" - It helps but isn't enough
- "Private API keys are secure" - Can be leaked/stolen
- "API == REST" - REST is one type of many
Real-World Example
Venmo API Privacy Fail (2019)
Issue: An unauthenticated public API endpoint exposed transactions that users had left on the default "public" privacy setting:
- Participants, timestamps and payment notes for those transactions
- No authentication required to query the feed
- Researchers scraped millions of transactions
- Revealed financial and personal relationships
Uber API Vulnerabilities (2016)
Issues reported through Uber's bug bounty program:
- Rider endpoints accessible without proper auth
- Could retrieve other users' trip history
- Mass assignment allowed privilege escalation
These are distinct from Uber's 2016 breach of 57M accounts, which came from credentials found in a private GitHub repository that gave access to the company's cloud storage, not from the API bugs above.
OWASP API Security Top 10 (2023), first five entries:
- API1: Broken Object Level Authorization (IDOR)
- API2: Broken Authentication
- API3: Broken Object Property Level Authorization (covers excessive data exposure and mass assignment)
- API4: Unrestricted Resource Consumption
- API5: Broken Function Level Authorization
Related Terms
Endpoint, HTTP Request, REST, JSON, Authentication