REST API Security - Part 1: Introduction
How Web Applications Work
Understanding how web applications operate is crucial for grasping REST API security. This chapter explores the client-server architecture, the HTTP protocol, URLs, requests, responses, headers, cookies, and the stateful vs. stateless nature of web communications, all of which directly impact API security.
Web App Basics
Web applications run on a client/server model:
- Client: Usually a browser or app making requests.
- Server: Hosts the application and sends resources/data in response.
Unlike static websites, web apps support bi-directional communication. Users can interact (e.g., post, comment, upvote), and the server processes and responds accordingly. These interactions are handled via HTTP, and often involve REST APIs behind the scenes.
Example:
- Website: Shows you content.
- Web App: Lets you log in, post content, update settings, etc.
The URL: Uniform Resource Locator
Every web app interaction starts with a URL. It specifies the protocol, host, path, and optional query string.
```
Protocol://Hostname[:Port]/[Path]?[Query]=[Value]
```
Example:
```
https://twitter.com/search?q=hacking&src=typed_query
```
- Protocol: https
- Hostname: twitter.com
- Path: /search
- Query: ?q=hacking&src=typed_query
URLs are essential in API requests, as each endpoint represents a specific resource or function.
HTTP Requests
Web applications communicate over HTTP. Each browser interaction generates a request like this one:
```http
POST /sessions HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Cookie: _auth=abc123
Content-Length: 60

username=hAPI_hacker&password=NotMyPassword%217
```
Key components:
- Method: Defines action (GET, POST, etc.)
- Headers: Provide metadata (User-Agent, Cookies, etc.)
- Body: Data to be processed (e.g., login credentials)
HTTP Responses
Servers respond with HTTP messages:
```http
HTTP/1.1 302 Found
Set-Cookie: auth_token=abc123; HttpOnly
Location: https://twitter.com/
```
Status codes indicate the result:
- 200 OK: Success
- 302 Found: Redirect
- 401 Unauthorized: Auth required
- 500 Internal Server Error: Server-side issue
Headers may include:
- Set-Cookie: For authentication
- Content-Type: Data format
- Location: Redirection URL
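To make the URL, request and response formats above concrete, here is an added example (not code from the original article) that parses the three pieces shown in this chapter: the search URL into its components, the login request into method, headers, cookies and percent-decoded form fields, and the redirect response into its status and Set-Cookie attributes. The sample messages are constructed copies of the ones in the text, with a Content-Length that matches the body so that the parser's framing check passes; the function names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample messages, modelled on the ones shown in the text.
RAW_URL = "https://twitter.com/search?q=hacking&src=typed_query"

RAW_REQUEST = (
    "POST /sessions HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: _auth=abc123\r\n"
    "Content-Length: 46\r\n"
    "\r\n"
    "username=hAPI_hacker&password=NotMyPassword%21"
)

RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: auth_token=abc123; HttpOnly\r\n"
    "Location: https://twitter.com/\r\n"
    "\r\n"
)


def split_url(url):
    """Break a URL into the components named in the text (protocol, host, port, path, query)."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "protocol": parts.scheme,
        "hostname": parts.hostname,
        "port": parts.port if parts.port is not None else default_port,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def _parse_message(raw):
    """Split an HTTP/1.1 message into start line, headers and body.

    Headers are kept as name -> list of values because a header such as
    Set-Cookie may legitimately appear more than once.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_request(raw):
    """Parse a request into method, target, headers, cookies and decoded form fields."""
    start, headers, body = _parse_message(raw)
    method, target, version = start.split(" ")
    # A Content-Length that disagrees with the actual body is a malformed
    # message; reject it rather than guess which framing was intended.
    if "content-length" in headers and int(headers["content-length"][0]) != len(body.encode()):
        raise ValueError("Content-Length does not match the body size")
    cookies = {}
    for pair in headers.get("cookie", [""])[0].split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    form = {}
    if headers.get("content-type", [""])[0].startswith("application/x-www-form-urlencoded"):
        # parse_qs percent-decodes the values, so %21 comes back as "!"
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "cookies": cookies, "form": form}


def parse_response(raw):
    """Parse a response into status, headers and the attributes of each Set-Cookie header."""
    start, headers, body = _parse_message(raw)
    version, code, reason = start.split(" ", 2)
    cookies = {}
    for set_cookie in headers.get("set-cookie", []):
        first, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = first.partition("=")
        flags = {a.lower() for a in attrs}
        cookies[name] = {"value": value, "httponly": "httponly" in flags, "secure": "secure" in flags}
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "cookies": cookies, "body": body}


if __name__ == "__main__":
    print(split_url(RAW_URL))
    print(parse_request(RAW_REQUEST))
    print(parse_response(RAW_RESPONSE))
```

Two details are worth noticing when you run it: the form parser returns the password with `%21` decoded to `!`, which is the value the server actually sees, and the response parser reports that the `auth_token` cookie has `HttpOnly` but not `Secure`, the kind of attribute check a reviewer makes when assessing how a session cookie is protected.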
HTTP Methods
Each method maps to CRUD operations:
| Method | Purpose |
|---|---|
| GET | Retrieve a resource |
| POST | Submit or create new data |
| PUT | Update or replace a resource |
| PATCH | Partially update a resource |
| DELETE | Remove a resource |
REST APIs heavily rely on these methods, so understanding their semantics is crucial.
Stateless vs. Stateful HTTP
- Stateful: Server retains session info (e.g., login cookies).
  - Vulnerability: Cookie theft can lead to session hijacking.
- Stateless: Each request includes all required data.
  - Common in REST APIs using JWTs or tokens.
Stateless APIs are more scalable and secure when implemented properly.
Web Server Databases
Web apps store data in databases:
- Frontend: HTML, CSS, JS (what users see)
- Backend: Server, app logic, and database (what processes data)
Two common types:
- SQL (Relational):
  - Tables, rows, columns
  - Query language: `SELECT * FROM users WHERE id=1`
- NoSQL (Non-relational):
  - Flexible document/JSON-based storage
  - Example: MongoDB
Security implication: exposing the database directly to clients increases the attack surface. APIs act as controlled intermediaries that mediate every read and write, so the database is never reachable from the client.
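The `SELECT * FROM users WHERE id=1` query above is exactly where the "injection risks" item later in this chapter applies: if the API builds that query by pasting a client-supplied value into the SQL text, the value can change the query's meaning. The following added example (my own code, not the article's) uses an in-memory SQLite database with three constructed rows to show the concatenating version next to two hardened versions: one that binds the value as a parameter, and one that additionally validates the id before it ever reaches the database.

```python
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def get_user_unsafe(conn, user_id):
    """Vulnerable pattern: the client-supplied string becomes part of the SQL text,
    so it is parsed as SQL rather than treated as a value."""
    query = f"SELECT * FROM users WHERE id={user_id}"
    return conn.execute(query).fetchall()


def get_user_safe(conn, user_id):
    """Hardened pattern: parameter binding hands the value to the driver separately,
    so whatever it contains is compared against the id column, never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()


def get_user_validated(conn, raw_id):
    """Defence in depth: an id must be a positive integer, so anything else is
    rejected at the API boundary before a query is even built."""
    if not raw_id.isdigit():
        raise ValueError(f"invalid user id: {raw_id!r}")
    return get_user_safe(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print(get_user_unsafe(db, "1"))          # one row, as intended
    print(get_user_unsafe(db, "1 OR 1=1"))   # every row: the WHERE clause was rewritten
    print(get_user_safe(db, "1 OR 1=1"))     # no rows: the text is compared as a value
    print(get_user_validated(db, "2"))       # one row after validation
```

The parameterised version is the fix; the validation layer is there because an API should also reject input that makes no sense for the field, which keeps malformed values out of logs and downstream systems as well as out of the query.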
How APIs Fit into the Picture
APIs act as a bridge between client and backend systems:
- Frontend triggers API calls.
- APIs handle data retrieval and manipulation securely.
Real-world Example: A ridesharing app may use:
- Google Maps API for navigation
- Stripe API for payments
These services are modular and communicate via HTTP(S).
Security Implications for REST APIs
- Attack Surface Expansion: Each exposed endpoint is a potential vulnerability.
- Improper Authorization: Insecure tokens or missing checks can expose sensitive data.
- Data Exposure: Poor request validation may lead to over-fetching.
- Replay Attacks: Stateless tokens can be reused if not expired or protected.
- Injection Risks: Unsanitized data passed to SQL/NoSQL queries.
Understanding how web apps function helps identify where REST APIs might be abused or misconfigured, which is foundational for any penetration tester or security engineer.
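The stateless section above says stateless APIs are secure "when implemented properly", and the implications list names two of the ways they go wrong: tokens that can be replayed because they never expire, and endpoints that accept a valid token without checking that it belongs to the owner of the requested resource. This added example (my own code, not from the article) implements a minimal HMAC-signed bearer token in the JWT style to show what "properly" involves: the server stores no session, verifies the signature in constant time before trusting any claim, refuses expired tokens, and then applies an object-level ownership check. The secret and the `now` parameter are constructed so the behaviour is reproducible offline.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads its signing key from a secrets store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl_seconds, now=None):
    """Mint a signed token carrying the subject and an expiry; the server keeps no record of it."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the payload if the signature is valid and the token is unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison, and the signature is checked before any claim is read.
    if not hmac.compare_digest(presented, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        # Expired tokens are refused, which bounds how long a captured token can be replayed.
        return None
    return payload


def authorize(token, resource_owner, now=None):
    """HTTP status an endpoint should return for a request on a resource owned by resource_owner."""
    payload = verify_token(token, now)
    if payload is None:
        return 401  # no valid credential presented
    if payload["sub"] != resource_owner:
        return 403  # valid credential, but for a different user: the object-level check
    return 200


if __name__ == "__main__":
    issued_at = 1_000_000
    token = issue_token("alice", ttl_seconds=300, now=issued_at)
    print(authorize(token, "alice", now=issued_at + 100))  # 200
    print(authorize(token, "bob", now=issued_at + 100))    # 403
    print(authorize(token, "alice", now=issued_at + 400))  # 401, expired
```

The trade-off this makes visible is the one the stateless section hints at: because the server holds no session table, it cannot revoke a token before `exp` without reintroducing some state (a denylist or key rotation), which is why short lifetimes matter more for stateless tokens than for server-side sessions.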