The What, Why, and How of API Penetration Testing

Read the original article: The What, Why, and How of API Penetration Testing


I have come to realize and appreciate when having conversations about API Penetration Testing with colleagues and other professionals that not all understand what API is. Yes, sure it means an Application Programming Interface, and it is a software component that enables different systems/applications to interact with each other, but there is a bit more to its story…

  • The most common description for API is that it acts like a messenger to send a request from an entity (a person or an application) to another application and get a response.
  • The API is a system in itself; it is a toolset consisting of codes and commands that can be used across multiple applications, can be reused, and go a long way in making the lives of developers easy and productive, as they do not need to create code from scratch.
  • As a system/application user, we do not need to know what the API is made of. We simply make a request of the application, wait for the API and underlying application code to do their thing, and get a response.

If we had to draw a parallel with everyday life, let’s consider the post office. The postal system is a robust system in itself; made up of rules, codes, and policies, etc. that enable to function repeatedly for all mailing purposes.




Read the original article: The What, Why, and How of API Penetration Testing