Understanding REST APIs: How They Work and What They Look Like
An API (Application Programming Interface) is a messenger between different parts of a program — like a middleman that delivers your order to the kitchen.
In the web world, APIs allow:
- Frontend apps (your browser or mobile app) to talk to
- Backend systems (databases, logic, authentication, etc.)
You don’t see APIs directly, but every time you:
- Log in to Instagram
- Check the weather on your phone
- View your online banking balance
You’re using an API in the background.
What Makes It a “REST” API?
REST is a design style for building APIs. It uses standard HTTP methods and URLs to work with data.
REST = Representational State Transfer (you don’t need to remember that)
A REST API is like a set of URL-based rules to:
- Create
- Read
- Update
- Delete
resources (also known as CRUD operations).
Example: A Simple Web App API
Imagine a basic book store web app.
The website’s API might live at:
https://bookstore.com/api/
Here’s how the REST API might be designed:
| Action | HTTP Method | Endpoint | What It Does |
|---|---|---|---|
| View all books | GET | /books | Get a list of books |
| View one book | GET | /books/5 | Get book with ID 5 |
| Add a new book | POST | /books | Add a book to the database |
| Update a book | PUT | /books/5 | Change book 5’s info |
| Delete a book | DELETE | /books/5 | Remove book 5 |
Example 1: Viewing Books (GET)
curl https://bookstore.com/api/books
Response:
[
  {
    "id": 1,
    "title": "Hack the Planet",
    "author": "Cyber Wizard"
  },
  {
    "id": 2,
    "title": "The Art of Exploitation",
    "author": "Security Ninja"
  }
]
Example 2: Adding a New Book (POST)
curl -X POST https://bookstore.com/api/books \
  -H "Content-Type: application/json" \
  -d '{"title":"Red Team Cookbook","author":"Wilko"}'
Response:
{
  "status": "success",
  "book_id": 3
}
Example 3: Updating a Book (PUT)
curl -X PUT https://bookstore.com/api/books/3 \
  -H "Content-Type: application/json" \
  -d '{"title":"Red Team Cookbook - 2nd Edition"}'
Example 4: Deleting a Book (DELETE)
curl -X DELETE https://bookstore.com/api/books/3
Key Terms You’ll See Everywhere
| Term | Meaning |
|---|---|
| Endpoint | A URL path (like /books or /login) |
| Method | HTTP verb: GET, POST, PUT, DELETE, etc. |
| Payload | The data you send (e.g. new user info in JSON) |
| Header | Extra info (e.g. Authorization, Content-Type) |
| Status Code | Result: 200 OK, 404 Not Found, 403 Forbidden |
Real-World Example: Login API
Let’s say our site has a login API:
POST /api/login
You send your username and password:
curl -X POST https://bookstore.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"letmein"}'
Response:
{
  "status": "success",
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5..."
}
Now that token proves you’re logged in — you include it in every request:
-H "Authorization: Bearer eyJhbGciOi..."
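To show where each of these status codes comes from on the server side, here is an added Python example (not code from the original post) that implements the bookstore endpoint table above plus the login and Bearer-token flow in one request handler; the in-memory store, the demo credentials and the rule that only the admin user may DELETE are constructed assumptions.

```python
import json, re, secrets
# Constructed in-memory stand-ins for the bookstore's database and user table.
BOOKS = {1: {"title": "Hack the Planet", "author": "Cyber Wizard"},
         2: {"title": "The Art of Exploitation", "author": "Security Ninja"}}
USERS = {"admin": "letmein", "reader": "bookworm"}   # constructed demo credentials
TOKENS = {}                                           # issued auth_token -> username
ROUTE = re.compile(r"/api/(?:(login)|books(?:/(\d+))?)")  # the only paths that exist

def handle(method, path, headers=None, body=None):    # -> (status code, JSON body)
    m = ROUTE.fullmatch(path)
    if not m:
        return 404, {"error": "not found"}
    data = json.loads(body or "{}")                       # JSON payload, if any
    if m.group(1):                                        # POST /api/login: no token needed
        if method != "POST":
            return 405, {"error": "method not allowed"}
        if USERS.get(data.get("username"), object()) != data.get("password"):
            return 401, {"error": "bad credentials"}      # unknown user can never match
        token = secrets.token_urlsafe(32)                 # random, unguessable bearer token
        TOKENS[token] = data["username"]
        return 200, {"status": "success", "auth_token": token}
    # Everything under /api/books needs "Authorization: Bearer <token>", else 401.
    scheme, _, token = (headers or {}).get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:
        return 401, {"error": "missing or invalid auth"}
    book_id = int(m.group(2)) if m.group(2) else None
    if book_id is None:                                   # collection: GET /books, POST /books
        if method == "GET":
            return 200, [{"id": i, **b} for i, b in BOOKS.items()]
        if method == "POST":
            if not {"title", "author"} <= set(data):
                return 400, {"error": "title and author required"}
            new_id = max(BOOKS, default=0) + 1
            BOOKS[new_id] = {"title": data["title"], "author": data["author"]}
            return 201, {"status": "success", "book_id": new_id}
        return 405, {"error": "method not allowed"}
    if book_id not in BOOKS:
        return 404, {"error": "no such book"}
    if method == "GET":
        return 200, {"id": book_id, **BOOKS[book_id]}
    if method == "PUT":                                   # only known fields, never the id
        BOOKS[book_id].update({k: v for k, v in data.items() if k in ("title", "author")})
        return 200, {"status": "success", "book_id": book_id}
    if method == "DELETE":                                # valid token but wrong role: 403, not 401
        if user != "admin":
            return 403, {"error": "admin only"}
        del BOOKS[book_id]
        return 200, {"status": "success"}
    return 405, {"error": "method not allowed"}
```

Replaying the curl examples above against handle() in the same order yields the same responses, and the 401 (no or bad token), 403 (valid token, wrong role) and 405 (wrong method) branches are the ones a tester sees from the outside.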
Tools to Interact with REST APIs
| Tool | Use Case |
|---|---|
| curl | Quick testing via CLI |
| Postman | GUI tool for building/testing API requests |
| Burp Suite | Intercept, edit, and replay requests |
| Gobuster / ffuf | Discover hidden API paths |
| jwt_tool | Decode and manipulate JSON Web Tokens |
| httpie | Friendly curl alternative for humans |
Why REST APIs Are a Big Deal in Pentesting
Websites today are just pretty frontends — the real power lives in the backend APIs. If you’re attacking a modern web app, you’re almost always attacking its API.
Common API Flaws:
- Exposed admin endpoints (e.g. /admin/delete-user)
- Broken auth checks
- Insecure data exposure (/users/1234)
- No rate limiting (brute force login)
- Unvalidated input (SQLi, XSS via API)
Bonus: Tips for Testing an Unknown API
- Start with Gobuster or ffuf to brute-force endpoints like /api, /v1, /admin, etc.
- Use Burp or curl to probe responses and test different HTTP methods.
- Look for:
  - 200 OK (endpoint exists)
  - 403 Forbidden (you might need a token)
  - 405 Method Not Allowed (wrong HTTP method)
  - 401 Unauthorized (missing or invalid auth)
- Read the responses — many APIs spill useful info in error messages or metadata.
- Always check robots.txt and sitemap.xml — hidden gems often live there.
Final Thoughts
REST APIs are the invisible glue of the modern web. As pentesters, understanding how they’re built, what they expose, and how to communicate with them gives you a massive edge.
Knowing REST isn’t just about sending GET and POST requests — it’s about seeing the structure of a web app clearly, like x-ray vision.
In the next post, we’ll demystify Authentication on the Web: Sessions vs JWTs — and why this difference matters so much when you’re hacking APIs.
