An Application Programming Interface (API) is a type of interface, mechanism, or service for enabling the communication between software components. An API can be a set of protocols, tools, or definitions that specify how these software components should interact, and allowing different applications to communicate and exchange data.
In modern web and mobile applications, APIs have become fundamental components for frontend applications to communicate with backend services, for microservices to communicate with each other on the backend, or for third-party integrations that allow access to functionality and data without developing a custom solution.
From a security perspective, APIs represent a critical attack surface that requires rigorous testing and protection. Common API vulnerabilities include:
- Broken authentication and authorisation (allowing unauthorised access to sensitive endpoints)
- Excessive data exposure (returning more information than necessary in responses)
- Lack of rate limiting (enabling brute force and denial of service attacks)
- Mass assignment vulnerabilities (allowing users to modify object properties they shouldn’t access)
- Injection flaws (SQL injection, command injection through API parameters)
- Security misconfiguration, which exposes sensitive functionality
The OWASP API Security Top 10 provides specific guidance on API-related risks that are distinct from general web application vulnerabilities. APIs often handle sensitive data and business-critical functionality, whilst being exposed to untrusted clients, making them attractive targets for attackers.
Organisations deploying APIs should implement strong authentication and authorisation on all endpoints, validate and sanitise all inputs, implement rate limiting and throttling, use HTTPS for all communications, avoid exposing sensitive data in responses, implement comprehensive logging and monitoring, regularly test APIs for security vulnerabilities, and consider API gateways for centralised security policy enforcement.
As APIs increasingly drive business functionality and data exchange, API security testing has become a critical component of wider penetration testing programmes.
REST API
Representational State Transfer (REST) is an API architecture style that’s now a common method of designing and implementing application communications, such as with a frontend user interface communicating with a backend API.
REST APIs use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) to perform operations on resources that are identified by URLs (endpoints) by following general principles such as statelessness (each request contains all necessary information), client-server architecture, and cacheability. REST’s simplicity and alignment with web standards have made it the preferred choice for most modern web services, mobile applications, and microservices architectures.
From a security perspective, REST APIs face several specific challenges and vulnerabilities. Because REST APIs are stateless, authentication typically relies on tokens (e.g. JSON Web Tokens, or JWT) passed with each request instead of server-side sessions. This creates a risk if tokens are stolen or are improperly validated server-side.
Additionally, REST APIs often expose predictable URL structures that can allow for easier enumeration for attackers. REST APIs should never rely on obscurity or assume that the URL structure provides adequate security, and all endpoints should require proper authentication and authorisation checks.