Section 04: Web API, Webhooks, Web Shells

Web API

API (Application programming interface)

An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification.

HTTP (Hypertext transer protocol)

The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.

SOAP (Simple object access protocol)

SOAP (formerly a backronym for Simple Object Access Protocol) is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. It uses XML Information Set for its message format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP), although some legacy systems communicate over Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

REST (Representational state transfer)

Representational state transfer (REST) is a software architectural style that describes a uniform interface between physically separate components, often across the Internet in a client-server architecture.

Webhook

A webhook in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application.

OWASP API security project. The top 2019 from the project can be found in the links below.

CORS (Cross origin resource sharing)

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

RBAC (Role based access control)

In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC).

SAML (Security assertion markup language)

Security Assertion Markup Language (SAML, pronounced SAM-el, /ˈsæməl/)[1] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

OAuth (Open authorization)

OAuth (short for "Open Authorization") is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

Postman

Postman is an API platform for developers to design, build, test and iterate their APIs.

Fuzzing

In programming and software development, fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

Credential stuffing

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application.

IDOR (Insecure direct object reference)

Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security.

Auth0

Rapidly integrate authentication and authorization for web, mobile, and legacy applications so you can focus on your core business.

Cross site request forgery

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts.

Reverse engineering

Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task with very little (if any) insight into exactly how it does so.

Replay attack

A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed.

Web shell

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

CMS (Content management system)

A content management system (CMS) is computer software used to manage the creation and modification of digital content (content management). A CMS is typically used for enterprise content management (ECM) and web content management (WCM).

File inclusion vulnerability

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time.

Remote file inclusion

Remote file inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

MFA (Multi factor authentication)

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).

Links

• https://en.wikipedia.org/wiki/API

• https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

• https://en.wikipedia.org/wiki/SOAP

• https://en.wikipedia.org/wiki/Representational_state_transfer

• https://en.wikipedia.org/wiki/Webhook

• https://owasp.org/www-project-api-security

• https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

• https://en.wikipedia.org/wiki/Role-based_access_control

• https://en.wikipedia.org/wiki/OAuth

• https://www.postman.com

• https://en.wikipedia.org/wiki/Fuzzing

• https://en.wikipedia.org/wiki/Credential_stuffing

• https://en.wikipedia.org/wiki/Insecure_direct_object_reference

• https://auth0.com

• https://en.wikipedia.org/wiki/Cross-site_request_forgery

• https://en.wikipedia.org/wiki/Reverse_engineering

• https://en.wikipedia.org/wiki/Replay_attack

• https://en.wikipedia.org/wiki/Web_shell

• https://en.wikipedia.org/wiki/Content_management_system

• https://en.wikipedia.org/wiki/File_inclusion_vulnerability

• https://en.wikipedia.org/wiki/Multi-factor_authentication