Introduction


API testing provides an alternative to activities like evading AV or dealing with firewalls. APIs are projected to become one of the widest attack vectors soon, because their widespread adoption is outpacing cybersecurity standards. In other words, VERY VULNERABLE.

Background


Most of this should be a refresher.

Client-Server Model

You, the client, send requests to the server, and in return the server responds with the requested resource. The responses can be summarized by status code:

Code Type
200s Success
300s Redirect
400s Client Errors
500s Server Errors

Stateful vs Stateless

Stateful: the server keeps the user's session and identifies it by a cookie sent with each request.

Stateless: the server keeps no session; user data is stored in the database and looked up per request.

The difference? A stateful server spends its own computing resources maintaining the session for the life of the connection, whereas in a stateless design changes are made by updating a database. Because nothing is remembered between requests, each stateless request must carry its own form of authentication.
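To make the stateful/stateless distinction concrete, here is an added example (not from the original notes) with a toy server in both styles: the stateful side resolves a cookie against a server-side session table, while the stateless side verifies a self-contained HMAC-signed token on every request and stores nothing. The secret key, usernames and status codes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"hypothetical-server-secret"  # constructed server-side key (assumption)

# --- Stateful: the server keeps a session table; the client only holds a cookie id ---
SESSIONS = {}  # session_id -> username, lives in server memory


def stateful_login(username):
    """Create a session server-side and hand back the id the client stores as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def stateful_request(cookie):
    """Each request is resolved by looking the cookie up in server-side state."""
    user = SESSIONS.get(cookie)
    return (200, user) if user else (401, None)


# --- Stateless: the server keeps nothing; each request carries a verifiable token ---
def stateless_login(username):
    """Issue a token of the form <base64 body>.<hmac>; no server-side record is kept."""
    body = base64.urlsafe_b64encode(json.dumps({"user": username}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def stateless_request(token):
    """Authenticate purely from the token: recompute the HMAC and compare in constant time."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return (400, None)  # malformed token -> client error
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return (401, None)  # tampered or forged token
    return (200, json.loads(base64.urlsafe_b64decode(body))["user"])
```

Note that clearing `SESSIONS` invalidates every cookie but leaves every stateless token valid, which is exactly why revocation is harder in a stateless design.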

Sql vs NoSql

SQL databases are relational, while NoSQL databases store keys and values. Relational means that items are stored as rows in tables and each row has attributes (columns). You can query those attributes with a statement such as SELECT username,password FROM redemption.userdata, which selects the username and password attributes from the userdata table within the redemption database. A query for a non-relational database would look like db.getCollection('accounts').update({username:"admin"}, {...}), where the first argument selects the admin user within the accounts collection and the second argument (omitted here) holds the changes to apply.