When an API request is made by one program to another to access its functionality or data, it’s referred to as an API call. API calls serve a variety of purposes, such as making an online purchase or accessing third-party services. However, despite this clear utility, API calls can lead to an attack if they are not properly secured.
An application programming interface, better known as an API, is essentially a set of rules and protocols that allow software programs to communicate with each other. APIs are especially useful when writing programs that need to access data from another program, such as a mobile app that needs access to the data stored by a database or web app. With that in mind, when an API request is made by one program to another to access its functionality or data, it’s referred to as an API call.
When a client makes an API call, the destination of that request is an API endpoint. API endpoints are a way to access the data or functionality of an application, service, or software. It’s a specific URL that can be used to access data from an external source, such as a database or web service. It can also be used to create and manage data on the fly, such as in a web application.
When the API endpoint communicates back, its reply is known as a response. It’s important to know that responses vary. Oftentimes the response is the data that the client requested in the API call, but if the API is unable to verify the API client, the response can instead carry an error code.
The most common types of APIs are REST APIs, which use HTTP-based API call methods. The most common methods are GET, POST, PUT, DELETE, and BATCH. We’ll cover those below. But keep in mind that there are other types of APIs, including SOAP, GraphQL, XML, FORMS, and more.
GET and POST calls are normally used for retrieving records to the calling application from an access point provided by the API provider. These calls retrieve or update/create a record and return a status code along with a response header and body that contains the payload. GET/POST calls can be used to get data from the internet and/or change what is displayed on a website; for example, you may have a messaging app that lets you search for a friend’s location based on the city they live in and then click on the friend’s profile picture to see where they are located on a map. In this case the ‘GET’ call would be used for searching for that friend, and the API would return their city name and the country they are located in in the response payload. GET calls can also be used by applications to do things like check your account balance, pay bills online, or get updates on the weather in your local area.
PUT and DELETE calls are used for updating or deleting records using the API. The request must contain the appropriate HTTP headers (usually authentication, at a minimum) as well as a request body that contains the information needed for the update or deletion to occur. Similar to GET/POST calls, these also return a status code and potentially a body with the response payload. PUT/DELETE calls are also sometimes called ‘application-to-application’ (A2A) or ‘self-service’ calls because they allow one application to communicate with another. For example, say you are using the Pinterest app on your phone and you want to create a board for your favorite recipes. Clicking to create the board would cause your Pinterest mobile app to make a PUT call that posts the board to Pinterest’s API. Or say you are watching a video on YouTube and you tap the screen to pause the video. The platform might send a GET call to check your channel subscriptions to see what other videos you might like to watch next.
BATCH calls are used for submitting multiple requests at once to an API endpoint. Each BATCH must consist of a valid header as well as an array of body data. Batches may be repeated several times to gather more data over a period of time. Batch calls are useful for things like uploading large volumes of data or taking many actions in a short period of time. For instance, a developer might set up an automated job that runs every hour to fetch new content from a website or add new products to an online store using a BATCH call. If you want to issue multiple requests at once, a batch call, which is similar to the GET/POST calls mentioned previously, is the most efficient option.
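To make the request/response cycle described above concrete, here is an added example (not code from the original article or from Noname) of a tiny in-process API endpoint. It dispatches GET, POST, PUT and DELETE calls on a constructed "friends" resource, verifies the caller with an assumed X-API-Key header before doing anything else (returning an error code when the client cannot be verified), returns a status code plus headers plus a body payload for every call, and handles a batch body that bundles several sub-requests under one verified header. The paths, key names and records are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Any

# Constructed in-memory records standing in for the API provider's database
# (assumption: the API exposes a "friends" resource keyed by user name).
FRIENDS = {
    "alice": {"city": "Lisbon", "country": "Portugal"},
    "bob": {"city": "Oslo", "country": "Norway"},
}

# Constructed credential table: an API key identifies the calling application
# (assumption: the endpoint authenticates callers with an X-API-Key header).
API_KEYS = {"key-mobile-app-1": "mobile-app"}


@dataclass
class Response:
    """What the endpoint sends back: status code, response headers, body (the payload)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: Any = None


def _json(status: int, body: Any = None, **extra_headers: str) -> Response:
    """Build a JSON response with optional extra headers (e.g. Location)."""
    return Response(status, {"Content-Type": "application/json", **extra_headers}, body)


def handle(method: str, path: str, headers: dict, body: Any = None) -> Response:
    """Dispatch one API call (method + endpoint path + headers + body) to the endpoint."""
    # Verify the client before anything else; an unverifiable client gets an error code.
    client = API_KEYS.get(headers.get("X-API-Key", ""))
    if client is None:
        return _json(401, {"error": "client could not be verified"})

    parts = path.strip("/").split("/")
    is_item = len(parts) == 2 and parts[0] == "friends"  # /friends/<name>

    # GET /friends/<name>: retrieve one record; the payload is the record itself.
    if method == "GET" and is_item:
        record = FRIENDS.get(parts[1])
        return _json(200, dict(record)) if record else _json(404, {"error": "no such friend"})

    # POST /friends: create a record from the request body; 201 + Location header.
    if method == "POST" and parts == ["friends"]:
        if not isinstance(body, dict) or "name" not in body:
            return _json(400, {"error": "body must include a name"})
        FRIENDS[body["name"]] = {"city": body.get("city"), "country": body.get("country")}
        return _json(201, None, Location=f"/friends/{body['name']}")

    # PUT /friends/<name>: update an existing record from the request body.
    if method == "PUT" and is_item:
        if parts[1] not in FRIENDS:
            return _json(404, {"error": "no such friend"})
        if not isinstance(body, dict):
            return _json(400, {"error": "body must be an object"})
        FRIENDS[parts[1]].update({k: body[k] for k in ("city", "country") if k in body})
        return _json(200, dict(FRIENDS[parts[1]]))

    # DELETE /friends/<name>: remove the record; 204 carries no body.
    if method == "DELETE" and is_item:
        if FRIENDS.pop(parts[1], None) is None:
            return _json(404, {"error": "no such friend"})
        return Response(204)

    # POST /batch: several sub-requests in one call, each run under the outer
    # (already verified) headers; the payload is one result per sub-request.
    if method == "POST" and parts == ["batch"]:
        if not isinstance(body, dict) or not isinstance(body.get("requests"), list):
            return _json(400, {"error": "body must contain a list of requests"})
        results = []
        for sub in body["requests"]:
            if not isinstance(sub, dict):
                results.append({"status": 400, "body": {"error": "malformed sub-request"}})
                continue
            r = handle(sub.get("method", ""), sub.get("path", ""), headers, sub.get("body"))
            results.append({"status": r.status, "body": r.body})
        return _json(200, results)

    return _json(405, {"error": f"{method} not supported on {path}"})


def demo() -> list:
    """Run the kinds of calls the article describes; return the status codes seen in order."""
    auth = {"X-API-Key": "key-mobile-app-1"}
    return [
        handle("GET", "/friends/alice", {}).status,        # no credential -> 401
        handle("GET", "/friends/alice", auth).status,      # payload is city/country -> 200
        handle("POST", "/friends", auth,
               {"name": "carol", "city": "Nairobi", "country": "Kenya"}).status,  # 201
        handle("PUT", "/friends/carol", auth, {"city": "Mombasa"}).status,        # 200
        handle("DELETE", "/friends/bob", auth).status,     # 204, no body
        handle("GET", "/friends/bob", auth).status,        # record is gone -> 404
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the batch branch does not re-check credentials per sub-request: the outer header was verified once, which is exactly the "valid header plus an array of body data" shape the article describes, and a real batch endpoint should apply the same per-resource authorization to every sub-request as it would to a standalone call.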
An API call is considered safe if it is made with the correct credentials and if it’s not being used for malicious purposes. However, API calls can lead to an attack if they are not properly secured. This is because the API call originates from a different domain than the one that serves it. This means that if an attacker manages to get access to your API call, they will have access to your entire system and all of its data.
There are many ways that API calls can be used for malicious purposes, such as:
Protecting API calls can be tricky because a lot of popular websites and apps have millions of users accessing them simultaneously, so it’s hard to tell where requests are coming from. Furthermore, so many new threats are created every day that it’s tough to keep up with them all. However, there are a few things you can do to make sure your API calls are safe and secure.
Developers use APIs to cross-connect microservices and applications in order to exchange data. The first thing an organization can do to make this process more secure is to keep an accurate inventory of the APIs available to the development teams. Oftentimes a duplicate API is created because the existing one is unknown to the development team. This unnecessarily increases the attack surface of the organization.
Another common threat is excessive data exposure, where developers keep adding new data types to a single API in an attempt to re-use existing tooling. The risk here is that all data types for a given record may be exposed by the API, even if they are not needed by the requesting client. This data could be harvested by an attacker. Finally, business logic should be built into the API code to make sure it cannot be abused. Your API security testing solution should be able to test for and uncover any flaws in your business logic.
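The excessive data exposure pattern and the business-logic check from the paragraph above, as an added example that is not code from the original article or from Noname. `get_user_exposed` returns the whole stored record, so every field later added to storage leaks with it; `get_user` instead projects the record through an explicit per-purpose allow-list and enforces the rule that only the record's owner can request the fuller "account_owner" view. `sensitive_fields_in` is the kind of response audit an API security test would run to flag the difference. The records, field names, schema names and sensitive-key list are all constructed for this example.

```python
# Constructed user records as stored by the service (assumption: storage holds
# fields that no API client should ever receive).
USERS = {
    "u-1": {"id": "u-1", "name": "Alice", "email": "alice@example.test",
            "password_hash": "constructed-hash-1", "ssn": "000-00-0000",
            "internal_risk_score": 42},
    "u-2": {"id": "u-2", "name": "Bob", "email": "bob@example.test",
            "password_hash": "constructed-hash-2", "ssn": "000-00-0001",
            "internal_risk_score": 7},
}

# Per-purpose allow-lists (assumed for the example): each view names exactly
# the fields a client with that purpose needs, nothing more.
RESPONSE_SCHEMAS = {
    "public_profile": ("id", "name"),
    "account_owner": ("id", "name", "email"),
}

# Key names a security test treats as sensitive when they show up in a response.
SENSITIVE_KEYS = {"password_hash", "ssn", "internal_risk_score"}


def get_user_exposed(user_id: str) -> dict:
    """The exposure pattern the article warns about: the whole stored record goes
    out, so any field added to storage later is silently exposed as well."""
    return dict(USERS[user_id])


def get_user(user_id: str, caller_id: str, schema: str) -> tuple:
    """Hardened form: (status, body). The record is projected through an explicit
    allow-list, and the business rule 'only the owner gets the account view' is
    enforced in the API code rather than left to the client."""
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    if schema == "account_owner" and caller_id != user_id:
        # Business-logic check: another user may not read your account view.
        return 403, {"error": "forbidden"}
    fields = RESPONSE_SCHEMAS.get(schema)
    if fields is None:
        # Unknown view names fail closed instead of falling back to "everything".
        return 400, {"error": "unknown response schema"}
    return 200, {k: record[k] for k in fields}


def sensitive_fields_in(body) -> set:
    """Audit helper: collect sensitive key names appearing anywhere in a response body."""
    found = set()
    if isinstance(body, dict):
        for key, value in body.items():
            if key in SENSITIVE_KEYS:
                found.add(key)
            found |= sensitive_fields_in(value)
    elif isinstance(body, list):
        for item in body:
            found |= sensitive_fields_in(item)
    return found


def audit_both(user_id: str, caller_id: str, schema: str) -> dict:
    """Compare what each handler would leak for the same request."""
    _, safe_body = get_user(user_id, caller_id, schema)
    return {
        "exposed": sorted(sensitive_fields_in(get_user_exposed(user_id))),
        "hardened": sorted(sensitive_fields_in(safe_body)),
    }


if __name__ == "__main__":
    print(audit_both("u-1", "u-2", "public_profile"))
```

The allow-list is the important design choice: a deny-list of known-sensitive fields would break the moment someone adds a new column, whereas a projection only ever returns fields that were deliberately named for that client's purpose. The audit helper exists so a test suite can assert on the absence of sensitive keys in every response shape, which is the check the article asks an API security testing solution to perform.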
Protecting your API calls sounds like quite a feat, yeah? Well, luckily for you, Noname can help secure your API calls, among a myriad of other things. And not just for REST APIs. We protect a wide range of API types, including SOAP, GraphQL, XML, FORMS, gRPC, and more. Learn more about how we inventory APIs, monitor sensitive data, and secure your API calls here.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.