Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

AWS API Gateway

Premium room

An overview of security features and common attacks for the AWS API Gateway service.

medium

50 min

275

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

It's hard to find a website in 2022 that doesn't make extensive use of Application Programming Interfaces, or APIs, to provide the various functionalities of the website to end users in their browsers. APIs have become a ubiquitous and critical part of the modern technology stack. As a quick overview for those unfamiliar, this task will discuss the basics of an .

Before explaining what an is, it is helpful to define key components of an /HTTPS :

Components

Endpoint: This is the URL location of the , e.g., the address where you can "call" an and the resources it can access on your behalf.

Method: This specifies the type of request being made to the , such as GET, POST, PUT, DELETE, etc.

Headers: These are a component of , but are used by APIs to contain additional information about the request, such as authentication details, content type, and other metadata.

Request body: This is the data sent to the as part of the request. GET requests won't typically have a request body, but POST, PUT, and DELETE requests almost always do.

Response: This is the data that the sends in response to the request. It may include a status code, headers, and a response body.

Purpose

APIs provide a granular mechanism for developers to allow user access to (potentially) sensitive "back-end" resources. Not only do APIs expose these capabilities for end users, but they also allow third-parties to build reliable ecosystems around a product that exposes an . Notably, this caused recent controversy as Twitter burned third-party client access (opens in new tab) to the Twitter . This controversy only reiterates the significance of APIs for organizations using modern technology.

Furthermore, as mentioned, modern APIs often expose a number of sensitive "back-end" resources hosted on behalf of the . These resources are often "micro-services" that the user request as a direct database write or query to the various systems that may be supporting the functionality. If security errors are made in the development of the capabilities, they may be exposed to any user who can authenticate to the or even to unauthenticated users who attempt to use the . These characteristics make Gateway a prime target for attackers.

Answer the questions below
What is the URL location of an API called?

What request type commonly doesn't include a request body?