OBJECTIVE 04 — WEB APIs AND WEBHOOKS
1. WEB API — CEH DEFINITION
| Item | Memorize |
|---|---|
| Web API | An application programming interface that enables interaction between different software applications over HTTP/HTTPS |
2. PURPOSE OF WEB APIs
| Purpose |
|---|
| Enable system-to-system communication |
| Exchange data |
| Integrate third-party services |
| Support mobile and web clients |
3. COMMON WEB API TYPES (EXAM MUST)
| API Type | Description |
|---|---|
| REST API | Uses HTTP methods and stateless communication |
| SOAP API | Uses XML and strict messaging standards |
| GraphQL API | Client-defined data queries |
4. REST API — CORE CONCEPTS
REST ARCHITECTURAL PRINCIPLES
| Principle |
|---|
| Stateless communication |
| Client-server separation |
| Cacheable responses |
| Uniform interface |
HTTP METHODS USED IN REST APIs
| Method | Purpose |
|---|---|
| GET | Retrieve data |
| POST | Submit data |
| PUT | Update data |
| PATCH | Partial update |
| DELETE | Remove data |
MEMORY HOOK:
G P P P D
REST API COMPONENTS
| Component | Description |
|---|---|
| Endpoint | API URL |
| Headers | Metadata |
| Body | Payload |
| Parameters | Input values |
5. SOAP API — CORE CONCEPTS
| Item | Memorize |
|---|---|
| SOAP | Simple Object Access Protocol |
| Data Format | XML only |
| Security | WS-Security |
SOAP COMPONENTS
| Component | Description |
|---|---|
| WSDL | Service description |
| Envelope | Message wrapper |
| Header | Security and metadata |
| Body | Request/response |
6. API AUTHENTICATION METHODS (VERY IMPORTANT)
| Method | Description |
|---|---|
| API Keys | Static token |
| Basic Auth | Username/password |
| OAuth 2.0 | Token-based delegated access |
| JWT | Signed JSON tokens |
MEMORY HOOK:
Key → Basic → Token → JWT
7. COMMON API VULNERABILITIES (CEH LIST)
| Vulnerability |
|---|
| Broken Object Level Authorization (BOLA) |
| Broken User Authentication |
| Excessive Data Exposure |
| Lack of Rate Limiting |
| Mass Assignment |
| Injection |
| Improper Assets Management |
8. API ATTACK SURFACE
| Attack Surface |
|---|
| Endpoints |
| Parameters |
| Headers |
| Authentication tokens |
| API versions |
9. API ATTACK LOGIC (GENERIC)
| Step | Action |
|---|---|
| 1 | Discover API endpoints |
| 2 | Analyze authentication |
| 3 | Test authorization |
| 4 | Manipulate parameters |
| 5 | Exploit vulnerability |
10. API TESTING TOOLS
| Tool | Purpose |
|---|---|
| Postman | API testing |
| Burp Suite | Interception |
| SoapUI | SOAP API testing |
| OWASP ZAP | API scanning |
| Insomnia | REST API testing |
11. WEBHOOK — CEH DEFINITION
| Item | Memorize |
|---|---|
| Webhook | A mechanism that sends real-time data from one application to another when an event occurs |
12. HOW WEBHOOKS WORK (EXAM FLOW)
| Step | Action |
|---|---|
| 1 | Event occurs |
| 2 | Webhook triggered |
| 3 | HTTP POST sent |
| 4 | Receiver processes payload |
MEMORY HOOK:
Event → Trigger → POST → Process
13. WEBHOOK SECURITY RISKS
| Risk |
|---|
| No authentication |
| Payload tampering |
| Replay attacks |
| Data leakage |
14. WEBHOOK ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Attacker discovers webhook URL |
| 2 | Crafts fake payload |
| 3 | Sends POST request |
| 4 | Receiver processes malicious data |
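Worked example (added here; not part of the CEH material): a signed-webhook sender and receiver in Python that walks the Event → Trigger → POST → Process flow of section 12 and shows how a receiver closes the section 13 risks (no authentication, payload tampering, replay) so that the section 14 attack logic fails at step 4. The header names X-Webhook-Timestamp and X-Webhook-Signature, the shared secret and the sample event are assumptions made for this example; real providers use their own header names and secret distribution.

```python
import hashlib
import hmac
import json
import time

# Shared secret agreed out of band by sender and receiver.
# Constructed for this example; a real deployment loads it from a secret store.
SHARED_SECRET = b"example-webhook-secret"

# Replay window: deliveries whose signed timestamp is older than this are rejected.
MAX_AGE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so the timestamp is covered by the signature."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_webhook(secret: bytes, event: dict, timestamp: int):
    """Sender side (steps 2-3): the event becomes a signed HTTP POST (headers + raw body).
    Header names are assumptions for this example."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign_payload(secret, timestamp, body),
    }
    return headers, body


class WebhookReceiver:
    """Receiver side (step 4): verify before processing, remember what was already accepted."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                 # injectable clock so the replay window is testable
        self.seen = set()              # signatures already accepted inside the window
        self.processed = []            # events handed to business logic

    def handle(self, headers: dict, body: bytes) -> str:
        ts_raw = headers.get("X-Webhook-Timestamp")
        sig = headers.get("X-Webhook-Signature")
        if ts_raw is None or sig is None:
            return "rejected: missing signature headers"   # risk: no authentication
        try:
            ts = int(ts_raw)
        except ValueError:
            return "rejected: bad timestamp"
        if abs(int(self.now()) - ts) > MAX_AGE_SECONDS:
            return "rejected: stale timestamp"             # risk: replay of an old capture
        expected = sign_payload(self.secret, ts, body)
        if not hmac.compare_digest(expected, sig):         # constant-time comparison
            return "rejected: bad signature"               # risk: tampering or forged sender
        if sig in self.seen:
            return "rejected: duplicate delivery"          # risk: replay inside the window
        self.seen.add(sig)
        # Only now does the payload reach business logic.
        self.processed.append(json.loads(body))
        return "accepted"


if __name__ == "__main__":
    rx = WebhookReceiver(SHARED_SECRET)
    now = int(time.time())
    hdrs, raw = build_webhook(SHARED_SECRET, {"event": "order.paid", "order_id": "A1"}, now)
    print(rx.handle(hdrs, raw))        # accepted
    print(rx.handle(hdrs, raw))        # rejected: duplicate delivery
```

Deduplicating on the signature is enough to stop a straight replay; a production receiver would usually key on a provider-supplied delivery id instead, so that two legitimately identical events do not collide.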
15. API VS WEBHOOK (EXAM COMPARISON)
| Feature | API | Webhook |
|---|---|---|
| Communication | Client pulls data | Server pushes data |
| Trigger | Request-based | Event-based |
| Direction | Bidirectional | One-way |
16. API SECURITY CONTROLS (MEMORIZE)
| Control |
|---|
| Strong authentication |
| Authorization checks |
| Input validation |
| Rate limiting |
| Logging and monitoring |
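Worked example (added here; not part of the CEH material): a Python request handler for a "get order" endpoint, shown once with the section 7 Broken Object Level Authorization and Excessive Data Exposure defects and once hardened with the section 16 controls applied in order (authentication, rate limiting, input validation, authorization check, logging). The ORDERS and SESSIONS tables, the token strings and the audit list are constructed for the example and stand in for a real database and session/JWT layer.

```python
import time
from collections import defaultdict, deque

# Constructed sample data for the example (not from the page).
ORDERS = {
    1001: {"owner": "alice", "total": 42.0, "internal_note": "VIP"},
    1002: {"owner": "bob", "total": 13.5, "internal_note": ""},
}
# Constructed bearer-token table standing in for a real session/JWT layer.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per principal."""

    def __init__(self, limit: int, window: float, now=time.monotonic):
        self.limit = limit
        self.window = window
        self.now = now                       # injectable clock so tests are deterministic
        self.hits = defaultdict(deque)       # principal -> timestamps of recent requests

    def allow(self, principal: str) -> bool:
        t = self.now()
        q = self.hits[principal]
        while q and t - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


def get_order_vulnerable(token: str, order_id: str):
    """BOLA: authenticates the caller but never checks that the caller owns the object,
    and returns the raw record including internal fields (excessive data exposure)."""
    if token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(int(order_id)) if order_id.isdigit() else None
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_hardened(token: str, order_id: str, limiter: RateLimiter, audit: list):
    """Same endpoint with the section 16 controls applied in order."""
    # 1. Strong authentication: unknown token -> 401 before any other work.
    user = SESSIONS.get(token)
    if user is None:
        audit.append(f"deny reason=unauthenticated order_id={order_id!r}")
        return 401, {"error": "unauthenticated"}
    # 2. Rate limiting, keyed by the authenticated principal.
    if not limiter.allow(user):
        audit.append(f"deny reason=rate_limited user={user}")
        return 429, {"error": "too many requests"}
    # 3. Input validation: the path parameter must be a positive integer.
    if not order_id.isdigit() or int(order_id) == 0:
        audit.append(f"deny reason=invalid_input user={user} order_id={order_id!r}")
        return 400, {"error": "invalid order_id"}
    # 4. Object-level authorization: the record must exist AND belong to the caller.
    #    Missing and foreign objects get the same answer so ids cannot be enumerated.
    order = ORDERS.get(int(order_id))
    if order is None or order["owner"] != user:
        audit.append(f"deny reason=not_owner user={user} order_id={order_id}")
        return 404, {"error": "not found"}
    # 5. Log the allow decision and return only the fields the client needs.
    audit.append(f"allow user={user} order_id={order_id}")
    return 200, {"order_id": int(order_id), "total": order["total"]}


if __name__ == "__main__":
    print(get_order_vulnerable("tok-bob", "1001"))   # 200: bob reads alice's order
    log = []
    print(get_order_hardened("tok-bob", "1001", RateLimiter(10, 60.0), log))  # 404
    print(log)
```

The order of the checks matters: authentication runs first so that unauthenticated traffic never consumes a rate-limit slot for a real user, the limiter runs before validation so malformed requests still count against the caller, and the authorization failure is reported as 404 rather than 403 so the response does not confirm that the foreign object exists.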