Web Foundations & Databases · beginner · ~10 min
Read a REST request, match HTTP methods to actions, and recognise JSON.
REST maps resources to URLs and actions to HTTP methods (GET read, POST create, PUT/PATCH update, DELETE remove), carrying JSON. Methods, JSON fields, and URL IDs are exactly where verb-tampering, mass assignment, and IDOR appear.
APIs are the backend's real attack surface. Understanding method semantics, JSON bodies, and resource IDs is the prerequisite for spotting IDOR, mass assignment, and verb tampering — and for driving requests with curl/Postman/Burp.
Methods as verbs. GET/POST/PUT/PATCH/DELETE.
Resources as URLs. /api/users/42.
JSON. Objects/arrays/scalars; the default payload.
Attack hooks. Verb tampering (method), mass assignment (fields), IDOR (URL IDs).
Modern apps talk to their backend through APIs, most commonly REST over HTTP exchanging JSON.
Resources are URLs; the HTTP method is the verb:
GET /api/users/42 reads user 42; DELETE /api/users/42 removes it. Data is carried as JSON — objects {"id":42,"role":"user"}, arrays, strings, numbers, booleans, null. Human-readable and the default API format.
The UI may never send DELETE, yet the server accepts it directly — verb tampering. JSON fields are the mass-assignment hook (sending "role":"admin" to an endpoint that blindly binds fields). URL IDs (/users/42) are where IDOR lives (change 42 to 43).
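The three hooks above, worked through in code. This is an added example, not code from the module or from any real API: a constructed raw PATCH request is parsed into method, path and JSON body, then dispatched to two toy handlers for /api/users/{id}. handle_naive has the weaknesses the text names (any verb accepted, every JSON field bound, no ownership check); handle_hardened applies a verb allow-list, an ownership check and a field allow-list. The user table, the request, and all function and constant names are assumptions for illustration.

```python
import copy
import json
import re

# Constructed sample data: a toy in-memory user table (not from any real system).
SAMPLE_USERS = {
    1:  {"id": 1,  "name": "root",  "role": "admin"},
    42: {"id": 42, "name": "alice", "role": "user"},
    43: {"id": 43, "name": "bob",   "role": "user"},
}

USER_PATH = re.compile(r"^/api/users/(\d+)$")   # resource URL; the numeric ID is the IDOR hook
WRITABLE_FIELDS = {"name"}                      # "id" and "role" are server-controlled
ALLOWED_METHODS = {"GET", "PATCH"}              # the server's own verb allow-list

# Constructed raw request, as a tester sees it in Burp: PATCH on user 42 whose
# JSON body also tries to set a server-controlled field.
SAMPLE_REQUEST = (
    "PATCH /api/users/42 HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"name": "alice2", "role": "admin"}'
)


def fresh_db():
    """Independent copy of the sample table so each handler call can mutate it."""
    return copy.deepcopy(SAMPLE_USERS)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def handle_naive(method, path, body, auth_user_id, db):
    """All three weaknesses: any verb, every field bound, no ownership check."""
    m = USER_PATH.match(path)
    if not m:
        return 404, {"error": "not found"}
    user = db.get(int(m.group(1)))
    if user is None:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, dict(user)               # IDOR: any caller reads any ID
    if method in ("PUT", "PATCH"):
        user.update(json.loads(body))        # mass assignment: "role":"admin" is bound
        return 200, dict(user)
    if method == "DELETE":
        db.pop(user["id"])                   # verb tampering: UI hides it, server accepts it
        return 204, None
    return 405, {"error": "method not allowed"}


def handle_hardened(method, path, body, auth_user_id, db):
    """Same resource with a verb allow-list, an ownership check and a field allow-list."""
    m = USER_PATH.match(path)
    if not m:
        return 404, {"error": "not found"}
    if method not in ALLOWED_METHODS:
        # The server, not the UI, decides which verbs exist: 405 plus Allow.
        return 405, {"error": "method not allowed", "allow": sorted(ALLOWED_METHODS)}
    uid = int(m.group(1))
    caller = db.get(auth_user_id)
    if caller is None or (uid != auth_user_id and caller["role"] != "admin"):
        # Ownership check. 404 rather than 403 so a foreign ID looks the same as
        # a missing one, which blunts ID enumeration.
        return 404, {"error": "not found"}
    user = db.get(uid)
    if user is None:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, dict(user)
    try:
        fields = json.loads(body)
    except (TypeError, ValueError):
        fields = None
    if not isinstance(fields, dict):
        return 400, {"error": "body must be a JSON object"}
    rejected = sorted(set(fields) - WRITABLE_FIELDS)
    if rejected:
        # Field allow-list: reject loudly rather than silently drop.
        return 400, {"error": "unknown or read-only fields", "fields": rejected}
    user.update(fields)
    return 200, dict(user)


if __name__ == "__main__":
    method, path, _headers, body = parse_request(SAMPLE_REQUEST)
    for name, handler in (("naive", handle_naive), ("hardened", handle_hardened)):
        status, payload = handler(method, path, body, auth_user_id=42, db=fresh_db())
        print(f"{name:9s} {method} {path} -> {status} {payload}")
```

Run it and the naive handler returns user 42 with role "admin", while the hardened one answers 400 naming "role" as a read-only field; the same two handlers diverge on GET /api/users/43 from user 42 (200 versus 404) and on DELETE (204 versus 405). The point to carry into testing is that all three checks are server-side decisions, so anything the UI merely omits is not a control.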
A web tester reads and rewrites these requests constantly (curl, Postman, Burp). The full API attack surface is covered in the API Security track.

REST APIs expose resources as URLs with HTTP-method verbs and JSON payloads; those three elements are the foundation for the API and web attack classes covered later.