๐ OWASP API Security Training
Working with APIs: Mastering cURL Communication
Welcome to this comprehensive guide on API communication using cURL. This training module covers everything
you need to know about interacting with APIs using one of the most powerful command-line tools available to
developers and security professionals.
๐ก Introduction to cURL
cURL is a command-line tool that allows you to communicate with APIs directly from your terminal. It's
universally available, easy to use, and every developer understands it. This makes it an essential tool for
API testing and security assessment.
Basic cURL Syntax
The basic structure of a cURL command includes the request method, URL, headers, and body data:
curl -X [REQUEST_METHOD] [URL] -H "[HEADER]" -d "[BODY_DATA]"
๐ฏ Basic cURL Operations
1. Simple GET Request
The simplest form of API communication is a GET request. This retrieves data from the API endpoint.
curl https://petstore.swagger.io/v2/pet/1
2. POST Request with Data
When you need to send data to an API, you use the POST method with the -X POST
flag and include your data with -d.
curl -X POST https://api.example.com/users -H "Content-Type: application/json" -d
'{"name":"John","email":"[email protected]"}'
3. PUT Request for Updates
Use PUT when you need to update existing resources.
curl -X PUT https://api.example.com/users/123 -H "Content-Type: application/json"
-d '{"name":"John Updated"}'
4. DELETE Request
Remove resources using the DELETE method.
curl -X DELETE https://api.example.com/users/123
๐ Authentication Methods
Basic Authentication
Using username and password credentials.
curl -u username:password https://api.example.com/data
Bearer Token
Using token-based authentication.
curl -H "Authorization: Bearer YOUR_TOKEN"
https://api.example.com/data
API Key
Using API key in headers.
curl -H "X-API-Key: YOUR_API_KEY" https://api.example.com/data
๐ก Authentication Tip:
Basic Authentication uses Base64 encoding of username:password. You can also manually create the header:
curl -H "Authorization: Basic base64(username:password)"
https://api.example.com/data
๐ค Sending Data in Different Formats
Form Data
Send data as URL-encoded form parameters.
curl -X POST https://api.example.com/submit -d
"param1=value1¶m2=value2"
JSON Data
Send data in JSON format (most common for modern APIs).
curl -X POST https://api.example.com/submit -H "Content-Type: application/json"
-d '{"key1":"value1","key2":"value2"}'
๐ Advanced cURL Features
| Flag |
Description |
Example Usage |
| -L |
Follow redirects |
Automatically follows 301/302 redirects |
| -I |
Fetch headers only |
Returns only HTTP headers, no body |
| -v |
Verbose mode |
Shows detailed request/response info |
| -o |
Output to file |
Saves response to specified file |
| -c |
Save cookies |
Stores cookies to a file |
| -b |
Use cookies |
Reads cookies from a file |
Example: Following Redirects
curl -L https://api.example.com/redirect-endpoint
Example: Viewing Response Headers Only
curl -I https://api.example.com/endpoint
Example: Verbose Output for Debugging
curl -v https://api.example.com/endpoint
๐ช Working with Cookies
Sending Cookies in Request
curl -H "Cookie: session_id=abc123; user_token=xyz789"
https://api.example.com/protected
Saving Cookies to File
curl -c cookies.txt https://api.example.com/login -d
"username=user&password=pass"
Using Saved Cookies
curl -b cookies.txt https://api.example.com/protected-resource
๐ File Operations
Downloading Files
curl -O https://api.example.com/files/document.pdf
Saving Response to Custom File
curl -o output.html https://api.example.com/page
Uploading Files
curl -X POST https://api.example.com/upload -F "file=@/path/to/file.txt"
๐จ API Request Flow Diagram
Typical API Request/Response Cycle
Client
(cURL)
โ
HTTP Request
Method + Headers + Body
โ
API Server
Processing
โ
HTTP Response
Status + Headers + Body
โ
Client
Receives Data
๐ Complete Examples with Real APIs
Example 1: Swagger Petstore - Get Pet by ID
curl -X GET "https://petstore.swagger.io/v2/pet/1" -H "accept:
application/json"
Example 2: Swagger Petstore - Add New Pet
curl -X POST "https://petstore.swagger.io/v2/pet" -H "accept:
application/json" -H "Content-Type: application/json" -d
'{"id":123,"name":"Fluffy","status":"available"}'
Example 3: Swagger Petstore - Update Pet
curl -X PUT "https://petstore.swagger.io/v2/pet" -H "accept:
application/json" -H "Content-Type: application/json" -d '{"id":123,"name":"Fluffy
Updated","status":"sold"}'
Example 4: Swagger Petstore - Delete Pet
curl -X DELETE "https://petstore.swagger.io/v2/pet/123" -H "accept:
application/json"
๐ง API Authentication Examples
Stripe API Example (Bearer Token)
Stripe requires an API key passed as a Bearer token or as basic auth.
curl https://api.stripe.com/v1/charges -u sk_test_YOUR_KEY: -d amount=2000 -d
currency=usd -d source=tok_visa
๐ Labs to Practice
โก Quick Reference Commands
curl --help
curl --version
curl -X GET https://api.example.com/endpoint
curl -X POST https://api.example.com/endpoint -d "data"
curl -H "Header: Value" https://api.example.com/endpoint
curl -i https://api.example.com/endpoint
curl -v https://api.example.com/endpoint
curl -L https://api.example.com/redirect
curl -o filename.txt https://api.example.com/file
curl -u username:password https://api.example.com/auth
โ ๏ธ Important Security Considerations
๐ก๏ธ Security Best Practices:
- Never expose API keys in command history or scripts
- Use environment variables for sensitive data
- Always use HTTPS for API communications
- Validate SSL certificates in production
- Be careful with verbose mode - it may expose sensitive information
- Clear your bash history after testing with credentials
- Use proper authentication methods appropriate for each API
๐ Common HTTP Status Codes
| Code |
Status |
Meaning |
| 200 |
OK |
Request successful |
| 201 |
Created |
Resource created successfully |
| 400 |
Bad Request |
Invalid request syntax |
| 401 |
Unauthorized |
Authentication required |
| 403 |
Forbidden |
Access denied |
| 404 |
Not Found |
Resource doesn't exist |
| 500 |
Internal Server Error |
Server-side error occurred |
โจ Summary
cURL is an essential tool for API security testing and development. Master these commands to effectively
communicate with any API, test security vulnerabilities, and understand API behavior. Remember to always
practice on authorized systems and follow responsible disclosure practices.
๐ฏ Key Takeaways:
- cURL is universally available and understood by developers
- Use appropriate HTTP methods (GET, POST, PUT, DELETE) for different operations
- Authentication methods vary by API (Basic, Bearer, API Keys)
- Headers and body data are crucial for API communication
- Flags like -L, -I, -v, -o enhance cURL functionality
- Always practice on legal, authorized testing environments
Happy API Hacking! ๐
Remember: With great power comes great responsibility.