How POST Request Parameters work? With Breakdown for API Attacks


The POST request is the parent method for the other request types, so understanding its implementation and internal working benefits your testing and QA process.

What is a POST request?

An HTTP POST request is a method used to send data to a server in order to create or update a resource.

Commonly, POST requests are used when submitting new user form data, address information, etc.

POST requests carry their data in the request payload (the body), which makes transferring large amounts of data easy.

Structure of POST Request

A POST request consists of several key components:

  1. URL: The complete address of the server endpoint
  2. Headers: Metadata for the request such as content-type & authorization
  3. Body: The request payload, which is used to create or update data


Example:

  curl 'https://reqres.in/api/users' \
    -H 'accept: */*' \
    -H 'accept-language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    --data-raw '{"name":"morpheus","job":"leader"}'

Let's decode the above Request:

  1. URL: https://reqres.in/api/users. This is the endpoint the request is sent to.
  2. Headers: These are the HTTP headers added to the request to provide metadata about it:

  • 'accept: */*': Accepts any content type in the response.
  • 'accept-language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7': Specifies the preferred languages.
  • 'cache-control: no-cache': Disables caching for the request.
  • 'content-type: application/json': Specifies that the request body is in JSON format.

  3. Body: '{"name":"morpheus","job":"leader"}'. This is the JSON payload sent with --data-raw; the server uses it to create the new user.

Refer to this post to get practice APIs & websites for test automation: Link


Different Types of Encoding:

1. application/x-www-form-urlencoded

This is the default encoding type for form data. Each key-value pair is encoded as key=value, with pairs separated by "&" and reserved characters percent-encoded.

Example:

  curl -X POST https://example.com/api/login \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "username=user123&password=pass123"


2. multipart/form-data

This encoding type is used for forms that include file uploads. It splits the form data into parts separated by a boundary string, each part carrying its own headers (such as its content type).

Example:

  curl -X POST https://example.com/api/profile-picture \
    -F "image=@/path/to/image.jpg" \
    -F "userId=12345" \
    -F "description=Profile picture upload"

Note: "image=@/path/to/image.jpg" is the file being uploaded, specified with @ to indicate the file path. When -F is used, curl sets the "Content-Type: multipart/form-data; boundary=..." header itself; setting the header by hand with -H drops the boundary parameter, and the server can no longer split the parts.


3. application/json

When working with APIs, JSON is often the preferred format due to its simplicity and readability.

Example:

  curl -X POST https://example.com/api/register \
    -H "Content-Type: application/json" \
    -d '{"username":"user123","password":"securepass","email":"[email protected]"}'
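To show what the server actually does with the three bodies above, here is an added Python example (it is not code from the original post and not any framework's real parser). It builds an x-www-form-urlencoded body and a multipart body with the standard library, then parses all three encodings by dispatching on the declared Content-Type. The function names, the boundary string and the sample field values are all constructed for this example. Two failure modes from the text are handled explicitly: a multipart/form-data header that lacks its boundary parameter is rejected instead of being half-parsed, and a repeated form key (parameter pollution) is refused rather than silently picking one value.

```python
import json
from urllib.parse import parse_qs, urlencode


def build_form_body(fields):
    """Encode a dict as application/x-www-form-urlencoded (spaces become '+', '&' and '=' are escaped)."""
    return urlencode(fields).encode()


def build_multipart_body(fields, boundary):
    """Encode fields as multipart/form-data. `fields` maps name -> (filename or None, bytes)."""
    out = []
    for name, (filename, data) in fields.items():
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        head = f"--{boundary}\r\nContent-Disposition: {disposition}\r\n"
        if filename is not None:
            head += "Content-Type: application/octet-stream\r\n"
        out.append(head.encode() + b"\r\n" + data + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode())   # closing delimiter
    return b"".join(out)


def _content_type_params(header_value):
    """Split 'media/type; key=value; ...' into (media type, {key: value}); quotes are stripped."""
    media, *params = [p.strip() for p in header_value.split(";")]
    parsed = {}
    for p in params:
        key, _, value = p.partition("=")
        parsed[key.strip().lower()] = value.strip().strip('"')
    return media.lower(), parsed


def parse_multipart(body, boundary):
    """Split a multipart body on its boundary; returns name -> (filename or None, bytes)."""
    delimiter = f"--{boundary}".encode()
    fields = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                 # "--boundary--" ends the body
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed multipart part: delimiter not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")   # blank line separates part headers from data
        if not sep:
            raise ValueError("malformed multipart part: no header/body separator")
        if data.endswith(b"\r\n"):
            data = data[:-2]                        # CRLF that precedes the next delimiter
        name = filename = None
        for line in head.decode().split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                _, params = _content_type_params(line.split(":", 1)[1])
                name, filename = params.get("name"), params.get("filename")
        if name is None:
            raise ValueError("multipart part without a field name")
        fields[name] = (filename, data)
    return fields


def parse_post_body(content_type, body):
    """Dispatch on the declared Content-Type, the way a server-side framework does."""
    media, params = _content_type_params(content_type)
    if media == "application/x-www-form-urlencoded":
        decoded = parse_qs(body.decode(), keep_blank_values=True)
        dupes = [k for k, v in decoded.items() if len(v) > 1]
        if dupes:   # repeated keys are ambiguous (parameter pollution): refuse rather than guess
            raise ValueError(f"duplicate form parameters: {dupes}")
        return {k: v[0] for k, v in decoded.items()}
    if media == "multipart/form-data":
        if "boundary" not in params:
            raise ValueError("multipart/form-data without a boundary parameter")
        return parse_multipart(body, params["boundary"])
    if media == "application/json":
        obj = json.loads(body.decode())
        if not isinstance(obj, dict):
            raise ValueError("JSON body must be an object")
        return obj
    raise ValueError(f"unsupported Content-Type: {media}")


def parse_error(content_type, body):
    """Return the parser's error message, or None if the body parsed cleanly."""
    try:
        parse_post_body(content_type, body)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample bodies mirroring the three curl examples above.
    print(parse_post_body("application/x-www-form-urlencoded", b"username=user123&password=pass123"))
    mp = build_multipart_body({"image": ("image.jpg", b"\xff\xd8\xff\xe0"), "userId": (None, b"12345")}, "XyZ123")
    print(parse_post_body("multipart/form-data; boundary=XyZ123", mp))
    print(parse_error("multipart/form-data", mp))   # the boundary-less header from the curl -H mistake
    print(parse_post_body("application/json", b'{"username":"user123","email":"u@example.invalid"}'))
```

The multipart parser is deliberately strict: a part without a Content-Disposition name, or a body whose delimiters are not CRLF-terminated, raises instead of returning a partial dictionary, because a server that guesses at malformed parts is the kind of server that disagrees with the proxy in front of it.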


Common Security Flaws:

  • CSRF (Cross-Site Request Forgery): This attack tricks a user into unknowingly submitting a malicious request from their browser to a web application where they are authenticated. For example, the attacker could perform unauthorized actions (like transferring funds) by exploiting the user's authenticated session.
  • SQL Injection: This occurs when an attacker injects malicious SQL code into a query via input fields, allowing them to manipulate the database. They can gain unauthorized access to data, modify it, or even destroy it. Sometimes even a basic query like:

Select * From Table_Name

can expose internal details.

  • XSS (Cross-Site Scripting): XSS happens when an attacker injects malicious scripts into web pages viewed by other users. These scripts can hijack user sessions, steal sensitive data, or redirect users to malicious sites.
  • Rate Limiting: Without rate limiting, an API is vulnerable to abuse, such as brute-force login attempts or DDoS attacks. Attackers can flood the API with requests, overloading the server and disrupting service.
  • Input Validation: Insufficient input validation allows attackers to send unexpected data that the server can misinterpret. This may result in vulnerabilities like SQL injection, buffer overflow, or remote code execution.
  • API Key Management Flaws: Poor API key management (e.g., exposing API keys in client-side code or failing to rotate/revoke them) allows attackers to steal and misuse these keys. Attackers can then impersonate legitimate clients or exceed usage limits.
  • Replay Attack: In a replay attack, an attacker intercepts a valid API request and replays it to perform the same action repeatedly. This is especially dangerous in transactions, such as money transfers, where repeating the same request can lead to fraudulent activity.
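As an added example (not code from the original post), the following Python shows three of the flaws above on the server side of a POST handler, using an in-memory SQLite table with constructed sample rows. lookup_vulnerable pastes the POST parameter straight into the SQL text, so a username value containing a quote is executed as SQL and returns every row; lookup_safe binds the same value as a parameter and returns nothing for it. validate_username is the input-validation layer that should run before any query, and RateLimiter is a small sliding-window limiter keyed by client, of the kind that blunts brute-force login attempts. All function and class names here are assumptions made for this example.

```python
import re
import sqlite3
from collections import defaultdict, deque


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for the API's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user123", "user123@example.invalid"), ("alice", "alice@example.invalid")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the POST parameter becomes part of the SQL text, so quotes inside it change the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the parameter travels separately from the SQL text as a bound value, never as syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username):
    """Defence in depth: allowlist the shape of the field before it reaches any query."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds for each key (e.g. client IP)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_lookup(conn, limiter, client, now, username):
    """The checks a POST handler should apply, in order: rate limit, validate, then parameterised query."""
    if not limiter.allow(client, now):
        return 429, []
    if not validate_username(username):
        return 400, []
    return 200, lookup_safe(conn, username)


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"                   # classic textbook input: closes the quote, adds a true clause
    print("vulnerable:", lookup_vulnerable(conn, injected))   # every row comes back
    print("safe:      ", lookup_safe(conn, injected))          # no such user
    limiter = RateLimiter(limit=3, window=60)
    for t in range(5):
        print(handle_lookup(conn, limiter, "203.0.113.7", t, "alice"))   # 4th and 5th call are 429
```

The ordering in handle_lookup matters: the rate limiter runs first because it is cheapest and protects everything behind it, validation runs before the database is touched, and the query itself is parameterised regardless, so the validation regex is a second line of defence rather than the only one.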


Top Tools for API Testing:

1) Postman

2) Same Old Curl Requests

3) Bruno


-x-x-


Get Access to Specialised E-Books for SDETs: Link

Become a Future SDET Manager using my updated course with Questions/Answers for Interview Prep: Link

Follow for more: Japneet Sachdeva

#japneetsachdeva

Shubham Kumar Singh

FinTech | ex-EdTech | Kashinagari.com

1 month

Very helpful
