I'll keep it short and to the point. I'm currently taking a cyber-security course where we cover OWASP's top 10s (API and Web Apps), but I just can't seem to get the difference between those 2 concepts/terms.
I mean, I just get EXTREMELY confused when they say: "ok, so Injection is 1st place in top 10 for Web Applications, but 8th in API"
The main problem with all of this is that not even OWASP's official site provides a clarification of the differences between "Web Apps" and "APIs" (or why there are 2 "top 10s"), and I haven't been able to find the answer elsewhere (to the point that I ended up reaching the 4th page of Google results).
Is the "Web Apps top 10" only referring to the front-end?
Is the "APIs top 10" referring to both: web APIs and non-web-based APIs?
If anyone could provide me with a good clarification of the differences between those 2 concepts, I'd really appreciate it.
A web app is something that a human interacts with, so things like Facebook, Amazon, a website that a human uses. The UI will typically use HTML, JavaScript, CSS etc., delivered over HTTP(S). It may also use web APIs.
Web APIs don't have a UI; they return structured data, e.g. XML, JSON, CSV etc. They are used by web apps (and potentially other apps as well). They are also delivered over HTTP(S) but do not (typically) use HTML, JavaScript, CSS or any other technologies more focused on the UI.
Web apps and web APIs are related but they have very different profiles and different potential vulnerabilities, which is why there are separate OWASP Top 10s for them.
As an example, Cross Site Scripting is a very significant problem, but it only really affects web apps, not web APIs.
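As an added illustration of the point above (example code, not part of the answer), the same untrusted string handled by a web-app endpoint, which must HTML-escape it before the browser renders it, and by a web-API endpoint, which returns it as a JSON field and leaves rendering, and therefore the XSS exposure, to whichever web app consumes the response. The endpoint shapes, headers and input value are constructed for the demonstration.

```python
"""Added example: one untrusted value, two response types (web app vs web API)."""
import html
import json

# Constructed untrusted input, e.g. a display name a user submitted.
UNTRUSTED = '<script>alert(1)</script>'


def web_app_page(display_name: str) -> tuple[dict, str]:
    """Web-app endpoint: interpolates user data into HTML the browser renders.
    Escaping is mandatory here; without html.escape the input would execute."""
    safe = html.escape(display_name, quote=True)
    body = f"<!doctype html><p>Hello, {safe}</p>"
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body


def web_api_response(display_name: str) -> tuple[dict, str]:
    """Web-API endpoint: returns structured data, not markup. The value travels
    verbatim inside a JSON string; browsers do not render application/json as a
    document, and nosniff stops them from second-guessing the declared type."""
    body = json.dumps({"displayName": display_name})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def decode_api_body(body: str) -> dict:
    """What an API consumer does: parse the JSON, then escape when rendering."""
    return json.loads(body)


def contains_raw_markup(body: str) -> bool:
    """Crude check showing which body still carries a live <script> tag."""
    return "<script>" in body


if __name__ == "__main__":
    for label, fn in (("web app", web_app_page), ("web API", web_api_response)):
        hdrs, body = fn(UNTRUSTED)
        print(f"{label}: {hdrs['Content-Type']!r} -> {body}")
```

The API body still contains the raw tag: that is correct for data, and it is exactly why the escaping duty (and the XSS entry in the Web App Top 10) lands on the web app that renders it.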
I want to build a simple UI that surfaces a subset of the functionality of Google Ads UI by using the Google Ads API. Is there an example that shows how this can be done?
I believe there is no such thing; however, there are a lot of examples on HOW to use the Google Ads API, and as a developer it's up to you how you want to turn that into a UI.
After all, WHAT you use the API for is entirely up to you, i.e. it is your design. Making the UI is a separate task from accessing the API, so a tutorial on how to design a UI is separate from how to access the API.
You can read about the Google Ads API here, and it's littered with examples. Warning: it has a pretty high technical level, and just getting OAuth set up can prove to be a major hassle. Good luck.
An application-programming interface (API) is a set of programming instructions and standards for accessing a Web-based software application. Could someone explain to me in case of Google maps or Youtube which is the API and which is the software application? Are both visible to us and how? I know there are tons of articles out there, however I cannot clarify the above. APIs are like the waiters that transfer data among different machines. Okay, which exactly is the Google maps API and how do we call/use it? And which is the Google maps software application which is accessed by the API? When we write for example http://maps.google.co.uk/ do we call the API? My query may seem silly but I cannot find a good answer for that.
An application-programming interface (API) is a set of programming
instructions and standards for accessing a Web-based software
Firstly, an API is not just for web-based software. Even your computer's OS provides APIs for hardware and software installed in the box.
For your question, an API is a method (code instructions) to connect your application to the features of another system, allowing your application to use that system's features as provided via the API.
Could someone explain to me in case of Google maps or Youtube which is
the API and which is the software application?
In the case of YouTube... Let's say you are making some Android video player app, and you also want to be able to play back YouTube videos within that app. The software application is your own Android player code, and to access the YouTube data you would use YouTube's Android API.
An example of using the API is this module: YouTubePlayer, which as you can see provides API commands like loadVideo(String videoId, int timeMillis), where videoId is the YouTube ID and timeMillis is the desired start time within the video.
When we write for example http://maps.google.co.uk/ how do we call the
That's not how you would call the API. You must first visit the documentation of the API to see how you are expected to call its features from within your own app.
Google Maps : https://developers.google.com/maps/documentation/
Let's assume now you're coding a JavaScript app; you can see the commands here as a starting point. There is also an example page showing code & result.
Simple terms:
API = the waiter
Application Software = the chef
You order from the waiter. The waiter brings it to the chef. The chef prepares the food. The waiter then brings you your food. Then you figure out what to do with the food: eat it, take it home, throw it on the floor, let your dog eat it, give it to the homeless, etc...
A website, app, etc... would send an API request (your order with the waiter) to Google Maps (the chef). If your API request is valid, Google Maps will send back a response (your cooked food with the waiter). Then the website or app takes the returned data and displays it in their custom way to you.
In the case of Google Maps, apps like Yelp and others use Google Maps' API to request specific data; routes, addresses, etc… and then they display it on their app.
To make an API request/call you need to have access to the API, format the request correctly, and figure out what to do when Google sends a response back: https://developers.google.com/maps/documentation/
An API is a set of functions and procedures that allow the creation of applications which access the features or data of an operating system, application, or other service.
An API is like a building block for your application. Multiple APIs can exchange data without knowing the other's implementation. In a good design pattern, we should design APIs for different independent tasks and then merge them.
Google Maps API
This is the Google Maps API, which a developer can use to develop his own piece of software.
Whenever we use any software and its different features, we might be using their APIs without generally knowing of them.
A software application is always visible to us, but an API is visible only if the developer wants to expose it for community use.
Using Google maps API
This link has the documentation and examples on how to use the Google Maps API using JavaScript.
Hope it helps!
When you use software, web applications included, you are in most cases using a wrapped API. Software developers took the time to take a raw back end API which executes commands on the system, and made these endpoints easy to use for a specific user in an intended universe of discourse, or domain. End users do not have direct access to everything the API has to offer all at once, so it is not "available" in the same sense that it is available to the developers, but it is available in another sense because they are using the API to execute commands on the system by virtue of the Application that was Programmed with that Interface existing and working.
The Google Maps API is used to integrate the power of Google Maps into almost any application. It provides facilities for customization and much more. When you use the Google Maps webapp, it is, to my knowledge, built using many components of the Google Maps API, as are the Google Maps apps for any other platform, such as Android. Does this mean you as a user are using the API? Only through the application; the application talks to the API for you.
“An application programming interface (API) is a set of routines, protocols, and tools for building software applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types. An API defines functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising each other. A good API makes it easier to develop a program by providing all the building blocks.
APIs often come in the form of a library that includes specifications for routines, data structures, object classes, and variables. In other cases, notably SOAP and REST services, an API is simply a specification of remote calls exposed to the API consumers.
An API specification can take many forms, including an International Standard, such as POSIX, vendor documentation, such as the Microsoft Windows API, or the libraries of a programming language, e.g., the Standard Template Library in C++ or the Java APIs.
An API differs from an application binary interface (ABI) in that an API is source code-based while an ABI is a binary interface. For instance POSIX is an API, while the Linux Standard Base provides an ABI”.
To speak plainly, an API is the messenger that runs and delivers your request to the provider you’re requesting it from, and then delivers the response back to you.
To give you a familiar example, think of an API as a waiter in a restaurant.
Imagine you’re sitting at the table with a menu of choices to order from, and the kitchen is the provider who will fulfill your order.
What’s missing is the critical link to communicate your order to the kitchen and deliver your food back to your table.
That’s where the waiter (or API) comes in. ”AHEM”
The waiter takes your order, delivers it to the kitchen, and then delivers the food (or response) back to you. (Hopefully without letting your order crash if designed correctly)
Now that we’ve whetted your appetite, let’s apply this to a real API example. In keeping with our theme, let’s book a flight to a culinary capital – Paris.
You’re probably familiar with the process of searching for airline flights online. Just like at a restaurant, you have a menu of options to choose from ( a dropdown menu in this case). You choose a departure city and date, a return city and date, cabin class, and other variables (like meal or seating, baggage or pet requests)
In order to book your flight, you interact with the airline’s website to access the airline’s database to see if any seats are available on those dates, and what the cost might be based on certain variables.
But, what if you are not using the airline’s website, which has direct access to the information? What if you are using an online travel service that aggregates information from many different airlines? Just like a human interacts with the airline’s website to get that information, an application interacts with the airline’s API.
The API is the interface that, like your helpful waiter, runs and delivers the data from that online travel service to the airline’s systems over the Internet.
It also then takes the airline’s response to your request and delivers it right back to the online travel service.
And through each step of the process it facilitates that interaction between the travel service and the airline’s systems - from seat selection to payment and booking.
So now you can see that it’s APIs that make it possible for us all to use travel sites. They interface with airlines’ APIs to gather information in order to present options back to us.
The same goes for all interactions between applications, data and devices - they all have APIs that allow computers to operate them, and that's what ultimately creates connectivity.
APIs provide a standard way of accessing any application, data or device, whether it is shopping from your phone or accessing cloud applications at work.
So, whenever you think of an API, just think of it as your waiter running back and forth between applications, databases and devices to deliver data and create the connectivity that puts the world at our fingertips. And whenever you think of creating an API,
I am building a SMALL subscription-based educational video site (openly accessible examples of similar technical implementations would include RailsCasts Pro, Egghead.io Pro, Codeschool.com, etc.) where users pay to get access to a certain array of videos.
Obviously, I don't want to spend time on reinventing the video hosting wheel, so I would like to use a hosted solution for that.
Now, googling "hosted video access control" or anything like that hasn't yielded any meaningful results, since it seems to be the wrong search phrase - this has less to do with access control and more with restricting video access based on some form of authentication & authorization. My guess is this would in practice be implemented by some token system.
I'm having trouble knowing where to start.
My questions are:
1) What is the de facto way of doing access control to videos on these subscription video sites?
2) Are these providers doing it from scratch; is there a provider that has an easy-to-set-up, simple and affordable solution for this; or is there a set of tools that you can use to build the system?
3) Are some of the major video hosting providers such as YouTube, Vimeo, etc. usable for this kind of a use case, perhaps using some 3rd party solutions to handle the access control part?
Thank you!
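To make the "token system" the question guesses at concrete, here is an added example (not the asker's design and not any provider's implementation) of an HMAC-signed, expiring video URL in Python: the application mints a short-lived link only for an active subscriber, and the serving layer verifies it offline from the URL's own fields. The hostname, path layout, query-parameter names, secret and ids are all constructed for this illustration.

```python
"""Added example: signed, expiring video URLs as a simple access-control token."""
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret-rotate-me"  # constructed; keep server-side only
TOKEN_TTL = 300  # seconds a minted link stays valid


def _sign(video_id: str, user_id: str, expires: int) -> str:
    """HMAC-SHA256 over everything the link asserts, URL-safe base64 encoded."""
    msg = f"{video_id}|{user_id}|{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_video_url(video_id: str, user_id: str, subscribed: bool, now: int) -> Optional[str]:
    """Mint a link only for an active subscriber. The link embeds who it was
    minted for and when it expires; both are covered by the signature."""
    if not subscribed:
        return None
    expires = now + TOKEN_TTL
    qs = urlencode({"u": user_id, "e": expires, "s": _sign(video_id, user_id, expires)})
    return f"https://video.example/stream/{video_id}?{qs}"  # constructed host/path


def verify_video_url(url: str, now: int) -> bool:
    """Serving side: recompute the signature from the URL's fields, then check
    expiry. A changed video id, user or expiry no longer matches; compare_digest
    keeps the comparison constant-time."""
    parts = urlsplit(url)
    video_id = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    try:
        user_id, expires, sig = q["u"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError):
        return False  # malformed or incomplete link
    if now >= expires:
        return False  # link has expired; the app must mint a new one
    return hmac.compare_digest(sig, _sign(video_id, user_id, expires))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    link = make_video_url("lesson-42", "user-7", subscribed=True, now=t0)
    print(link)
    print("valid now:", verify_video_url(link, t0 + 10))
    print("valid after TTL:", verify_video_url(link, t0 + TOKEN_TTL))
```

Hosted providers that offer "signed" or "private" embeds generally expose a variant of this idea; the subscription check itself still lives in your own application.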
Although not a definitive answer, the best thing so far I've found is Wistia (http://wistia.com/product). And Udemy (http://udemy.com) is a more controlled learning video / online course environment.
Twitter offers 'web intents' that are an alternative to OAuth access to their API. Basically, this provides a less feature-rich experience, but can still be quite handy. User clicks on 3rd-party websites can create popup windows that check whether the user is logged in to Twitter and, if they are, allow them to use some Twitter features such as tweeting, retweeting, or following users.
My question is, how could I go about implementing an API like this? Are there tutorials or libraries? I'm not sure what technologies power web intents or where I should start searching.
You can read more about web intents at webintents.org and read the W3C's draft spec. As far as I know, web intents are still somewhat of a new beast on the web and they have not been standardized.
Still, you may want to read this blog which contains a few examples of registering web intents and check out Paul Kinlan's git repo https://github.com/PaulKinlan/WebIntents
Hope that helps you get started.