
What is an API?

An API (Application Programming Interface) is how software talks to other software. To understand APIs, it helps to first understand the data format they use to communicate: JSON.

What is JSON?

JSON (JavaScript Object Notation) is a text format for sending structured data. Think of it as filling out a form — name, age, address — but written in a way computers can easily read and write.

JSON — READING IT FOR THE FIRST TIME
{
  "name": "Sarah",
  "age": 28,
  "premium": true,
  "orders": [1001, 1002],
  "address": {
    "city": "London",
    "postcode": "E1 6RF"
  }
}

"name": "Sarah"
    A key-value pair. The key is always in quotes. The value can be text, a number, true/false, a list, or another object.

"orders": [1001, 1002]
    Square brackets = a list (array). This user has two orders.

"address": { ... }
    Curly braces inside curly braces = a nested object. Address has its own fields inside.

That's it. JSON is just keys and values. Text values go in quotes, numbers don't, true/false are lowercase. When a server sends you data, it's almost always in this format.

What is an API?

An API is a way for a browser (or any program) to ask a server for data — and get just the data back, as JSON. No HTML, no styling, no menus. Just the raw information.

When you open Instagram and your feed loads, Instagram's app sends a request like GET /api/feed to Instagram's server. The server replies with a JSON list of posts. The app then takes that data and draws the images and text on screen. The API is that connection in between — the structured way of asking for and receiving data.

HOW AN API CALL WORKS
REQUEST   GET /api/orders/1001
          Browser asks: "give me order 1001"
RESPONSE  {"id":1001,"status":"shipped","total":49.99}

Why this matters for hacking

Every website that shows you your data — orders, messages, profile — is making API calls in the background. Those calls are visible in the browser's DevTools under the Network tab. Each one is a potential target.

API responses often contain more data than the page actually displays. The app might show only the order status, but the raw JSON response includes the user ID, delivery address, internal notes, and other fields. Looking at the raw response, not just what's on screen, is one of the first things to do when testing a web application.

// What the page shows you: just "Order shipped — £49.99"

// What the API actually returned:
{
  "order_id": 1042,
  "user_id": 9,          ← this user ID might be useful
  "status": "shipped",
  "total": 49.99,
  "address": "42 Beech Lane, Manchester",  ← not displayed, but here
  "internal_notes": "VIP customer"         ← definitely not displayed
}
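
An added example (not part of the original lesson), in JavaScript: it checks the order response above for fields the page never displays, then shows a server-side allowlist that keeps those fields out of the response. The displayed-field list and all function names are assumptions made for illustration.

```javascript
// Added example (not from the lesson): find fields an API response carries
// that the page never displays, then serialize from an allowlist instead.

// Constructed sample: the order record shown in the text above.
const rawOrder = {
  order_id: 1042,
  user_id: 9,
  status: "shipped",
  total: 49.99,
  address: "42 Beech Lane, Manchester",
  internal_notes: "VIP customer",
};

// Assumption: the page renders only these two fields.
const DISPLAYED_FIELDS = ["status", "total"];

// Collect the dotted path of every leaf value, descending into nested
// objects and arrays (array elements share the path "name[]").
function leafPaths(value, prefix = "") {
  if (Array.isArray(value)) {
    return value.flatMap((item) => leafPaths(item, `${prefix}[]`));
  }
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([key, child]) =>
      leafPaths(child, prefix ? `${prefix}.${key}` : key));
  }
  return [prefix];
}

// Paths present in the response but absent from what the UI displays.
function findUndisplayedFields(response, displayed) {
  const shown = new Set(displayed);
  return [...new Set(leafPaths(response))].filter((path) => !shown.has(path));
}

// Server-side fix: copy only allowlisted keys into the response, so a field
// added to the stored record later is not exposed by default.
function toPublicOrder(order, allowed = DISPLAYED_FIELDS) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(order, key)) out[key] = order[key];
  }
  return out;
}

console.log("Undisplayed:", findUndisplayedFields(rawOrder, DISPLAYED_FIELDS));
console.log("Hardened response:", JSON.stringify(toPublicOrder(rawOrder)));
```

Run against the hardened response, the same check reports nothing, which makes it usable as a regression test on the serializer.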
1. In a modern API-driven app, what does the server return in response to API calls?

2. Why should you look at raw API responses rather than just what the page displays?
