I'll keep it short and to the point. I'm currently taking a cyber-security course where we cover OWASP's top 10s (API and Web Apps), but I just can't seem to get the difference between those two concepts/terms. I mean, I just get EXTREMELY confused when they say: "ok, so Injection is first place in top 10 for Web Applications, but 8th in API"
The main problem with all of this is that not even OWASP's official site provides a clarification of the differences between "Web Apps" and "APIs" (or why there are two "top 10s"), and I haven't been able to find the answer elsewhere (to the point I ended up reaching the 4th page on Google results).
Is the "Web Apps top 10" only referring to the front-end?
Is the "APIs top 10" referring to both: web APIs and non-web-based APIs?
If anyone could provide me with a good clarification of the differences between those two concepts, I'd really appreciate it.
A web app is something that a human interacts with, so things like Facebook, Amazon, a website that a human uses. The UI will typically use HTML, JavaScript, CSS, etc., delivered over HTTP(S). It may also use web APIs.
Web APIs don't have a UI; they return structured data, e.g. XML, JSON, CSV, etc. They are used by web apps (and other apps as well, potentially). They are also delivered over HTTP(S) but do not (typically) use HTML, JavaScript, CSS or any other technologies more focused on the UI.
Web apps and web APIs are related but they have very different profiles and different potential vulnerabilities, which is why there are separate OWASP Top 10s for them.
As an example, Cross-Site Scripting is a very significant problem, but it only really affects web apps, not web APIs.
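To make the last point concrete, here is an added example (not code from the answer above): the same untrusted value handled first the web-app way (interpolated into HTML, where it must be output-encoded) and then the web-API way (serialised as JSON and labelled as such). The `comment` value, the response shape and the helper names are assumptions for illustration.

```javascript
// Added example: the same untrusted input served as a web-app page and as a
// web-API response, showing why XSS is a web-app concern. Only the HTML path
// asks the browser to parse the value as markup, so only that path needs
// HTML output encoding. Response objects are constructed inline (no server).

// Minimal HTML entity escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Web-app path: the value lands inside HTML, so any tags it carries would be
// interpreted by the browser unless they are encoded first.
function webAppResponse(comment) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<!doctype html><p class="comment">${escapeHtml(comment)}</p>`,
  };
}

// Web-API path: the value is JSON-encoded and the response is declared as
// JSON. Browsers do not render or execute JSON, and nosniff stops them from
// guessing a different (HTML) type for the body.
function webApiResponse(comment) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify({ comment }),
  };
}

// Constructed sample input: a comment that happens to contain markup.
const sampleComment = 'Nice <b>post</b> & "thanks"';
console.log(webAppResponse(sampleComment).body); // tags appear as &lt;b&gt; text
console.log(webApiResponse(sampleComment).body); // raw string inside a JSON object
```

Note that the JSON body still contains the literal `<b>`; that is fine because the declared content type is JSON, not HTML. Serving the same body as `text/html` would turn an API endpoint into a web-app-style XSS surface, which is exactly the "different profile" the answer refers to.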