IoT Protocols
CoAP
Definition
CoAP (Constrained Application Protocol) is a specialized web transfer protocol designed for constrained nodes and constrained networks in the Internet of Things. Standardized as RFC 7252 with extensions, it provides a UDP-based REST-equivalent API for IoT devices that cannot support HTTP.
What it means
CoAP follows REST semantics (GET, POST, PUT, DELETE on URI-identified resources) but runs over UDP, with optional reliability provided by its message types: a Confirmable (CON) message must be answered with an Acknowledgement (ACK) or Reset (RST), while a Non-confirmable (NON) message is fire-and-forget. It is the protocol underneath several IoT device-management standards, including LwM2M.
Security in CoAP is provided by DTLS (Datagram TLS), the UDP-compatible variant of TLS. The combination of UDP and DTLS introduces specific attack-surface considerations: amplification attacks (CoAP responses can be much larger than the requests that trigger them), reflection attacks if proxying is misconfigured, and session-management weaknesses in DTLS handshake state machines.
For offensive-security assessment, CoAP testing covers: resource enumeration, DTLS handshake fuzzing, request-method enumeration on each resource, checking whether CoAP-exposed resources reveal device internal state, and amplification-attack-surface analysis.
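To make the message types and the amplification concern above concrete, here is an added example (not taken from RFC 7252 or any CoAP implementation) that parses the RFC 7252 header, token and delta-encoded options, rejects the malformed shapes an endpoint should drop, and computes the response-to-request size ratio that a reflector audit would flag. The two sample datagrams are constructed for this example.

```python
import struct

MSG_TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}

def _ext(nibble, data, pos):
    """Decode an option delta/length nibble plus its RFC 7252 s3.1 extension bytes."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    raise ValueError("nibble 15 is reserved outside the 0xFF payload marker")

def parse_coap(data):
    """Parse one CoAP datagram into a dict; raise ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte CoAP header")
    first, code, mid = struct.unpack_from("!BBH", data, 0)
    ver, mtype, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if ver != 1 or tkl > 8 or 4 + tkl > len(data):  # TKL 9..15 is reserved (s3)
        raise ValueError("bad version, reserved token length or truncated token")
    pos, token = 4 + tkl, data[4:4 + tkl]
    options, number = [], 0
    try:
        while pos < len(data) and data[pos] != 0xFF:
            b, pos = data[pos], pos + 1
            delta, pos = _ext(b >> 4, data, pos)
            length, pos = _ext(b & 0xF, data, pos)
            number += delta  # option numbers are delta-encoded
            if pos + length > len(data):
                raise ValueError("truncated option value")
            options.append((number, data[pos:pos + length]))
            pos += length
    except (IndexError, struct.error):
        raise ValueError("truncated option header")
    payload = data[pos + 1:] if pos < len(data) else b""
    if pos < len(data) and not payload:
        raise ValueError("0xFF marker followed by no payload")
    return {"type": MSG_TYPES[mtype], "code": f"{code >> 5}.{code & 0x1F:02d}",
            "mid": mid, "token": token, "options": options, "payload": payload}

def amplification_factor(request, response):
    """Response bytes per request byte; a ratio well above 1 is what makes a reflector."""
    return len(response) / len(request)

# Constructed sample: CON GET /.well-known/core and its ACK 2.05 link-format reply.
REQUEST = bytes([0x40, 0x01, 0x12, 0x34, 0xBB]) + b".well-known" + b"\x04core"
LINKS = b'</sensors/temp>;rt="temperature",</sensors/light>;rt="light",</fw>'
RESPONSE = bytes([0x60, 0x45, 0x12, 0x34, 0xC1, 0x28, 0xFF]) + LINKS
```

Option 11 is Uri-Path and option 12 is Content-Format (value 40 = application/link-format); a 21-byte discovery request that returns a resource listing several times its size is the pattern the amplification analysis looks for.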
Related terms
Authoritative sources
- RFC 7252 (CoAP base specification)
- RFC 9147 (DTLS 1.3)
---