Hacking APIs

Breaking Web Application Programming Interfaces

By Corey Ball

Learn how to test APIs for security vulnerabilities so you can uncover high-payout bugs and improve the security of web apps.

Description

Download Chapter 7: ENDPOINT ANALYSIS

An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications.

In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:

  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.

DETAILS

April 2022, 368 pp
ISBN-13: 9781718502444
Lay-flat binding

TABLE OF CONTENTS

Introduction
Part 1: The State of Web Security
Chapter 0: Preparing for API Security Testing
Chapter 1: How Web Applications Work
Chapter 2: The Anatomy of Web APIs
Chapter 3: API Insecurities
Part 2: Lab Setup
Chapter 4: Setting up Vulnerable API Targets for Testing
Chapter 5: Analysis and Attribution
Part 3: Attacking APIs
Chapter 6: Discovering APIs
Chapter 7: Endpoint Analysis
Chapter 8: Authentication Attacks
Chapter 9: Fuzzing
Chapter 10: Exploiting API Authorization
Chapter 11: Exploiting Mass Assignment
Chapter 12: API Injection
Part 4: Real-world API Hacking
Chapter 13: Evasive Techniques and Rate Limit Testing
Chapter 14: Attacking GraphQL
Chapter 15: Breaches and Bounties
Conclusion
Appendix A: API Scoping Checklist
Appendix B: API Hacking Methodology

AUTHOR BIO

Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare. In addition to a bachelor’s degree in English and philosophy from Sacramento State University, Corey holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.

REVIEWS

“We all know that moment, it’s the one when we’ve been breaking into the target site and hit the motherlode… the crown jewels, the beating heart that you now have mastery over… It’s a giddy feeling, one of relief, and of anticipation. THOSE same feelings course through the veins as you dig deeper and deeper into this book. From the outset it’s written in a manner that’s conversational, informative, engaging, and educational to a point where I’m sitting with the highlighter and page mark (something I’ve NOT done in a long time).

Corey Ball takes you on a journey through the lifecycle of APIs in such a manner that you’re wanting to not only know more, but also anticipating trying out your newfound knowledge on the next legitimate target. From concepts to examples, through to identifying tools and demonstrating them in fine detail, this book has it all. It IS the motherlode for API hacking, and should be found next to the desk, well-read by ANYONE wanting to take this level of adversarial research, assessment, or DevSecOps seriously.”
—Chris Roberts, @Sidragon1, vCISO/Researcher/Hacker

“This book opens the doors to the field of API Hacking, a subject not very well understood. Using real-world examples that emphasize Access Control issues, this book will help you understand the ins and outs of securing APIs, hunt great bounties, and help organizations improve their API Security!”
—Inon Shkedy, @InonShkedy, Security Researcher

“Even though the internet is filled with information on any topic possible in cybersecurity, it is still hard to find solid insight on performing penetration tests on APIs. Corey’s book satisfies this demand—not only for the beginner cybersecurity practitioner, but also for the seasoned expert.”
—Cristi Vlad, @CristiVlad25, Cybersecurity Researcher

“Hacking APIs is extremely helpful for anyone who wants to get into penetration testing. In particular, this book gives you the tools to start testing the security of APIs, which are becoming a weak point for many modern web applications. Experienced security folks can get something out of the book too, as it features automation tips and protection bypass techniques that will up any pentester’s game.”
—Vickie Li, @vickieli7, Developer Evangelist, Author of Bug Bounty Bootcamp

“[Hacking APIs is] the best source of API info I’ve seen. If you’re curious about what APIs are and how they work, read it once. If you work with or create APIs, read it twice. If you break APIs, read it three times.”
—Graham Helton, @GrahamHelton3
