Hacking APIs

Breaking Web Application Programming Interfaces
by Corey Ball
May 2022, 272 pp.

An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, such as those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications.

In the book’s guided labs, which target intentionally vulnerable APIs, you’ll learn:

  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.

Author Bio 

Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare. In addition to a bachelor’s degree in English and philosophy from Sacramento State University, Corey holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.

Table of contents 

Part 1: The State of Web Security
Chapter 0: Preparing for API Security Testing
Chapter 1: How Web Applications Work
Chapter 2: The Anatomy of Web APIs
Chapter 3: API Insecurities
Part 2: Lab Setup
Chapter 4: Setting up Vulnerable API Targets for Testing
Chapter 5: Analysis and Attribution
Part 3: Attacking APIs
Chapter 6: Discovering APIs
Chapter 7: Endpoint Analysis
Chapter 8: Authentication Attacks
Chapter 9: Fuzzing
Chapter 10: Exploiting API Authorization
Chapter 11: Exploiting Mass Assignment
Chapter 12: API Injection
Part 4: Real-world API Hacking
Chapter 13: Evasive Techniques and Rate Limit Testing
Chapter 14: Hacking GraphQL
Chapter 15: Breaches and Bounties
Appendix A: API Scoping Checklist
Appendix B: API Hacking Methodology