"We all know that moment, it’s the one when we’ve been breaking into the target site and hit the motherload… the crown jewels, the beating heart that you now have mastery over… It’s a giddy feeling, one of relief, and of anticipation. THOSE same feelings course through the veins as you dig deeper and deeper into this book. From the outset it’s written in a manner that’s conversational, informative, engaging, and educational to a point where I’m sitting with the highlighter and page mark (something I’ve NOT done in a long time).
Corey Ball takes you on a journey through the lifecycle of APIs in such a manner that you’re wanting to not only know more, but also anticipating trying out your newfound knowledge on the next legitimate target. From concepts to examples, through to identifying tools and demonstrating them in fine detail, this book has it all. It IS the motherload for API hacking, and should be found next to the desk, well-read by ANYONE wanting to take this level of adversarial research, assessment, or DevSecOps seriously."
—Chris Roberts, @Sidragon1, vCISO/Researcher/Hacker
"This book opens the doors to the field of API Hacking, a subject not very well understood. Using real-world examples that emphasize Access Control issues, this book will help you understand the ins and outs of securing APIs, hunt great bounties, and help organizations improve their API Security!"
—Inon Shkedy, @InonShkedy, Security Researcher
"Even though the internet is filled with information on any topic possible in cybersecurity, it is still hard to find solid insight on performing penetration tests on APIs. Corey's book satisfies this demand—not only for the beginner cybersecurity practitioner, but also for the seasoned expert."
—Cristi Vlad, @CristiVlad25, Cybersecurity Researcher
"Hacking APIs is extremely helpful for anyone who wants to get into penetration testing. In particular, this book gives you the tools to start testing the security of APIs, which are becoming a weak point for many modern web applications. Experienced security folks can get something out of the book too, as it features automation tips and protection bypass techniques that will up any pentester's game."
—Vickie Li, @vickieli7, Developer Evangelist, Author of Bug Bounty Bootcamp
"[Hacking APIs is] the best source of API info I've seen. If you're curious about what APIs are and how they work, read it once. If you work with or create APIs, read it twice. If you break APIs, read it three times."
—Graham Helton, @GrahamHelton3
"One of the few books that is actually dedicated to API hacking. . . . a great resource for anyone who wants to learn more about API security and how to hack into web applications. It provides in-depth information on how to break through various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field."
—Dana Epp, Security Boulevard
"This book has more to offer than hacking APIs but sets down a solid foundation of tools and techniques that would benefit any developer or QA Engineer that has to develop, test, or otherwise work with APIs."
—John Wenning, Cybersecurity Researcher, Fortra
"Well-written and expertly laid out. . . . I didn’t feel the need to reference other books while reading this one, and I don’t think anyone would, regardless of their experience in cybersecurity – the book is very self-contained. My favourite part of the book was Appendix A, the API Hacking Checklist. Not only did you get a laid-out, step-by-step list of actions to take, the section headers referenced specific chapters and the individual items referenced specific pages. This is a handy tool for anyone starting out in this area. . . . 5/5."
—Tyler Reguly, Manager of Software Development, Tripwire
"A thorough guide to what APIs are, how they work, what technologies they use, the various common insecurities that APIs have, and, most importantly, how to exploit them. . . . I would recommend Hacking APIs as a great read for anyone interested in learning more about the vulnerable side of APIs. It would also be a fantastic reference to use when actively pentesting APIs."
—Darlene Hibbs, Senior Cybersecurity Researcher, Fortra