
Hacking APIs: Breaking Web Application Programming Interfaces
Author(s): Corey J Ball (Author)
- Publisher: No Starch Press
- Publication Date: 7 July 2022
- Language: English
- Print length: 308 pages
- ISBN-10: 1718502443
- ISBN-13: 9781718502444
Book Description
You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks. In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice: Enumerating APIs users and endpoints using fuzzing techniques; Using Postman to discover an excessive data exposure vulnerability; Performing a JSON Web Token attack against an API authentication process; Combining multiple API attack techniques to perform a NoSQL injection; Attacking a GraphQL API to uncover a broken object level authorization vulnerability. By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.
Editorial Reviews
Review
Corey Ball takes you on a journey through the lifecycle of APIs in such a manner that you’re wanting to not only know more, but also anticipating trying out your newfound knowledge on the next legitimate target. From concepts to examples, through to identifying tools and demonstrating them in fine detail, this book has it all. It IS the motherload for API hacking, and should be found next to the desk, well-read by ANYONE wanting to take this level of adversarial research, assessment, or DevSecOps seriously.
–Chris Roberts, @Sidragon1, vCISO/Researcher/Hacker
–Chris Roberts, @Sidragon1, vCISO/Researcher/Hacker
This book opens the doors to the field of API Hacking, a subject not very well understood. Using real-world examples that emphasize Access Control issues, this book will help you understand the ins and outs of securing APIs, hunt great bounties, and help organizations improve their API Security!
–Inon Shkedy, @InonShkedy, Security Researcher
About the Author
Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare. In addition to a bachelor’s degree in English and philosophy from Sacramento State University, Corey holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.
Wow! eBook


