Book description
An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms, and the injection vulnerabilities commonly found in web applications. In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:
•Enumerating API users and endpoints using fuzzing techniques
•Using Postman to discover an excessive data exposure vulnerability
•Performing a JSON Web Token attack against an API authentication process
•Combining multiple API attack techniques to perform a NoSQL injection
•Attacking a GraphQL API to uncover a broken object level authorization vulnerability
By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.
Table of contents
- Praise for Hacking APIs
- Title Page
- Copyright
- Dedication
- About the Author
- Foreword
- Acknowledgments
- Introduction
-
Part I: How Web API Security Works
- Chapter 0: Preparing for Your Security Tests
- Chapter 1: How Web Applications Work
- Chapter 2: The Anatomy of Web APIs
- Chapter 3: Common API Vulnerabilities
-
Part II: Building an API Testing Lab
- Chapter 4: Your API Hacking System
- Chapter 5: Setting Up Vulnerable API Targets
-
Part III: Attacking APIs
- Chapter 6: Discovery
-
Chapter 7: Endpoint Analysis
- Finding Request Information
- Adding API Authentication Requirements to Postman
- Analyzing Functionality
- Finding Information Disclosures
- Finding Security Misconfigurations
- Finding Excessive Data Exposures
- Finding Business Logic Flaws
- Summary
- Lab #4: Building a crAPI Collection and Discovering Excessive Data Exposure
- Chapter 8: Attacking Authentication
- Chapter 9: Fuzzing
- Chapter 10: Exploiting Authorization
- Chapter 11: Mass Assignment
- Chapter 12: Injection
-
Part IV: Real-World API Hacking
- Chapter 13: Applying Evasive Techniques and Rate Limit Testing
- Chapter 14: Attacking GraphQL
- Chapter 15: Data Breaches and Bug Bounties
- Conclusion
- Appendix A: API Hacking Checklist
-
Appendix B: Additional Resources
- Chapter 0: Preparing for Your Security Tests
- Chapter 1: How Web Applications Work
- Chapter 2: The Anatomy of Web APIs
- Chapter 3: Common API Vulnerabilities
- Chapter 4: Your API Hacking System
- Chapter 5: Setting Up Vulnerable API Targets
- Chapter 6: Discovery
- Chapter 7: Endpoint Analysis
- Chapter 8: Attacking Authentication
- Chapter 9: Fuzzing
- Chapter 10: Exploiting Authorization
- Chapter 11: Mass Assignment
- Chapter 12: Injection
- Chapter 13: Applying Evasive Techniques and Rate Limit Testing
- Chapter 14: Attacking GraphQL
- Chapter 15: Data Breaches and Bug Bounties
- Index
Product information
- Title: Hacking APIs
- Author(s):
- Release date: July 2022
- Publisher(s): No Starch Press
- ISBN: 9781718502444
You might also like
book
Linux Basics for Hackers
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for …
book
Ansible: Up and Running, 3rd Edition
Among the many configuration management tools available, Ansible has some distinct advantages: It's minimal in nature. …
book
API Security in Action
A web API is an efficient way to communicate with an application or service. However, this …
book
Kubernetes: Up and Running, 3rd Edition
In just five years, Kubernetes has radically changed the way developers and ops personnel build, deploy, …