
Hacking Application Programming Interface (APIs)


Attacking APIs is not as challenging as you may think. Once you understand how they operate, hacking them is only a matter of issuing the right HTTP requests. That said, the tools and techniques typically leveraged to perform bug hunting and web application penetration testing do not translate well to APIs. You can’t, for instance, throw a generic vulnerability scan at an API and expect useful results. I’ve often run these scans against vulnerable APIs only to receive false negatives. When APIs are not tested properly, organizations are given a false sense of security that leaves them with a risk of being compromised.


Each section of this book will build upon the previous one:


Part I: How Web API Security Works
First, I will introduce you to the basic knowledge you need about web applications and the APIs that power them. You’ll learn about REST APIs, the main topic of this book, as well as the increasingly popular GraphQL API format. I will also cover the most common API-related vulnerabilities you can expect to find.


Part II: Building an API Testing Lab
In this section, you’ll build your API hacking system and develop an understanding of the tools in play, including Burp Suite, Postman, and a variety of others. You’ll also set up a lab of vulnerable targets you’ll practice attacking throughout this book.


Part III: Attacking APIs
In Part III, we’ll turn to the API hacking methodology, and I’ll walk you through performing common attacks against APIs. Here the fun begins: you’ll discover APIs through the use of open-source intelligence techniques, analyze them to understand their attack surface, and finally dive into various attacks against them, such as injections. You’ll learn how to reverse engineer an API, bypass its authentication, and fuzz it for a variety of security issues.
