book

Hacking APIs

Name: Hacking APIs
Author: Corey Ball
ISBN: 9781718502444

by Corey Ball

July 2022

Intermediate to advanced

368 pages

9h 41m

English

No Starch Press

Read now

Unlock full access

Praise for Hacking APIs
Title Page
Copyright
Dedication
About the Author
Foreword
Acknowledgments
Introduction
The Allure of Hacking Web APIsThis Book’s ApproachHacking the API Restaurant
Part I: How Web API Security Works
Chapter 0: Preparing for Your Security Tests
Receiving AuthorizationThreat Modeling an API TestWhich API Features You Should TestAPI Authenticated TestingWeb Application FirewallsMobile Application TestingAuditing API DocumentationRate Limit TestingRestrictions and ExclusionsSecurity Testing Cloud APIsDoS TestingReporting and Remediation TestingA Note on Bug Bounty ScopeSummary

Chapter 1: How Web Applications Work
Web App BasicsThe URLHTTP RequestsHTTP ResponsesHTTP Status CodesHTTP MethodsStateful and Stateless HTTPWeb Server DatabasesSQLNoSQLHow APIs Fit into the PictureSummary
Chapter 2: The Anatomy of Web APIs
How Web APIs WorkStandard Web API TypesRESTful APIsGraphQLREST API SpecificationsAPI Data Interchange FormatsJSONXMLYAMLAPI AuthenticationBasic AuthenticationAPI KeysJSON Web TokensHMACOAuth 2.0No AuthenticationAPIs in Action: Exploring Twitter’s APISummary
Chapter 3: Common API Vulnerabilities
Information DisclosureBroken Object Level AuthorizationBroken User AuthenticationExcessive Data ExposureLack of Resources and Rate LimitingBroken Function Level AuthorizationMass AssignmentSecurity MisconfigurationsInjectionsImproper Assets ManagementBusiness Logic VulnerabilitiesSummary
Part II: Building an API Testing Lab
Chapter 4: Your API Hacking System
Kali LinuxAnalyzing Web Apps with DevToolsCapturing and Modifying Requests with Burp SuiteSetting Up FoxyProxyAdding the Burp Suite CertificateNavigating Burp SuiteIntercepting TrafficAltering Requests with IntruderCrafting API Requests in Postman, an API BrowserThe Request BuilderEnvironmentsCollectionsThe Collection RunnerCode SnippetsThe Tests PanelConfiguring Postman to Work with Burp SuiteSupplemental ToolsPerforming Reconnaissance with OWASP AmassDiscovering API Endpoints with KiterunnerScanning for Vulnerabilities with NiktoScanning for Vulnerabilities with OWASP ZAPFuzzing with WfuzzDiscovering HTTP Parameters with ArjunSummaryLab #1: Enumerating the User Accounts in a REST API
Chapter 5: Setting Up Vulnerable API Targets
Creating a Linux HostInstalling Docker and Docker ComposeInstalling Vulnerable ApplicationsThe completely ridiculous API (crAPI)OWASP DevSlop’s PixiOWASP Juice ShopDamn Vulnerable GraphQL ApplicationAdding Other Vulnerable AppsHacking APIs on TryHackMe and HackTheBoxSummaryLab #2: Finding Your Vulnerable APIs
Part III: Attacking APIs
Chapter 6: Discovery
Passive ReconThe Passive Recon ProcessGoogle HackingProgrammableWeb’s API Search DirectoryShodanOWASP AmassExposed Information on GitHubActive ReconThe Active Recon ProcessBaseline Scanning with NmapFinding Hidden Paths in Robots.txtFinding Sensitive Information with Chrome DevToolsValidating APIs with Burp SuiteCrawling URIs with OWASP ZAPBrute-Forcing URIs with GobusterDiscovering API Content with KiterunnerSummaryLab #3: Performing Active Recon for a Black Box Test
Chapter 7: Endpoint Analysis
Finding Request InformationFinding Information in DocumentationImporting API SpecificationsReverse Engineering APIsAdding API Authentication Requirements to PostmanAnalyzing FunctionalityTesting Intended UsePerforming Privileged ActionsAnalyzing API ResponsesFinding Information DisclosuresFinding Security MisconfigurationsVerbose ErrorsPoor Transit EncryptionProblematic ConfigurationsFinding Excessive Data ExposuresFinding Business Logic FlawsSummaryLab #4: Building a crAPI Collection and Discovering Excessive Data Exposure
Chapter 8: Attacking Authentication
Classic Authentication AttacksPassword Brute-Force AttacksPassword Reset and Multifactor Authentication Brute-Force AttacksPassword SprayingIncluding Base64 Authentication in Brute-Force AttacksForging TokensManual Load AnalysisLive Token Capture AnalysisBrute-Forcing Predictable TokensJSON Web Token AbuseRecognizing and Analyzing JWTsThe None AttackThe Algorithm Switch AttackThe JWT Crack AttackSummaryLab #5: Cracking a crAPI JWT Signature
Chapter 9: Fuzzing
Effective FuzzingChoosing Fuzzing PayloadsDetecting AnomaliesFuzzing Wide and DeepFuzzing Wide with PostmanFuzzing Deep with Burp SuiteFuzzing Deep with WfuzzFuzzing Wide for Improper Assets ManagementTesting Request Methods with WfuzzFuzzing “Deeper” to Bypass Input SanitizationFuzzing for Directory TraversalSummaryLab #6: Fuzzing for Improper Assets Management Vulnerabilities
Chapter 10: Exploiting Authorization
Finding BOLAsLocating Resource IDsA-B Testing for BOLASide-Channel BOLAFinding BFLAsA-B-A Testing for BFLATesting for BFLA in PostmanAuthorization Hacking TipsPostman’s Collection VariablesBurp Suite Match and ReplaceSummaryLab #7: Finding Another User’s Vehicle Location
Chapter 11: Mass Assignment
Finding Mass Assignment TargetsAccount RegistrationUnauthorized Access to OrganizationsFinding Mass Assignment VariablesFinding Variables in DocumentationFuzzing Unknown VariablesBlind Mass Assignment AttacksAutomating Mass Assignment Attacks with Arjun and Burp Suite IntruderCombining BFLA and Mass AssignmentSummaryLab #8: Changing the Price of Items in an Online Store
Chapter 12: Injection
Discovering Injection VulnerabilitiesCross-Site Scripting (XSS)Cross-API Scripting (XAS)SQL InjectionManually Submitting MetacharactersSQLmapNoSQL InjectionOperating System Command InjectionSummaryLab #9: Faking Coupons Using NoSQL Injection
Part IV: Real-World API Hacking
Chapter 13: Applying Evasive Techniques and Rate Limit Testing
Evading API Security ControlsHow Security Controls WorkAPI Security Control DetectionUsing Burner AccountsEvasive TechniquesAutomating Evasion with Burp SuiteAutomating Evasion with WfuzzTesting Rate LimitsA Note on Lax Rate LimitsPath BypassOrigin Header SpoofingRotating IP Addresses in Burp SuiteSummary
Chapter 14: Attacking GraphQL
GraphQL Requests and IDEsActive ReconnaissanceScanningViewing DVGA in a BrowserUsing DevToolsReverse Engineering the GraphQL APIDirectory Brute-Forcing for the GraphQL EndpointCookie Tampering to Enable the GraphiQL IDEReverse Engineering the GraphQL RequestsReverse Engineering a GraphQL Collection Using IntrospectionGraphQL API AnalysisCrafting Requests Using the GraphiQL Documentation ExplorerUsing the InQL Burp ExtensionFuzzing for Command InjectionSummary
Chapter 15: Data Breaches and Bug Bounties
The BreachesPelotonUSPS Informed Visibility APIT-Mobile API BreachThe BountiesThe Price of Good API KeysPrivate API Authorization IssuesStarbucks: The Breach That Never WasAn Instagram GraphQL BOLASummary
Conclusion
Appendix A: API Hacking Checklist
Appendix B: Additional Resources
Chapter 0: Preparing for Your Security TestsChapter 1: How Web Applications WorkChapter 2: The Anatomy of Web APIsChapter 3: Common API Vulnerabilities Chapter 4: Your API Hacking SystemChapter 5: Setting Up Vulnerable API TargetsChapter 6: DiscoveryChapter 7: Endpoint AnalysisChapter 8: Attacking AuthenticationChapter 9: FuzzingChapter 10: Exploiting AuthorizationChapter 11: Mass AssignmentChapter 12: InjectionChapter 13: Applying Evasive Techniques and Rate Limit TestingChapter 14: Attacking GraphQLChapter 15: Data Breaches and Bug Bounties
Index

Overview

An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms, and the injection vulnerabilities commonly found in web applications. In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:

•Enumerating API users and endpoints using fuzzing techniques
•Using Postman to discover an excessive data exposure vulnerability
•Performing a JSON Web Token attack against an API authentication process
•Combining multiple API attack techniques to perform a NoSQL injection
•Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098130244

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills