15 Data Breaches and Bug Bounties

The real-world API breaches and bounties covered in this chapter should illustrate how actual hackers have exploited API vulnerabilities, how vulnerabilities can be combined, and the significance of the weaknesses you might discover.

Remember that an app’s security is only as strong as the weakest link. If you’re facing the best firewalled, multifactor-based, zero-trust app but the blue team hasn’t dedicated resources to securing their APIs, there is a security gap equivalent to the Death Star’s thermal exhaust port. Moreover, these insecure APIs and exhaust ports are often intentionally exposed to the outside ...
