Book Review - Hacking APIs by Corey Ball
- Title : Hacking APIs - Breaking Web Application Programming Interfaces
- Author : Corey Ball
- Date : April 2022
- ISBN-13: 9781718502444
- Link: https://nostarch.com/hacking-apis
Our penetration testing engagements web applications increasingly involve URLs
with /api/
in their path. Of course these can be tested just like any other
URL but it became obvious that there are subtleties to testing APIs that
required a new set of testing methods.
This book promises to provide a thorough grounding in API testing. I purchased this book for our pen test team bookshelf with the hope that it would fill in any knowledge gaps that our team may have.
It provides a good overview of the types of APIs and technologies like REST, JSON, XML and YAML. The important topic of the various types of authentication methods is covered. It then delves into the common types of vulnerability in API implementations such as information disclosure, broken authorization, broken authentication, data exposure, abusing API resource limits, accessing other users’ data, injection attacks and business logic vulnerabilities.
Chapter 4 goes into detail about tools used for API testing such as Chrome DevTools, Burp Suite, and Postman. Chapter 5 describes how to build a virtual lab environment with intentionally weak web applications that can be used for learning. Chapter 6 is concerned with methods to discover API services using OSINT and scanning tools. In particular, it recommends the use of the excellent Kiterunner tool, which I was not aware of before reading this book. Chapter 7 goes into detail of endpoint analysis and attack while Chapter 8 describes ways to attack authentication. Chapter 9 has details of fuzzing APIs and Chapter 10 shows how to test for authorization issues. Chapter 11 details how to attack APIs for mass assignment flaws and Chapter 12 details injection.
The final chapters go into detail about specific API attack techniques such as evading secruity controls, attacking GraphQL, data breaches and bug bounties.
In conclusion, this book is a useful guide for any penetration tester who wants to keep up with the latest techniques for testing APIs.