Hacking APIs: Breaking Web Application Programming Interfaces

by Corey J. Ball

Paperback

$59.99 


Overview

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.

In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice:
  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.

Product Details

ISBN-13: 9781718502444
Publisher: No Starch Press
Publication date: 07/12/2022
Pages: 368
Sales rank: 625,304
Product dimensions: 6.90(w) x 9.10(h) x 1.10(d)

About the Author

Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare. In addition to a bachelor’s degree in English and philosophy from Sacramento State University, Corey holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.

Table of Contents

Foreword xvii
Acknowledgments xxi
Introduction xxiii
The Allure of Hacking Web APIs xxiv
This Book's Approach xxiv
Hacking the API Restaurant xxv

Part I How Web API Security Works 1

0 Preparing for Your Security Tests 3
Receiving Authorization 4
Threat Modeling an API Test 4
Which API Features You Should Test 6
API Authenticated Testing 6
Web Application Firewalls 7
Mobile Application Testing 7
Auditing API Documentation 8
Rate Limit Testing 8
Restrictions and Exclusions 9
Security Testing Cloud APIs 10
DoS Testing 10
Reporting and Remediation Testing 11
A Note on Bug Bounty Scope 11
Summary 13

1 How Web Applications Work 15
Web App Basics 15
The URL 16
HTTP Requests 17
HTTP Responses 18
HTTP Status Codes 19
HTTP Methods 20
Stateful and Stateless HTTP 22
Web Server Databases 23
SQL 23
NoSQL 24
How APIs Fit into the Picture 25
Summary 26

2 The Anatomy of Web APIs 27
How Web APIs Work
Standard Web API Types 28
RESTful APIs 30
GraphQL 30
REST API Specifications 34
API Data Interchange Formats 38
JSON 39
XML 39
YAML 41
API Authentication 42
Basic Authentication 42
API Keys 43
JSON Web Tokens 44
HMAC 45
OAuth2.0 46
No Authentication 47
APIs in Action: Exploring Twitter's API 48
Summary 48

3 Common API Vulnerabilities 53
Information Disclosure 54
Broken Object Level Authorization 55
Broken User Authentication 56
Excessive Data Exposure 58
Lack of Resources and Rate Limiting 59
Broken Function Level Authorization 59
Mass Assignment 61
Security Misconfigurations 62
Injections 64
Improper Assets Management 65
Business Logic Vulnerabilities 66
Summary 67

Part II Building an API Testing Lab 69

4 Your API Hacking System 71
Kali Linux 72
Analyzing Web Apps with DevTools 72
Capturing and Modifying Requests with Burp Suite 75
Setting Up FoxyProxy 76
Adding the Burp Suite Certificate 76
Navigating Burp Suite 77
Intercepting Traffic 79
Altering Requests with Intruder 81
Crafting API Requests in Postman, an API Browser 84
The Request Builder 86
Environments 89
Collections 90
The Collection Runner 93
Code Snippets 94
The Tests Panel 94
Configuring Postman to Work with Burp Suite 95
Supplemental Tools 96
Performing Reconnaissance with OWASP Amass 97
Discovering API Endpoints with Kiterunner 98
Scanning for Vulnerabilities with Nikto 99
Scanning for Vulnerabilities with OWASP ZAP 100
Fuzzing with Wfuzz 100
Discovering HTTP Parameters with Arjun 102
Summary 103
Lab #1 Enumerating the User Accounts in a REST API 103

5 Setting Up Vulnerable API Targets 109
Creating a Linux Host 110
Installing Docker and Docker Compose 110
Installing Vulnerable Applications 111
The completely ridiculous API (crAPI) 111
OWASP DevSlop's Pixi 112
OWASP Juice Shop 112
Damn Vulnerable GraphQL Application 113
Adding Other Vulnerable Apps 114
Hacking APIs on TryHackMe and HackTheBox 115
Summary 116
Lab #2 Finding Your Vulnerable APIs 116

Part III Attacking APIs 121

6 Discovery 123
Passive Recon 124
The Passive Recon Process 124
Google Hacking 125
Programmable Web's API Search Directory 127
Shodan 129
OWASP Amass 131
Exposed Information on GitHub 133
Active Recon 136
The Active Recon Process 136
Baseline Scanning with Nmap 138
Finding Hidden Paths in Robots.txt 139
Finding Sensitive Information with Chrome DevTools 139
Validating APIs with Burp Suite 142
Crawling URIs with OWASP ZAP 143
Brute-Forcing URIs with Gobuster 145
Discovering API Content with Kiterunner 146
Summary 148
Lab #3 Performing Active Recon for a Black Box Test 148

7 Endpoint Analysis 155
Finding Request Information 156
Finding Information in Documentation 156
Importing API Specifications 159
Reverse Engineering APIs 161
Adding API Authentication Requirements to Postman 164
Analyzing Functionality 166
Testing Intended Use 167
Performing Privileged Actions 168
Analyzing API Responses 169
Finding Information Disclosures 169
Finding Security Misconfigurations 170
Verbose Errors 170
Poor Transit Encryption 171
Problematic Configurations 171
Finding Excessive Data Exposures 172
Finding Business Logic Flaws 173
Summary 174
Lab #4 Building a crAPI Collection and Discovering Excessive Data Exposure 174

8 Attacking Authentication 179
Classic Authentication Attacks 180
Password Brute-Force Attacks 180
Password Reset and Multifactor Authentication Brute-Force Attacks 181
Password Spraying 183
Including Base64 Authentication in Brute-Force Attacks 185
Forging Tokens 187
Manual Load Analysis 187
Live Token Capture Analysis 189
Brute-Forcing Predictable Tokens 190
JSON Web Token Abuse 192
Recognizing and Analyzing JWTs 193
The None Attack 195
The Algorithm Switch Attack 195
The JWT Crack Attack 197
Summary 197
Lab #5 Cracking a crAPI JWT Signature 197

9 Fuzzing 201
Effective Fuzzing 202
Choosing Fuzzing Payloads 203
Detecting Anomalies 204
Fuzzing Wide and Deep 207
Fuzzing Wide with Postman 207
Fuzzing Deep with Burp Suite 210
Fuzzing Deep with Wfuzz 212
Fuzzing Wide for Improper Assets Management 214
Testing Request Methods with Wfuzz 216
Fuzzing "Deeper" to Bypass Input Sanitization 217
Fuzzing for Directory Traversal 218
Summary 218
Lab #6 Fuzzing for Improper Assets Management Vulnerabilities 219

10 Exploiting Authorization 223
Finding BOLAs 223
Locating Resource IDs 224
A-B Testing for BOLA 225
Side-Channel BOLA 226
Finding BFLAs 227
A-B-A Testing for BFLA 227
Testing for BFLA in Postman 228
Authorization Hacking Tips 230
Postman's Collection Variables 230
Burp Suite Match and Replace 231
Summary 231
Lab #7 Finding Another User's Vehicle Location 232

11 Mass Assignment 237
Finding Mass Assignment Targets 238
Account Registration 238
Unauthorized Access to Organizations 238
Finding Mass Assignment Variables 239
Finding Variables in Documentation 239
Fuzzing Unknown Variables 240
Blind Mass Assignment Attacks 241
Automating Mass Assignment Attacks with Arjun and Burp Suite Intruder 241
Combining BFLA and Mass Assignment 242
Summary 243
Lab #8 Changing the Price of Items in an Online Store 243

12 Injection 249
Discovering Injection Vulnerabilities 250
Cross-Site Scripting (XSS) 251
Cross-API Scripting (XAS) 252
SQL Injection 253
Manually Submitting Metacharacters 255
SQLmap 256
NoSQL Injection 257
Operating System Command Injection 259
Summary 261
Lab #9 Faking Coupons Using NoSQL Injection 261

Part IV Real-World API Hacking 265

13 Applying Evasive Techniques and Rate Limit Testing 267
Evading API Security Controls 267
How Security Controls Work 268
API Security Control Detection 269
Using Burner Accounts 270
Evasive Techniques 270
Automating Evasion with Burp Suite 273
Automating Evasion with Wfuzz 274
Testing Rate Limits 276
A Note on Lax Rate Limits 276
Path Bypass 278
Origin Header Spoofing 279
Rotating IP Addresses in Burp Suite 280
Summary 284

14 Attacking GraphQL 285
GraphQL Requests and IDEs 286
Active Reconnaissance 287
Scanning 287
Viewing DVGA in a Browser 288
Using DevTools 289
Reverse Engineering the GraphQL API 290
Directory Brute-Forcing for the GraphQL Endpoint 290
Cookie Tampering to Enable the GraphiQL IDE 292
Reverse Engineering the GraphQL Requests 294
Reverse Engineering a GraphQL Collection Using Introspection 296
GraphQL API Analysis 297
Crafting Requests Using the GraphiQL Documentation Explorer 297
Using the InQL Burp Extension 298
Fuzzing for Command Injection 301
Summary 305

15 Data Breaches and Bug Bounties 307
The Breaches 308
Peloton 308
USPS Informed Visibility API 309
T-Mobile API Breach 311
The Bounties 312
The Price of Good API Keys 312
Private API Authorization Issues 313
Starbucks: The Breach That Never Was 315
An Instagram GraphQL BOLA 317
Summary 318

Conclusion 319
A API Hacking Checklist 321
B Additional Resources 323
Index 327
