Yaksas Security

Cyber Security Research

Book Review: Hacking API

Uday Mittal April 23, 2022

After taking some time to finish my eLearnSecurity Certified Reverse Engineer certification, I decided to pick up another book. This time I chose API security as the topic and went for Hacking APIs: Breaking Web Application Programming Interfaces by Corey Ball. It was published in April 2022 by No Starch Press.

Content Overview

This book is divided into four parts, covering everything from the fundamentals of web applications and APIs to real-world API hacking. It focuses on pentesting REST APIs and GraphQL APIs. The first few chapters provide a bird's-eye view of how web applications and APIs work and of the most common vulnerabilities that plague APIs (i.e. the OWASP API Security Top 10, 2019). If you want to dive deep into the inner workings of modern web applications and REST APIs, check out these books: The Tangled Web by Michal Zalewski and The Design of Web APIs by Arnaud Lauret, respectively.

The next set of chapters describes the process of setting up the lab to follow along with the rest of the book. This includes setting up a Kali Linux machine, installing the required tools and extensions (Burp Suite, Postman, WFuzz, Arjun, Kiterunner, Nikto, OWASP ZAP, FoxyProxy and OWASP Amass) and setting up vulnerable endpoints or web applications. The author demonstrates most attacks on crAPI and the Damn Vulnerable GraphQL Application (DVGA). Other vulnerable web applications mentioned in the book include OWASP DevSlop's Pixi and OWASP Juice Shop.

In the next part (and this is where the book gets really interesting), it delves into penetration testing API endpoints, from discovery, fuzzing and endpoint analysis to performing various attacks (it's really hands-on, so you had better get your lab set up as described in the earlier chapters). Each chapter in this part covers the relevant theory, followed by a demonstration of the attack technique. You can easily replicate the techniques shown in your own lab.

In the last part, there is a chapter on evasion techniques (it's pretty basic but a good starting point) and a chapter on pentesting DVGA, a GraphQL-based web application.

Salient Features

Here are a few things I liked about this book:

  • The hands-on labs made it fun to go through this book.
  • It covers various features of Burp Suite, Postman and WFuzz throughout the chapters. I learnt a lot about Postman through this book.
  • The author has provided an API Hacking Checklist as an additional resource.
  • It provides a good starting point for understanding OWASP API Top 10 and practicing various attacks.
  • It is good for beginners, penetration testers, red teamers and bug bounty hunters.
  • The author has created a Discord server and a free course associated with this book.

Not-so-salient Features

  • It covers only the black-box approach to attacking APIs. It would have been good if the author had included vulnerable code samples and explained the root cause of the vulnerabilities.

My rating: 4.5 / 5.0

Join our book club on Discord and share your views on this book (or any other security book of your choice).

Other book reviews

  • Pentesting Azure Applications by Matt Burrough
  • Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
  • Red Team Development and Operations by Joe Vest and James Tubberville
  • Container Security by Liz Rice
  • Web Application Security by Andrew Hoffman

Uday Mittal

Uday Mittal is a cybersecurity professional with rich experience working with various industries, including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research and related topics, and has authored various articles on cyber security and software development for a leading magazine on open source software.

Filed Under: Book Reviews Tagged With: API, API Security, Burp, crAPI, GraphQL, OWASP Top 10, Postman, REST API
