After taking some time to finish my eLearnSecurity Certified Reverse Engineer certification, I decided to pick up another book. This time I chose API security as the topic and went for Hacking APIs: Breaking Web Application Programming Interfaces by Corey Ball. It was published in April 2022 by No Starch Press.
This book is divided into four parts, covering fundamentals of web applications and APIs to real-world API hacking. It focuses on pentesting REST APIs and GraphQL APIs. The first few chapters provide a birds-eye view of how web applications and APIs work and most common vulnerabilities that plague APIs (aka OWASP Top 10 API 2019). If you want to dive deep into inner workings of modern web applications and REST APIs, check out these books The Tangled Web by Michal Zalewski and The Design of Web APIs by Arnaud Lauret, respectively.
The next set of chapters describe the process of setting up the lab to follow along with rest of the book. This includes setting up a Kali Linux machine, installing required tools and extensions (Burp Suite, Postman, WFuzz, Arjun, Kiterunner, Nikto, OWASP ZAP, FoxyProxy and OWASP Amass) and setting up vulnerable endpoints or web applications. The author has demonstrated most attacks on crAPI and Damn Vulnerable GraphQL Application (DVGA). Other vulnerable web applications mentioned in the book include, OWASP DevSlop’s Pixi and OWASP Juice Shop.
In the next part (and this is where this book gets really interesting), it delves into penetration testing API endpoints from discovery, fuzzing and endpoint analysis to performing various attacks (it’s really hands-on so better get your lab setup as described in earlier chapters). Each chapter in this part covers the relevant theory followed by a demonstration of the attack technique. You can easily replicate the techniques shown in your own lab.
In the last part, there is a chapter on evasion techniques (it’s pretty basic but a good starting point) and a chapter on pentesting DVGA, a GraphQL based web application.
Here are a few things I liked about this book:
- The hands-on labs made it fun to go through this book.
- It covers various features of BurpSuite, Postman and Wfuzz throughout chapters. I learnt a lot about Postman through this book.
- The author has provided API Hacking Checklist as an additional resource.
- It provides a good starting point for understanding OWASP API Top 10 and practicing various attacks.
- It is good for beginners, penetration testers, red teamers and bug bounty hunters.
- The author has created a Discord server and a free course associated with this book.
Not so salient Features
- It covers only the black-box approach of attacking APIs. It would have been good if the author included vulnerable code samples and explained the root cause of vulnerabilities.
My rating 4.5 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).
Other book reviews
- Pentesting Azure Applications by Matt Burrough
- Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
- Red Team Development and Operations by Joe Vest and James Tubberville
- Container Security by Liz Rice
- Web Application Security by Andrew Hoffman
Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.