Praise for Hacking APIs
Corey Ball's Hacking APIs delivers exactly what it promises. From basic definitions, through the theory behind common API weaknesses and hacking best practices, the reader is encouraged to take a truly adversarial mindset. This highly effective, hands-on journey starts with tool introduction and reconnaissance, then covers everything from API fuzzing to complex access-control exploitation. With detailed labs, tips and tricks, and real-life examples, Hacking APIs is a complete workshop rolled into one book.
Erez Yalon, VP of security research at Checkmarx and OWASP API security project leader
Author Corey Ball takes you on a lively guided tour through the life cycle of APIs in such a manner that you're wanting to not only know more, but also anticipating trying out your newfound knowledge on the next legitimate target. From concepts to examples, through to identifying tools and demonstrating them in fine detail, this book has it all. It is the mother lode for API hacking, and should be found next to the desk of ANYONE wanting to take this level of adversarial research, assessment, or DevSecOps seriously.
Chris Roberts, strategic adviser at Ethopass, international vCISO
Hacking APIs is extremely helpful for anyone who wants to get into penetration testing. In particular, this book gives you the tools to start testing the security of APIs, which have become a weak point for many modern web applications. Experienced security folks can get something out of the book, too, as it features lots of helpful automation tips and protection-bypass techniques that will surely up any pentester's game.
Vickie Li, author of Bug Bounty Bootcamp
This book opens the doors to the field of API hacking, a subject not very well understood. Using real-world examples that emphasize vital access-control issues, this hands-on tutorial will help you understand the ins and outs of securing APIs, how to hunt great bounties, and will help organizations of all sizes improve their overall API security.
Inon Shkedy, security researcher at Traceable AI and OWASP API security project leader
Even though the internet is filled with information on any topic possible in cybersecurity, it is still hard to find solid insight into successfully performing penetration tests on APIs. Hacking APIs fully satisfies this demand, not only for the beginner cybersecurity practitioner, but also for the seasoned expert.
Cristi Vlad, cybersecurity analyst and penetration tester
Hacking APIs
Breaking Web Application Programming Interfaces
by Corey J. Ball
HACKING APIs. Copyright © 2022 by Corey Ball.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
26 25 24 23 22 1 2 3 4 5
ISBN-13: 978-1-7185-0244-4 (print)
ISBN-13: 978-1-7185-0245-1 (ebook)
Publisher: William Pollock
Managing Editor: Jill Franklin
Production Manager: Rachel Monaghan
Production Editor: Jennifer Kepler
Developmental Editor: Frances Saux
Cover Illustrator: Gina Redman
Interior Design: Octopod Studios
Technical Reviewer: Alex Rifman
Copyeditor: Bart Reed
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreader: Paula L. Fleming
For information on distribution, bulk sales, corporate sales, or translations, please contact No Starch Press, Inc. directly at info@nostarch.com or:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Ball, Corey (Cybersecurity manager), author.
Title: Hacking APIs : breaking web application programming interfaces / by Corey Ball.
Description: San Francisco : No Starch Press, [2022] | Includes index.
Identifiers: LCCN 2021061101 (print) | LCCN 2021061102 (ebook) | ISBN
9781718502444 (paperback) | ISBN 9781718502451 (ebook)
Subjects: LCSH: Application program interfaces (Computer software) |
Application software--Development.
Classification: LCC QA76.76.A63 B35 2022 (print) | LCC QA76.76.A63
(ebook) | DDC 005.8--dc23/eng/20220112
LC record available at https://lccn.loc.gov/2021061101
LC ebook record available at https://lccn.loc.gov/2021061102
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
To my incredible wife, Kristin, and our three amazing daughters, Vivian, Charlise, and Ruby.
Your distractions were almost always a delight, and they probably only cost the world a data breach or two.
You are the light of my life, and I love you.
About the Author
Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads penetration testing services. He has over 10 years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, fintech, government services, and health care. In addition to bachelor's degrees in both English and philosophy from Sacramento State University, he holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.
About the Technical Reviewer
Alex Rifman is a security industry veteran with a background in defense strategies, incident response and mitigation, threat intelligence, and risk management. He currently serves as a head of customer success at APIsec, an API security company, where he works with customers to ensure their APIs are secure.
Foreword
Imagine if sending money to a friend required more than opening an app and making a few clicks. Or if monitoring your daily steps, exercise data, and nutrition information meant checking three separate applications. Or if comparing airfares involved manually visiting each airline's website.
Of course, it's not hard to imagine this world: we lived in it not too long ago. But APIs have changed all that. They are the glue that has enabled collaboration across companies and transformed how enterprises build and run applications. Indeed, APIs have become so pervasive that an Akamai report from October 2018 found that API calls accounted for an astounding 83 percent of all web traffic.
But as with most things on the internet, if there's something good, cybercriminals will take notice. To these criminals, APIs are highly fertile and profitable ground, and for good reason. These services offer two highly desirable traits: (1) rich sources of sensitive information and (2) frequent security gaps.