Have been reading through this beauty of a book from Corey Ball.
Who is the author, Corey Ball?
“Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads penetration testing services. He has over 10 years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, fintech, government services, and health care. In addition to bachelor’s degrees in both English and philosophy from Sacramento State University, he holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.”
Before getting into it, I must start by saying I LOVE the publisher No Starch Press, and when a book I like the look of is coming out from them it gets me happier than any other publisher does.
The book itself is split into four sections, each with a subsection of chapters on that section’s subject matter.
We have:
PART I: HOW WEB API SECURITY WORKS
- Chapter 0: Preparing for Your Security Tests
- Chapter 1: How Web Applications Work
- Chapter 2: The Anatomy of Web APIs
- Chapter 3: Common API Vulnerabilities
PART II: BUILDING AN API TESTING LAB
- Chapter 4: Your API Hacking System
- Chapter 5: Setting Up Vulnerable API Targets
PART III: ATTACKING APIS
- Chapter 6: Discovery
- Chapter 7: Endpoint Analysis
- Chapter 8: Attacking Authentication
- Chapter 9: Fuzzing
- Chapter 10: Exploiting Authorization
- Chapter 11: Mass Assignment
- Chapter 12: Injection
PART IV: REAL-WORLD API HACKING
- Chapter 13: Applying Evasive Techniques and Rate Limit Testing
- Chapter 14: Attacking GraphQL
- Chapter 15: Data Breaches and Bug Bounties
For some reason I wasn’t expecting a section on building a lab for API testing, or actual labs to work through, and I really should have known better given it was a No Starch Press book, but all in all there are NINE LABS to work through, which was such a bonus.
The labs cover subjects ranging from Lab #1 ‘Enumerating the User Accounts in a REST API’ to Lab #9 ‘Faking Coupons Using NoSQL Injection’, with seven more in between.
With a mixture of theory and practical labs, it really is a well-put-together book; it flows well from the first page to the last and has been thoroughly planned out for the reader’s benefit.
This book showed me I do not know nearly as much as I thought I did regarding APIs in general, let alone hacking them, with great chapters like ‘Common API Vulnerabilities’, which gives you an understanding of common vulnerabilities and helps you identify weaknesses when you are testing APIs.
My favourite lab was Lab #5 ‘Cracking a crAPI JWT Signature’. In this lab we attack the authentication process, which has three parts: account registration, password reset functionality, and the login operation. The lab focuses on attacking the token provided after a successful authentication attempt, which is great fun and such a great lesson.
Overall, a highly recommended book and another hit, I am sure, for No Starch Press. If you are interested in ANY kind of hacking, not just API hacking, then pick this book up.
- Buy the book here = https://nostarch.com/hacking-apis
- Corey Ball = https://www.hackingapis.com/
- No Starch Press = https://nostarch.com/
Regards
Alex