Hacking APIs Book Review
I had wanted to get a book specifically about API security for a while. While reading another APIsecurity.io newsletter issue, I browsed Amazon for API security books. There weren't too many, but I saw an upcoming (at that time) release from No Starch Press, Hacking APIs: Breaking Web Application Programming Interfaces by Corey J. Ball, which I decided to pick up.
APIs, APIs Everywhere
Undoubtedly, APIs are an important part of the whole security picture, yet they somehow feel underrated. I remember some years ago, when the Payment Services Directive (PSD2) was being rolled out in the EU and financial institutions needed to test their implementations. All I got for a 2-week pentest was Swagger documentation and maybe a bunch of endpoints. It didn't seem like the most exciting pentest in the world at the beginning, but that changed after realizing how significant this functionality was. Although OWASP resources were the main companion during that engagement, this book would have been a perfect prelude back then.
If you test a mobile app, chances are that a significant amount of time will be spent testing the backend API. If you land on a Pod, chances are you will send requests to the Kubernetes API. APIs really are almost everywhere.
Contents
The book starts with an intro about how APIs and web applications work in general and spends a significant number of pages explaining how to set up a testing lab with Postman, Burp Suite, Kiterunner and similar tools. Once it gets recon out of the way, the good stuff comes - JWT attacks, forging authentication tokens, BOLA, BFLA, (blind) mass assignment. The author demonstrates that even though GraphQL is a different beast, it's still an API, so the same attack principles apply.
I found the XAS (Cross-API Scripting) part and the chapter on evasive techniques & tools (such as IPRotate) particularly interesting. One thing I would have loved to see is at least some source code examples explaining how specific bugs are actually born. That being said, I realize that it's just the style of this book - it's mostly written from a black-box (or bug bounty) testing perspective.
A Welcomed Addition to the Library
For seasoned pentesters with >5 years of experience, I don't think there's going to be a whole lot of new information. Some might argue that all the information found in the book can be found in Medium articles or on YouTube; however, the way it is presented and structured is of very high quality. The tutorial on how to ingest API documentation and set up Postman is an important topic in API testing, and this book does a good job covering it.
In addition to being a beginner-friendly, hands-on testing guide, this book is a good field manual too. I'll definitely be keeping it on my shelf and reaching for it whenever I find myself testing APIs.
Distrust & verify!