Hacking APIs: Breaking Web Application Programming Interfaces

by Corey J. Ball

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.

In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice:

• Enumerating API users and endpoints using fuzzing techniques
• Using Postman to discover an excessive data exposure vulnerability
• Performing a JSON Web Token attack against an API authentication process
• Combining multiple API attack techniques to perform a NoSQL injection
• Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.

The Reviews

The author has done a perfect job of structuring and explaining this book. Not only does he explain in great detail for the beginner how APIs work, he shows in depth how to exploit them and walks you through the latest tools used to enumerate and dissect them and understand what's going on behind the scenes. On top of it all there are labs where you can practice and the book is very well written so that you can follow along throughout and "learn as you go" so to speak. I have been looking for a resource on APIs as I begin bug bounty hunting, and this, by far, has been the most valuable by itself. Definitely buy this book if, like me, you want to learn about the intricacies of APIs and how to find and exploit the vulnerabilities for bug bounty.

Not finished with it yet, but at about 40% through it, it’s been really good. Stay tuned!

Hacking APIs is very well written and easy to follow. The author communicates to you throughout the book and uses plenty of examples to illustrate their point. After researching the API market, there is really nothing out there like this book. Must purchase!

This is a great book. The author is in a class of his own. I read a lot of books in this area because of my work and this one stands out. I highly recommend.

A very current overview of how web applications and APIs work; configuring and using enumeration and attack tools such as Postman, Burp, OWASP ZAP, etc.; how to build a lab environment for hands-on experimenting. As the chapters progress, concepts covered are applied to enumerating services, finding vulnerabilities, and attacking endpoints in the OWASP crAPI project (which is awesome). For red team, blue team, or developers trying to build secure API and web applications, this book will be an essential reference.

This is a really great book that does a great job of balancing theory and strategy with the tactical approaches to testing APIs and using the most popular tools to get the job done. As with most No Starch Press books, this was well organized and thorough. A HIGHLY recommended read!

Hacking APIs is such a clear, organized method of teaching API hacking. The labs are really helpful. I’m very new in the journey and found this book to be priceless. API hacking is the way of the future and this book is the key to the castle.

This book is filled with tons of good info, but stick with the Kindle version. Otherwise you'll be spending your time typing long, complicated URLs on almost every page. Because of this, the paper version of the book is not useful and I regret not purchasing the Kindle version.

This is an enjoyable read on hacking APIs.

Loved it

⭐ 4.8 💛 83