Have you ever picked up a book, thinking that you’ll put everything else aside and dive in, but a month later, the book is still sitting unread on your shelf? That’s what happened to me this year. Back in June, our research team started reading Hacking APIs: Breaking Web Application Programing Interfaces by Corey Ball together and it turns out the summer kept us all pretty busy, then the fall kept me pretty busy and there was just no time to finish the book. It took a Canadian winter for me to finally sit down and read Hacking APIs. My first thought? Why didn’t someone tell me to read this book sooner.
I rather enjoyed reading Hacking APIs, the book is well-written and expertly laid out. I actually really enjoyed the flow from chapter to chapter, section to section. Sometimes tech books have hard stops and disconnects between topics, but this book felt like it was layered really well. It also felt complete. I didn’t feel the need to reference other books while reading this one, and I don’t think anyone would, regardless of their experience in cybersecurity – the book is very self-contained. My favourite part of the book was Appendix A, the API Hacking Checklist. Not only did you get a laid out, step-by-step list of actions to take, the section headers referenced specific chapters and the individual items referenced specific pages. This is a handy tool for anyone starting out in this area.
That’s enough of my opinion, let’s see what others on the team thought.
Hacking APIs: Breaking Web Application Programming Interfaces by Corey Ball is a thorough guide to what APIs are, how they work, what technologies they use, the various common insecurities that APIs have, and, most importantly, how to exploit them. Also included is lots of helpful advice for getting started and gaining experience with pentesting APIs, a guide to set up a vulnerable API lab to practice on, and a helpful checklist to use when attempting to hack an API that helps reference back to particular sections of the book. My only complaint is that I wish that the book included more hands-on examples that made use of the included lab. There are many examples of how to use the skills being taught in practice, but only occasionally are the examples designed to be completed using the lab. I would recommend Hacking APIs as a great read for anyone interested in learning more about the vulnerable side of APIs. It would also be a fantastic reference to use when actively pentesting APIs. As a resource for getting hands-on practice exploiting APIs I found it a little disappointing, but only in that it wasn't quite what I expected. There are still some sections that you can follow along with using the included lab setup, and much of the lab wasn't touched on in the book either making it a good resource for practicing skills unguided.
Darlene Hibbs, Senior Cybersecurity Researcher, Fortra
Corey Ball shares their knowledge on the common ways to hack APIs in Hacking APIs. Corey provides brief explanations on HTTP and web requests. These explanations allow readers to follow along with the provided examples and understand the material. Corey then explains how APIs can leak information and how authentication mechanisms can be broken. This leads into an explanation of some of the common methods to find vulnerabilities in APIs. This demonstrates the necessity to test APIs and to ensure they are only exposed to networks or people that require access to them. Restricting access to APIs would limit the ability to exploit potentially vulnerable endpoints because they are not publicly exposed. Overall, Hacking APIs was a good read.
Andrew Swoboda, Senior Cybersecurity Researcher, Fortra
This book has more to offer than hacking APIs but sets down a solid foundation of tools and techniques that would benefit any developer or QA Engineer that has to develop, test, or otherwise work with APIs. APIs have many of the same vulnerabilities as traditional websites. Still, it takes a more nuanced approach and more focused tools to be effective, even if the general strategy is the same. It covers REST APIs and GraphQL. I was familiar with tools like Postman and Burpsuite but I was introduced to new tools such as Kiterunner and also learned that Postman, just like Burpsuite, could be used as a proxy to intercept API requests. Each chapter ended with labs that were always concise and relevant and required little to no setup time making it far better than countless other tech books with cumbersome lab exercises.
John Wenning, Cybersecurity Researcher, Fortra
I think that I’m torn on how to rate this, but I really enjoyed the read so I’m going with a 5/5.
Overall Rating: 4/5
We’re not sure if we’re reading any more books together, but if you have any suggestions, let us know on social media.