Curtis Branum

Software Engineer doing DevOps in D.C.

Book Review: Hacking APIs by Corey Ball

August 21st, 2022

A few months ago I was looking for a new tech topic to learn about, and this book caught my attention. Being in an on-call rotation at work, I sometimes experience the defensive side of bad actors scanning/attacking our systems. So I thought it might be fun to learn a bit about the tools and strategies that attackers are employing on the offensive side of things.

What's Covered

This book teaches you about the tools that aid passive recon on a target, how to scan an address for running services, how to run word-list attacks to discover endpoints, how to capture network traffic via a proxy, techniques for discovering vulnerabilities, and the terminology for the different classifications of defects. It’s mainly focused on hacking REST APIs, with an additional section on GraphQL.

Tools, Tools, Tools

The main tool that the book covers is Burp Suite. It has both free and paid versions; the main drawback of the free version is that you can’t save your proxy session. Once you close the free Burp Suite, the captured traffic logs are gone. The author does a good job of introducing free/open source tools that approximate all of the functionality that Burp Suite provides. Postman, the other web proxy covered in the book, is completely free.

Hands-On Projects

In addition to explaining tools, this book contains projects for you to follow along with. This involves setting up a few containerized web apps (mostly using docker-compose) that are specifically designed to contain security flaws that you will discover and exploit. Setting up these web apps requires some understanding of how to run containers and docker-compose, as well as the ability to debug web apps. The author definitely does not do much hand-holding for this setup process.

Yeah, it's pretty good

I think I got a lot out of this book, especially as someone who is responsible for keeping applications up and running. It inspired me to conduct some of my own experiments to get a feel for what happens on the defensive side when running certain scans/attacks against a cloud instance with/without a firewall. Another experiment I’ve conducted is proxying my phone through Postman to see if I can discover any interesting API tokens that native apps might be exposing. I did sign up on Bugcrowd just to take a peek at the bug bounty programs; I’m not sure if I’ll get involved, but it could be fun to try.

© Curtis Branum