What do you think?
Rate this book
Hacking APIs: Breaking Web Application Programming Interfaces
Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
Hacking APIs is a crash course on web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.
In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll
• Enumerating APIs users and endpoints using fuzzing techniques
• Using Postman to discover an excessive data exposure vulnerability
• Performing a JSON Web Token attack against an API authentication process
• Combining multiple API attack techniques to perform a NoSQL injection
• Attacking a GraphQL API to uncover a broken object level authorization vulnerability
By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.
Hacking APIs is a crash course on web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.
In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll
• Enumerating APIs users and endpoints using fuzzing techniques
• Using Postman to discover an excessive data exposure vulnerability
• Performing a JSON Web Token attack against an API authentication process
• Combining multiple API attack techniques to perform a NoSQL injection
• Attacking a GraphQL API to uncover a broken object level authorization vulnerability
By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.
333 pages, Kindle Edition
Published July 5, 2022
109 people are currently reading
523 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 9 of 9 reviews
August 6, 2022
3★
Unfortunately not detailed or in depth. Most content could easily be learnt from some general YouTube video or a couple article on medium. A book about APIs should have at least more technical content rather than wasting the pages on lab setups.
Unfortunately not detailed or in depth. Most content could easily be learnt from some general YouTube video or a couple article on medium. A book about APIs should have at least more technical content rather than wasting the pages on lab setups.
May 17, 2022
I can confidently say that if I encountered this as a 13 year old Googling how to be a computer hacker, the book likely would have changed the course of my life. Even if you are not particularly interested in API security or building cross-API products, Hacking APIs scratches that primal itch to break in and break things.
There is immense value in some of the products and services built upon the exploitation of APIs. As a result, there is very little reciprocity between teachers and students. Shady characters hound experienced engineers and pen testers, carve out their little niches, and then disappear. Everyone seems to be in it for themselves aside from Corey Ball.
I've created some useful and profitable systems, including one powered by my own version of the AWS IP rotator described at the end of chapter 13. It's weird yet gratifying seeing nearly identical step-by-step instructions for something I built years ago appear in a book and be available to a wider audience (to be clear: IP-based rate limiting isn't a hard problem, just one that someone with no programming experience would have no idea how to solve). While I'm not truly an expert and have been a shadowy profiteer, the effort behind this book must have been immense. I have no doubt that the author has mastered this subject.
Hacking APIs receives a strong recommendation from this washed-up reviewer.
There is immense value in some of the products and services built upon the exploitation of APIs. As a result, there is very little reciprocity between teachers and students. Shady characters hound experienced engineers and pen testers, carve out their little niches, and then disappear. Everyone seems to be in it for themselves aside from Corey Ball.
I've created some useful and profitable systems, including one powered by my own version of the AWS IP rotator described at the end of chapter 13. It's weird yet gratifying seeing nearly identical step-by-step instructions for something I built years ago appear in a book and be available to a wider audience (to be clear: IP-based rate limiting isn't a hard problem, just one that someone with no programming experience would have no idea how to solve). While I'm not truly an expert and have been a shadowy profiteer, the effort behind this book must have been immense. I have no doubt that the author has mastered this subject.
Hacking APIs receives a strong recommendation from this washed-up reviewer.
September 10, 2025
Extremely fun to read. Highly recommended to both someone new to pentesting or for devs who want to learn what not to do when developing APIs.
October 30, 2024
Quite basic. I also didn't like the positivism inducing refrains from author, like "you will become a master API hacker", "great job [on following instructions to the T and performing the most basic attack]".
April 7, 2024
"Hacking APIs" by Corey Ball, published in 2022 by No Starch Press, is a comprehensive guide to web API security testing. APIs, or Application Programming Interfaces, serve as intermediaries between software programs, enabling seamless communication. This book uniquely delves into API fundamentals and security practices, offering clear explanations and practical examples. It covers enumeration tools, vulnerability discovery, and emphasizes the importance of API security in the context of modern cyber trends like microservices. Despite the negative connotations associated with hacking, the book aims to educate cybersecurity enthusiasts on protecting systems rather than causing harm. For beginners, it provides a solid introduction to APIs and their vulnerabilities, while experienced professionals can benefit from its insights into advanced tools and techniques. In a rapidly evolving tech landscape dominated by mobile apps, understanding API security is paramount. "Hacking APIs" reframes the term "hacker" in its original context of creative problem-solving and system improvement, highlighting the crucial role of API security in safeguarding against cyber threats.
September 1, 2025
Too basic. This is probably a good resource for a new bug bounty hunter/learner who has limited experience with web apps, and wants to expand past the graphical web UI. There is a lot of hand-holding through HTTP basics, installation and setup, etc. For someone with existing application security knowledge who's looking for a deep-dive, this book leaves much to be desired. The sections on fuzzing and evasion were particularly brief/shallow compared to my expectations.
Also, while I understand that the nature of tech books is that they fall out of date quickly, this title instructs the reader to use several resources/tools that fell defunct not long after its 2022 publishing date, and so were already in decline at the time. I also don't recall a few of the introduced tools being popular with my peers when I was working in the pentesting field at the time. They likely reflect the author's own workflow, but he could've chosen other tools that are more widely used and have a longer shelf life.
And though it's not this book's fault, in the era of generative AI, many of the tools/techniques mentioned here are quickly becoming far out of date.
Also, while I understand that the nature of tech books is that they fall out of date quickly, this title instructs the reader to use several resources/tools that fell defunct not long after its 2022 publishing date, and so were already in decline at the time. I also don't recall a few of the introduced tools being popular with my peers when I was working in the pentesting field at the time. They likely reflect the author's own workflow, but he could've chosen other tools that are more widely used and have a longer shelf life.
And though it's not this book's fault, in the era of generative AI, many of the tools/techniques mentioned here are quickly becoming far out of date.
August 27, 2022
A great resource to get started with API security. The author starts by explaining core concepts, common vulnerabilities, how to setup your lab and continues by showing how to hack APIs (eg. crAPI) using those common vulnerabilities.
December 18, 2022
Highly recommended for anyone starting with API security and web development in general. I really liked the hands on approach which I believe will help future readers avoid some of these vulnerabilities in their projects.
February 26, 2023
Practical and useful information about API Hacking. It includes the top vulnerabilitiea you can encounter while testing APIs, as well as step-by-step examples and Bug bounty reports.
Displaying 1 - 9 of 9 reviews