Hacking APIs
Breaking Web Application Programming Interfaces
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
- Authors: Corey J. Ball
- Published: 2022
- Publisher: No Starch Press
- Pages: 368
- Language: English
Read this if
Pentesters and bug bounty hunters who have realized that most production attack surface is now API, not HTML. Ball's structured approach covers REST, GraphQL discovery, BOLA, mass assignment, JWT abuses, and the operational tooling around them.
Skip this if
Readers who want generalist web security; the book is API-focused and assumes you already understand OWASP-class web bugs.
Key takeaways
- API attack surface is dramatically underexploited compared to HTML attack surface; for most public bug bounty programs, the API is where the bounties hide.
- BOLA (broken object-level authorization) is the dominant API bug class and the one that pays best; Ball's framing is the cleanest in print.
- Burp Suite Professional + Postman + a custom recon pipeline is the practical toolset; the book justifies the choice and shows how to use them together.
Notes
Pair with Black Hat GraphQL (Aleks/Farhi) for the GraphQL-specific deep dive and with Real-World Bug Hunting (Yaworski) for the case studies. Ball's APIsec University course is the natural next step once you finish the book. Required reading for any bug hunter who hasn't yet noticed that the API has its own bugs that the HTML doesn't.
What to read before
What to read before Hacking APIs →
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
What to read next
What to read after Hacking APIs →
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Explore similar books
Alternatives to Hacking APIs →
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.