Pentesting APIs

Pentesting APIs: A practical guide to discovering, fingerprinting, and exploiting APIs

Product type: Paperback
Published in: Sep 2024
Publisher: Packt
ISBN-13: 9781837633166
Length: 290 pages
Edition: 1st Edition
Author: Maurício Harley
Table of Contents (18 chapters)

Preface
1. Part 1: Introduction to API Security
2. Chapter 1: Understanding APIs and their Security Landscape (free chapter)
3. Chapter 2: Setting Up the Penetration Testing Environment
4. Part 2: API Information Gathering and AuthN/AuthZ Testing
5. Chapter 3: API Reconnaissance and Information Gathering
6. Chapter 4: Authentication and Authorization Testing
7. Part 3: API Basic Attacks
8. Chapter 5: Injection Attacks and Validation Testing
9. Chapter 6: Error Handling and Exception Testing
10. Chapter 7: Denial of Service and Rate-Limiting Testing
11. Part 4: API Advanced Topics
12. Chapter 8: Data Exposure and Sensitive Information Leakage
13. Chapter 9: API Abuse and Business Logic Testing
14. Part 5: API Security Best Practices
15. Chapter 10: Secure Coding Practices for APIs
16. Index
17. Other Books You May Enjoy

What this book covers

Chapter 1, Understanding APIs and their Security Landscape, introduces you to APIs, their components, the role they play in contemporary applications, and how users commonly interact with them. Understanding the landscape of APIs will enable you to envisage the potential attack vectors.

Chapter 2, Setting Up the Penetration Testing Environment, guides you through the preparation and setup of the various pentest lab components. Some important decisions need to be made, such as the selection of tools and frameworks, the development environment, and some initial tests. If you are new to the pentesting arena, you will have the chance to get to know some relevant terminology and important software.

Chapter 3, API Reconnaissance and Information Gathering, is the first chapter where you will start to play with APIs. Before effectively attacking an API endpoint, it is paramount to enumerate and recognize what is available. Some penetration tests are completely black box, meaning you will have absolutely no knowledge about what is running on the API’s side.

Chapter 4, Authentication and Authorization Testing, covers aspects related to Authentication (AuthN) and Authorization (AuthZ) in applications, focusing on the ways APIs implement them. Then, after learning how apps control the access of their users, it is time for you to understand how those controls can be probed and eventually bypassed.

Chapter 5, Injection Attacks and Validation Testing, teaches you how to test APIs against both SQL and NoSQL injection, and how such attacks can mostly be avoided by correctly validating user input.

Chapter 6, Error Handling and Exception Testing, explains that applications do not always run as their creators designed them. Unexpected behavior might occur, caused either by the users themselves or by some internal error. You will learn how poor exception and error handling can bring valuable information to light as well as open exploitable breaches.

Chapter 7, Denial of Service and Rate-Limiting Testing, discusses pentesting by Denial of Service (DoS) and its “distributed” variation. These are among the biggest attacks carried out on the internet. You will understand how to test targets for DoS and identify rate-limiting mechanisms, as well as how to circumvent them.

Chapter 8, Data Exposure and Sensitive Information Leakage, introduces you to one of the most dangerous threats to APIs, according to the OWASP API Security Top 10. You will learn how to identify data exposure and leakage and how to leverage them in your penetration tests against APIs.

Chapter 9, API Abuse and Business Logic Testing, explains that knowing the logic behind API implementations can be quite useful for abusing them. You will learn strategies to leverage this knowledge for pentesting, as well as approaches to avoid falling victim to such threats.

Chapter 10, Secure Coding Practices for APIs, discusses topics that every software developer, whether or not they are creating an API, should be aware of. You will learn about established secure coding approaches and standards, along with advice on how to avoid many of the attacks discussed in the book.
