What this book covers
Chapter 1, Understanding APIs and their Security Landscape, introduces you to APIs, their components, the role they play in contemporary applications, and how users commonly interact with them. Understanding the landscape of APIs will enable you to envisage the potential attack vectors.
Chapter 2, Setting Up the Penetration Testing Environment, guides you toward the preparations and setup of the various pentest lab components. Some important decisions need to be made, such as the selection of tools and frameworks along with the development environment and some initial tests. If you are new to the pentesting arena, you will have the chance to get to know some relevant terminology and important software.
Chapter 3, API Reconnaissance and Information Gathering, is the first chapter where you will start to play with APIs. Before effectively attacking an API endpoint, it is paramount to enumerate and recognize what is available. Some penetration tests are completely black-box, meaning you will have absolutely no knowledge about what is running on the API’s side.
Chapter 4, Authentication and Authorization Testing, covers aspects related to Authentication (AuthN) and Authorization (AuthZ) on applications, focusing on the ways APIs work with this. Then, after learning how apps control the access of their users, it is time for you to understand how they can be explored and eventually bypassed.
Chapter 5, Injection Attacks and Validation Testing, teaches you how to test APIs against both SQL and NoSQL injections, and how such types of attacks could be mostly avoided by correctly validating user input.
Chapter 6, Error Handling and Exception Testing, explains that applications do not always run as their creators designed them. Unexpected behavior might occur, caused either by the users themselves or by some internal error. You will learn how poor exception and error handling can bring valuable information to light as well as open exploitable gaps.
Chapter 7, Denial of Service and Rate-Limiting Testing, discusses pentesting for Denial of Service (DoS) and its “distributed” variation (DDoS). These are among the largest attacks carried out on the internet. You will understand how to test targets for DoS and identify rate-limiting mechanisms, as well as how to circumvent them.
Chapter 8, Data Exposure and Sensitive Information Leakage, introduces you to one of the most dangerous threats to APIs, according to OWASP’s API Security Top 10. You will learn how to identify data exposure and leakage and leverage them in your penetration tests against APIs.
Chapter 9, API Abuse and Business Logic Testing, explains that knowing the logic behind API implementations can be quite useful for abusing them. You will learn strategies for leveraging business logic during pentesting, as well as approaches to avoid falling victim to such threats.
Chapter 10, Secure Coding Practices for APIs, discusses topics that every software developer, whether or not they are creating an API, should be aware of. You will learn about established secure coding approaches and standards, as well as some advice on how to avoid many of the attacks discussed in the book.