You're reading from Pentesting APIs A practical guide to discovering, fingerprinting, and exploiting APIs

Product type Paperback

Published in Sep 2024

Publisher Packt

ISBN-13 9781837633166

Length 290 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Maurício Harley

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1: Introduction to API Security

2. Chapter 1: Understanding APIs and their Security Landscape FREE CHAPTER

3. Chapter 2: Setting Up the Penetration Testing Environment

4. Part 2: API Information Gathering and AuthN/AuthZ Testing

5. Chapter 3: API Reconnaissance and Information Gathering

6. Chapter 4: Authentication and Authorization Testing

7. Part 3: API Basic Attacks

8. Chapter 5: Injection Attacks and Validation Testing

9. Chapter 6: Error Handling and Exception Testing

10. Chapter 7: Denial of Service and Rate-Limiting Testing

11. Part 4: API Advanced Topics

12. Chapter 8: Data Exposure and Sensitive Information Leakage

13. Chapter 9: API Abuse and Business Logic Testing

14. Part 5: API Security Best Practices

15. Chapter 10: Secure Coding Practices for APIs

16. Index

Why subscribe?

17. Other Books You May Enjoy

Examining authentication mechanisms

There are various APIs on the internet that work without a need for previous AuthN, mainly for read-only operations. A good example of such a use case is the Comprehensive Knowledge Archive Network (CKAN) framework (https://ckan.org/). It’s an open source project that makes it easier for companies and governments to publish data on the internet. Entirely written in Python, the framework has a RESTful API with both read and write operations. Since CKAN was designed to help open data initiatives, having read access to data served by portals supported by it is expected.

There is also a fair amount of API endpoints that work without AuthN. In the previous chapter, we mentioned the OSINT Framework, a website that curates a list of other Open Source Intelligence (OSINT) websites, tools, and blogs. You will find a couple of utilities, such as IP location and geo-location, that work on the internet completely for free and without previous AuthN...