
PRAISE FOR HACKING APIS

“Corey Ball’s Hacking APIs delivers exactly what it promises. From basic definitions, through the theory behind common API weaknesses and hacking best practices, the reader is encouraged to take a truly adversarial mindset. This highly effective, hands-on journey starts with tool introduction and reconnaissance, then covers everything from API fuzzing to complex access-control exploitation. With detailed labs, tips and tricks, and real-life examples, Hacking APIs is a complete workshop rolled into one book.”
—Erez Yalon, VP of security research at Checkmarx and OWASP API security project leader

“Author Corey Ball takes you on a lively guided tour through the life cycle of APIs in such a manner that you’re wanting to not only know more, but also anticipating trying out your newfound knowledge on the next legitimate target. From concepts to examples, through to identifying tools and demonstrating them in fine detail, this book has it all. It is the mother lode for API hacking, and should be found next to the desk of ANYONE wanting to take this level of adversarial research, assessment, or DevSecOps seriously.”
—Chris Roberts, strategic adviser at Ethopass, international vCISO

“Hacking APIs is extremely helpful for anyone who wants to get into penetration testing. In particular, this book gives you the tools to start testing the security of APIs, which have become a weak point for many modern web applications. Experienced security folks can get something out of the book, too, as it features lots of helpful automation tips and protection-bypass techniques that will surely up any pentester’s game.”
—Vickie Li, author of Bug Bounty Bootcamp

“This book opens the doors to the field of API hacking, a subject not very well understood. Using real-world examples that emphasize vital access-control issues, this hands-on tutorial will help you understand the ins and outs of securing APIs, how to hunt great bounties, and will help organizations of all sizes improve their overall API security.”
—Inon Shkedy, security researcher at Traceable AI and OWASP API security project leader

“Even though the internet is filled with information on any topic possible in cybersecurity, it is still hard to find solid insight into successfully performing penetration tests on APIs. Hacking APIs fully satisfies this demand—not only for the beginner cybersecurity practitioner, but also for the seasoned expert.”
—Cristi Vlad, cybersecurity analyst and penetration tester

HACKING APIS
Breaking Web Application Programming Interfaces

by Corey J. Ball

San Francisco

HACKING APIS. Copyright © 2022 by Corey Ball.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
26 25 24 23 22

12345

ISBN-13: 978-1-7185-0244-4 (print)
ISBN-13: 978-1-7185-0245-1 (ebook)
Publisher: William Pollock
Managing Editor: Jill Franklin
Production Manager: Rachel Monaghan
Production Editor: Jennifer Kepler
Developmental Editor: Frances Saux
Cover Illustrator: Gina Redman
Interior Design: Octopod Studios
Technical Reviewer: Alex Rifman
Copyeditor: Bart Reed
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreader: Paula L. Fleming
For information on distribution, bulk sales, corporate sales, or translations, please contact No Starch Press, Inc. directly at info@nostarch.com or:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Ball, Corey (Cybersecurity manager), author.
Title: Hacking APIs : breaking web application programming interfaces / by Corey Ball.
Description: San Francisco : No Starch Press, [2022] | Includes index.
Identifiers: LCCN 2021061101 (print) | LCCN 2021061102 (ebook) | ISBN 9781718502444 (paperback) | ISBN 9781718502451 (ebook)
Subjects: LCSH: Application program interfaces (Computer software) | Application software--Development.
Classification: LCC QA76.76.A63 B35 2022 (print) | LCC QA76.76.A63 (ebook) | DDC 005.8--dc23/eng/20220112
LC record available at https://lccn.loc.gov/2021061101
LC ebook record available at https://lccn.loc.gov/2021061102

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To my incredible wife, Kristin, and our three amazing daughters, Vivian, Charlise, and Ruby. Your distractions were almost always a delight, and they probably only cost the world a data breach or two. You are the light of my life, and I love you.

About the Author
Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads penetration testing services. He has over 10 years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, fintech, government services, and health care. In addition to bachelor’s degrees in both English and philosophy from Sacramento State University, he holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.

About the Technical Reviewer
Alex Rifman is a security industry veteran with a background in defense strategies, incident response and mitigation, threat intelligence, and risk management. He currently serves as a head of customer success at APIsec, an API security company, where he works with customers to ensure their APIs are secure.

BRIEF CONTENTS

Foreword
Acknowledgments
Introduction

PART I: HOW WEB API SECURITY WORKS
Chapter 0: Preparing for Your Security Tests
Chapter 1: How Web Applications Work
Chapter 2: The Anatomy of Web APIs
Chapter 3: Common API Vulnerabilities

PART II: BUILDING AN API TESTING LAB
Chapter 4: Your API Hacking System
Chapter 5: Setting Up Vulnerable API Targets

PART III: ATTACKING APIS
Chapter 6: Discovery
Chapter 7: Endpoint Analysis
Chapter 8: Attacking