Hacking APIs: Breaking Web Application Programming Interfaces (Paperback)

Ball, Corey J.

Product description

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

You'll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you'll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you'll learn to perform common attacks, like those targeting an API's authentication mechanisms and the injection vulnerabilities commonly found in web applications. You'll also learn techniques for bypassing protections against these attacks.

In the book's nine guided labs, which target intentionally vulnerable APIs, you'll practice:
- Enumerating API users and endpoints using fuzzing techniques
- Using Postman to discover an excessive data exposure vulnerability
- Performing a JSON Web Token attack against an API authentication process
- Combining multiple API attack techniques to perform a NoSQL injection
- Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you'll be prepared to uncover those high-payout API bugs other hackers aren't finding and improve the security of applications on the web.

About the author

Corey Ball is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare. In addition to a bachelor's degree in English and philosophy from Sacramento State University, Corey holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.