web analytics

Is the latest book on “Pentesting APIs” any good? – Source: securityboulevard.com

is-the-latest-book-on-“pentesting-apis”-any-good?-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: Dana Epp

The folks over at Packt Publishing sent me a gift recently. It was a copy of one of their latest books, Pentesting APIs: A practical guide to discovering, fingerprinting, and exploiting APIs.

Oh, how fun. I love seeing more books published on the topic of API security testing. While Packt Publishing gave me this book, they know that my opinions and any review are my own.

So let’s take a look at it, shall we?

Newsletter

AWS Hub

Author Background

I don’t know Maurício Harley. We’ve never crossed paths before, probably because he lives and breathes IT and appsec across the pond over in France. I know he works as a Senior Software Engineer for RedHat, focusing on their OpenStack Security, and contributes to OWASP over there.

You can read his bio on Amazon or check out his LinkedIn profile here.

I can say from reading past articles he has written along with this book, that he clearly has enough war wounds to be able to share his experiences.

Let’s look at his API pentesting book in more depth and see what he shares. 

Content Overview and Key Topics

We will start by reviewing the structure of the book. 

The book is about 260 pages long but includes a lot of screenshots that are hard to see in print form. I would imagine the Kindle or PDF versions look much better than print in this regard. 

It is organized into five parts. These include:

  1. Introduction to API Security
    1. Understanding APIs and their Security Landscape
    2. Setting up the Penetration Testing Environment
  2. API Information Gathering and AuthN/AuthZ Testing
    1. API Reconnaissance and Information Gathering
    2. Authentication and Authorization Testing
  3. API Basic Attacks
    1. Injection Attacks and Validation Testing
    2. Error Handling and Exception Testing
    3. Denial of Service and Rate-Limiting Testing
  4. API Advanced Topics
    1. Data Exposure and Sensitive Information Leakage
    2. API Abuse and Business Logic Testing
  5. API Security Best Practices
    1. Secure Coding Practices for APIs

It’s an interesting structure. From recon and information gathering to basic attack testing, with a smidge of secure coding guidance for good measure. 

The last bit didn’t really fit for me. It’s odd and out of place. While I respect Maurício’s position that we should be looking at how to prevent attacks as well, I don’t think that’s the place of an API pentester. This final part of the book could have been better focused on how to communicate the weaknesses in the code (like I talk about here) to developers, and provide guidance for remediation that way. 

With the structure articulated, let me tell you what I thought about the book.  

My thoughts on the book

I want to start by saying everyone has their own methodology based on learned experiences. So, that leaves me with the need to express the caveat that my lived experiences are different from Maurício. We choose different tools and ways to attack APIs. And our views on what it means to pentest an API differ.

I am not saying his approach is wrong. But it feels incomplete to me.

Honestly, I had mixed feelings about this book as I read it. It “felt” rushed, with some areas completely glanced over, while others went far too deep in setting something up that doesn’t materially teach us anything of value. 

We don’t need over a dozen pages to show how to set up Open Bullet for credential stuffing, only to miss spending any time discussing how to extract common API artifacts and OpenAPI documentation metadata to help map areas to attack.

I’ve discussed here in the past.   

Areas I think could be improved

The structure of what is in the book is there. But in almost all areas, I always felt like there was more to say.

For example, there is a section on capturing API traffic using Wireshark. Yet most APIs work over a TLS/SSL channel, leaving you with the need to decrypt that through some sort of AITM methodology. There isn’t a connection to explain why ZAP and Burp Suite are better tools for that. It just didn’t “flow” right.

In covering testing API access tokens like JWTs, he doesn’t go deep enough to cover all the common attack paths that can and should be tested against tokens. He talks about the fact you can’t crack the tokens for common vulnerable APIs used for practicing like OWASP crAPI. That’s just wrong. I actually showed you years ago how to leverage HashCat running on GPU-enabled VMs in Azure to crack the signing key for access tokens

The coverage of Injection Attacks and Validation Testing was a missed opportunity. Think about some of the articles I’ve written about in the past. Like how to attack an API by tainting data in weird places. Or how to exploit an API using Structured Format Injection (SFI). Or topple an API by using server-side prototype pollution. And don’t forget about abusing the API parsers to trigger logic flaws through JSON injection

There was so much more that could have been said. And that seemed like a theme throughout the book. The sections weren’t wrong. They just felt like they were incomplete.

Who is this book for?

This book was an easy read for me. I think the ideal audience would be someone brand new to API security testing. Core foundational knowledge is shared within these pages, and everyone new to the tradecraft will need to know it.

Even though there is a section for securing coding, I wouldn’t think of this book as something developers will find useful, unless they already have an attacker mindset. I usually find bug bounty hunters find it easier to have an adversarial mindset than developers, which I have talked about here.

Experienced API hackers won’t really benefit from any new knowledge within this book. However, it never hurts to get exposed to different methodologies and tools our peers use.  

Conclusion

So, is the latest book on “Pentesting APIs” any good? 

I’m a lifelong learner. Any knowledge gained is worth it, and we should regularly practice our tradecraft. 

If you are brand new to pentesting APIs, you may find it valuable and helpful in your hacking journey. If you aren’t, you might find new ways to do things.

However, I’d recommend you check out my list of recommended books every API hacker should have on their bookshelf first. Some books like Corey’s Hacking APIs cover everything this book does, but in far better depth and breadth.

HTH. 

One last thing…

API Hacker Inner Circle

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. 
If you haven’t, subscribe at https://apihacker.blog.

The post Is the latest book on “Pentesting APIs” any good? appeared first on Dana Epp’s Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/is-the-latest-book-on-pentesting-apis-any-good

Original Post URL: https://securityboulevard.com/2024/11/is-the-latest-book-on-pentesting-apis-any-good/

Category & Tags: Security Bloggers Network,API Hacking Fundamentals – Security Bloggers Network,API Hacking Fundamentals

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos