5 Tips for API Hackers on Picking Your First Target
Dana Epp Blog
by Dana Epp
5d ago
I regularly get asked how someone new to API hacking should start. It happens enough that I have a shortcut snippet in my email client. The question also drove me to write my article on How to get started as an API hacker last year. But recently, someone from the API Hacker Inner Circle pushed back and asked to be more mindful that some people don’t even know which target to start with. You know what? They’re right. So today, let’s tackle that problem head-on. Here are my five tips for picking your first target as an API hacker. Tip #1: Pick a target you know When starting your AP ..read more
Is Bruno a good Postman alternative for API hacking?
Dana Epp Blog
by Dana Epp
1w ago
Is Bruno any good for API hacking? That’s been a question on my mind lately. For a couple of reasons. First, looking deeper into Bruno has been on my to-do list for some time now. The community has been discussing it for a while, and I have only looked at it to get familiar with what it did. Second, I was recently asked on Twitter if I would write about Bruno.
Sir, What about Bruno (Open Source) alternative for Postman. Can you write a blog about Bruno. — Ronin (@Vignesh_Paraman) March 30, 2024
It seems like a good time to try Bruno and see how well it works for API security testing. So joi ..read more
The Beginners Guide to Writing API Security Tests in Postman
Dana Epp Blog
by Dana Epp
3w ago
Did you know that Postman includes a sandbox that allows you to write API security tests in JavaScript and execute them against your targets? This sandbox includes a runtime based on Node.js that enables you to build rich positive and negative tests to maximize the potential of your security testing. It also includes a post-request processing framework through the Chai.js library that allows you to use behavior-driven development (BDD) syntax to create readable test assertions. This becomes quite useful for security testing as you look to taint data to see how the API reacts and responds. In t ..read more
Improving port scans against API servers
Dana Epp Blog
by Dana Epp
1M ago
I don’t know about you, but I’ve been port scanning my targets for decades. While many tools come and go, I have always found Nmap to be my favorite for port scanning. It’s been a staple in my arsenal for so long that it would be fair to say I have blinders on when it comes to most competing tools. It’s even a key recommendation in my Beginner’s Guide to API Hacking. Hell, back in the Windows XP SP2 days, when Microsoft removed raw socket support, I sent in a few pull requests to Fyodor just to get Nmap working properly on Windows again so I could do my port scans. It’s hard to believe that w ..read more
Discovering API secrets & endpoints using APKLeaks
Dana Epp Blog
by Dana Epp
1M ago
What if I told you there is a simple way to find more API servers, secrets, and endpoints that you probably don’t currently do as part of your recon? Would you want to know about it? Of course you would. Who wouldn’t? Have you ever heard the saying, “There’s an app for that”? There has never been a more accurate statement when it comes to API hacking. Let me explain. “There’s an app for that.” We live in a world where mobile computing far outweighs the traditional desktop computing of yesteryears. Mobile apps are being built for everything from dating to data collection. Gaming to gambling. Yo ..read more
Is Nuclei any good for API hacking?
Dana Epp Blog
by Dana Epp
1M ago
If you have spent any time hacking, you will have encountered vulnerability scanner tools like Nuclei. Nuclei is a cutting-edge, template-based vulnerability scanner designed to simplify finding vulnerabilities on a target. This formidable tool employs a host of customizable templates that target various security checks, making it adept at identifying security weak spots in your apps and infrastructure. The question is, is it any good to use for API hacking? Let’s find out. An Introduction to Nuclei Nuclei is a popular tool for vulnerability scanning. In fact, there is a common argument that u ..read more
5 mistakes beginners make during app recon
Dana Epp Blog
by Dana Epp
2M ago
App recon is the critical first phase in API security testing, embodying the meticulous art of intelligence gathering. Dubbed “walking the app,” this is a foundational step of reconnaissance. It allows you to map the terrain, revealing the intricate web of endpoints that form the lifeblood of any application. By methodically examining how an application works, you not only uncover the expected functionalities but also pry open potential crevices for vulnerabilities. These are the hidden doorways through which security breaches can erupt, sometimes with devastating consequences. With an ever-ex ..read more
Writing API exploits in Python
Dana Epp Blog
by Dana Epp
2M ago
At some point in your API hacking journey, you will probably have to write a proof of concept (PoC) API exploit. Your peers in the dev group or someone on the security triage team you are engaging with will want to see how the vulnerability you found can be exploited. It helps to demonstrate potential impact. I’ve talked about why writing API exploits is important when reporting vulnerabilities before. I’ve even shown you how to demonstrate vulnerabilities by exploiting APIs using cURL. Today, I want to show you how to do it using Python. Why? Because if you are doing any sort of serious API s ..read more
Endpoints vs Routes: What every API hacker needs to know
Dana Epp Blog
by Dana Epp
2M ago
I recently had an interesting conversation on Twitter/X that got me thinking about API endpoints vs routes. It all started with this tweet:
Hi, there's an unauthorized way to retrieve info from users (vuln) in the endpoint /api/docs/v1?id=uuid_of_doc and I can do the same from /api/docs/alias/"name_of_doc"/v1 Do I need to fill two different reports? @InsiderPhD @DanaEpp @Masonhck3571 — manuel valdez (@saur1n) January 19, 2024
The conversation progressed into whether this was one vulnerability or two. It also started questioning my unde ..read more
Detecting Uncommon Headers in an API using Burp Bambda Filters
Dana Epp Blog
by Dana Epp
3M ago
What if I told you that many APIs leverage custom HTTP headers to drive business logic and behavior? Would you know which ones they are? This isn’t just about API requests but web apps in general. Anything that speaks over HTTP has the ability to drive behavior from the request and response headers. To get a good understanding of what is commonly used, Mozilla has some great documentation you can check out. In this article, I’ll show you how to leverage Burp Suite’s Bambda filters to parse HTTP headers and detect uncommon ones for you automatically. I’ll even show you a neat way to highlight i ..read more
