Category: API hacking

As I was progressing along my API hacking learning path, OAuth 2.0 kept coming back as something I would have to get my head around at some point. Recently, I was testing an API in the scope of a Vulnerability Disclosure Program on Bugcrowd and OAuth was the authorization mechanism the API was using....

Broken Object Level Authorization vulnerabilities are known to be the most common flaws you will run into when testing APIs. BOLA held the top spot in the original 2019 edition of OWASP’s API Security Top 10 list. And it is still the number one vulnerability listed in the recently published OWASP API Security Top...

If you’ve been following this blog, you know my go-to fuzzing tool has long been FFUF. But if FFUF does a great job fuzzing GET parameters, user passwords or 2FA codes, I have found that Feroxbuster does a better job uncovering hidden API endpoints. To give a bit of context, what we are looking...

Here is a quick and easy tip on how to get the two most useful API hacking tools to work together: Postman and Burp Suite. Suppose you have a list of API endpoints stored in a collection in Postman. Each of these endpoints has an http method, a URL, a list of request headers...

Mobile apps are great targets for anyone interested in hacking APIs. Mobile apps will often connect to a supporting web application through an API. By intercepting and reviewing the traffic with a tool like Burp Suite, you can get a pretty good understanding of how the API works and, if you’re lucky, spot some...

This is the second article in a three part series on JSON Web Tokens. The first article outlined what a JWT is, what its components are and how you can read and edit its content (if you haven’t read this first article, I strongly suggest you take a moment to do it now before...

A JSON Web Token is an encoded string of characters that allows users to identify themselves when interacting with an API. Why do you need a token? Because APIs manage their connections in a different way than regular web applications do. A web app typically relies on stateful connections. This means that when a...

Some requests to API endpoints may generate a very large output in JSON format. As an example, the crAPI vulnerable web app that I have been practicing with lately has an endpoint that lists the details of all recent posts in the community section of the app. These details happen to include the e-mail...

This post is a follow up to my earlier Build an OpenAPI 3.0 documentation file post. In this previous post, I showed you how you can create your own API documentation, compliant with the OpenAPI 3.0 specifications, using Firefox and mitmproxy2swagger. The point is to have a documentation file that you can then import...