Category: API hacking

Some requests to API endpoints may generate a very large output in JSON format. As an example, the crAPI vulnerable web app that I have been practicing with lately has an endpoint that lists the details of all recent posts in the community section of the app. These details happen to include the e-mail...

This post is a follow up to my earlier Build an OpenAPI 3.0 documentation file post. In this previous post, I showed you how you can create your own API documentation, compliant with the OpenAPI 3.0 specifications, using Firefox and mitmproxy2swagger. The point is to have a documentation file that you can then import...

This post will help you if you are testing an API, you are at the recon stage and you want to generate your own OpenAPI 3.0 documentation for your target, which you can then open as a collection in Postman to start probing for vulnerabilities. Here, we are going to use Firefox’s developer tools...

So you’ve chosen Kiterunner as your preferred tool for fuzzing APIs ? Good for you (I’ll go into more detail about Kiterunner in a later post – stay tuned). But if you are using a virtual machine to host the linux system you use for your hacking (which I very much recommend) and installed...

Need to practice your API hacking skills? crAPI is for you. OWASP’s completely ridiculous API (crAPI) is one of several vulnerable apps you can set up as a target on your network. You’ll find installation instructions here. But there’s a catch. Once you have successfully run through the instructions, you will have a functioning...