This is a full walkthrough of the Vulnerable Adversely Programmed Interface (vAPI), a deliberately vulnerable web application that you can install locally to practice your API hacking skills. vAPI follows the OWASP API Security Top 10 2019 list of vulnerabilities and gives you one task for each of the 10 listed categories plus three...
DVGA walkthrough
This is a full walkthrough of the Damn Vulnerable GraphQL Application (DVGA), a deliberately vulnerable app that you can use to test your GraphQL API hacking skills. You will find a list of vulnerabilities in DVGA’s main interface, on the Solutions page. With every vulnerability, there is a button that displays a very short...
Getting started with regex
Regular expressions (or regex) offer a way to look into a text file, a form, or a command line output and locate strings that match a specific pattern. This allows you to extract emails, phone numbers, keys that match a given structure, etc. You can think of regex as a search function on steroids....
Basic or extended regex?
Regular expressions (regex) come in several flavours. The two main ones you will come across are Basic Regular Expressions (BRE) and Extended Regular Expressions (ERE). From a practical standpoint, the main difference between the two lies in the way they handle special characters. These characters perform a special task or give a certain...
Using an Android emulator for API hacking
Mobile apps are great targets for anyone interested in hacking APIs. Mobile apps will often connect to a supporting web application through an API. By intercepting and reviewing the traffic with a tool like Burp Suite, you can get a pretty good understanding of how the API works and, if you’re lucky, spot some...
Hacking a JWT – JSON Web Token (part 2)
This is the third article in a three-part series on JSON Web Tokens, which breaks down as follows: "What is a JWT – JSON Web Token?": this article gives you all the basics to understand how JSON Web Tokens work. "Hacking JWT – JSON Web Token (part 1)": this article explains how to...
Hacking a JWT – JSON Web Token (part 1)
This is the second article in a three-part series on JSON Web Tokens. The first article outlined what a JWT is, what its components are and how you can read and edit its content (if you haven’t read this first article, I strongly suggest you take a moment to do it now before...
What is a JWT – JSON Web Token?
A JSON Web Token is an encoded string of characters that allows users to identify themselves when interacting with an API. Why do you need a token? Because APIs manage their connections in a different way than regular web applications do. A web app typically relies on stateful connections. This means that when a...
Extract email addresses from a large JSON file
Some requests to API endpoints may generate a very large output in JSON format. As an example, the crAPI vulnerable web app that I have been practicing with lately has an endpoint that lists the details of all recent posts in the community section of the app. These details happen to include the e-mail...
Export a Postman collection to OpenAPI 3.0
This post is a follow-up to my earlier Build an OpenAPI 3.0 documentation file post. In that previous post, I showed you how you can create your own API documentation, compliant with the OpenAPI 3.0 specifications, using Firefox and mitmproxy2swagger. The point is to have a documentation file that you can then import...