Akatama's Slice of the Internet

What I Learned from Hacking APIs: A Developer's Review

By Jimmy Lindsey

This year, I decided to get more serious about security testing. I primarily write API tests that check for correctness and stability, but the most significant bugs I find are security issues. Hacking APIs by Corey Bail kept coming up as a practical starting point for developers who want to understand how penetration testers think. So I decided to work through it, tools and all. Here’s what I learned, what worked, what didn’t, and why it’s still worth your time in 2025.

The Good

For newcomers, Hacking APIs does a great job of covering the fundamentals and setting up a safe environment to practice. In the first section of the book, you are introduced to all of the foundational concepts that you need to know in order to exploit APIs:

• Understanding the scope of your API penetration testing
• Making sure that you have received approval to test the APIs
• How to threat model for API tests
• Which API features you should test
• How to report and remediate security vulnerabilities
• A bit about bug bounties
• How web applications work
• The anatomy of web APIs
• Common API vulnerabilities

Even though I already knew most of the theory, walking through it again helped reinforce how these fundamentals connect to real-world vulnerabilities.

The next part of the book goes into how to set up the system we would be hacking from, as well as how to set up the hacking lab. In particular, Corey does a great job introducing us to various tools that will be useful in our quest to find security issues in APIs:

• DevTools (Chrome or FireFox)
• Burp Suite
• FoxyProxy (browser extension)
• Postman
• OWASP Amass
• Kiterunner
• Nikto
• OWASP ZAP
• Wfuzz
• Arjun

Of these tools, Burp Suite and Postman get the lion's share of the attention. That focus makes sense since both are essential for real-world API security testing. All the tools are explained well, and are used often enough that you can at least refer back to the examples in the labs.

The best part of the book are the labs themselves. They are open ended enough that you have plenty of opportunities to explore, but they are guided enough that if you get stuck you can look to the solution to figure out where you went wrong. The labs are where the bulk of learning in the book happens, and that is what is most important.

The Bad

For all its strengths, the book does show its age in a few key areas. The biggest criticism I have for the book is that it was published in 2022. Things change a lot in 3 years. Several tools work slightly differently and the setup of the hacking lab has changed significantly. For example, the crAPI setup instructions no longer work as written. If you were already an expert in hacking APIs, then none of that would stop you, but this book is written for people with only a basic understanding of how APIs work. Luckily, much of the actual content of the book is timeless, so even with those struggles I can still say it is worth your time.

Even more significantly for beginners, there are a lot of online articles that can bring you up to speed with how all of this works in 2025. It does mean you need to get your hands dirty and try out a few more commands than the book suggests. Sometimes, the results you get are just different, and some security vulnerabilities in the applications you spin up are simply gone. All I can say is keep at it.

Suggestions for Future Editions

This book is great, but it needs a 2nd edition. Other than bringing everything up to the present day, I think the book can go a bit further with the lessons it attempts to teach you:

• Most of the book spends time on crAPI, while several of the applications in your hacking lab barely get any mention at all.
• Use crAPI as the main application for describing what techniques to use.
• Then point to another application, give the reader a chance to find the vulnerabilities themselves with those same techniques.
• If the reader needs help, provide hints or solutions in the back of the book or on the internet.
• In general, more labs would be great. The labs are where the real learning is.

If a second edition added those improvements, this could easily become the go-to resource for new API testers and hackers.

What I Learned

Hacking APIs is not the kind of book you can just read in a weekend and then forget over the next week. You really do need to sit down and do the labs, which can take significant time.

I had not used most of the tools before, with the exception of Postman. Burp Suite, in particular, seems like a very valuable tool to know. A large chunk of the book is spent intercepting and modifying requests with it, or using it for a dictionary-style attack. Tools are only tools, but the right ones can make everything easier.

While I was very familiar with the background knowledge needed for this book, I was not aware of a lot of the specifics.

Reconnaissance

• Active and Passive Recon
• Ideas on how to find documentation
• Reverse engineering APIs with Postman (both with and without authentication)
• Utilizing information disclosures to further the reach of your attack

Specific Attacks

• How to attack authentication (brute force, password spraying, forging tokens, abusing JWTs)
• Fuzz wide and deep on API requests
• Find BOLAs (Broken Object Level Authorization) and BFLAs (Broken Function Level Authorization)
• I had heard of these vulnerabilities before, but to have examples and a lab where I can find them myself really helps!
• How to exploit APIs with a mass assignment vulnerability
• Discovering and exploiting injection vulnerabilities
• Cross-Site Scripting (XSS)
• Cross-API Scripting (XAS)
• SQL injection
• NoSQL injection
• Operating System command injection
• Attacking GraphQL

Avoiding Detection

• Evading API security controls
• Testing rate limits

It's quite a long list! I really did learn a lot from this book, and the hands-on approach made it stick.

Conclusion

In the end, Hacking APIs delivers exactly what it promises: a practical, hands-on introduction to API security testing. It’s not perfect, and parts of it are starting to show their age, but the fundamentals are solid and the labs are where the real value lies.

If you’re a developer who understands APIs but hasn’t looked at them through an attacker’s lens, this book is a great way to start. You’ll come away with a deeper understanding of how vulnerabilities happen, and a sharper sense of how to prevent them.