#cybersecurity #apihacking #api-security #ethical-hacking #bug-bounty

So what makes APIs special and different? #apisecurity #apihacking #apis #pentesting
1) Interconnectedness: even if you're sure you don't have APIs, I bet your suppliers do
2) Large attack surfaces that are poorly documented; they balloon into hundreds of endpoints quickly
The biggest mistake I see in API security will probably surprise you... Whether in offensive security or defending APIs, most teams make one fundamental mistake that leaves their APIs vulnerable: they forget that APIs are web applications.
#apisecurity #apihacking #apis
Let's explore the latest book by Packt Publishing on "Pentesting APIs" and see if it's worth putting on an API hacker's bookshelf.
https://danaepp.com/is-the-latest-book-on-pentesting-apis-any-good
Check out how to use upstream residential and mobile proxies in Burp Suite to evade IP blocking during your API security testing.
https://danaepp.com/evade-ip-blocking-by-using-residential-proxies
Let me show you how to use JSON injection to manipulate API payloads to control the flow of data and business logic within an API.
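The kind of payload manipulation that post refers to, as an added example that is not code from the original post or from Dana Epp: a constructed backend that builds a JSON body by string concatenation, an attacker-supplied display name that closes the string and appends a duplicate "role" key, and a tester-side check that flags duplicate keys. The template, field names and the first-key-wins parser emulation are all assumptions for illustration.

```python
import json
from collections import Counter

# Constructed example: a backend that assembles the JSON it forwards to an
# internal service by string concatenation. "role" is meant to be fixed by the
# server; only display_name is user-controlled.
def build_profile_update_vulnerable(display_name: str) -> str:
    return '{"role": "user", "display_name": "' + display_name + '"}'

# Hardened form: json.dumps escapes quotes and braces, so the input can only
# ever land inside the display_name string value.
def build_profile_update_safe(display_name: str) -> str:
    return json.dumps({"role": "user", "display_name": display_name})

# Consumer using a last-key-wins parser (Python's json module behaves this way).
def parse_last_key_wins(body: str) -> dict:
    return json.loads(body)

# Emulates a first-key-wins parser so the parser differential is visible:
# two services parsing the same body can disagree about the role.
def parse_first_key_wins(body: str) -> dict:
    def first_wins(pairs):
        out = {}
        for k, v in pairs:
            out.setdefault(k, v)
        return out
    return json.loads(body, object_pairs_hook=first_wins)

# Tester-side check: report keys that occur more than once in any object,
# which is the tell-tale sign that an injected key reached the parser.
def duplicate_keys(body: str) -> list:
    dups = []
    def record(pairs):
        counts = Counter(k for k, _ in pairs)
        dups.extend(k for k, n in counts.items() if n > 1)
        return dict(pairs)
    json.loads(body, object_pairs_hook=record)
    return sorted(set(dups))

# Constructed attacker input: closes the display_name string, appends a key.
INJECTED_NAME = 'alice", "role": "admin'

if __name__ == "__main__":
    body = build_profile_update_vulnerable(INJECTED_NAME)
    print(body)
    print("last-key-wins role: ", parse_last_key_wins(body)["role"])   # admin
    print("first-key-wins role:", parse_first_key_wins(body)["role"])  # user
    print("duplicate keys:     ", duplicate_keys(body))                # ['role']
    safe = build_profile_update_safe(INJECTED_NAME)
    print("hardened role:      ", parse_last_key_wins(safe)["role"])   # user
```

The duplicate-key check is the part worth keeping in a testing toolkit: when a request you crafted comes back reflected with a repeated key, you know the concatenation is reachable, and the next question is which of the parsers in the chain wins.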
Let me show you how to gain a competitive edge over other security researchers by detecting changes to APIs before others even know about them by using oasdiff.
https://danaepp.com/detecting-new-api-endpoints-with-oasdiff
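To make concrete what "detecting changes to APIs" means in practice, here is an added example that is not code from the original post and is not oasdiff itself: a minimal stand-in that diffs two OpenAPI documents and reports added operations, removed operations, and new parameters on existing operations. The two specs are constructed inline for illustration; in real use you would load the previous and current spec from disk or from the target's published endpoint.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def operations(spec: dict) -> dict:
    """Map (METHOD, path) -> operation object for every operation in the spec."""
    ops = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops[(method.upper(), path)] = op
    return ops

def param_names(op: dict) -> set:
    """Set of (location, name) for an operation's own parameters."""
    return {(p.get("in"), p.get("name")) for p in op.get("parameters", [])}

def diff_specs(old: dict, new: dict) -> dict:
    """Return added/removed operations and new parameters on shared operations."""
    old_ops, new_ops = operations(old), operations(new)
    added = sorted(set(new_ops) - set(old_ops))
    removed = sorted(set(old_ops) - set(new_ops))
    new_params = {}
    for key in set(old_ops) & set(new_ops):
        extra = param_names(new_ops[key]) - param_names(old_ops[key])
        if extra:
            new_params[key] = sorted(extra)
    return {"added": added, "removed": removed, "new_params": new_params}

def diff_spec_files(old_path: str, new_path: str) -> dict:
    """Same diff, reading two JSON-formatted OpenAPI files from disk."""
    with open(old_path) as f_old, open(new_path) as f_new:
        return diff_specs(json.load(f_old), json.load(f_new))

def format_report(diff: dict) -> str:
    lines = []
    for method, path in diff["added"]:
        lines.append(f"+ {method} {path}")
    for method, path in diff["removed"]:
        lines.append(f"- {method} {path}")
    for (method, path), params in diff["new_params"].items():
        for loc, name in params:
            lines.append(f"~ {method} {path}: new {loc} parameter '{name}'")
    return "\n".join(lines)

# Constructed sample specs (not from any real API): yesterday's and today's.
OLD_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {"get": {"parameters": [{"in": "query", "name": "page"}]}},
        "/users/{id}": {"get": {}},
        "/legacy/ping": {"get": {}},
    },
}
NEW_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {"get": {"parameters": [
            {"in": "query", "name": "page"},
            {"in": "query", "name": "includeDeleted"},
        ]}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/admin/export": {"get": {}},
    },
}

if __name__ == "__main__":
    print(format_report(diff_specs(OLD_SPEC, NEW_SPEC)))
```

The output lines prefixed with `+` and `~` are the ones a researcher cares about: a newly exposed DELETE, an admin export route, and a fresh query parameter on an existing endpoint are each a reason to retest before anyone else notices the change.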
Let's look at Tracfone's $16 million settlement with the FCC to understand why API security testing matters.
https://danaepp.com/why-api-security-testing-matters-learning-from-tracfone
Let me show you how to conduct covert data exfiltration within JSON payloads of an API response.
https://danaepp.com/covert-data-exfiltration-via-json-in-an-api
Let me show you how to fuzz JSON to find security vulnerabilities in the APIs you are hacking with the help of a custom wordlist and Param Miner.
Let me show you how to use Param Miner to find hidden parameters that may help manipulate an API in unintended ways, revealing potential security flaws.
Let me show you how to weaponize API discovery metadata to improve your recon of the APIs you are hacking or conducting security testing on.
Learn why HTTPie is a great replacement for curl and how to use it when conducting your own API security testing.
Explore the misconceptions and anti-patterns of applying security testing to APIs, and how to address them.
Let me show you why Human Application Security Testing (HAST) is important to API hackers.
Finding sensitive data in an API isn't hard...
If you use the right tools.
Let me show you how to weaponize Microsoft's data protection tools like Presidio to find sensitive data hiding in API responses.
https://danaepp.com/sensitive-data-detection-using-ai-for-api-hackers
Let me show you how to reverse engineer an Electron app to find artifacts like source code and API endpoints, and capture live traffic with Burp Suite.
https://danaepp.com/reverse-engineering-electron-apps-to-discover-apis
Let me show you how to weaponize developer tools used for API linting to find attack vectors in the APIs you are hacking.
https://danaepp.com/finding-attack-vectors-using-api-linting