If you’re into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 5 essential books for any API hacker!
API security and you
So before I go through the list of book recommendations, I want to preface that if you are a security researcher who wants to conduct web API security testing, the reality is it’s just as important to focus on the web applications themselves.
As such, a crash course in web hacking fundamentals never hurts. So some of my recommendations may seem more focused on that than on breaking web application programming interfaces.
You may also notice that I also recommend a few books that focus on bounty programs and make it possible to make a living as you break APIs.
The point is, regardless of where you are in your API hacking career, these books can help. I have organized them in such a way that if you can’t afford to buy them all just yet, start from the top and work your way down.
Book #1 : Hacking APIs: Breaking Web Application Programming Interfaces
This is one of the few books that is actually dedicated to API hacking.
This book is a great resource for anyone who wants to learn more about API security and how to hack into web applications. It provides in-depth information on how to break through various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field. Corey also shares his own personal experiences with API hacking, which makes the content even more valuable. If you’re interested in learning more about API security and want to start from the basics, then this is the perfect book for you!
Book #2 : The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
This book is a tomb of information. It’s the oldest book on the list and by far the largest.
The Web Application Hacker’s Handbook is an essential read for anyone looking to understand how web application vulnerabilities are discovered and exploited. The book is filled with in-depth technical information and real-world examples that will help you understand the inner workings of web applications and how to protect them from potential attacks.
One of the best features of this book is the “Hands-On” sections, which provide you with step-by-step instructions on how to find and exploit various vulnerabilities. This makes it an ideal resource for both beginner and experienced hackers alike.
If you’re looking to beef up your skills in web application security, then The Web Application Hacker’s Handbook is a must-read!
Book #3 : Web Application Security: Exploitation and Countermeasures for Modern Web Applications
Sometimes before focusing on offense, we have to know defensive tactics.
This book provides in-depth coverage of all the major areas of web application security, from vulnerabilities and exploits to countermeasures and defense strategies. Written by security expert Andrew Hoffman, this book is packed with real-world examples and step-by-step instructions that will help you understand how developers protect their web applications from potential attacks.
If you’re serious about web application security, then this is the perfect book for you!
Book #4 : Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities
If you are looking at being an independent security researcher focused on web API security testing, finding high payout API bugs may be important.
Bug Bounty Bootcamp is a guide to becoming a bug bounty hunter. The book covers the basics of hunting for bugs, including how to find and report them. It also includes a number of case studies of successful bug bounty hunting, detailing methods and strategies.
In chapter 24 of the Expert Techniques section, Vicki goes deeper into discussing multiple API attack techniques.
Overall, Bug Bounty Bootcamp is an informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting.
Book #5 : Real-World Bug Hunting: A Field Guide to Web Hacking
“Real-World Bug Hunting” is a brilliant resource for anyone who aspires to be a professional bug hunter. The book is written by Peter Yaworski, who is himself a professional bug hunter.
He begins by delving into the mindset of a bug hunter – what drives them to find vulnerabilities in software and systems? He then provides an overview of the bug hunting process, from identifying potential targets to writing up a report. The bulk of the book is devoted to teaching readers how to find and exploit common web application vulnerabilities.
Yaworski provides clear and concise explanations of each vulnerability, along with examples of real-world exploits. He also offers advice on how to avoid getting caught by security teams and how to maximize the value of your findings. “Real-World Bug Hunting” is an essential read for anyone who wants to make a career out of finding bugs.
Conclusion
These five books are essential readings for anyone interested in hacking APIs. They provide detailed information on how to find and exploit vulnerabilities, as well as defensive tactics and strategies. If you want to be a successful API bug bounty hunter, then these books will also give you the tools and techniques you need to get started.
Cybersecurity researchers warn of a now-patched critical remote code execution (RCE) vulnerability, tracked as CVE-2021-22205, in GitLab’s web interface that has been actively exploited in the wild.
The vulnerability is an improper validation issue of user-provided images the can lead to arbitrary code execution. The vulnerability affects all versions starting from 11.9.
“An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that is passed to a file parser which resulted in a remote command execution. This is a critical severity issue (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the latest release and is assigned CVE-2021-22205.” reads the advisory published by GitLab.
GitLab addressed the vulnerability on April 14, 2021, with the release of 13.8.8, 13.9.6, and 13.10.3 versions.
The vulnerability was reported by the expert vakzz through the bug bounty program of the company operated through the HackerOne platform.
The vulnerability was actively exploited in the wild, researchers from HN Security described an attack one of its customers. Threat actors created two user accounts with admin privileges on a publicly-accessible GitLab server belonging to this organization. The attackers exploited the flaw to upload a malicious payload that leads to remote execution of arbitrary commands.
“Meanwhile, we noticed that a recently released exploit for CVE-2021-22205 abuses the upload functionality in order to remotely execute arbitrary OS commands. The vulnerability resides in ExifTool, an open source tool used to remove metadata from images, which fails in parsing certain metadata embedded in the uploaded image, resulting in code execution as described here.” reads the analysis published by HN Security.
The flaw was initially rated with a CVSS score of 9.9, but the score was later changed to 10.0 because the issue could be triggered by an unauthenticated attackers.
Researchers from Rapid7 reported that of the 60,000 internet-facing GitLab installations:
However, Espinosa’s hard-earned experience is not simply limited to the boardroom. In his latest book, ‘The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity’, Espinosa shares his decades of experience in the fast-paced world of IT Security. The decades of combined experience can practically be felt dripping through the pages as the chapters outline the essential steps to overcome the biggest adversary in cybersecurity. No, not the cybercriminals, but the toxic culture that many cybersecurity professionals find themselves in. The book takes a holistic approach to self-betterment, discussing the importance of so called ‘soft skills’ in the world of cybersecurity.
Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure. This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.
Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.
Learn incident response fundamentals—and the importance of getting back to basics
Understand threats you face and what you should be protecting
Collect, mine, organize, and analyze as many relevant data sources as possible
Build your own playbook of repeatable methods for security monitoring and response
Learn how to put your plan into action and keep it running smoothly
Select the right monitoring and detection tools for your environment
Develop queries to help you sort through data and create valuable reports
Know what actions to take during the incident response phase
The mass transition to working from home clearly shows the best technologies for a secure and convenient remote environment.
Users receive the maximum security benefits by connecting to virtual desktops from thin clients.
A thin client is a terminal-mode device. It often doesn’t even have any internal storage, being just a box that connects to a server and lets users connect a monitor and peripheral devices (configuration may vary depending on the specific model). The thin client does not process or store any work data.
Of course, a thin client requires a good communications channel. In recent years, however, that’s not much of a hurdle.
Communication between a thin client and a server is usually conducted over an encrypted protocol, solving the problem of the unreliable network environment.
Source: Thin clients from a security perspective
2020 Security Playbook
1) Data discovery
2) Compartmented Data Access
3) Move to thin client
4) Increase focus on AAA