Here you can find a variaty of resources to help you out on the API security path.

Talks / Educational Videos / Recorded Webinars

• OWASP API Security Top 10 by Erez Yalon & Inon Shkedy
• Meetups at Checkmarx: An Introduction to API Security
• Meetups at Checkmarx: API Security Concerns (Part II)
• Don’t Worry, Be API: Addressing AppSec’s Newest Challenge
• Common API security pitfalls by Philippe De Ryck
• API (in)Security TOP 10: Guided tour
• Top 10 API Bugs (and Where to Find Them)
• How To Do Recon: API Enumeration
• Hunting for bugs in GraphQL APIs (Demo)
• Finding Your Next Bug: GraphQL
• REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure
• Hidden in Plain Site: Disclosing Information via Your APIs
• Bad API, hAPI Hackers!
• API Security 101
• JWT Parkour
• Finding Your First Bug: Finding Bugs Using APIs
• Live API Hacking Demo
• OAuth, JWT, HMAC, oh my! API security for your enterprise
• API Recon with Kiterunner
• Offensive GraphQL API Exploitation
• Traversing My Way in the Internal Network
• API Hacking With ChatGPT!
• Web Apps: APIs’ Nightmare
• The Secret Life of APIs: Latest Attack Data Shows What Your APIs Are Doing
• I’m an API Hacker and Here’s How I Hack Everything from the Military to AI
• The Arazzo Specification: A Tapestry for API Workflows.
• OWASP API Security Project - Paulo Silva & Erez Yalon
• 2024 Guide: Hacking APIs

Must read

• OWASP API Security Project
• GraphQL Cheat Sheet
• API Security Checklist
• API Security Encyclopedia
• 31 days of API Security Tips
• REST-ler: Automatic Intelligent REST API Fuzzing
• How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards
• Hacking JSON Web Tokens (JWTs)
• Methods to Bypass Rate Limit
• Regex For Finding Popular Keys
• Leveraging Exposed WADL XML in Burp Suite
• How Unsecure gRPC Implementations Can Compromise APIs
• Pentesting gRPC / Protobuf : Decoding First steps
• OAuth 2.0 authentication vulnerabilities
• Finding Broken Access Controls
• Contextual Content Discovery: You’ve forgotten about the API endpoints
• JWT Security Cheatsheet
• How to exploit GraphQL endpoint: introspection, query, mutations & tools
• OAuth 2.0 Threat Model Pentesting Checklist
• API Security 101: Broken User Authentication
• IDOR Techniques Mindmap
• Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
• SAML is insecure by design
• How to Hack APIs in 2021
• Exploiting GraphQL
• The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
• Exposed Payment Integration API Keys Imperil Millions of Users’ Transaction Details and PII
• Move Over Verbose Error Messages, GraphQL APIs are Here
• What’s Old Becomes New Again: CSRF Attacks on GraphQL APIs
• Exploiting GraphQL Query Depth
• Alias and Directive Overloading in GraphQL
• Didn’t Notice Your Rate Limiting: GraphQL Batching Attack
• Best Practices When Deploying Webhooks in Production
• The Arazzo Specification

Practice

• Damn Vulnerable GraphQL Application
• Websheep
• Pixi
• API Security in Action
• vAPI
• vulnerable OAuth 2.0 applications
• Vulnerable JWT lab
• Vulnerable GraphQL API
• KONTRAs OWASP Top 10 for API
• Vulnerable API with Laravel App
• c{api}tal
• ParaBank
• VAmPI
• Damn Vulnerable Restaurant
• Vulnerable REST API - OWASP 2023

Writeups

• Facebook Group Members Disclosure
• How we could have listened to anyone’s call recordings
• How I Might Have Hacked Any Microsoft Account
• How we could have tracked anyone’s live location using Truecaller’s “Guardians” app
• Enumerate internal cached URLs which lead to data exposure
• All That We Let In: Hacking mHealth Apps and APIs
• Tour de Peloton: Exposed user data
• Smart car chargers. Plug-n-play for hackers?
• XSS Vulnerability Patched in SEOPress Affects 100,000 sites
• Two account takeover bugs worth $4300
• Vulnerability in Bumble dating app reveals any user’s exact location
• This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them
• Free BrewDog beer with a side order of shareholder PII?
• Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin
• DPD package sniffing
• IDOR vulnerability on invoice and weak password reset leads to account take over
• F5 BIG-IP and iControl REST Vulnerabilities and Exposures
• How Spoutible’s Leaky API Spurted out a Deluge of Personal Data
• Forging signed commits on GitHub
• crAPI walkthrough using AI
• ParaBank walkthrough
• c{api}tal walkthrough
• vAPI walkthrough
• DVGA walkthrough
• VAmPI walkthrough
• Zenly Fixes User Data Exposure and Account Takeover Risks

BOLA / IDOR

• Cracking Encrypted Credit Card Numbers Exposed By API
• What is BOLA? 3-digit bounty from Topcoder
• Attacking predictable GUIDs when hacking APIs

OAuth

• Chained Bugs to Leak Victim’s Uber’s FB Oauth Token
• Slack OAuth2 “redirect_uri” Bypass
• Steal OAuth Tokens
• OAuth redirect_uri bypass using IDN homograph attack resulting in user’s access token leakage
• Stealing Users OAUTH Tokens via redirect_uri
• Stealing Users OAuth Tokens through redirect_uri parameter

JWT

• Predictable JWT secret

Rate Limit

• OTP brute-force via rate limit bypass

SSRF

• Server-side Request Forgery on FinTech Platform Enabled Administrative Account Takeover

Testing

• Tavern API Testing
• REST-Attacker