Harvest
AI Summarized Content

Free Hacking API Courses (And How to Use AI to Help You Hack)


Introduction & Key Takeaways

This video, hosted by David Bombal with guest Corey Ball (author of a highly recommended API hacking book), is a comprehensive walkthrough of free API hacking courses and a hands-on demo of hacking APIs, with a twist of AI. The content is packed with practical advice, real-world examples, and actionable steps for anyone interested in cybersecurity, API testing, and leveraging AI tools like ChatGPT for API security testing.


1. Why API Security Matters

  • APIs are everywhere:

    "APIs represent close to 90 percent of all web traffic that's going across the Internet."

  • APIs are a huge attack surface:

    "When APIs are exposed to the Internet, they're meant for public consumption. Those often contain the most valuable resource that an organization is trying to keep safe. It also contains what the attackers are most interested in. And that's the data that's there."

  • Common vulnerabilities:

    "We see excessive data exposure. That's fairly common. In addition to that, authorization vulnerabilities plague APIs."

  • Security often stops at authentication:

    "There's something about being authenticated to an API where the security controls stop there and it's often forgotten about."

Key Point:
APIs are a massive, often under-protected target. If you want to be effective in cybersecurity, you must understand API security.


2. The Power of Coding in Cybersecurity

  • Coding is a game changer:

    "Those who can code excel in cybersecurity."

  • It's almost a necessity:

    "Enhancing your scripting and programming skills isn't just an asset. It's almost a necessity if you want to do really, really well."

  • You don't need expensive courses:

    "You don't have to enroll in expensive courses or spend countless hours on confusing tutorials to level up your coding skills."

Resource Highlight:

  • Brilliant.org offers nine programming courses from fundamentals to advanced topics like neural networks and quantum computing.
  • Hands-on, intuitive learning:

    "What I really appreciate about Brilliant is their approach to teaching programming. It's very hands on. It's very intuitive. Perfect for those of us in cybersecurity who need to apply these skills practically."


3. Meet Corey Ball & Free API Hacking Courses

  • Corey Ball:

    "Corey is the author of this book, probably from what I've read and from what a lot of people have said, this is the best API hacking book out there."

  • Free courses:

    "Corey has not only written this book, but he's also created a free course, which you can get below."

  • APISec University:

    "The first course on there was my API pen test course, which guides you through everything from using APIs, testing for vulnerabilities, the most common vulnerabilities that you'll find with APIs and then exploiting those vulnerabilities."

  • Expanded content:

    "Since then, we have so many more courses. I have another course out on the OWASP API Security Top 10, talking about the 2019 version and the recent 2023 version and all the vulnerabilities captured there."

  • Other courses:

    "We have a lot of great other courses like the API Fundamentals course. And we have courses on documentation, Gateway. We're launching an LLM course for APIs."

  • All free:

    "The courses are completely free. You sign up with your email. You can go through, complete the course, watch all the videos, read the content, take the quizzes and walk away with a free certificate of completion on those courses."

Certifications:

  • CASA: Certified API Security Analyst (tests knowledge of OWASP API Security Top 10, vulnerabilities, remediation)
  • ASCP: API Security Certified Professional (hands-on hacking lab, 12-hour limit, exploit and report vulnerabilities)

Quote:

"Go and grab the free content. Lots of courses. There's also like a car hacking course, I believe, as well."


4. Why Focus on API Hacking?

  • APIs are the new frontier:

    "Why do people bother about network pen testing and stuff because APIs are this huge problem out there?"

  • APIs = 90% of web traffic:

    "APIs represent close to 90 percent of all web traffic that's going across the Internet."

  • Most valuable data:

    "Those often contain the most valuable resource that an organization is trying to keep safe. It also contains what the attackers are most interested in. And that's the data that's there."

  • Bypass firewalls:

    "You get past all the firewalls and everything to the API. So if you don't secure your APIs, it's a massive risk."


5. Today's Demo: Hacking APIs with AI

  • Demo focus:

    "Today I'm going to be guiding you through testing crAPI, which is the OWASP Completely Ridiculous API free lab that you can launch."

  • Tools used:
    • crAPI (OWASP vulnerable API lab)
    • mitmweb (the mitmproxy web interface, transcribed as "Man in the Middle Web"; the intercepting proxy)
    • mitmproxy2swagger (transcribed as "Man in the Middle Proxy to Swagger"; auto-generates OpenAPI/Swagger docs from captured traffic)
    • Postman (API client)
    • Burp Suite (deep testing)
    • ChatGPT / Hacking APIs GPT (AI assistant for API analysis)

6. Step-by-Step: Hacking an API

A. Setting Up the Lab

  • Run crAPI in a VM (Kali Linux in VMware)
  • Proxy all browser traffic through mitmweb
  • Capture every request while using the web app as intended

    "Do everything that you can within the functionality of the app. So click on all of the buttons, create posts where you can post, update your profile where you can do that."

Why?

"You're getting an understanding of how the web app works, the functionality that's involved, and you're also capturing all of the requests."

B. Reverse Engineering the API

  • Capture traffic, then run mitmproxy2swagger over the capture to generate OpenAPI (Swagger) documentation
  • Edit the generated YAML file to clean up endpoints (drop static assets, keep the API paths)
  • Import the spec into Swagger Editor and Postman for easier analysis

Quote:

"All of this reverse engineering of an API is really for those instances when none of that is available. This is great for instances like crAPI where it's not clearly available, but also for private APIs or partner APIs."
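As an added illustration (not mitmproxy2swagger's own code), this script shows the core of what that generation step does: collapse captured request paths into parameterized OpenAPI paths and record the methods and status codes seen. The captured requests and crAPI-style paths are constructed for the example.

```python
"""Build a minimal OpenAPI 3 skeleton from captured HTTP requests.
Added example (not mitmproxy2swagger itself) mimicking the step where captured
traffic becomes a Swagger/OpenAPI document; sample requests are constructed.
"""
import re

# Constructed sample of captured requests: (method, path, status code)
CAPTURED = [
    ("GET", "/identity/api/v2/user/dashboard", 200),
    ("GET", "/identity/api/v2/vehicle/57", 200),
    ("GET", "/identity/api/v2/vehicle/58", 200),
    ("POST", "/community/api/v2/community/posts", 200),
    ("GET", "/community/api/v2/community/posts/abc123", 200),
    ("GET", "/static/logo.png", 200),  # noise, not an API call
]

# A segment is an identifier if it is all digits, or 6+ chars containing a digit,
# so "v2", "posts", "dashboard" stay literal while "57" and "abc123" become {id}.
_ID_SEGMENT = re.compile(r"^\d+$|^(?=.*\d)[0-9A-Za-z_-]{6,}$")

def templatize(path):
    """Return (parameterized path, parameter names) for one captured path."""
    out, params = [], []
    for seg in path.strip("/").split("/"):
        if _ID_SEGMENT.match(seg):
            name = "id" if not params else f"id{len(params) + 1}"
            out.append("{" + name + "}")
            params.append(name)
        else:
            out.append(seg)
    return "/" + "/".join(out), params

def build_openapi(captured, api_marker="/api/"):
    """Group requests by templated path and method into an OpenAPI 3 dict."""
    paths = {}
    for method, path, status in captured:
        if api_marker not in path:  # skip static assets and other noise
            continue
        tpath, params = templatize(path)
        op = paths.setdefault(tpath, {}).setdefault(method.lower(), {
            "parameters": [{"name": p, "in": "path", "required": True,
                            "schema": {"type": "string"}} for p in params],
            "responses": {},
        })
        op["responses"][str(status)] = {"description": f"observed {status}"}
    return {"openapi": "3.0.3",
            "info": {"title": "reverse-engineered API", "version": "captured"},
            "paths": paths}
```

Dumping the returned dict with a YAML library gives the file you would then clean up by hand and import into Swagger Editor or Postman.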

C. Using AI (ChatGPT) for API Analysis

  • Hacking APIs GPT:

    "This is a GPT that I created. I worked on it for a while to get everything working in a pretty ideal way for API security testing and anyone with a premium membership can access this."

  • How to use:
    • Paste endpoints or JSON spec into the chatbot
    • Ask: "Based on the following endpoints, which are the most concerning?"
  • AI suggestions:

    "It's just providing suggestions based on naming schemes and maybe other information scraping out of the path, such as the version number."

  • Example findings:
    • Broken Object Level Authorization
    • Business Logic Flaws
    • Authentication vulnerabilities
    • Insecure Direct Object Reference

Quote:

"The presence of this vehicle ID in the path, maybe it's improperly handled and you could find vehicles that don't belong to this user."

Caution:

"When you're testing private environments, you do want to be aware, you know, that data is going to ChatGPT or OpenAI servers. So you want to be careful with sensitive data, of course, but public-facing API paths, those are fair game."

D. Interacting with the API in Postman

  • Import the API documentation
  • Set up authorization (JWT tokens)
  • Test endpoints as an authenticated user
  • Check for excessive data exposure and broken authorization

JWT Analysis:

  • Paste JWT into Hacking APIs GPT for decoding and risk analysis

    "You can see anything that a developer puts in there. And so we've seen passwords, we've seen admin emails and other juicy information that could be leveraged in other attacks."

  • Try changing the user role claim in the JWT (to 'admin') and see if the API accepts it: a token with an altered payload is only valid if the server skips the signature check
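An added example, not code from the video or from the Hacking APIs GPT: it shows what a decoder reveals from a JWT without trusting it, and why a role rewritten to 'admin' only gets through when the server does not verify the signature. The secret and claims are constructed.

```python
"""Decode a JWT and verify its HS256 signature before trusting any claim.
Added example, not code from the video; secret and claims are constructed.
"""
import base64, hashlib, hmac, json

SECRET = b"demo-secret-do-not-use"  # constructed; real servers load this from a key store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way a server would (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """What pasting the token into a decoder shows: claims with no trust attached."""
    return json.loads(_unb64url(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes):
    """Return the claims only if the signature checks out, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_unb64url(header)).get("alg") != "HS256":  # refuse "none"/alg swaps
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))

def tamper_role(token: str, role: str) -> str:
    """Re-encode the payload with a changed role, keeping the original signature."""
    header, body, sig = token.split(".")
    claims = json.loads(_unb64url(body))
    claims["role"] = role
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"

if __name__ == "__main__":
    original = sign_hs256({"sub": "user@example.com", "role": "user"}, SECRET)
    forged = tamper_role(original, "admin")
    print("decoder sees:", decode_unverified(forged))  # role is "admin"
    print("server accepts:", verify_hs256(forged, SECRET) is not None)  # False
```

An API that returns admin data for the forged token is using decode_unverified-style handling; the fix is to route every request through verify_hs256-style checking before reading a single claim.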

E. Finding Vulnerabilities

  • Excessive Data Exposure:

    "This is now known as broken object property level authorization in the 2019 version. This would be known as an excessive data exposure."

  • Developers often rely on 'security by obscurity':

    "We have a complex token, therefore, no one's going to be able to find that. So then our goal as attackers becomes how do we find that?"

  • Real-world impact:

    "All of these things could be exposed over a single request just like this."

F. Testing Wide vs. Deep (Postman vs. Burp Suite)

  • Postman = Testing Wide:

    "Postman is a great tool to test wide so we could see our whole API laid out over here on the side."

  • Burp Suite = Testing Deep:

    "When you want to test deep, you're going to want to transition over to burp suite."

  • Collection Runner in Postman:
    • Run all requests, check for errors (400, 500), fix parameters, ensure 200 OK responses
  • Burp Suite:
    • Proxy traffic from Postman to Burp
    • Use Intruder for brute force/fuzzing
    • Use Repeater for detailed request/response analysis

Quote:

"This is the excessive data exposure vulnerability. OK, and now we can see our response. This comes through a little clearer over here than in the proxy window or HTTP history."


7. Real-World Relevance

  • These vulnerabilities are everywhere:

    "This is real world stuff, right? You see this all the time. Yeah, that's right. We see excessive data exposure. That's fairly common. In addition to that, authorization vulnerabilities plague APIs."

  • Security controls often missing:

    "Oftentimes the tests that go from can user A interact with other resources that don't belong to them. The controls for that are missing and that can lead to pretty serious findings, passports, drivers' licenses, medical IDs. All of these things could be exposed over a single request just like this."
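An added example (not crAPI's code) covering the authorization findings in section E and the "can user A interact with resources that don't belong to them" test described here: a vulnerable vehicle lookup next to a hardened one, plus the two audit checks a tester would run against both. Records and users are constructed.

```python
"""Object-level authorization and response filtering for a vehicle lookup.
Added example, not crAPI's code; the records and users below are constructed.
"""
# Constructed sample data: two users, one vehicle each
VEHICLES = {
    "v1": {"id": "v1", "owner": "alice", "model": "Compact", "vin": "VIN-A1",
           "gps": (48.1, 11.6), "owner_email": "alice@example.com"},
    "v2": {"id": "v2", "owner": "bob", "model": "Sedan", "vin": "VIN-B2",
           "gps": (52.5, 13.4), "owner_email": "bob@example.com"},
}
# Allow-list of fields the owner may see; anything else returned is excessive data exposure
OWNER_FIELDS = ("id", "model", "vin", "gps")

def get_vehicle_vulnerable(user, vehicle_id):
    """Looks up by ID only: any authenticated user gets any vehicle, full record."""
    rec = VEHICLES.get(vehicle_id)
    return (200, dict(rec)) if rec else (404, None)

def get_vehicle_hardened(user, vehicle_id):
    """Checks the object belongs to the caller, then serialises only allowed fields."""
    rec = VEHICLES.get(vehicle_id)
    if rec is None or rec["owner"] != user:
        return (404, None)  # same answer for missing and foreign IDs: no enumeration oracle
    return (200, {k: rec[k] for k in OWNER_FIELDS})

def audit_object_access(handler):
    """The 'can user A reach user B's resources' test: returns (user, id) pairs that leak."""
    users = sorted({v["owner"] for v in VEHICLES.values()})
    leaks = []
    for user in users:
        for vid, rec in VEHICLES.items():
            status, body = handler(user, vid)
            if rec["owner"] != user and status == 200:
                leaks.append((user, vid))
    return leaks

def audit_field_exposure(handler):
    """Fields an owner receives beyond the allow-list (e.g. owner_email)."""
    extra = set()
    for vid, rec in VEHICLES.items():
        status, body = handler(rec["owner"], vid)
        if status == 200:
            extra |= set(body) - set(OWNER_FIELDS)
    return sorted(extra)

if __name__ == "__main__":
    for name, h in (("vulnerable", get_vehicle_vulnerable), ("hardened", get_vehicle_hardened)):
        print(name, "BOLA leaks:", audit_object_access(h),
              "extra fields:", audit_field_exposure(h))
```

The same two audits are what a Postman collection run with a second user's token, or a Burp Repeater session swapping IDs, performs by hand against a real API.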


8. Final Thoughts & Call to Action

  • Corey Ball's contributions:

    "You've written this book, fantastic book that shares your knowledge. Lots and lots of hard work to write a book like this, I know. But you also created free training and, you know, doing the YouTube videos. I really want to thank you for sharing and giving back to the community."

  • No excuses:

    "Once again, you have no excuse now. You have free training. You know, it's all available to you. So go make the most of it."


Summary Table: Key Tools & Concepts

  Tool/Concept                 | Purpose/Use Case
  -----------------------------|---------------------------------------------------------------------
  crAPI                        | Vulnerable API lab for hands-on practice
  mitmweb                      | mitmproxy web interface; proxy to capture web/app traffic
  mitmproxy2swagger            | Auto-generate OpenAPI/Swagger documentation from captured traffic
  Swagger Editor               | Visualize and edit OpenAPI specs
  Postman                      | Organize, test, and automate API requests (test wide)
  Burp Suite                   | Deep-dive into individual requests, fuzzing, brute force (test deep)
  ChatGPT / Hacking APIs GPT   | AI-powered endpoint analysis, JWT decoding, payload suggestions
  OWASP API Security Top 10    | Industry standard list of API vulnerability classes

Memorable Quotes (Translated to English)

  • "APIs represent close to 90 percent of all web traffic that's going across the Internet."
  • "Those often contain the most valuable resource that an organization is trying to keep safe. It also contains what the attackers are most interested in. And that's the data that's there."
  • "We see excessive data exposure. That's fairly common. In addition to that, authorization vulnerabilities plague APIs."
  • "Those who can code excel in cybersecurity."
  • "You don't have to enroll in expensive courses or spend countless hours on confusing tutorials to level up your coding skills."
  • "The courses are completely free. You sign up with your email. You can go through, complete the course, watch all the videos, read the content, take the quizzes and walk away with a free certificate of completion on those courses."
  • "We have a complex token, therefore, no one's going to be able to find that. So then our goal as attackers becomes how do we find that?"
  • "All of these things could be exposed over a single request just like this."
  • "Once again, you have no excuse now. You have free training. You know, it's all available to you. So go make the most of it."

Conclusion

If you want to level up your cybersecurity skills, especially in API hacking, you have everything you need: free courses, hands-on labs, and even AI tools to help you analyze and exploit APIs.
Don't miss out: go sign up, practice, and become a more skilled, confident, and versatile cybersecurity professional!


What would you like Corey to demonstrate next? Drop your comments below and make the most of these amazing free resources!

Summary completed: 7/19/2025, 11:34:02 AM
