3 training resources to improve your API hacking tradecraft

Training resources to improve your API hacking tradecraft

With the new year upon us, I thought it might be a good kick-off to provide some guidance on a few resources that might help you improve your API hacking tradecraft.

There are tons of resources online you can use. If you aren’t sure, you can always download my free ebook on The Ultimate Guide to API Hacking Resources.

In any case, here are three resources that I think every aspiring API hacker should complete to level up their skills.

Let’s go!

#1 – Corey Ball’s free “API Penetration Testing” course

Corey Ball’s “API Penetration Testing” course is an excellent resource for those starting out with learning the basics of attacking web APIs. The content in his course centers around understanding the differences between web and API attacks and understanding the fundamentals of attacking web APIs.

The course is modeled from his book on the topic, “Hacking APIs: Breaking Web Application Programming Interfaces.”.

Side note: If you want to see my review of his book, you can check it out here, along with several other books you should check out.

Course topics include:

  • Introduction
  • Lab Setup
  • API Recon
  • Endpoint Analysis
  • Scanning APIs
  • API Auth Attacks
  • Exploiting API Authorization
  • Testing for Improper Assets Management
  • Mass Assignment
  • Injection Attacks
  • Rate Limit Testing
  • Combining Tools & Techniques

This a great resource if you are just getting started and want to put your API hacking tradecraft to the test.

The course includes tons of videos. While I admit I’m not a fan of how Corey simply reads the course content on camera, he more than makes up for it when he gets into demonstrating how to do things during screen sharing.

You can’t complain about a great free resource like this. It allows you to go at your own pace and gain experience in many of the critical skills needed to hack APIs.

#2 – My free TryHackMe room on “OWASP API Security Top 10”

So last year Amiran Alavidze (aka airman) and I put together a hands-on workshop for OWASP to help API hackers learn about the OWASP API Security Top 10. We decided to leverage Tushar Kulkarni’s work on the vAPI project to deliver a private walkthrough room on TryHackMe that we worked through during a live event.

Our goal was to help people learn how to use tools like Postman and BurpSuite together to approach common API vulnerabilities. The walkthrough room covers the core objectives of the OWASP API Security Top 10, including:

  • How to setup Postman and BurpSuite to work together
  • Broken Object Level Authorization (BOLA)
  • Broken User Authentication
  • Excessive Data Exposure
  • Lack of Resource & Rate Limiting
  • Broken Function Level Authorization (BFLA)
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Assets Management
  • Insufficient Logging & Monitoring

The room leverages TryHackMe’s cloud infrastructure to spin up your own private instance in an isolated cyber range so you can hack against it and not fret about damaging anything, or other students sharing your resources.

The room itself includes screenshots and a full walkthrough of all the core aspects of each vulnerability. In many cases, it also includes a description of how to PREVENT the vulnerability, helping you to have a more meaningful dialog with software developers in the types of vulns you might find and how to go about fixing them.

All you need is a free TryHackMe account to access the private room. You can join the room here.

#3 – PentesterLab’s paid exercises toward the pro “API Badge”

Last but certainly not least are the exercises at PentesterLabs. They have a dedicated API Badge that covers a ton of different topics, including:

  • How to approach modern single-page applications (SPA) like Rails/Angular
  • How to look for unused endpoints in Javascript
  • How to leverage and manipulate access tokens
  • How to abuse shopping cart APIs and break application logic
  • How to abuse MongoDB through IDOR/BOLA

In all, there are almost 20 exercises and 18 videos you can go through, with more to come focused on API hacking on mobile. I wouldn’t approach this content first. You need to have some skills before tackling it. Those could be from the other resources I already mentioned or by completing some of the other badges on PentesterLabs first.

While they do provide some videos to help, I don’t find they offer as much helpful content as what Corey and I have provided. It’s more of a direct challenge to verify your current skills.

You can easily pay for just one month of PentesterLabs PRO ($20/month) and complete all the lab exercises in just a few sittings. I think I originally completed them in just two evenings. YMMV, of course.

If you can’t afford to subscribe to PentesterLab, then make sure you subscribe to my free newsletter called the API Hacker’s Inner Circle. From time to time, I give away 30 and 90-day vouchers to both PentesterLab and TryHackMe, as well as other resources like running contests to give away some of my favorite books.

#BONUS – Portswigger’s Web Security Academy

Let’s not forget about Portswigger’s Web Security Academy. While the focus is more on web application security, there is still some really great API hacking content here that I think is worth mentioning.

They offer tutorials on a wide range of topics, including:

  • Injection attacks (SQL, Command, XXE)
  • Authentication bypass
  • Business logic vulnerabilities
  • Access control violations
  • Directory traversal
  • File upload vulnerabilities
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS)
  • Cross-Site Scripting (XSS)
  • Server Side Template Injection (SSTI)
  • HTTP Host Header attacks
  • JWT attacks
  • And much more

If you spend some time going through the content, I think you’ll find a lot of great information and resources here. It may even spark some ideas for your own research into API security flaws. So make sure to check it out!


In conclusion, there are many different training resources available to help you improve your API hacking tradecraft. Whether it’s free content such as Corey’s course, my TryHackMe walkthrough room, PortSwigger’s Web Security Academy, or paid exercises on PentesterLab, you can find something to suit your needs and budget.

Or better yet, DO THEM ALL! Knowledge is power. 🤣

And don’t forget, you can find tons of other useful online resources in my free ebook of the Ultimate Guide to API Hacking Resources.

So don’t wait any longer; start improving your skills today!

Happy Hacking! 🙂

Dana Epp