If you had told me a decade ago that you can make a good living hacking APIs, I would have thought you were daft. Sure, there has always been a field for this work, but it’s never been as easy to get involved in ethical hacking that companies actually invite as it is today.
There are so many people out there at various points in their API hacking careers. From hobbyists to hardcore hackers, there are just so many ways to make money… legally… and I want to share some of those with people new to the field.
Before I can do that though, I need to get something off my chest…
API Hacking and API Security Testing are the same bloody thing (sorta)
For over 30 years I have been building and breaking software. I have enough war wounds to know what NOT to do, and one of those scars comes from the poor attitudes I see from developers who think “lesser” of QA people.
Decades ago, someone thought software engineers should be put on pedestals, while those who tested the code were not.
It was idiotic.
I remember Gene Spafford once saying you can’t build secure systems unless you know the threats to which you are susceptible. I’d take that further and state you can’t build secure systems if you don’t actually know how to look for and defend against vulnerabilities in said systems.
Especially when modern web applications are calling API endpoints and pulling back sensitive data from the server all the time.
And this is EXACTLY what an API security tester does. They follow a well-defined test plan that looks for vulnerabilities in the API.
Now here is the funny thing. As of late, the “cool kids” all wanna be “hackers”. QA and dev alike. It’s like it’s some dark art that makes you more elite. Oh sorry… I should say 1337. (Does that make me ‘leet now? 🤣)
You aren’t an API security tester. You’re an API hacker. At least, that’s what people want you to believe.
Fine, it’s the same bloody thing. Call it whatever you like. If you are hacking at an API in an attempt to break it to demonstrate vulnerable code, you’re an API hacker. But guess what? You can just as easily call yourself a Security Tester. Or Application Penetration Tester.
I honestly don’t care about titles. It doesn’t define who YOU are. What really matters is that you can actually DO IT.
With that out of the way, let me show you a few ways you can make money hacking APIs. Depending on where you are in your career, different jobs may be more exciting, reliable, or interesting. No one way is better than the other. It all comes down to your goals in life, your interests, the opportunities ahead of you, and of course your interest in finding vulnerabilities.
So let’s dive in.
API Bug Bounties
API bug bounty hunting is a great way to make money while hacking on an application programming interface. Companies and organizations will pay good money for people who can find and report bugs in their systems. That includes their REST APIs. The best part is that you don’t need any formal training to get started – just a willingness to learn and the ability to find vulnerabilities.
Let me unwrap that for ya. (Boo, hiss… bad pun … I know)
There are platforms like HackerOne and Bugcrowd that allow you to learn and earn. They offer practical training to improve your tradecraft to hack APIs and then offer you a directory of bug bounty programs that expose you to different companies, their applications, and their infrastructure.
But you don’t have to use these platforms. If you have a strong relationship with, and access to, a company that builds software, and they have a reasonable vulnerability disclosure program (VDP) that clearly articulates what you can (and cannot) test so you stay within legal bounds, it might be just as good. This is sometimes called “scope”, as it helps to define what is in and out of scope when doing API security testing. These companies may even offer bug bounties themselves, which means you can still get paid.
If you don’t like working with the software vendors themselves, you can use a broker. Programs like the Zero Day Initiative (ZDI) and Zerodium come to mind. These platforms allow you to privately disclose vulnerabilities you find and get paid without having to deal with the hassle of working with the companies directly. ZDI uses the data to enrich the products Trend Micro builds as they disclose it to the vendors. Zerodium uses the data to resell exploits to government institutional clients who subscribe to their zero-day research feed.
It’s not up to me to tell you which way to go. While ZDI and Zerodium typically have much higher payouts and faster turnaround, you sometimes have to question who gets the exploits first, and how quickly vendors get to know about it.
Crowdsourced platforms like HackerOne and Bugcrowd have awesome communities to engage with. They make hacking fun. And it’s not uncommon to find a great Python script or trick with Burp Suite from other hackers in the community. But it’s tailored much more to the younger generation. Heck, they call me grandpa in the Discord channels at times, which is saying something.
One other thing to consider with crowdsourced platforms is that public programs are usually pretty saturated with beginner hackers. The good thing with API hacking is that you usually have to “go deeper” into logic bugs which weeds out a lot of the people who are too lazy, or too unskilled, to win big.
Speaking of “winning big”, I want to be clear about income potential here. While these platforms like to toot their horns about their “million dollar” hackers, make sure you look CLOSER at the numbers. The average hacker on HackerOne, as an example, only makes around $20,000/year. But they also only do it part-time.
Bug bounties are hard work. It’s hit-and-miss. Feast and famine. You could have a good go and earn tens of thousands in no time flat; you could just as easily keep getting responses that you have found another “dupe” (a duplicate bug already reported) and get paid nothing for the API vulnerabilities you report.
If becoming a full-time bug bounty hunter is something you might want to consider, I encourage you to go read Alex Chapman’s post on the topic. He goes into the benefits and risks to consider, speaks from his own experience, and offers some great advice. Well worth checking out.
Application Penetration Tester
So maybe the uncertainty of bug bounties isn’t your thing. Or maybe you don’t have the discipline to work without company structure. In that case, maybe becoming an Application Penetration Tester (pentester) is more up your alley.
Just to be clear, a web application pentester is an entirely different career than a normal pentester. The difference lies in the focus. A typical pentester focuses on the design, implementation, and maintenance of a network and the devices connected to it. An application pentester focuses on the web applications that may run on those devices and the security surrounding them, typically to find coding flaws (vulnerabilities) to exploit.
It’s not uncommon for application pentesters to work with their network pentester counterparts. As part of an engagement, you might be tasked to black-box test a modern web application that will include backend REST APIs to hack. Many modern applications are single-page applications, which makes penetration testing more interesting because the API requests are much easier to see.
Application pentesters typically work for a penetration testing firm. It is a much more stable living than bug bounty hunting, with average salaries higher than a lot of entry-level tech jobs. Experienced application pentesters typically get paid more than their network pentester counterparts, mostly because of the complexity of the work: not the detection of vulnerabilities, but the ability to reverse engineer and actually write the exploits.
Here is another benefit for application pentesting over bug bounty hunting. Scope. A typical bug bounty hunter is limited in the scope of the target. They can rattle the cages but aren’t normally permitted to pivot deeper into the app and infrastructure. That’s not normally the case for an application pentest engagement.
On the flip side, application penetration testing is usually time-boxed, whereas bug bounty hunting is not. That means you don’t always get the time you want (or need) to really get down and dirty in a weak area of an application or API that you are trying to break.
In any case, making money as an Application Penetration Tester can be quite good. In the US and Canada, the median salary is around $150,000/year for a web application pentester.
Software Developer in Test (SDET)
Maybe the complexities of black-box testing aren’t your thing. If you have the skills and understand how to read and write code, you might be able to get a job hacking an API from the inside. It is much more interesting to be able to track code changes from within the source control system and find areas of the application and API that may be easier to abuse.
Not only do you get a better look at how the API works; you get to see “how the sausage is made”, so to speak. You get to learn about how the developers responsible for building the APIs do their work, see the patterns, and in time, predict where weaker code that may be vulnerable resides in the codebase.
This is also a great place to apprentice. When first starting in your career, a role like this typically has stronger leadership that you can follow… mentors you can learn from as you improve your tradecraft.
This role is typically called something like Software Developer In Test, or SDET for short. But you have to be careful. You want a role with a clear application security focus. The skillset here warrants a higher pay scale than that of a normal SDET. Where a typical SDET has a median salary of around $75,000/year, a good appsec SDET has a median salary closer to $130,000/year.
Notice anything interesting about some of the things I just talked about?
Someone who reads and writes code (aka a developer) makes LESS than a web application pentester.
Screw the pedestal I say.
It’s not about the titles… it’s about abilities, capabilities, and curiosity.
A good API hacker is worth their weight in gold. Many companies who build software just don’t see that yet. While they invest heavily in their developers, few invest as much (or more) in the people who play a critical part in application security. A bit of offense on the red team to find and fix the vulnerabilities before their adversaries do is a great investment… and the API hacker is primed to do the most good (or evil, depending on how you look at it) to help with that.
Interested in making money as an API hacker? Check out my Ultimate Guide of API Hacking Resources. It contains tons of resources that can help you get started in your career.