2025-12-13, Track 2
APIs are everywhere. This talk gives a crash course in hacking APIs, aimed at pentesters and bug bounty hunters who want to understand what they are looking at and what they are looking for. This talk will cover practical skills, real-world examples, and a clear testing methodology.
First we’ll cover the essentials: mapping API endpoints and abusing common issues like broken object-level authorisation (BOLA) and mass assignment. Then we’ll move on to working at scale: automation and scripting attacks for long-term bug bounty targets.
If you’ve ever looked at an API and thought, “Where do I start?”—this talk is for you.
This talk will be a fast-paced introduction to hacking modern APIs. It’s designed for pentesters, bug bounty hunters, and security enthusiasts who want to improve their ability to find and exploit real-world API flaws. Attendees won't need to be API experts, but should be comfortable with basic web attacks.
We'll start off by understanding what makes APIs different from (and often more vulnerable than) traditional web apps, and then dive into a practical methodology for testing APIs, including:
- How to map API endpoints manually and automatically
- Common vulnerabilities like BOLA, mass assignment, IDOR, and rate-limit abuse
- Tricks to uncover hidden functionality or attack surface
- Using proxy tools and custom scripts effectively
The goal is to give attendees actionable takeaways and a structured approach they can use immediately in their testing.
I like to talk about everything and anything appsec related.
Socials: https://linktr.ee/appsecexplained
