📅 8-Week API Hacking Study Plan

This roadmap takes you from beginner to advanced API hacking skills step by step, with weekly goals, labs, and practice.

🟢 Week 1: API Basics & Tools

• Learn what APIs are: REST, GraphQL, SOAP differences.
• Understand HTTP basics: methods (GET, POST, PUT, DELETE, PATCH), headers, status codes.
• Tools setup:
  • curl (command line)
  • Postman / Insomnia
  • Burp Suite (community edition is fine)
• Explore API documentation:
  • Swagger / OpenAPI
  • Postman collections
• ✅ Lab: PortSwigger "HTTP Basics", APIsecU API 101

🟢 Week 2: Authentication in APIs

• Study API Authentication methods:
  • API keys
  • Basic Auth
  • OAuth2
  • JWT (JSON Web Tokens)
• Learn JWT attacks:
  • none algorithm attack
  • Weak secret brute force
  • Token replay
• ✅ Labs:
  • PortSwigger "JWT vulnerabilities"
  • APIsecU Authentication labs

🟢 Week 3: Authorization Flaws (IDOR & BOLA)

• Learn about Broken Object Level Authorization (BOLA).
• Exploit IDOR vulnerabilities.
• Understand how API endpoints often leak data.
• Try parameter tampering (/api/v1/user/123 → /124).