June 9, 2026
API Hacking Sounds Scary Until You Realize It’s Just Changing Numbers
No complex setups. No secret tools. Just you and your browser.
I used to avoid APIs like the plague.
Looked complicated. JSON everywhere. Authentication headers. Rate limiting. I stuck to normal web pages because at least I understood those.
Then someone told me something that changed everything.
APIs are just websites without the makeup. Same bugs. Same logic. Just less stuff in the way.
– -
What I Didn't Understand At First
A normal website has buttons, forms, and pages. An API has endpoints. That's the only difference.
Instead of clicking a button that says "View Profile," the API sends a request to /api/user/123. Same thing. Different format.
The bugs are the same too. IDOR still works. Broken auth still works. Injection still works.
The only difference is you're looking at raw JSON instead of a pretty HTML page.
– -
How I Started Testing APIs Without Panicking
First, I stopped trying to understand everything at once.
I just opened my browser's network tab. Clicked around a site that had an API. Looked at every request that went to /api/, /v1/, or /graphql.
Then I copied one request and pasted it into Burp Repeater. That's it. Nothing fancy.
From there, I did the same things I do on normal websites. Changed IDs. Added parameters. Removed headers.
It worked. I found my first API bug within an hour of trying.
– -
The Three API Tests That Actually Work
Test 1 – Change the ID in the URL or JSON body.
/api/user/123 to /api/user/124
{"user_id": 123} to {"user_id": 124}
Same as normal IDOR. Just in a different format.
Test 2 – Remove authentication headers.
If a request has Authorization: Bearer token123, remove it. Send it again. Does it still work? If yes, that's a bug. Anyone can access that endpoint without being logged in.
Test 3 – Check for old API versions.
Try /api/v1/user/123 and /api/v2/user/123. Sometimes v1 is forgotten and has fewer security checks. I found an IDOR on a v1 endpoint that was fixed in v2 but they never removed the old one.
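The three tests above each map to one missing check on the server. The following is an added example, not code from the post or from any site the author tested: a hypothetical in-memory orders API in Python, with a legacy v1 handler that fetches whatever id it is given and a v2 handler that authenticates the caller and checks object ownership. The tokens, user ids, order ids and the /api/<version>/orders/<id> path shape are all constructed for illustration. It shows why Test 1 and Test 2 succeed against v1, why they fail against v2, and what retiring the old version looks like (Test 3).

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data (not from any real site): bearer tokens -> user ids,
# and orders keyed by a sequential numeric id, each owned by one user.
SESSIONS: Dict[str, int] = {"token-alice": 123, "token-bob": 124}
ORDERS: Dict[int, dict] = {
    12345: {"owner": 123, "name": "Alice", "item": "headphones"},
    12344: {"owner": 124, "name": "Bob", "item": "keyboard"},
}

Response = Tuple[int, dict]  # (HTTP status, JSON body)
Handler = Callable[[int, Dict[str, str]], Response]


def current_user(headers: Dict[str, str]) -> Optional[int]:
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_order_v1(order_id: int, headers: Dict[str, str]) -> Response:
    """Legacy handler: fetches whatever id the caller asked for.

    It never reads the Authorization header and never compares the order's
    owner with the caller, so Test 1 (change the id) and Test 2 (drop the
    header) both succeed against it.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_v2(order_id: int, headers: Dict[str, str]) -> Response:
    """Hardened handler: authenticate first, then authorize against the object."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    # Same 404 for "no such order" and "not your order": a 403 here would
    # confirm to the caller that the guessed id exists.
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


# Routing table as the post describes it: v2 got the checks, v1 stayed online.
ROUTES: Dict[str, Handler] = {"v1": get_order_v1, "v2": get_order_v2}

# The fix for Test 3: delete the v1 route, or point it at the checked handler.
ROUTES_FIXED: Dict[str, Handler] = {"v1": get_order_v2, "v2": get_order_v2}

PATH_RE = re.compile(r"/api/(v\d+)/orders/(\d+)")


def handle(method: str, path: str, headers: Dict[str, str],
           routes: Dict[str, Handler] = ROUTES) -> Response:
    """Dispatch a request to the handler registered for its API version."""
    match = PATH_RE.fullmatch(path)
    if method != "GET" or match is None:
        return 404, {"error": "not found"}
    version, order_id = match.group(1), int(match.group(2))
    handler = routes.get(version)
    if handler is None:
        return 404, {"error": "unknown api version"}
    return handler(order_id, headers)


if __name__ == "__main__":
    alice = {"Authorization": "Bearer token-alice"}
    # Test 1 on v1: Alice's token reads Bob's order.
    print(handle("GET", "/api/v1/orders/12344", alice))
    # Test 2 on v1: no header at all still works.
    print(handle("GET", "/api/v1/orders/12344", {}))
    # The same two requests against v2: 404 and 401.
    print(handle("GET", "/api/v2/orders/12344", alice))
    print(handle("GET", "/api/v2/orders/12344", {}))
    # After retiring the legacy route, v1 is closed as well.
    print(handle("GET", "/api/v1/orders/12344", alice, ROUTES_FIXED))
```

The design point is that the ownership check lives inside the handler that serves the object, not in a layer the old route can bypass: as long as v1 dispatches to a handler without that check, every fix applied to v2 leaves the data reachable.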
– -
The Mistake That Cost Me Months
I thought I needed special tools to test APIs. Postman. Insomnia. Custom scripts.
I didn't. Burp and my browser were fine.
The tools are nice but they don't find bugs. Changing numbers and seeing what breaks finds bugs.
I wasted so much time learning tools I barely use now.
– -
A Real Example From Last Month
I was testing a shopping site. Normal web pages were locked down tight. Nothing.
Then I opened the network tab and saw requests to /api/orders/12345.
I changed 12345 to 12344. Got back someone else's order. Name, address, what they bought.
That was it. Took two minutes. Paid $800.
The main website had no IDOR because they built their own checks. The API was newer and they forgot to add them.
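The order-walking described above leaves a recognisable trace in the API's access logs, which is what a security team would want to alert on. The following is an added example and not code from the post or from the site it describes: a small Python detector run over constructed log lines in an assumed format (timestamp, session id, method and path, status). It flags sessions that successfully read a dense run of distinct order ids, which is how a probe looks, and counts the 403/404 responses that a hardened endpoint returns for ids the session does not own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines (not from any real system). Assumed format:
#   <timestamp> session=<session id> GET <path> <status>
# The "s-probe" session walks order ids one at a time; the others look normal.
LOG_LINES = [
    "2026-06-01T10:00:01Z session=s-alice GET /api/v2/orders/12345 200",
    "2026-06-01T10:00:09Z session=s-alice GET /api/v2/orders/12345 200",
    "2026-06-01T10:02:30Z session=s-alice GET /api/v2/orders/12350 200",
    "2026-06-01T10:05:00Z session=s-carol GET /api/v2/orders/12300 200",
    "2026-06-01T10:05:40Z session=s-carol GET /api/v2/orders/12800 200",
    "2026-06-01T10:06:10Z session=s-carol GET /api/v2/orders/13100 200",
    "2026-06-01T11:00:00Z session=s-probe GET /api/v1/orders/12340 200",
    "2026-06-01T11:00:01Z session=s-probe GET /api/v1/orders/12341 200",
    "2026-06-01T11:00:02Z session=s-probe GET /api/v1/orders/12342 200",
    "2026-06-01T11:00:03Z session=s-probe GET /api/v1/orders/12343 200",
    "2026-06-01T11:00:04Z session=s-probe GET /api/v1/orders/12344 200",
    "2026-06-01T11:00:05Z session=s-probe GET /api/v1/orders/12345 200",
    "2026-06-01T11:00:06Z session=s-probe GET /api/v1/orders/12346 200",
    "2026-06-01T11:00:07Z session=s-probe GET /api/v1/orders/12347 404",
    "2026-06-01T11:00:08Z session=s-probe GET /api/v1/orders/abc 400",
    "this line is not an access log entry",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) GET "
    r"(?P<path>/api/(?:v\d+/)?orders/(?P<order_id>\d+)) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["order_id"] = int(rec["order_id"])
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines: List[str], min_ids: int = 5, max_gap: int = 5) -> List[dict]:
    """Flag sessions that successfully read many distinct, closely spaced order ids.

    A customer fetches a handful of their own orders, normally far apart in the
    id space. A session walking the ids produces a dense run of successes.
    """
    successes: Dict[str, set] = defaultdict(set)
    failures: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        if rec["status"] == 200:
            successes[rec["session"]].add(rec["order_id"])
        elif rec["status"] in (403, 404):
            failures[rec["session"]] += 1

    alerts = []
    for session, ids in successes.items():
        ordered = sorted(ids)
        if len(ordered) < min_ids:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps) <= max_gap:
            alerts.append({
                "session": session,
                "distinct_ids": len(ordered),
                "id_range": (ordered[0], ordered[-1]),
                "failures": failures[session],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(LOG_LINES):
        print(alert)
```

Against the sample lines only s-probe is reported: seven distinct ids from 12340 to 12346 with every gap of one, plus one 404. The thresholds are deliberately simple; in practice the success-run rule catches an unprotected endpoint like the v1 route in the story, while a burst of 403/404s from one session is the signal to watch once the endpoint has been fixed.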
– -
What You Should Do Today
Pick any site with an API. Most do. Open your browser's network tab. Click around. Find a request to something that looks like /api/ or /v1/.
Copy it. Change a number. Send it. See what comes back.
You'll probably find nothing. That's fine. Try again tomorrow.
But eventually you'll find something. And you'll wonder why you were ever scared.
– -
Found an API bug recently? Drop how you found it in the comments. I'm always looking for new techniques.
If this made APIs less scary, clap and follow.
Want more daily bug hunting content? Connect with me on LinkedIn: https://www.linkedin.com/in/bughunter