Python › Python for Pentesters
Parsing JSON responses
JSON is how APIs talk, and here’s the good news: JSON maps perfectly onto Python. A JSON object becomes a dictionary; a JSON array becomes a list. That means API testing is just the dict-and-list navigation you already learned — there’s no separate skill to acquire.
You'll learn to
- Parse a JSON response into Python objects
- Navigate nested JSON to pull out fields
- See why this is the core of API testing
From response to data
import requests
r = requests.get("https://api.example.com/users/1")
data = r.json() # parse the JSON body into a dict/list
data["email"] # access a field by key
data["roles"][0] # first item of a nested list
data.get("isAdmin", False) # safe access with a default if missing
r.json() parses the response body into Python objects. A JSON object like {"email": "...", "roles": [...]} becomes a dictionary, so you navigate it with the key access from the fundamentals. Use .get(key, default) when a field might be missing — [key] crashes on absence, .get() returns a default.
Building and reading JSON directly
import json
text = json.dumps(data, indent=2) # dict → pretty JSON string (great for logging)
obj = json.loads('{"a": 1}') # JSON string → dict
The json module converts between strings and Python objects when you need to read or build raw JSON yourself — for example, pretty-printing a response while you explore it.
Why this is the core of API testing
# Sweep object IDs looking for ones you shouldn't access (IDOR):
for uid in range(1, 100):
r = requests.get(f"https://api.example.com/users/{uid}", headers=auth)
if r.status_code == 200:
data = r.json()
print(uid, data.get("email")) # got someone else's data?
Checkpoint
A response nests a user object that has an id of 5 and a roles list holding editor then admin. How do you read the second role?
data['user']['roles'][1] — step into the user object, then its roles list, then index [1] for the second item. JSON objects are dicts and JSON arrays are lists, so you chain key and index access.
Try it yourself
Request https://httpbin.org/json (it returns sample JSON), call .json() on it, and pretty-print the result with json.dumps(data, indent=2). Then navigate into the structure to pull out one nested value.
Summary
r.json() parses a JSON response into Python dicts and lists, so you navigate it with the key and index access you already know. Use .get() for fields that might be missing, and the json module (dumps/loads) to pretty-print or build JSON yourself. Because JSON is dicts and lists, API testing — sweeping IDs, spotting privilege fields, finding hidden keys — uses exactly the skills from the fundamentals.
Key takeaways
r.json()turns a JSON body into a dict/list you navigate normally..get(key, default)is safer than[key]for optional fields.json.dumps(data, indent=2)pretty-prints a response for exploration.- API hacking is JSON navigation — the dict/list skills you already have.
Quick quiz
Next, staying logged in: sessions, cookies, and authentication — the key to testing everything behind a login.