Requested resource is not accessible

The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription


API is now being used by every web/mobile/desktop application to communicate with each other. But, as any other technology, it has its strengths and weaknesses. In this course we will focus on REST API and we will go through ​ the techniques used to find weaknesses and exploit them, also the countermeasures​ ​ used​ ​ by​ ​ developers.


Certificate of completion, 18 CPE credits (course duration: 18 hours)

Course is self-paced


What will you learn?

  • API​ ​ Standards​ ​ (e.g.,​ Authentication​, Data​ ​ Exchange​,​ etc.)
  • API​ ​ Attacks​ ​ and​ ​ Countermeasures

What skills will you gain?

  • Practical experience in pentesting​ ​REST API
  • How to implement​ ​ Secure​ ​ API

What will you need?

  • PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)
  • API​ ​ testing​ ​ tool​ ​ (e.g.,​ ​ PostMan)
  • Proxy​ ​ tool​ ​ (e.g.,​ ​ Burp​ ​ Suite, Fiddler)

What should students know before they join?

  • Previous​ ​ knowledge​ ​ of​ ​ how​ ​ web​ ​ works​ ​ (e.g.,​ ​ HTTP​ ​ Protocol​, HTTP​ ​ Methods​, etc.)
  • ​Understanding​ ​ of basic​ ​ web​ ​ vulnerabilities (e.g., XSS, CSRF, Open Redirect, IDOR, etc.)

DEMO:



Your Instructor: Eslam​ ​ Salem​ ​ Mahmoud

 

CEO​ ​ & ​ ​ Founder​ ​ of​ ​ Shieldfy.​ ​ Web​ ​ developer​ ​ since 2004​ ​ and​ ​ web​ ​ security​ ​ advisor​ ​ since​ ​ 2012.

Former​ ​ speaker​ ​ at​ ​ Cairo​ ​ Security​ ​ Camp.

Security​ ​ lover​ ​ & ​ ​ open​ ​ source​ ​ evangelist.

Read an interview with Eslam at Hakin9 Blog here >>

 

 

 


Syllabus


Module 1: Introduction​ ​ to​ ​ API
Module 1 covered topics:

  • What​ ​ is​ ​ API​/API​ ​ Centric​ ​ Applications​?
  • Intro​ ​ to​ ​ REST.
  • REST API Fingerprinting​ ​/ Fuzzing.
  • Intro to ​ API Authentication​​ ​ (Basic, JWT, OAuth).

Module 1 exercises:

  • Fingerprinting​ ​ API.
  • REST​ ​ Methods​ ​ Manipulations.

Module 2: Authentication​ ​ part​ ​ 1
This​ ​ module​ ​ covers​ ​ authentication​ ​ in​ ​ depth​​ (Basic​​ Auth,​​ JWT​). Covered topics:

  • Basic​ ​ Authentication.
  • Basic​ ​ Digest​ ​ Authentication.
  • Session​ ​ based​ ​ vs​ ​ Token​ ​ based.
  • JWT​ ​ (Json​ ​ Web​ ​ Tokens)​ ​ - ​ ​ Implementation​ ​ & ​ ​ Attacks.

Module 2 exercises:

  • Crack​ ​ JWT​ ​ Secret​ ​ Key.
  • Bypass​ ​ JWT​ ​ Hash​ ​ Check.

Module 3:​ Authentication​ ​ part​ ​ 2 ​ ​ (Authorization)
This​ ​ module​ ​ cover​s ​ authentication​ ​ in​ ​ depth​ ​ (OAuth​). Covered topics:

  • OAuth​ ​ 1, ​ ​ 1.0a​, 2 ​ ​ - ​ ​ Standards​ ​ & ​ ​ Implementation.
  • Stealing​ ​ OAuth​ ​ Access​ ​ tokens.
  • CSRF​ ​ Attack​ ​ on​ ​ OAuth.
  • Attacking​ ​ authorization​ ​ code​ ​ grant​ ​ flow.
  • Open​ ​ Redirect​ ​ in​ ​ OAuth.

Module 3 exercises:

  • Steal​ ​ OAuth​ ​ tokens.
  • Attack​ ​ Authorization​ ​ Flow.
  • CSRF​ ​ Attack​ ​ on​ ​ OAuth.

Module 4: Other​ ​ Attacks​​ ​ On​ ​ API
This​ ​ module​ ​ covers​ ​ other​ ​ attacks​ ​ performed​ ​ against​ ​ API. Covered topics:

  • DoS​ ​ attacks​ ​ on​ ​ API.
  • Bruteforcing​ ​ Attacks.
  • Attack​ ​ Development/Staging​ ​ API’s.
  • Traditional​ ​ attacks​ ​ (XSS, SQLI, IDOR,​ etc.).

Module 4 exercises:

  • Basic​ ​ sqli/xss​ ​ attack​ ​ on​ ​ API.
  • Finding​ ​ Dev​ ​ API​ ​ and​ ​ use​ ​ it​ ​ to​ ​ bypass​ ​ protection​ ​ on​ ​ production​ ​ API.

Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • Your time will be filled with reading, videos, and exercises. 


QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.