API Security: Offence and Defence 2nd Edition (W35)

$269.00

1 in stock


Get the access to all our courses via Subscription

Subscribe

Category: Tags: , , ,

API is now being used by every web/mobile/desktop application to communicate with each other. But, as any other technology, it has its strengths and weaknesses. In this course we will focus on REST API and we will go through ​ the techniques used to find weaknesses and exploit them, also the countermeasures​ ​ used​ ​ by​ ​ developers.


API Security: Offence and Defence 2nd Edition is here!

Course length: 18 hours

18 CPE points

On-demand, self-paced



What will you learn?

  • API​ ​ Standards​ ​ (e.g.,​ Authentication​, Data​ ​ Exchange​,​ etc.)
  • API​ ​ Attacks​ ​ and​ ​ Countermeasures

What skills will you gain?

  • Practical experience in pentesting​ ​REST API
  • How to implement​ ​ Secure​ ​ API

What will you need?

  • PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)
  • API​ ​ testing​ ​ tool​ ​ (e.g.,​ ​ PostMan)
  • Proxy​ ​ tool​ ​ (e.g.,​ ​ Burp​ ​ Suite, Fiddler)

What should you know before you join?

  • Previous​ ​ knowledge​ ​ of​ ​ how​ ​ web​ ​ works​ ​ (e.g.,​ ​ HTTP​ ​ Protocol​, HTTP​ ​ Methods​, etc.)
  • ​Understanding​ ​ of basic​ ​ web​ ​ vulnerabilities (e.g., XSS, CSRF, Open Redirect, IDOR, etc.)

Your Instructor: Eslam​ ​ Salem​ ​ Mahmoud

eslam-photo-apiCEO​ ​ & ​ ​ Founder​ ​ of​ ​ Shieldfy.​ ​ Web​ ​ developer​ ​ since 2004​ ​ and​ ​ web​ ​ security​ ​ advisor​ ​ since​ ​ 2012.

Former​ ​ speaker​ ​ at​ ​ Cairo​ ​ Security​ ​ Camp.

Security​ ​ lover​ ​ & ​ ​ open​ ​ source​ ​ evangelist.

 

 

 

 


Syllabus


Module 1: Introduction​ ​to​ API
Module 1 covered topics:

  • What​ ​ is​ ​ API​/API​ ​ Centric​ ​ Applications​?
  • Intro​ ​ to​ ​ REST.
  • REST API Fingerprinting​ ​/ Fuzzing.
  • Intro to ​ API Authentication​​ ​ (Basic, JWT, OAuth).

Module 1 exercises:

  • Fingerprinting​ ​ API.
  • REST​ ​ Methods​ ​ Manipulations.

Module 2: Authentication​ ​ part​ ​ 1
This​ ​ module​ ​ covers​ ​ authentication​ ​ in​ ​ depth​​ (Basic​​ Auth,​​ JWT​). Covered topics:

  • Basic​ ​ Authentication.
  • Basic​ ​ Digest​ ​ Authentication.
  • Session​ ​ based​ ​ vs​ ​ Token​ ​ based.
  • JWT​ ​ (Json​ ​ Web​ ​ Tokens)​ ​ - ​ ​ Implementation​ ​ & ​ ​ Attacks.

Module 2 exercises:

  • Crack​ ​ JWT​ ​ Secret​ ​ Key.
  • Bypass​ ​ JWT​ ​ Hash​ ​ Check.

Module 3:​ Authentication​ ​ part​ ​ 2 ​ ​ (Authorization)
This​ ​ module​ ​ cover​s ​ authentication​ ​ in​ ​ depth​ ​ (OAuth​). Covered topics:

  • OAuth​ ​ 1, ​ ​ 1.0a​, 2 ​ ​ - ​ ​ Standards​ ​ & ​ ​ Implementation.
  • Stealing​ ​ OAuth​ ​ Access​ ​ tokens.
  • CSRF​ ​ Attack​ ​ on​ ​ OAuth.
  • Attacking​ ​ authorization​ ​ code​ ​ grant​ ​ flow.
  • Open​ ​ Redirect​ ​ in​ ​ OAuth.

Module 3 exercises:

  • Steal​ ​ OAuth​ ​ tokens.
  • Attack​ ​ Authorization​ ​ Flow.
  • CSRF​ ​ Attack​ ​ on​ ​ OAuth.

Module 4: Other​ ​ Attacks​​ On​ API
This​ ​ module​ ​ covers​ ​ other​ ​ attacks​ ​ performed​ ​ against​ ​ API. Covered topics:

  • DoS​ ​ attacks​ ​ on​ ​ API.
  • Bruteforcing​ ​ Attacks.
  • Attack​ ​ Development/Staging​ ​ API’s.
  • Traditional​ ​ attacks​ ​ (XSS, SQLI, IDOR,​ etc.).

Module 4 exercises:

  • Basic​ ​ sqli/xss​ ​ attack​ ​ on​ ​ API.
  • Finding​ ​ Dev​ ​ API​ ​ and​ ​ use​ ​ it​ ​ to​ ​ bypass​ ​ protection​ ​ on​ ​ production​ ​ API.

Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • Your time will be filled with reading, videos, and exercises. 

Contact: 

If you have any questions about the course, get in touch with us at [email protected] or[email protected]

Reviews

There are no reviews yet.

Be the first to review “API Security: Offence and Defence 2nd Edition (W35)”

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013