API is now being used by every web/mobile/desktop application to communicate with each other. But, as any other technology, it has its strengths and weaknesses. In this course we will focus on REST API and we will go through the techniques used to find weaknesses and exploit them, also the countermeasures used by developers.
API Security: Offence and Defence 2nd Edition is here!
Course length: 18 hours
18 CPE points
What will you learn?
- API Standards (e.g., Authentication, Data Exchange, etc.)
- API Attacks and Countermeasures
What skills will you gain?
- Practical experience in pentesting REST API
- How to implement Secure API
What will you need?
- PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)
- API testing tool (e.g., PostMan)
- Proxy tool (e.g., Burp Suite, Fiddler)
What should you know before you join?
- Previous knowledge of how web works (e.g., HTTP Protocol, HTTP Methods, etc.)
- Understanding of basic web vulnerabilities (e.g., XSS, CSRF, Open Redirect, IDOR, etc.)
Your Instructor: Eslam Salem Mahmoud
Former speaker at Cairo Security Camp.
Security lover & open source evangelist.
Module 1: Introduction to API
Module 1 covered topics:
- What is API/API Centric Applications?
- Intro to REST.
- REST API Fingerprinting / Fuzzing.
- Intro to API Authentication (Basic, JWT, OAuth).
Module 1 exercises:
- Fingerprinting API.
- REST Methods Manipulations.
Module 2: Authentication part 1
This module covers authentication in depth (Basic Auth, JWT). Covered topics:
- Basic Authentication.
- Basic Digest Authentication.
- Session based vs Token based.
- JWT (Json Web Tokens) - Implementation & Attacks.
Module 2 exercises:
- Crack JWT Secret Key.
- Bypass JWT Hash Check.
Module 3: Authentication part 2 (Authorization)
This module covers authentication in depth (OAuth). Covered topics:
- OAuth 1, 1.0a, 2 - Standards & Implementation.
- Stealing OAuth Access tokens.
- CSRF Attack on OAuth.
- Attacking authorization code grant flow.
- Open Redirect in OAuth.
Module 3 exercises:
- Steal OAuth tokens.
- Attack Authorization Flow.
- CSRF Attack on OAuth.
Module 4: Other Attacks On API
This module covers other attacks performed against API. Covered topics:
- DoS attacks on API.
- Bruteforcing Attacks.
- Attack Development/Staging API’s.
- Traditional attacks (XSS, SQLI, IDOR, etc.).
Module 4 exercises:
- Basic sqli/xss attack on API.
- Finding Dev API and use it to bypass protection on production API.
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- Your time will be filled with reading, videos, and exercises.