
api exploitation and security

The API Exploitation and Security training is designed to help you understand modern API development and integration issues. The course is heavily focused on building a hybrid approach to analysing attacks against API-integrated web applications and standalone modern APIs.

APIs are widely used across corporate sectors, including financial institutions, retail giants, the automotive industry, streaming services, modern web authentication services and many other industries, to speed up operations.
APIs are treated more like products than code. They are designed for consumption by specific audiences; most modern APIs are documented and versioned so that users can have clear expectations about their maintenance and lifecycle.
Like any other productised software, modern API development has its own lifecycle of designing, testing, building, managing and versioning.
Improper design, poor configuration and weak implementation open the doors for attackers. During the training, we address multiple critical issues associated with modern web applications and standalone APIs through various case studies.
This API Exploitation and Security training is designed for security professionals who focus on securing the design, implementation and overall security of API endpoints and communications.

detailed syllabus

introduction to api security

  • Understanding SOAP, REST and GraphQL APIs
  • Different approaches to API security testing
  • Challenges in API security testing
  • Traditional API testing vs. API security testing
  • Standards in API development
  • OWASP API Security Top 10 attacks
  • Building the API pentesting lab

automation in api pentesting

  • Role of automation in API pentesting
  • Deep dive into Postman for API pentesting
  • Configuring SoapUI / ReadyAPI for API security testing
  • Automating API fuzzing with open-source tools
  • API pentesting governance and the role of documentation

discovering api insecurities

  • Building API security testing checklists
  • Building self-documentation for API enumeration
  • Discovering WSDL and WADL
  • Discovering hidden API endpoints
  • Common API endpoints for quick wins
  • Testing for unhandled HTTP methods
  • Sensitive data disclosure via API OSINT

API Pentesting Module - 1

  • Cookie-based test cases
  • OAuth authorisation bypass
  • JWT token attacks
  • Account takeover vulnerabilities
  • API privacy settings issues
  • Exploring improper restriction of unprotected API endpoints
  • Password reset attacks
  • Cross-Origin Resource Sharing (CORS) issues
  • CSRF attacks
  • Rate-limiting attacks in misconfigured APIs
  • Authentication token leakage attacks
  • Improper function-level authorisation attacks
  • Broken object-level authorisation attacks

API Pentesting Module - 2

  • Exploiting XML External Entity (XXE) injection in parsers
  • HTTP Parameter Pollution attacks
  • OS command injection attacks
  • SQL injection attacks in APIs
  • Access control attacks
  • Exploiting open redirections
  • Mass assignment attacks
  • Testing for Local File Inclusion attacks
  • Testing for Remote File Inclusion attacks
  • Security misconfiguration attacks in APIs
  • Improper restriction of unprotected API endpoints
  • API request and response tampering to bypass restrictions
  • Building a hybrid approach to test API-centric web applications

  • Discovering GraphQL
  • Batch query attack
  • Deep recursion query attack
  • Resource-intensive query attack
  • Field duplication attack
  • Alias-based attack
  • GraphQL information disclosures
  • Server-Side Request Forgery
  • Code execution in GraphQL
  • Stored Cross-Site Scripting
  • Log spoofing / log injection
  • GraphQL interface protection bypass
  • GraphQL query deny-list bypass
  • Arbitrary file write via path traversal
  • GraphQL query weak password
  • GraphQL defence in depth

who should attend this training?

  • Security analysts
  • Web developers
  • Bug bounty hunters
  • Security engineers
  • Project leads and managers

why should i take this training?

API pentesting is often overlooked in traditional assessments, yet the IT industry is steadily shifting its focus towards API utilisation, and modern businesses rely on API-centric environments to make decisions. Learning API pentesting will not only build on your existing knowledge but also prepare you for the new challenges of future assessments.

prerequisites of the training?

Basic knowledge of web application penetration testing is required to join this training.

what is the total duration of this training?

It is an instructor-led online training, and the total duration is 30 hours.


What People Are Saying

Today I've completed my one-to-one online training by Mr Naresh sir from Certcube Labs.
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowledgeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.

Satyam Singh

BCA, Delhi University

Positive: Professionalism, Quality, Responsiveness, Value

5-star training. Naresh is the best. He took me from Zero to Hero in 3 months' time. A little bit expensive compared to others, but totally worth it.

Ravi S

Cyber Security Consultant , Red Hawk
