
API Exploitation and Security

The API Exploitation and Security training takes a regular pentester's knowledge to the next level. APIs are widely used across corporate sectors, including financial institutions, retail giants, the automotive industry, the streaming industry, modern web authentication services and many other industries that rely on APIs for fast operations.
Modern APIs adhere to standards (typically HTTP and REST) that are developer-friendly, easily accessible and broadly understood. APIs are treated more like products than code. They are designed for consumption by specific audiences; most modern APIs are documented and versioned in a way that lets users have clear expectations of their maintenance and lifecycle.
Like any other productized software, a modern API has its own software development lifecycle (SDLC) of designing, testing, building, managing and versioning, and is documented for consumption and versioning.
Improper design, poor configuration and flawed implementation open the door to attackers. During the training we address multiple critical issues associated with APIs through case studies and live examples.
This training is designed for security professionals who focus on securing the design, implementation and overall security of API endpoints and communications.

API hacking and Security

REAL LIFE CASE STUDIES

INSTRUCTOR-LED SESSIONS

INDUSTRY DRIVEN CERTIFICATION

DAILY ASSIGNMENTS

STUDENT LEARNING KIT


Syllabus

API Exploitation and Security - APIES-912
Module 1: Introduction to API Security
  • Understanding SOAP and REST APIs
  • Different Approach to API Security Testing
  • Challenges in API Security Testing
  • Tools and Frameworks for API Security Testing
  • Traditional API testing vs API security testing
  • OWASP Top 10 API attacks
Module 2: GRC & Code Quality in API Security
  • Primary Goal of API GRC
  • The need for API GRC
  • API development vs Web Apps
  • API GRC throughout design, implementation & runtime operation
  • Security review of API documentation
  • Understanding API-Based Platforms
Module 3: API Security Testing Essentials
  • Set up an API live test case environment
  • API Penetration Testing Methodologies
  • API Security Testing Checklists
  • API Audit control checklists
Module 4: Discovering API Insecurities
  • Configure Fiddler to find sensitive APIs
  • Configure Burp Suite to security test hidden APIs
  • Discovering WSDL
  • Discovering hidden API endpoints
  • Common API endpoints for quick wins
  • Testing for unhandled HTTP methods
  • Sensitive data disclosure via API OSINT
Module 5: API Authentication and Authorization Attacks
  • Use case: Various OAuth misconfigurations
  • Use case: OAuth authorization bypass
  • Use case: JWT token attacks
  • Use case: SAML issues
  • Use case: Account takeover
  • Exploring improper restriction of unprotected API endpoints
  • API auth tokens allowed in cleartext
  • Rate limiting attacks in misconfigured API
  • Finding Insufficient Entropy For Random Values
  • Authentication Tokens leakage attacks
  • Improper functional level authorization attacks
  • Broken object level authorization attacks
Module 6: Practical API Attacks
  • Exploiting XML External Entity and parsers
  • HTTP Parameter Pollution Attacks
  • OS command Injection Attacks
  • SQL injection in APIs
  • ORM injection attack
  • NoSQL injection attack
  • Insecure Direct Object Reference attacks
  • Cross-Origin Resource Sharing issues
  • Exploiting Open Redirections
  • Mass assignment attacks
  • Testing Local File Inclusion attacks
  • Testing Remote File Inclusion attacks
  • Security misconfiguration attacks in API
  • Improper restriction on unprotected API endpoints
  • API request and response tampering for bypassing restrictions
Module 7: Attacking GraphQL APIs
  • Discovering GraphQL
  • Fingerprinting GraphQL
  • Batch Query Attack
  • Deep Recursion Query Attack
  • Resource Intensive Query Attack
  • Field Duplication Attack
  • Alias-based Attack
  • GraphQL Information Disclosures
  • Server Side Request Forgery
  • Code Execution
  • Stored Cross Site Scripting
  • Log spoofing / Log Injection
  • HTML Injection
  • GraphQL Interface Protection Bypass
  • GraphQL Query Deny List Bypass
  • Arbitrary File Write Path Traversal
  • GraphQL Query Weak Password Protection
Who should attend this training?
  • Security analysts
  • Web developers
  • Bug bounty hunters
  • Security engineers
  • Project leads and managers

Why should I take this training?

API pentesting is often overlooked in traditional assessments, and the industry is now slowly shifting its focus to APIs. Modern businesses rely on API-centric environments to make decisions. Learning API pentesting will therefore not only extend your existing knowledge but also prepare you for the new challenges of future assessments.

What are the prerequisites for the training?

Basic knowledge of web application penetration testing is required to join this training.

What is the total duration of this training?

It is an instructor-led online training, and the total duration is 30 hours.


Testimonials

Today I've completed my one-to-one online training by Mr Naresh sir from Certcube Labs.
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowledgeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.
Satyam Singh

BCA, Delhi University

A good place to learn every small detail in cybersecurity. Really nice and helpful teacher.
subhum

Btech, BITS Mesra
