API Exploitation and Security
The API Exploitation and Security training takes the regular pentester's knowledge to the next level. APIs are widely used across corporate sectors, including financial institutions, retail giants, modern web authentication services (login with Google, Facebook, Twitter, etc.), the automotive industry, the streaming industry and many other industries, to make operations fast.
Modern APIs adhere to standards (typically HTTP and REST) that are developer-friendly, easily accessible and broadly understood. APIs are treated more like products than code. They are designed for consumption by specific audiences; most modern APIs are documented and versioned in a way that lets users have certain expectations of their maintenance and lifecycle.
Like any other piece of productized software, the modern API has its own software development lifecycle (SDLC) of designing, testing, building, managing and versioning. Modern APIs are also well documented for consumption and versioning.
Improper design, poor configuration and faulty implementation open the doors for attackers. During the training we will address multiple critical issues associated with APIs, with various case studies and live examples.
This API exploitation and security course is designed for security professionals who focus on securing the design, implementation and overall security of API endpoints and communications.
REAL LIFE CASE STUDIES
INDUSTRY DRIVEN CERTIFICATION
STUDENT LEARNING KIT
- Introduction to API
- Different Approach to API Security Testing
- Challenges in API Security Testing
- Tools and Frameworks for API Security Testing
- Traditional API testing vs. API Security testing
- Primary Goal of API GRC
- The need for API GRC
- API development vs Web Apps
- API GRC throughout design, implementation & runtime operation
- Security Review of APIs Documentations
- Understanding API-Based Platforms
- Setup API Live Test Case Environment
- API Penetration Testing Methodologies
- API Security Testing Checklists
- API Audit control checklists
- Security Audit of MobileApp API and WebApp API
- Configure Fiddler to find Sensitive and leaky APIs
- Configure Burpsuite for security testing of Hidden APIs
- Proxying Device Traffic Through Fiddler | Burpsuite
- Discovering More About Mobile Apps via Fiddler
- Discovering Hidden APIs via Documentation Pages
- Discovering Hidden APIs via Search Engine
- Discovering Hidden APIs via robots.txt
- Discovering Leaky APIs – UserID Endpoint
- Discovering Leaky APIs – User Input Endpoint
- Discovering Leaky APIs – User Interaction Endpoint
- Personally Identifiable Information (PII) Disclosure
- Use Cases : Various OAuth Misconfiguration
- Use Cases : OAuth Authorization Bypass
- Use Cases : Account takeover Issues
- Improper Restriction of Unprotected API Endpoints
- Transporting API Auth tokens as Cleartext Allowed
- Improper Restriction of Misconfigured API
- Insufficient Entropy For Random Values
- Leakage of API Authentication Tokens
- Improper Access Control
- Use Cases : XML External Entity (XXE) Processing
- Use Cases : HTTP Parameter Pollution Attacks
- Use Cases : Cross-site Scripting (XSS)
- Use Cases : Common Injection Attacks
- Use Cases : Command Injection
- Use Cases : SQL injection
- Use Cases : Insecure Direct Object Reference (IDOR)
- Use Cases : Cross-Origin Resource Sharing (CORS)
- Use Cases : Cross-Site Request Forgery (CSRF)
- Use Cases : Open Redirection Vulnerability
- Use Cases : Privilege escalation Issues
- Use Cases : Local File Inclusion (LFI)
- Use Cases : Remote File Inclusion (RFI)
- Use Cases : Input validation Issues
- Manipulating App Logic by Request Tampering
- Response Tampering
- OWASP API Security Vulnerabilities – Hands on lab
- Testing for Broken Function Level Authorization
- Testing for Broken Object Level Authorization
- Testing for Lack of Resources & Rate Limiting
- Testing for Broken User Authentication
- Testing for Improper Assets Management
- Testing for Security Misconfiguration
- Testing for Excessive Data Exposure
- Testing for Mass Assignment
Who should attend this training?
- Bug bounty hunters
- Project leads and managers
Why should I take this training?
API pentesting is often overlooked in traditional assessments. The industry is now slowly shifting its focus to APIs. Modern businesses rely on many API-centric environments to make decisions. Hence learning API pentesting will not only increase your existing knowledge but also prepare you to take on new challenges in future assessments.
What is the prerequisite of the training?
Basic web application penetration testing knowledge is required to join this training.
What is the total duration of this training?
It is an instructor-led online training and the total duration of the training is 30 hours.