API Exploitation and Security
The modern application uses the API for the calling micro-services or performing the actions or monitoring the user’s behaviors. The design or the structure of the API is exposed to the customers or application user. Due to this nature of the API, the attacker can understand the structure of the API and use this information attack API further.The REST API uses the different processing requests such as GET, POST, PUT, DELETE, HEAD, and PATCH actions. The attacker can modify the request headers for understanding the API and use this understanding to craft entirely working weaponized exploit. The processing request can be altered, and as a best practice of the processing request must be not be tampered or modified .
This API exploitation and security course is designed for core professionals and learns who focus more on implementation and security of API endpoints and communications . This practical training is designed with hands on practical use cases .
REAL LIFE CASE STUDIES
INSTRUCTOR-LED SESSIONS
INDUSTRY DRIVEN CERTIFICATION
DAILY ASSIGNMENTS
STUDENT LEARNING KIT
syllabus
syllabus
module 1 : Introduction to API Security
- Introduction to API
- Different Approach of API Security Testing
- Real-time Challenges of API Security Testing
- Tools and Frameworks for API Security Testing
- Difference between Traditional API testing and API Security testing
module 2 : GRC in APplication programming interface
- Primary Goal of API Governance
- Why business need to Implement API Governance?
- Implementing an API Governance Approach
- Modern APIs Approach
- API development vs Web Apps
- Best practices to help organizations scale their API program
- API governance : A key element for security and scaling API programs
- How to execute API governance throughout design, implementation & runtime operations
module 2 :Testing API Code Quality
- APIs Documentations
- API Documentation Made Easy Security Testing
- Security Review of APIs Documentations
- Understanding API-Based Platforms
module 3 : Getting Started with API Security Testing
- Setup API Live Test Case Environment
- API Penetration Testing Methodologies
- API Security testing Checklists for Pentesters
- API Security testing Checklists for Developers
- API Security testing Checklists for Bug Hunters
- API Security testing according to API governance
- Complete Security testing of Web API Applications
- Complete Security testing of Mobile API Applications
- Covering Security Audit of MobileApp API and WebApp API
module 4 : Discovering Leaky APIs | Hidden APIs - Reconnaissance
- Configure Fiddler to find Sensitive and leaky APIs
- Configure Burpsuite to Security test of Hidden APIs
- Proxying Device Traffic Through Fiddler | Burpsuite
- Discovering More About Mobile Apps via Fiddler Discovering Hidden APIs via Documentation Pages
- Discovering Hidden APIs via Search Engine
- Discovering Hidden APIs via robots.txt
- Discovering Leaky APIs – UserID Endpoint
- Discovering Leaky APIs – User Input Endpoint
- Discovering Leaky APIs – User Interaction Endpoint
- Personally Identifiable Information (PII) Disclosure
module 5 : API Authentication and Authorization Vulnerabilities
- Use Cases : Various OAuth Misconfiguration
- Use Cases : OAuth Authorization Bypass
- Use Cases : Account takeover Issues
- Improper Restriction of Unprotected APIs Endpoint
- Transporting API Auth tokens as Cleartext Allowed
- Improper Restriction of Misconfigured API
- Insufficient Entropy For Random Values
- Leakage of API Authentication Tokens
- Improper Access Control
module 6 : API attack kung-gu
- Use Cases : XML External Entity (XXE) Processing
- Use Cases : HTTP Parameter Pollution Attacks
- Use Cases : Cross-site Scripting (XSS)
- Use Cases : Common Injection Attacks
- Use Cases : Command Injection
- Use Cases : SQL injection
- Use Cases : Insecure Direct Object Reference(IDOR)
- Use Cases : Cross-Origin Resource Sharing (CORS)
- Use Cases : Cross-Site Request Forgery (CSRF)
- Use Cases : Open Redirection Vulnerability
- Use Cases : Privilege escalation Issues
- Use Cases : Local File Inclusion (LFI)
- Use Cases : Remote File Inclusion(RFI)
- Use Cases : Input validation Issues
- Manipulating App Logic by Request Tampering
- Response Tampering
module 7 : API Security Top 10 OWASP
- OWASP API Security Vulnerabilities – Practicals
- Testing for Broken Function Level Authorization
- Testing for Broken Object Level Authorization
- Testing for Lack of Resources & Rate Limiting
- Testing for Broken User Authentication
- Testing for Improper Assets Management
- Testing for Security Misconfiguration
- Testing for Excessive Data Exposure
- Testing for Mass Assignment
module 7 : production report writing
- Executive summery
- Manual report writing methodologies
who should attend this training?
- Freshers
-
Ethical hackers
-
System Administrators
-
Network Administrators
-
Engineers
-
Web Developers
-
Bug bounty hunters
-
Security Professionals
why should i take this training?
learn detailed concepts of API exploitation & security concepts with practical use cases
prerequisite of the training ?
The person should familiar with basic computer operations and programming.
what is the total duration of this training ?
Its an Instructor-led online training and the total duration of the training is 45 hours.
APi Exploitation and Security Details
Whats Next ?
Checkout the advanced training modules with the given below link.
Our clients
Testimonials
Today I’ve completed my one 2 one online training by Mr Naresh sir from Certcube Labs .
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowlegeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowlegeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.
A good place to learn every small detail in cybersecurity.Really nice and helpful teacher.