Pragmatic API Exploration // Aubrey Labuschagne

Virtual | March 9-15 | 16 Hours

BOOK NOW

ABSTRACT

Embark on a learning journey to explore the art of attacking and securing Application Programming Interfaces (APIs) with our comprehensive API course. As API usage grows, so does the threat landscape for organisations. This practical-driven training will equip you to conduct impactful penetration tests on API implementations and deepen your understanding of how to mitigate the majority of vulnerabilities.

Explore modules covering API fundamentals, engagement strategies, attack surface enumeration, and demystifying the OWASP Top 10 for APIs. Delve into additional focus areas such as logging, monitoring, injection attacks, and securing Azure API implementations. Gain practical experience in exploiting vulnerabilities on RESTful APIs and GraphQL, culminating in a thrilling Capture the Flag challenge. This training is ideal for developers seeking to enhance their skills in mitigating flaws, while also growing the attack skills of penetration testers aiming to elevate their API testing. Join us in this immersive experience, where each day ends with a capture-the-flag style challenge, empowering you to 'hack hard' in the world of APIs.

More Details:
• 2-day course
• 60% practical and 40% theoretical
• Real-world attacks and methodologies
• Delivered by active penetration testers and red team members

Main modules:

  1. Introduction to APIs
  2. Engaging and exploring APIs
  3. Enumerate the API Attack Surface
  4. Demystifying the OWASP Top 10 for APIs
  5. Additional content covering logging and monitoring, PCI-DSS 4.0 and Securing an Azure API Implementation
  6. Exploring GraphQL
  7. Capture The Flag Exercise

Our training is delivered via SensePost, the specialist ethical hacking team of Orange Cyberdefense. As one of Black Hat’s longest standing training partners, we have trained thousands of students for the past two decades about the art of offensive and defensive approaches. It’s safe to say we enjoy teaching others how to pwn networks and applications. Our courses are developed from the work we perform for clients, so that you get a better understanding of how to exploit real-world scenarios and defend against real world attacks.

Join us, hack hard and make APIs safe!

INTENDED AUDIENCE

This course is ideal for any developer looking to further their understanding of security in practice and to widen their understanding of vulnerabilities in APIs.

This course is also ideal for penetration testers looking to advance their API testing skills or those starting out in penetration testing of Web and APIs.

KEY LEARNING OBJECTIVES

• Practical experience to attack APIs using industry leading methodologies.
• Understanding of the typical vulnerabilities associated with APIs.
• Strategies to reduce the attack surface of APIs.

COURSE DETAILS

This course consists of 7 high-level modules, approximately 37 key concepts and approximately 24 practicals.
Below is the course module outline:

Module 1: Introduction to APIs

  • What is an API?
  • The API ecosystem
  • Threat model of an API
  • Review of code representing an API endpoint

Module 2: Engaging with the Target API:

  • Setup of a testing environment
  • Demonstrate the various HTTP headers
  • Interacting with Swagger
  • Discuss the use of JWT for authentication
  • Conduct and review a Zabbix challenge

Module 3: Enumerate API Attack Surface:

  • Describe methodology to assess the security posture of a target API
  • Strategies to enumerate endpoints
  • Fuzzing endpoints to identify hidden endpoints
  • Enumerate parameters
  • Use of tools to create wordlists
  • Source Code Review
  • Conduct host header attacks, identify and abuse business logic vulnerabilities, GUID vulnerabilities, bypass profiling controls
  • Mitigation of replay attacks
  • Securing API endpoint against attacks
  • Conduct and review an API pentest simulation
  • Conduct the challenge for Day 1

Module 4: Demystify the OWASP Top 10 for API:

  • Candidates will be exposed to the most common vulnerabilities targeting APIs.
  • These vulnerabilities will be put into context through use cases, and candidates will perform the attacks themselves to gain a better understanding.
  • The focus will also be on identifying mitigation strategies to address the risk.
  • Describe and analyze the OWASP Top 10 for APIs
  • Practicals to demonstrate the vulnerability: Broken Object Level Authorization (BOLA)
  • Practicals to demonstrate the vulnerability: Broken Authentication
  • Practicals to demonstrate the vulnerability: Broken Object Property Level Authorization
  • Practicals to demonstrate the vulnerability: Unrestricted Resource Consumption
  • Practicals to demonstrate the vulnerability: Broken Function Level Authorization
  • Practicals to demonstrate the vulnerability: Unrestricted Access to Sensitive Business Flows
  • Practicals to demonstrate the vulnerability: Server Side Request Forgery
  • Practicals to demonstrate the vulnerability: Security Misconfiguration
  • Practicals to demonstrate the vulnerability: Improper Inventory Management
  • Practicals to demonstrate the vulnerability: Unsafe Consumption of APIs

Module 5: Additional Focus Points

  • Discuss and review Insufficient Logging & Monitoring (includes practicals)
  • Discuss and review injection attacks (includes practicals)
  • Overview of PCI DSS v4 within the context of APIs
  • Securing an Azure API Implementation

Module 6: Exploring GraphQL from a security perspective:

  • Introduction to GraphQL
  • Describing the various vulnerabilities associated with GraphQL
  • Discuss various techniques to secure GraphQL

Module 7: Capture the Flag:

The course concludes with candidates participating in a capture the flag exercise in which the secret documents of a target company need to be found. Candidates will apply the knowledge acquired during the course to exploit vulnerabilities within the exposed API.

Knowledge Prerequisites

This is a beginner-level course in penetration testing of APIs. No security-related experience is required, but a technical understanding of computers, networks, Linux and Windows is a must.

Please ensure you are comfortable with the Linux command line before enrolling for this course. You will be executing some commands from the command line when executing cURL to interact with the APIs.

System Requirements

You only need your laptop with a general browser.

YOUR INSTRUCTOR: Aubrey Labuschagne

Aubrey Labuschagne - Aubrey is a security analyst at SensePost. Over the years he has held many roles, including project management, product management, development, training and security analysis. His interest in security grew from his immersion in information warfare. His hobbies include the development of sensor-centric platforms. He has a passion for training and has completed his master's on how to improve the effectiveness of security awareness programs. Favorite quote: "Nothing is real until experienced". He currently holds several certifications, including OSCP, ECSA and ISO 27032.
