API Penetration Testing

This intensive 2-day workshop offers participants a thorough grasp of Application Programming Interface (API) security, highlighting the critical importance of comprehensively understanding and rigorously testing API implementations using cutting-edge techniques and state-of-the-art tools to effectively identify vulnerabilities.

$1,399.00

Duration

2 days

Delivery Method

in-person

Level

beginner

Seats Available

20

Duration

2 days

Delivery Method

in-person

Level

beginner

ATTEND IN-PERSON: Onsite in Bangkok, Thailand

DATE: 27-28 August 2024

TIME: 09:00 to 17:00 ICT/GMT+7

Date Day Time Duration
27 Aug Tuesday 0900-17:00 ICT/GMT+7 8 Hours
28 Aug Wednesday 0900-17:00 ICT/GMT+7 8 Hours

This comprehensive two-day workshop goes deeply into the realm of API security. Participants will embark on a journey starting with a foundational understanding of APIs, throughout a discussion on various API architectures and protocols such as REST, SOAP, and GraphQL, with examples and focus on the different tools like Burp Suite, Swagger and SoapUI, which are a must to know for further dive into API security testing concepts.

Armed with this knowledge, attendees will continue their journey by learning key aspects of common API security testing methodologies & frameworks, such as the OWASP API Security Top 10 and the OWASP Web Security Testing Guide. The workshop includes multiple practical exercises and lab sessions covering a wide spectrum of topics including API reconnaissance, API authentication, API injection, and more, offering hands-on experience to reinforce theoretical understanding and foster practical skill development.

 

What will the students get
  • Battle-tested and future-proof API testing techniques.
  • Fully configured Virtual Machine (VM) with a selection of pre-configured testing tools including proprietary fuzzing dictionaries ready to be used for delivering effective testing activities.

 

 

Agenda/ Topics Covered

Overview on Application Programming Interfaces (APIs) Security

  • What is an API and why securing APIs is crucial for modern organizations.
  • API architectural pattern security: REST, SOAP and GraphQL.

 

Intercepting and Understanding the HTTP Protocol

  • What is HTTP and its different versions.
  • Intercepting HTTP(s) protocol and API requests using Burp Suite Pro
  • Tools of the trade for API security testing: Swagger, SoapUI, and beyond.

 

API Security Testing Methodology

  • Overview on the OWASP Web Security Testing Guide (WSTG) v4.2
  • The OWASP API Security Top 10 (2023)

 

API Reconnaissance & Attack Surface Analysis

  • What is an Attack Surface?
  • How to identify known & unknown API endpoints.
  • How to identify known & unknown API parameters.

 

API Authentication Security

  • Authentication Tokens
    • JWT, SAML, OAuth and API key security
    • XML encryption and signing
  • Authentication vs. Authorization
    • {Role/Resource/Fields} Level Access Control

 

API Injection Vulnerabilities

  • SQL Injection
  • NoSQL Injection
  • Command Injection

Why You Should Take This Course

This intensive 2-day workshop offers participants a thorough grasp of Application Programming Interface (API) security, highlighting the critical importance of comprehensively understanding and rigorously testing API implementations using cutting-edge techniques and state-of-the-art tools to effectively identify vulnerabilities.

Who Should Attend

This workshop is designed for anyone interested in learning how to effectively test the security of modern API implementations, including:
  • Security professional new to web and/or API security.
  • Software Developers, Software Security Engineers, and DevSecOps Engineers who wants to be exposed to common and more unconventional security topics.
  • Students willing to start maturing competences required to fulfill the role of application penetration tester or to start their journey as security engineers.

Key Learning Objectives

  • Participants will acquire a thorough comprehension of API security principles.

  • Attendees will gain practical proficiency in utilizing professional tools such as Burp Suite, Swagger, and SoapUI, essential for intercepting, analyzing, and securing API traffic, enhancing their capability to conduct effective security testing.

  • Thanks to a set of guided instruction and practical exercises, participants will be leveraging security testing methodologies & frameworks such as the OWASP API Security Top 10 and the OWASP Web Security Testing Guide to assess the security of modern API implementations.
  • Prerequisite Knowledge

    • Basic knolwedge about HTTP and Web protocols.
    • Basic proficiency in API concepts and architecture is preferred.

    Hardware / Software Requirements

    • Laptop running a Microsoft Windows 10+ or Apple macOS platform
    • CPU: 64-bit Intel i5/i7 with 4th generation + (2.0 GHz)
    • 8 GB of RAM or higher
    • 100 GB free space
    • Wi-Fi 802.11 capability (no wired connection available in the classroom)
    • Installed VMware Workstation / Player for Windows or VMWare Fusion for macOS
    • Local administrative access to the host OS is required

    Your Instructor

    Luca De Fulgentis is an offensive cybersecurity professional with 15+ years of experience in breaking complex software, building offensive teams, managing large-scale security programs, delivering full-spectrum red teaming operations, and researching advanced tactics & techniques to infiltrate modern enterprise infrastructure.

    Luca holds a Master of Science (MSc) in Computer Engineering from the Polytechnic of Milan, where he graduated with a thesis on evolutionary fuzz testing techniques based on Island Model Genetic Algorithm (IMGA).

    During his career, he has been securing technologies and critical infrastructure operated by private and government entities based in Europe, UK, North America, South Korea, UAE, and Saudi Arabia.

    Since 2006, Luca has been involved in the professional execution of dynamic testing and manual secure code review of 500+ high-profile web applications. He also attended as speaker at prestigious conferences such as Black Hat Mobile Security Summit, Hack in the Box Amsterdam, and AppSec Europe.

    In 2024, Luca co-founded Adverse Theory, where he manages large-scale cybersecurity programs and drives the designing of unconventional cyber defense technologies.

    Before co-founding Adverse Theory, he served as Executive Director of the xen1thLabs at Digital14 UAE, and lately as Vice President of Cybersecurity Technology Innovation & Product Security for a hi-tech startup based in Dubai.

    Adverse Theory is a disruptive startup focused on delivering “unconventional” cybersecurity advisory services to support organizations in establishing security teams, managing large-scare security programs, and developing innovative security technologies.