Attacking and Securing APIs

This is a fully hands-on practical concentrated course on securing and attacking web and cloud APIs. This training aims to engage you in creating secure modern APIs, while showing you both modern and contemporary attack vectors.

USD $2,299.00

Duration

2 days

Delivery Method

in-person

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite in Dubai

DATE: 15-16 March 2023

TIME: 10:00 to 18:00 GST/GMT+4

Date    Day        Time                       Duration
15 Mar  Wednesday  10:00 to 18:00 GST/GMT+4   8 Hours
16 Mar  Thursday   10:00 to 18:00 GST/GMT+4   8 Hours

This is a fully hands-on, practical, concentrated course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: in web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementations and infrastructure. This training aims to engage you in creating secure modern APIs, while showing you both modern and contemporary attack vectors.

You will learn:

  • Attacking and defending web APIs (REST, GraphQL):
    • Learn REST and GraphQL security best practices.
    • Create APIs that are easy to use securely and hard to use insecurely.
    • Techniques and tools to design, test and attack APIs and microservices.
    • Mitigate and defend against security weaknesses in APIs.
    • Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.
  • Attacking and securing Amazon cloud (AWS) APIs and infrastructure:
    • Perform post-exploitation and pivot attacks against AWS environments.
  • Performing modern injection attacks:
    • Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injection, etc.
  • Securing passwords and secrets in APIs:
    • Learn how to effectively manage the problem of credential storage.
    • Attack insecure password protection schemes and export credentials.
    • Utilize open-source and platform-independent credential management solutions.
    • Implement secure password storage and handling.
  • API authentication and authorization techniques:
    • Understand the intricate and minute details of authentication and authorization frameworks and technologies.
    • Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
    • Understand OAuth2, JWT/JWS and other authentication technologies.
    • Attack and fix insecure JWT and cookie implementations.
    • Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
    • Implement and attack multi-factor authentication for APIs.
  • Designing secure API architecture:
    • API and microservices security architecture.
    • Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
    • Learn and understand cache security and what threats and vulnerabilities can arise out of insecure caching methods and configurations.
    • Attack and secure cache implementations and infrastructure.
  • Securing development environments:
    • Securing source code using secure Git configurations and live monitoring.
    • Securing software dependencies and the supply chain.

Students will be provided with:

  • Course VM (that includes tools and exercises)
  • Course slides
  • Sample custom tools, for reference, matching the ones created in the course.
  • Custom infrastructure creation/formation scripts to allow students to create labs in the cloud.

Agenda

Day 1:

  • Introduction to modern APIs
  • Security Architecture for APIs
  • Data and File attacks against APIs and clients
  • Injection attacks against APIs and clients
  • HTTP Security

Day 2:

  • Token Security
  • Cache Security
  • Credential handling and storage
  • Authentication and authorization in APIs
  • Securing Source Code


Training delivery format:

Full focus on hands-on exercises and labs (55+ labs), with a CTF challenge and multiple questions. The labs have multiple levels to accommodate different skill levels and speeds of training attendees, as well as take-home labs for those interested in spending the night on the keyboard!

Why You Should Take This Course

This is a fully hands-on, practical, concentrated course on securing and attacking web and cloud APIs. This training aims to engage you in creating secure modern APIs, while showing you both modern and contemporary attack vectors.

Who Should Attend

  • Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills.
  • Anyone interested in keeping relevant knowledge and skill in the world of cloud, API and app security.

Key Learning Objectives

  • Be able to create secure web APIs and microservices infrastructure.
  • Assess the security of API implementations and configurations.
  • Utilize cloud-native tools and infrastructure to deliver secure APIs.

Prerequisite Knowledge

  • Should be familiar with the concepts of web, Linux, cloud services, security, and APIs.
  • Should have basic programming skills.
  • Basic ability to use command line interfaces.
  • Scripting experience recommended.
  • Familiarity with Python and JavaScript is recommended.

Hardware / Software Requirements

  • Intel-based laptop (the class VM is an x86 Linux image and will not run on Apple M1 ARM-based chips).
  • Laptop with a minimum of 8GB RAM and 40GB free hard disk space, with USB ports and virtualization enabled/available.
  • Student must have full control of the laptop (can install software, can disable antivirus, etc.).
  • VMware Workstation or VMware Fusion (even trial versions can be used).
  • Enough storage to host multiple copies of the class VM in case modifications and restores are needed.
  • Ability to connect to the internet (the class requires going online).
  • An active AWS account for each student (free tier or otherwise) is required. The default region should be us-east-1 (US East, N. Virginia).
  • Note: VMware Player or VirtualBox is not recommended for this training.

Your Instructor

Mohammed Aldoub is an independent security consultant and Black Hat trainer from Kuwait who, in his 12 years of experience, worked on creating Kuwait's national infrastructure for PKI, cryptography, smartcards and authentication.

Mohammed delivers security trainings, workshops and talks at events such as Black Hat (USA, EU, Asia), DEFCON, SANS, RSA, SecTor, Infosec in the City, OPCDE, SEC-T and CyberNights, around the world in places like the Netherlands, USA, Sweden, London, Czech Republic, Singapore, Dubai, Lebanon, Riyadh, Kuwait, and others.

Mohammed is now focusing on APIs, secure DevOps, modern AppSec, cloud-native security, applied cryptography, security architecture and microservices.

He is the author of "barq", the AWS post-exploitation attack framework, which you can find at https://github.com/Voulnet/barq, and he is also the author of Desharialize, which you can find at https://github.com/Voulnet/desharialize. Mohammed is deeply interested in malware, especially that used by state actors in the Middle East region, where he volunteered as OWASP Kuwait's chapter leader. You can find his Twitter account at https://twitter.com/Voulnet and his GitHub account at https://github.com/voulnet.