2-day hands-on technical Workshop in HITB SecConf 2024 Bangkok

API Penetration Testing

Price: $1,399.00

This intensive 2-day workshop offers participants a thorough grasp of Application Programming Interface (API) security, highlighting the critical importance of comprehensively understanding and rigorously testing API implementations using cutting-edge techniques and state-of-the-art tools to effectively identify vulnerabilities.

Duration

2-day

Delivery Method

In-Person

Level

beginner

Seats Available

20

ATTEND IN-PERSON: Onsite in Bangkok, Thailand

DATE: 27-28 August 2024

TIME: 09:00 to 17:00 ICT/GMT+7

Date    Day        Time                    Duration
27 Aug  Tuesday    09:00-17:00 ICT/GMT+7   8 Hours
28 Aug  Wednesday  09:00-17:00 ICT/GMT+7   8 Hours

This comprehensive two-day workshop takes a deep look at API security. Participants start with a foundational understanding of APIs, followed by a discussion of the main API architectures and protocols (REST, SOAP, and GraphQL), with examples and a focus on tools such as Burp Suite, Swagger and SoapUI, which are essential for going further into API security testing.

Armed with this knowledge, attendees will continue their journey by learning key aspects of common API security testing methodologies & frameworks, such as the OWASP API Security Top 10 and the OWASP Web Security Testing Guide. The workshop includes multiple practical exercises and lab sessions covering a wide spectrum of topics including API reconnaissance, API authentication, API injection, and more, offering hands-on experience to reinforce theoretical understanding and foster practical skill development.

Key learning objectives
  • Participants will acquire a thorough comprehension of API security principles.
  • Attendees will gain practical proficiency in utilizing professional tools such as Burp Suite, Swagger, and SoapUI, essential for intercepting, analyzing, and securing API traffic, enhancing their capability to conduct effective security testing.
  • Through guided instruction and practical exercises, participants will learn to apply security testing methodologies and frameworks such as the OWASP API Security Top 10 and the OWASP Web Security Testing Guide to assess the security of modern API implementations.

What will the students get
  • Battle-tested and future-proof API testing techniques.
  • Fully configured Virtual Machine (VM) with a selection of pre-configured testing tools including proprietary fuzzing dictionaries ready to be used for delivering effective testing activities.

Agenda / Topics Covered

Overview on Application Programming Interfaces (APIs) Security

  • What is an API and why securing APIs is crucial for modern organizations.
  • API architectural pattern security: REST, SOAP and GraphQL.

Intercepting and Understanding the HTTP Protocol

  • What is HTTP and its different versions.
  • Intercepting HTTP(S) traffic and API requests using Burp Suite Pro.
  • Tools of the trade for API security testing: Swagger, SoapUI, and beyond.

API Security Testing Methodology

  • Overview on the OWASP Web Security Testing Guide (WSTG) v4.2
  • The OWASP API Security Top 10 (2023)

API Reconnaissance & Attack Surface Analysis

  • What is an Attack Surface?
  • How to identify known & unknown API endpoints.
  • How to identify known & unknown API parameters.

API Authentication Security

  • Authentication Tokens
    • JWT, SAML, OAuth and API key security
    • XML encryption and signing
  • Authentication vs. Authorization
    • {Role/Resource/Fields} Level Access Control

API Injection Vulnerabilities

  • SQL Injection
  • NoSQL Injection
  • Command Injection

TRAINER

Why You Should Take This Course

This intensive 2-day workshop offers participants a thorough grasp of Application Programming Interface (API) security, highlighting the critical importance of comprehensively understanding and rigorously testing API implementations using cutting-edge techniques and state-of-the-art tools to effectively identify vulnerabilities.

Who Should Attend

This workshop is designed for anyone interested in learning how to effectively test the security of modern API implementations, including:
  • Security professionals new to web and/or API security.
  • Software Developers, Software Security Engineers, and DevSecOps Engineers who want to be exposed to common and less conventional security topics.
  • Students wanting to build the competencies required for the role of application penetration tester, or to start their journey as security engineers.

Prerequisite Knowledge

  • Basic knowledge of HTTP and web protocols.
  • Basic proficiency in API concepts and architecture is preferred.

Hardware / Software Requirements

  • Laptop running a Microsoft Windows 10+ or Apple macOS platform
  • CPU: 64-bit Intel i5/i7, 4th generation or newer (2.0 GHz)
  • 8 GB of RAM or higher
  • 100 GB free space
  • Wi-Fi 802.11 capability (no wired connection available in the classroom)
  • VMware Workstation / Player (Windows) or VMware Fusion (macOS) installed
  • Local administrative access to the host OS is required