Offensive API Exploitation and Security - SlashAPI






COURSE OVERVIEW

Offensive API Exploitation and Security is a customized course that teaches how to defend your APIs. This course is an advanced, hands-on, practical program in which each candidate is given a custom VM built specifically for API penetration testing, with all tools configured to verify security defects in modern APIs.

API stands for Application Programming Interface. APIs are used widely across the internet by web applications, mobile apps, IoT devices, desktop applications, and much more. A modern application uses its API to call or execute the actions a user requests, so customers and service users are directly exposed to the API's architecture and structure.
API Pentesting

A REST API handles requests through multiple HTTP methods such as GET, POST, PUT, DELETE, HEAD, and PATCH. Knowing which methods an endpoint accepts helps a tester understand the API's structure, and that same understanding is what an attacker uses to exploit the API.



Prerequisites:

# Web Application Pentesting
# Knowledge of OWASP Top 10 Security Risks



Training Level:

Live API Hacking | Security | Bug Bounty | Development



Why join us:

#. 100% practical vulnerability coverage on live secure and insecure Web & Mobile APIs

#. Each bug and vulnerability is covered with two practical sessions plus challenges

#. Each bug is covered as classified by bug bounty platforms such as HackerOne and Bugcrowd




Syllabus


An Introduction to APIs for the Security Testing

● What An API Is and Why It's Valuable
● Different Approach of API Security Testing
● Real-time Challenges of API Security Testing
● Tools and Frameworks for API Security Testing
● Types of Bugs that API Security testing detects
● Difference between Common API testing and API Security testing



Rethink Governance in an API-First World

● Primary Goal of API Governance
● So Why Implement API Governance?
● What Should API Governance Include?
● Implementing an API Governance Approach
● Modern APIs Are Different Than Integration
● How Governance Can Enable Security and Compliance
● All WebApp and MobileApp Development Is API Development
● Best Practices to Help Organizations Scale Their API Program
● API Governance: A Key Element for Security and Scaling API Programs
● How to Execute API Governance Throughout Design, Implementation & Runtime Operations



Setup of API Security Testing environment

● Installation of API Security Testing Tools
● Installation of API Security Testing Frameworks
● Configuration and Testing Builds of Live Test Cases
● Testing API Code Quality and Build Settings
● First, Let's Look at the API Documentation
● Security Testing Guided by API Documentation
● Security Review of API Documentation
● Understanding API-Based Platforms



Getting Started with API Security Testing

● Setup of API Live Test Case Environment
● API Penetration Testing Methodologies
● API Security Testing Checklists for Pentesters
● API Security Testing Checklists for Developers
● API Security Testing Checklists for Bug Hunters
● API Security Testing According to API Governance



MobileApp and WebApp APIs Security Testing

● Complete Security Testing of Web API Applications
● Complete Security Testing of Mobile API Applications
● Covering Security Audit of MobileApp API and WebApp API



Discovering Leaky APIs | Hidden APIs - Reconnaissance

● Configure Fiddler to Find Sensitive and Leaky APIs
● Configure Burp Suite for Security Testing of Hidden APIs
● Proxying Device Traffic Through Fiddler | Burp Suite
● Discovering More About Mobile Apps via Fiddler
● Discovering Hidden APIs via Documentation Pages
● Discovering Hidden APIs via Search Engine
● Discovering Hidden APIs via robots.txt
● Discovering Leaky APIs - UserID Endpoint
● Discovering Leaky APIs - User Input Endpoint
● Discovering Leaky APIs - User Interaction Endpoint
● Personally Identifiable Information (PII) Disclosure



API Authentication and Authorization Vulnerabilities

● A Practical Approach to Test: Various OAuth Misconfiguration
● A Practical Approach to Test: OAuth Authorization Bypass
● A Practical Approach to Test: Account takeover Issues
● Improper Restriction of Unprotected API Endpoints
● API Auth Tokens Transported in Cleartext
● Improper Restriction of Misconfigured APIs
● Insufficient Entropy For Random Values
● Leakage of API Authentication Tokens
● Improper Access Control



API Manipulation and Parameter Tampering

● A Practical Approach to Test: XML External Entity (XXE) Processing
● A Practical Approach to Test: HTTP Parameter Pollution Attacks
● A Practical Approach to Test: Cross-site Scripting (XSS)
● A Practical Approach to Test: Common Injection Attacks
● A Practical Approach to Test: Command Injection
● A Practical Approach to Test: SQL injection
● Manipulating App Logic by Request Tampering
● Response Tampering


API Security Top 10 according to OWASP

● OWASP API Security Vulnerabilities - Practicals
● Testing for Broken Function Level Authorization
● Testing for Broken Object Level Authorization
● Testing for Lack of Resources & Rate Limiting
● Testing for Broken User Authentication
● Testing for Improper Assets Management
● Testing for Security Misconfiguration
● Testing for Excessive Data Exposure
● Testing for Mass Assignment


Modern API Vulnerabilities and Bug Bounty - Introduction

● Why API Security Testing Is Important in Bug Bounty Hunting
● Why API Security Testing Is Important in WebApp Security Auditing
● Why API Security Testing Is Important in MobileApp Security Auditing


Modern API Vulnerabilities and Bug Bounty - Practicals

● A Practical Approach to Test: Insecure Direct Object Reference (IDOR)
● A Practical Approach to Test: Cross-Origin Resource Sharing (CORS)
● A Practical Approach to Test: Cross-Site Request Forgery (CSRF)
● A Practical Approach to Test: Open Redirection Vulnerability
● A Practical Approach to Test: Privilege Escalation Issues
● A Practical Approach to Test: Local File Inclusion (LFI)
● A Practical Approach to Test: Remote File Inclusion (RFI)
● A Practical Approach to Test: Input Validation Issues



Pricing
USD $100 Only




Contact us:
Need technical assistance? Speak with a support representative by email:

hackerslash@icloud.com