Offensive API Exploitation and Security

Examples Of APIs We Use In Our Everyday Lives

Travel Booking

Login using XYZ

Weather Snippets


Offensive API Exploitation and Security is a customized course that teaches how to defend your API’s. This course is an advanced, hands-on, practical program where each candidate is given a custom VM developed specifically for API penetration testing, and all tools are configured to verify safety defects in modern API.
API stands for Application Programming Interface which is widely used on the internet for Web Application, mobile, IoT, desktop applications, and much more as shown in examples above. The modern application uses the API to call or execute the actions or the activities of the user. Customers or service users are exposed to the API architecture or structure.
The REST API uses multiple processing requests such as GET, POST, PUT, DELETE, OPTIONS, PROPFIND etc. This helps the user to understand the API's structure and use this information attack API further. This understanding of API can be used to exploit the API.

Why hackerSlash?

hackerSlash has launched this custom made completely hands-on course, and advanced CTF(capture the flag) labs are introduced for each candidate. This Certification program will focus on complete API exploitation and defense technique. We will dive deep in detail all standards like SOAP, XML, REST, and GRAPH QL, and best practices.
We will also learn how we can penetrate cloud-based Web API and will go through advanced technique and industry best practices for a modern web application, mobile app, and desktop applications.


  • Cloud Based API Exploitation
  • Authentication and Access Control Bypass
  • Live Real World API Exploitation
  • All Injections
  • OAUTH2.0 Exploitation
  • IDOR (Insecure Direct Object Reference)
  • All Server-Side Vulnerabilities
  • Crypto and Algorithm Attacks
  • Content Discovery & API Fuzzing
  • REST, GRAPHQL and SOAP API Exploitation
  • Resources Access

    Course Delivery


    Module 1: Brief Introduction to API and case study
    Module 2: HTTP and HTTPS basics
    Module 3: Brief Introduction to TLS/SSL and how encryption work
    Module 4: API Standards in Details
    Module 5: Lab Setup for Offensive API Penetration Testing
    Module 6: Python Lab Setup for API Penetration Testing
    Module 7: Modern API Attacks and Countermeasure
    Module 8: Securing API and case study
    Module 9: Proxy Tools and configuration ( Burpsuite and Fiddler)
    Module 10: Exploring Hidden feature of BURP for API Exploitation
    Module 11: TOP-20 API Industry based Tools and configuration
    Module 12: Fuzzing API using custom scripts
    Module 13: Crafting series of attack for API Exploitation
    Module 14: API Reconnaissance and Fingerprint
    Module 15: REST-API Crafting attacks
    Module 16: Brief Introduction to JWT Token
    Module 17: Brief Introduction to Session, Cookie & Tokens
    Module 18: JWT Token Bypassing Technique
    Module 19: Cryptographic Algorithm Attack
    Module 20: UBER/GITHUB API Endpoint Analysis
    Module 21: Brief Introduction to OAuth 1 and OAuth 2
    Module 22: Brief Introduction to OpenID
    Module 23: Attack OAuth Token
    Module 24: Open REDIRECT Attack
    Module 25: XSS and CSRF Attack on OAuth
    Module 26: DOS/DDOS Attack on API
    Module 27: Implicit Attack Flow
    Module 28: Bruteforcing Attack on Token
    Module 29: Pure Bruteforcing Attack on API
    Module 30: Authentication Bypass
    Module 31: IDOR Attacks Flow and Hands-on
    Module 32: QL Injection Identifying on API
    Module 33: SQL Injection Attack on API
    Module 34: RCE Attack Flow and Hands-on
    Module 35: Mitigation of all API Attacks
    Module 36: Hash Cracking Technique
    Module 37: Public/Private Key Attacking technique
    Module 38: OAES Exam Walkthrough
    Module 39: OWASP API Exploitation and Security Top 10
    Module 40: OAuth2 Client CSRF Attack
    Module 41: OAuth2 Authorization Server CSRF
    Module 42: CVE-2016-4977( Vulnerable Version of Spring's OAuth)


    Even though the course will start from scratch we recommend, a candidate has a fundamental understanding of how Network and Web Applications work.


    This course will benefit all who want to choose their career as a Penetration Tester, and add API Security and OAuth to their skills.
    • Software Engineer
    • Security Expert
    • Application Developer
    • Web Developer
    • Backend Developer
    • Penetration Tester
    • Ethical Hacker


    • CPU: 64-bit Intel i5/i7 with 4th generation + (2.0 GHz)
    • 8 GB of RAM or higher
    • 300 GB free space
    • Administrator Access
    • Wi-Fi 802.11 capability
    • Windows 10 Pro, Linux or macOS (Latest updated)
    NOTE: All other software and configuration requirement will be provided and guided.


    40 hours live instructor led training with complete hands-on.


    Training + course material + exam certification.
    | Free For Selected Bangladeshi Students
    | $300 USD for International Students