WS-01

Fortify APIs: Mastering Penetration Testing for Robust Application Security

October 4th & 5th, 2023
Grand Hyatt, Kochi, India

The objective of this course is to empower penetration testers and security professionals with the knowledge and skills needed to effectively identify and address vulnerabilities in APIs, ensuring robust application security. By the end of the course, participants will be able to:

  • Understand the unique challenges and approaches to API security testing.
  • Master automation techniques and tools for API penetration testing.
  • Develop comprehensive checklists and methodologies for discovering API insecurities.
  • Identify and mitigate common API vulnerabilities such as broken object level authorization, injection, and misconfigurations.
  • Gain practical experience in conducting API security assessments through hands-on exercises.
  • Enhance their ability to perform thorough API security testing within the context of application penetration testing.
  • Apply best practices for securing APIs and preventing potential security breaches.
  • Stay updated with the latest trends and techniques in API security testing.

Overall, this course aims to equip participants with the necessary skills, techniques, and knowledge to effectively assess and fortify API security, ultimately enhancing the overall security posture of applications.

Course Content (ToC):

  • Intro to API Security
    • Different Approach to API Security Testing
    • Challenges in API Security Testing
    • Traditional API testing vs. API security testing
    • Standards in API Development
    • OWASP API Security Top 10 attacks
  • Automation in API Testing
    • Role of automation in API pen-testing
    • Deep dive into Postman for API pen-testing
    • Automation in API fuzzing with Open Source Tools
  • Discovering API Insecurities
    • Building API Security Testing Checklists
    • Discovering hidden API endpoints
    • Common API endpoints for quick wins
    • Testing for unhandled HTTP methods
    • Sensitive data disclosed through API OSINT
  • API Pentesting: OWASP API Security Top 10 (2019 edition; the ten items below follow that list)
    • Broken Object Level Authorization
    • Broken User Authentication
    • Excessive Data Exposure
    • Lack of Resources & Rate Limiting
    • Broken Function Level Authorization
    • Mass Assignment
    • Security Misconfiguration
    • Injection
    • Improper Assets Management
    • Insufficient Logging & Monitoring
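
The course objectives and the OWASP item above both name broken object level authorization (BOLA) as the first thing an API tester should look for. The following Python example is added here to illustrate it; it is not course material and not code written by the trainers. It models a `GET /orders/{id}` endpoint twice, once authenticating the caller but never checking ownership and once enforcing it, and includes the probe a tester runs: fetch your own object, then a neighbouring id with the same token. The users, orders and bearer tokens are constructed for the example; no network or framework is involved.

```python
"""Broken Object Level Authorization (BOLA): vulnerable vs. hardened handler.

Added example for the "Broken Object Level Authorization" item of the ToC.
Everything here (users, tokens, order ids) is constructed sample data.
"""

# Constructed sample data: two customers, each owning one order.
# Sequential ids make foreign objects trivially guessable, which is the
# typical BOLA entry point.
USERS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}
ORDERS = {
    1001: {"owner": "alice", "item": "laptop", "shipping_address": "1 Main St"},
    1002: {"owner": "bob", "item": "phone", "shipping_address": "2 High St"},
}


def authenticate(headers):
    """Map an Authorization: Bearer <token> header to a user name, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return USERS.get(auth[len("Bearer "):])


def get_order_vulnerable(headers, order_id):
    """GET /orders/{id}: authenticates the caller but never checks ownership.

    Any valid token can read any order simply by changing the id in the
    path. Authentication (who you are) is not authorization (what you may
    touch)."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_hardened(headers, order_id):
    """Same endpoint with object-level authorization enforced.

    The order must belong to the authenticated caller. Foreign objects get
    the same 404 as non-existent ones, so the response does not confirm
    which ids exist (a 403 would leak that)."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


def bola_probe(handler, token, own_id, foreign_id):
    """Tester's check for BOLA.

    With one user's token, fetch that user's own object (to confirm the
    token works) and then a neighbouring id. Returns True when the foreign
    object is served, i.e. the endpoint is vulnerable."""
    headers = {"Authorization": f"Bearer {token}"}
    own_status, _ = handler(headers, own_id)
    foreign_status, _ = handler(headers, foreign_id)
    return own_status == 200 and foreign_status == 200


if __name__ == "__main__":
    # Alice's token against Bob's order id.
    print("vulnerable endpoint leaks foreign order:",
          bola_probe(get_order_vulnerable, "tok-alice", 1001, 1002))
    print("hardened endpoint leaks foreign order:  ",
          bola_probe(get_order_hardened, "tok-alice", 1001, 1002))
```

The probe is the same whether the handler is an in-process function, as here, or a real endpoint reached through Postman or a fuzzer: obtain two accounts, collect the object ids each one legitimately sees, then replay every id with the other account's token and diff the status codes.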


Prerequisite:

This course has no specific knowledge prerequisites, as it is designed to accommodate participants with different skill levels.

Participants Requirements:

  • Laptop with at least 8 GB RAM, 50 GB of free disk space, and virtualization enabled (required on non-Unix operating systems)
  • Internet connection

Duration:

2 Days

Who should attend

Mobile and web application developers, penetration testers, and anyone interested in gaining exposure to API security

What to expect

Gain exclusive, lifetime access to meticulously curated slides and immersive, hands-on material covering the most cutting-edge topics in API security, unlimited email support, and access to private groups for communicating with other participants.

A practical course on API security that will boost your knowledge and career regardless of your current skill level and experience, with tips and tricks you can apply as soon as you are back at your workplace.

What not to expect:

This is a course unlike any other: you get lifetime access to all the slides and lab exercises.

This course does not, however, cover 0-days, OS-level exploits (macOS, Windows, Linux), binary exploitation, or similar topics.

Do not expect the instructors to spend the whole time going through slides; this is a practical rather than a theoretical course. In this highly hands-on workshop, the trainers guide and assist you in exploiting simulated real-life scenarios to build your practical skills, rather than simply presenting slides.

Speakers

Ashwin Shenoi

Lead Security Engineer , CRED , India

Ashwin Shenoi is a Lead Security Engineer at CRED with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team according to CTFTime. In his role as head of the Web Security team at team bi0s, he also serves as the core challenge setter and organizer for various editions of InCTF and other CTFs organised by team bi0s. Ashwin is also a Security Trainer with 7ASecurity, and has presented talks and security trainings in various security conferences such as BlackHat Asia, BlackHat USA, BlackHat Europe, Nullcon, and ThreatCon. Ashwin has a strong background in identifying and exploiting vulnerabilities in open source applications, and he has been awarded multiple CVEs for his contributions to the security community.

Aswin M Guptha

Senior Security Engineer , Traboda CyberLabs , India

Aswin M Guptha is a Security Researcher at Traboda who has over 8 years of expertise in Web Application Security. He has extensively participated in various penetration testing activities on infrastructure ranging from CMSs to hospitals over the past few years. He is also involved in testing various mobile applications. He has also delivered talks and training for students, working professionals and government authorities on various advanced topics.

ORGANIZED BY

Information Security Research Association Kerala Police

ORGANIZING PARTNERS

UNICEF UNICRI Centre for Artificial Intelligence and Robotics International Centre for Missing & Exploited Children WeProtect Global Alliance CESP | Conseil Européen des Syndicats de Police Kerala IT Mission

PLATINUM SPONSORS

Federal Bank Synthite RP GRPUP

GOLD SPONSORS

Keyzotrick Intelligence Pvt. Ltd National Critical Information Infrastructure Protection Centre Bharat Petroleum Palo Alto Networks Cyble - Cybersecurity Threat Intelligence Platform & Solutions Seqrite

SILVER SPONSORS

Cochin Shipyard ICICI Bank State Bank of India SBI Life Geojit SFS Homes Cochin International Airport Manage Engine Resecurity: Cybersecurity Solutions and Services Fortinet Technologies India Pvt Ltd

BRONZE SPONSORS

GAIL (india) LIMITED Canara Bank Elite Foods CSB Bank Petronet LNG Luker India Trend Micro AVT Natural CYFIRMA Indian Oil Corporation Cochin Port Trust Kerala State Industrial Development Corporation ESAF Bank The Kerala Minerals and Metals Limited

EXHIBITORS

PureID Cyble - Cybersecurity Threat Intelligence Platform & Solutions Resecurity: Cybersecurity Solutions and Services Prophaze Manage Engine Darwis Fortinet Technologies India Pvt Ltd & Alibi Global Private Limited eSec Forte Technologies Palo Alto Networks Seqrite Innspark Enterprise Security C-DAC: Centre for Development of Advanced Computing, India ECS Biztech State Bank of India Kratikal Tech Pvt. Ltd. CYFIRMA TerraEagle Netskope Geojit

COMMUNITY PARTNERS

EliteCISOs GTech - Group of Technology Companies - Technopark, Infopark, Cyberpark BSides Odisha

NETWORKING PARTNER

WTC Kochi

MEDIA PARTNERS

Information Security Media Group The 420

STRATEGIC PARTNER

CXOCywayz

Jet Suit demo partner

Synthite

c0c0n @16

c0c0n is a 15-year-old platform that is aimed at providing opportunities to showcase, educate, understand and spread awareness on information security, data protection, and privacy...

Where & When?

October 4th to 7th, 2023
Grand Hyatt, Kochi, India

Reach us @

(+91) 974-690-6654
m@is-ra.org