Exploring the Unexplored - API Penetration Testing

Day 1 (15 Nov 2024)

11:00 - 13:00

Foundations of API Security and Lab Setup

In this foundational part, participants set up the tools and lab environment required for safe and effective API testing, including Postman, Burp Suite, and OWASP ZAP. It also introduces core API security principles and the OWASP API Top 10, helping participants understand how APIs are structured, how they function, and which vulnerabilities most commonly compromise them. This groundwork is essential for understanding API attack surfaces and recognizing potential risks in API-driven applications.

  • Lab Setup and Environment Configuration
  • Introduction to API Security and OWASP API Top 10

  Tools:
  • Postman
  • Burp Suite
  • OWASP ZAP
  • Nmap

14:00 - 16:00

Reconnaissance, Endpoint Discovery, and Reverse Engineering

This part focuses on techniques for gathering information about APIs, uncovering hidden or undocumented endpoints, and reverse engineering applications to reveal API details. Participants learn both passive and active reconnaissance methods, using tools like FFUF and Recon-ng to discover endpoints. They also apply reverse engineering techniques, such as analyzing APKs and using browser dev tools, to map out API structures and data flows. These skills are essential for understanding the full scope of an API’s functionality and identifying possible entry points for testing and exploitation.

  • Reconnaissance and Endpoint Discovery
  • Reverse Engineering of API

  Tools:
  • FFUF
  • Recon-ng
  • Browser DevTools
  • APKTool
  • Postman

Day 2 (16 Nov 2024)

11:00 - 13:00

Scanning, Enumeration, and Vulnerability Exploitation

Participants will learn to scan and enumerate APIs to identify exposed data, misconfigurations, and security weaknesses, using tools like Nmap and OWASP ZAP. This part also covers exploiting common vulnerabilities, such as flaws in authentication and authorization mechanisms, as well as input validation issues, including SQL injection and cross-site scripting. Through practical exercises, participants will build skills to test for weaknesses in access controls and data validation, enhancing their ability to detect and exploit common security flaws in APIs.

  • Scanning and Enumeration
  • Authentication, Authorization, and Access Control Testing
  • Exploiting Input Validation and Injection Vulnerabilities

  Tools:
  • SQLMap
  • OWASP ZAP
  • Nmap
  • Burp Suite
  • JWT.io
  • Postman

14:00 - 16:00

Advanced Vulnerabilities, OWASP API Top 10 Application, and Reporting

In this final part, participants tackle advanced API vulnerabilities such as Server-Side Request Forgery (SSRF), Insecure Direct Object References (IDOR), and Mass Assignment, understanding their impact and how to exploit them. The course also provides hands-on experience with each category in the OWASP API Top 10, ensuring participants can apply these principles to real-world testing scenarios. Finally, participants learn to document findings in a structured report with clear recommendations, so they can communicate vulnerabilities and solutions effectively to stakeholders.

  • Advanced API Vulnerabilities
  • OWASP API Security Top 10 Practical Overview
  • Reporting and Remediation

  Tools:
  • Burp Suite
  • OWASP ZAP
  • Postman