In this foundational part, participants will set up the tools and lab environment required for safe and effective API testing, including tools like Postman, Burp Suite, and OWASP ZAP. This part also introduces core API security principles and the OWASP API Top 10, helping participants understand the structure and functionality of APIs and the most common vulnerabilities that can compromise their security. This foundational knowledge is crucial for understanding API attack surfaces and recognizing potential risks in API-driven applications.
This part focuses on techniques for gathering information about APIs, uncovering hidden or undocumented endpoints, and reverse engineering applications to reveal API details. Participants will learn both passive and active reconnaissance methods, using tools like FFUF and Recon-ng to discover endpoints. They will also use reverse engineering techniques, such as analyzing APKs and utilizing browser dev tools, to map out API structures and data flows. These skills are essential for understanding the full scope of an API’s functionality and identifying possible entry points for testing and exploitation.
Participants will learn to scan and enumerate APIs to identify exposed data, misconfigurations, and security weaknesses, using tools like Nmap and OWASP ZAP. This part also covers exploiting common vulnerabilities, such as flaws in authentication and authorization mechanisms, as well as input validation issues, including SQL injection and cross-site scripting. Through practical exercises, participants will build skills to test for weaknesses in access controls and data validation, enhancing their ability to detect and exploit common security flaws in APIs.
In this final part, participants will tackle advanced API vulnerabilities such as Server-Side Request Forgery (SSRF), Insecure Direct Object References (IDOR), and Mass Assignment, understanding their impact and how to exploit them. The course will also provide hands-on experience with each category in the OWASP API Top 10, ensuring participants can apply these principles to real-world testing scenarios. Finally, participants will learn to document findings in a structured report with clear recommendations, ensuring they can effectively communicate vulnerabilities and solutions to stakeholders.