API Exploration and Exploitation Orange Cyberdefense $2,800 Early (Early $2,600)

$2,800.00

Name of Training:

API Exploration and Exploitation

Description:

Introduction to APIs, Engaging and exploring APIs, Enumerate the API Attack Surface, Demystifying the OWASP Top 10 for APIs, Exploring GraphQL, Capture The Flag Exercise

Training description:

The use of Application Programming Interfaces (APIs) has increased over the years, and the threat landscape of organizations grows with their adoption. The content of the course creates awareness around the various attack vectors used against APIs and provides actionable mitigation strategies.

The aim of this course is to empower you to conduct a risk assessment of an API. This hands-on course covers API basics, setting up a test environment, API threat model, API protocols and architectures, typical vulnerabilities, enumerating an attack surface and best practices around security. 

Moreover, it focuses on gaining practical experience with the OWASP Top 10 for APIs. In addition, you will gain practical experience exploiting typical vulnerabilities in RESTful (REST) APIs and GraphQL. The course concludes with a capture the flag (CTF) exercise to apply the knowledge gained during the course.

Training Outline:

Application Programming Interfaces (APIs) have been widely adopted as a value creator within the context of business, where they are used to either expose or consume services as part of the supply chain. However, this strategy also increases the attack surface of businesses.

Securing these services is a critical imperative for the sustainability of businesses. The objective of the course is to enable you to perform a risk assessment on APIs.

This introductory course aims to unpack the security considerations of an API and demonstrate how various attack vectors could be used to impact the security of an API.

You will practically exploit vulnerabilities to gain better insight into the attack vectors and then evaluate the best strategies to mitigate the threat.

This course was designed around the practical application of risk assessments targeting APIs.

More Details:

* 2-day course

* 60% practical and 40% theoretical

* Real-world attacks and methodologies

* Delivered by active penetration testers and red team members

Main modules:

  1. Introduction to APIs
  2. Engaging and exploring APIs
  3. Enumerate the API Attack Surface
  4. Demystifying the OWASP Top 10 for APIs
  5. Exploring GraphQL
  6. Capture The Flag Exercise 

Our training is delivered via SensePost, the specialist ethical hacking team of Orange Cyberdefense. As one of Black Hat Briefings' longstanding training partners, we have trained thousands of students over the past two decades in the art of offensive and defensive approaches. It’s safe to say we enjoy teaching others how to pwn networks and applications. Our courses are developed from the work we perform for clients, so that you get a better understanding of how to exploit real-world scenarios.

Join us and hack hard!

Module structure?

This course consists of 6 high-level modules, approximately 26 key concepts and approximately 30 practicals.
Below is the outline based on the 6 modules and the 26 sub-modules, as well as an indication of where the practicals fit into the course flow.

Module 1: Introduction To API

* What is an API?

* The API ecosystem

* Threat model of an API

* Review of code representing an API endpoint

Practical 1 – What to do with APIs:

This practical engages candidates to look for open APIs and to work out how they could use at least three APIs within a fictional business / operational scenario.

Module 2: Engaging with the Target API:

* Set up and configure Postman, cURL and Burp to connect to the target API

* Demonstrate the various HTTP headers

* Interacting with Swagger

* Demonstrate the various HTTP methods

* Discuss the use of JWT for authentication

Practical 2 – Abusing a JWT :

The practical focuses on creating a JWT to authenticate against an endpoint. It then covers cracking a JWT that is protected by a weak secret or signing algorithm, and lastly how to re-sign the JWT and use it in subsequent abuses.
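As an added illustration of the verifier-side checks this practical is about (this is not the course's lab code or SensePost material), the following Python uses only the standard library to mint and verify HS256 tokens. It shows the three things a correct verifier does: it pins the algorithm to its own expectation rather than trusting the token header (so `alg: none` is refused), it compares signatures in constant time, and it requires an expiry. It also refuses to mint with a secret shorter than the hash output, which RFC 7518 requires for HS256. The secret, claims and function names are assumptions made for this example.

```python
"""Minimal HS256 JWT mint/verify using only the standard library.

Added example for this course outline, not SensePost's lab code.  The
secrets, claims and token values used here are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# RFC 7518 s3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_HS256_KEY_BYTES = 32


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def secret_is_strong(secret: bytes) -> bool:
    """A guessable or short HMAC secret is the root cause of 'JWT cracking'."""
    return len(secret) >= MIN_HS256_KEY_BYTES


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Sign claims with HS256; refuses secrets shorter than the hash output."""
    if not secret_is_strong(secret):
        raise ValueError("HS256 secret must be at least 32 bytes")
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_alg_none_token(claims: dict) -> str:
    """An unsigned 'alg: none' token, built only to show the verifier rejects it."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(claims)}."


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify a token and return its claims; raises ValueError on any failure.

    The accepted algorithm is the verifier's decision, never read from the
    token header, so neither 'alg: none' nor an algorithm swap can downgrade it.
    """
    now = time.time() if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only HS256 is accepted")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims:
        raise ValueError("token has no expiry")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def verification_error(token: str, secret: bytes, now: float) -> Optional[str]:
    """Return the rejection reason for a token, or None if it verifies."""
    try:
        verify_hs256(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret-0123456789ab"  # 36 bytes, example only
    token = mint_hs256({"sub": "user-42", "exp": 2000}, secret)
    print("valid token:", verification_error(token, secret, now=1000))
    print("alg none   :", verification_error(unsigned_alg_none_token({"sub": "admin", "exp": 2000}), secret, 1000))
    print("wrong key  :", verification_error(token, b"y" * 32, 1000))
```

The design point is that every rejection path is the verifier's own rule, not something the token can negotiate: a library that reads `alg` from the header and dispatches on it is exactly the "insecure JWT configuration" use case in Module 4.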

Module 3: Enumerate API Attack Surface:

* Creating wordlists to enumerate endpoints

* Fuzzing endpoints to identify hidden endpoints

* Use of tools to create wordlists

Practical 3 – Using cewl and mentalist to create a wordlist:

The identification of endpoints is critical to enumerating the attack surface of APIs. This practical demonstrates the use of tools to create custom wordlists.

Module 4: Demystify the OWASP Top 10 for API:

Candidates will be exposed to the most common vulnerabilities targeting APIs. These vulnerabilities are put into context through use cases, and candidates perform each attack to gain a better understanding of it. The focus is also on identifying mitigation strategies to address the risk.

* Unpack the OWASP Top 10 for APIs

* Analyze the vulnerability: Broken Object Level Authorization

* Analyze the vulnerability: Broken User Authentication

* Analyze the vulnerability: Broken Function Level Authorization

* Analyze the vulnerability: Excessive Data Exposure

* Analyze the vulnerability: Lack of Resources & Rate Limiting

* Analyze the vulnerability: Mass Assignment

* Analyze the vulnerability: Security Misconfiguration

* Analyze the vulnerability: Injection

* Analyze the vulnerability: Improper Assets Management

* Analyze the vulnerability: Insufficient Logging & Monitoring

Practical 4 – Getting to know the top vulnerabilities for APIs:

The practicals are part of the module describing each vulnerability. The use cases were developed to practically demonstrate each vulnerability and give the candidate the opportunity to experience it first hand. This in turn creates awareness of how to test for each of these vulnerabilities.

* Practical review of Use Case: Unauthorized Enumeration and Viewing

* Practical review of Use Case: Insecure JSON Web Token (JWT) configuration

* Practical review of Use Case: Weak password complexity

* Practical review of Use Case: Authentication susceptible to brute force attack

* Practical review of Use Case: OTP Bypass

* Practical review of Use Case: Escalate Privileges to gain Administrative Access

* Practical review of Use Case: API Response contains Unfiltered Data

* Practical review of Use Case: API Response contains Unnecessary Data

* Practical review of Use Case: Impact of Zipbombing

* Practical review of Use Case: Rate Limiting - Abuse Number of Calls to End Point

* Practical review of Use Case: Rate Limiting Enabled

* Practical review of Use Case: Privilege Escalation

* Practical review of Use Case: HTTP OPTIONS Method Enabled

* Practical review of Use Case: Verbose Error Messages

* Practical review of Use Case: Outdated Application Servers

* Practical review of Use Case: Overly permissive Cross-Origin Resource Sharing (CORS)

* Practical review of Use Case: SQL Injection

* Practical review of Use Case: XXE Injection

* Practical review of Use Case: Command Injection

* Practical review of Use Case: Enumerate API to identify deprecated endpoints

* Practical review of Use Case: No authentication required to access endpoint

* Practical review of Use Case: Logging of data

* Practical review of Use Case: Logs containing sensitive data

* Practical review of Use Case: Logs do not have sufficient data

Module 5: Exploring GraphQL from a security perspective:

* Introduction to GraphQL

* Describing the various vulnerabilities associated with GraphQL

* Discuss various techniques to secure GraphQL

Practical 5 – Introspection for the Win

Candidates are provided with an endpoint to explore the various vulnerabilities. This includes:

  • Abusing the default GraphQL configuration, which can expose the supported schema and queries.
  • Exploring the impact of IDORs to gain access to information within the context of GraphQL.

Module 6: Capture the Flag:

The course concludes with candidates participating in a capture the flag in which the secret documents of a target company need to be found. Candidates apply the knowledge acquired during the course to exploit vulnerabilities within the exposed API.

Trainer(s) bio:

Aubrey Labuschagne (William)

Aubrey is a security analyst at SensePost. Over the years he has had many roles, including project management, product management, development, training and security analysis. His interest in security grew from his immersion in information warfare. His hobbies include the development of sensor-centric platforms. He has a passion for training and has completed his master's degree on how to improve the effectiveness of security awareness programs. Favourite quote: "Nothing is real until experienced". He currently holds several certifications, including OSCP, ECSA and ISO 27032.

SensePost Training 

SensePost, an elite ethical hacking team of Orange Cyberdefense, has been training internationally since 2002. We pride ourselves on ensuring our content, our training environment and our trainers are all epic in every way possible. The trainers you will meet are working penetration testers, responsible for numerous tools, talks and 0day releases. This provides you with real experiences from the field along with actual practitioners who will be able to support you in a wide range of real-world security discussions. We have years of experience building environments and labs tailored for learning; after all, education is at the core of SensePost and Orange Cyberdefense.

Past content:

This training was delivered at Def Con Trainings 2022 in Las Vegas. 

Trainer(s) social media links:

https://twitter.com/sensepost_train : @sensepost_train
https://twitter.com/sensepost : @sensepost
https://twitter.com/orangecyberdef : @orangecyberdef

Technical difficulty:

Beginner 

Why should people attend this course?

Application Programming Interfaces (APIs) have been widely adopted as a value creator within the context of business, where they are used to either expose or consume services as part of the supply chain. However, this strategy also increases the attack surface of businesses.

Securing these services is a critical imperative for the sustainability of businesses.

We thus created this brand new course to expose developers and penetration testers to APIs and the vulnerabilities they can contain.

Top 3 takeaways you will learn

* Understanding the usage and business context around APIs

* Set up and create the adequate testing environment and configuration

* Assess and analyse real-world APIs with industry-leading methodologies

Who should take this course?

This course is ideal for any developer looking to further their understanding of security in practice and to widen their understanding of vulnerabilities in APIs.
This course is also ideal for penetration testers looking to advance their API testing skills, or those starting out in penetration testing of web applications and APIs.

Student requirements?

This is a beginner course in penetration testing of APIs. No security-related experience is required, but a technical understanding of computers, networks, Linux and Windows is a must.

Please ensure you are comfortable with the Linux command line before enrolling for this course. Students will execute some commands from the command line when using cURL to interact with the APIs.

What you should bring?

You should bring a laptop with a working modern browser like Firefox or Chrome to access the APIs and online lab.

What you will be provided with?

You will be given:

* Access to our web class portal containing slides, practicals, walkthroughs and tools and prerequisites. This is accessible during and after the training.

* Access to your own individual lab with numerous targets and capabilities, used for the practicals. This is accessible during the training.

Suggested Prerequisites:

Requires students to have a solid working understanding of the Linux command line and basic web hacking skills.

This is an intermediate course in penetration testing of APIs. No security-related experience is required, but a technical understanding of computers, networks, Linux and Windows is a must.

Please ensure you are comfortable with the Linux command line before enrolling for this course. You will execute some commands from the command line when using cURL to interact with the APIs.

What students should bring:

You should bring a laptop with a working modern browser like Firefox or Chrome to access the APIs and online lab. 

DATE: August 12th-13th 2024
TIME: 8am to 5pm PDT
VENUE: Sahara Las Vegas
TRAINER: TBA

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st; a $250 processing fee applies.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.