Learn To Protect Your APIs By Hacking Them
Written by Nikos Vaggalis   
Tuesday, 06 September 2022

A free course from security expert Corey Ball will teach you the techniques necessary to hack your APIs. The ultimate goal is to learn how to protect them by first identifying any undiscovered vulnerabilities.

Alongside the motto "Software is eating the world", I would add "APIs are eating the Internet". It is estimated that 83% of internet traffic comes from interaction with APIs, so learning how to protect them is of the utmost importance. But given the shortage of expert cybersecurity personnel, that knowledge has to be gained from other sources, like this course for instance.

APIsec University is hosted by Corey Ball, a true cybersec expert and author of the new book Hacking APIs - Breaking Web Application Programming Interfaces, published by No Starch Press.

In that book he teaches how to go about:

  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

The book costs money, but the course does not.

APIsec Certified Expert is a path comprising three courses that lead to a certification. You start out with API Security Certified Expert, continue as an API Security Defender and end up as an APIsec Certified User.

The APIsec Defender course provides the foundational knowledge required to help secure APIs, while APIsec Certified User develops your API security testing skills so that you get the most from the APIsec automated testing platform. Of the three courses, only API Security Certified Expert is partly available so far; the rest will follow.

API Security Certified Expert is also the one that is free and the one that mirrors the topics of the book, although not in as much depth. As with the book, it focuses on the offensive side of the story and consists of detailed workshops on API hacking techniques that show how to uncover vulnerabilities and logic flaws. Its outline is:

  • Introduction

  • Lab Setup

  • API Reconnaissance
    Learn passive tools and techniques that can be used to discover and analyze APIs.

  • Endpoint Analysis
    Learn to make API requests and analyze responses.

  • Scanning APIs
    After you have discovered and analyzed an API, it is time to learn to properly scan APIs for weaknesses.

  • API Authentication Attacks
    Various API authentication attacks, including password brute force, password reset, password spraying and MFA brute force.

  • Exploiting API Authorization
    Testing the vulnerable application VAmPI for Broken Object Level Authorization (BOLA) vulnerabilities.

  • Testing for Improper Assets Management
    Perform tests for Improper Assets Management.

  • Mass Assignment
    Test for Mass Assignment vulnerabilities.

  • Injection Attacks
    Learn to perform various injection attacks, including SQL, NoSQL, and XSS.

  • Rate Limit Testing
    Learn a variety of techniques to test APIs for rate limiting.

  • Combining Tools and Techniques
    Learn to combine tools and techniques from the previous modules to exploit API weaknesses.

The material up to the chapter on Scanning APIs is available already. The rest will follow, with an ETA of mid-September. In any case you can enroll for free and start with what's available right now. As for the remaining two courses that need to be taken in order to get certified, it has not yet been decided whether they will also be free or paid, and if paid, how much they will cost.

The question that remains is how valuable APIsec University's certification is. In terms of the knowledge you will gain it is certainly worthwhile, but if the question is whether the certification can help you land a job, that depends on a number of things, primarily the extent to which the cybersec world recognizes Corey Ball. Corey is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services, and holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications. Pretty certified himself, if you ask me. His book is also doing well and is considered groundbreaking.

In any case, the free parts available are those that are core to every API-focused developer out there, so do not hesitate to enroll, whether or not you intend to progress further.



More Information

API Security Certified Expert

Related Articles

HackerSploit Docker Security Essentials

The State Of Secure Software Development - Three OpenSSF Courses

Last Updated ( Wednesday, 07 September 2022 )