SEC-T - 0x10sion

10-13 September 2024

Attacking and securing APIs

This is a fully hands-on, practical and concentrated course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: in web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementations and infrastructure. This training aims to engage you in creating secure modern APIs, while showing you the attack vectors in use today.

You will learn:

Attacking and defending web APIs (REST, GraphQL):
    Learn REST and GraphQL security best practices.
    Create APIs that are easy to use securely and hard to use insecurely.
    Techniques and tools to design, test and attack APIs and microservices.
    Mitigate and defend against security weaknesses in APIs.
    Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.

Attacking and securing Amazon cloud (AWS) APIs and infrastructure:
    Perform post-exploitation and pivot attacks against AWS environments.

Performing modern injection attacks:
    Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injection and more.

Securing passwords and secrets in APIs:
    Learn how to effectively manage the problem of credential storage.
    Attack insecure password protection schemes and export credentials.
    Utilize open-source and platform-independent credential management solutions.
    Implement secure password storage and handling.

API authentication and authorization techniques:
    Understand the intricate details of authentication and authorization frameworks and technologies.
    Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
    Understand OAuth2, JWT/JWS and other authentication technologies.
    Attack and fix insecure JWT and cookie implementations.
    Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
    Implement and attack multi-factor authentication for APIs.

Designing secure API architecture:
    API and microservices security architecture.
    Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
    Learn and understand cache security and the threats and vulnerabilities that arise from insecure caching methods and configurations.
    Attack and secure cache implementations and infrastructure.

Securing development environments:
    Securing source code using secure Git configurations and live monitoring.
    Securing software dependencies and the supply chain.