Introduction

Course by APIsec University

The API Penetration Testing Course will guide you through actively testing web application programming interfaces (APIs) for security flaws. This course is a self-paced, practical guide that will show you the tools and techniques that can be leveraged to attack APIs. Although the skills that you will pick up in this course can be applied to a variety of APIs, the primary focus will be on REST APIs.

The ACE training will help you get your hands on the keyboard and walk you through the API hacking process. In this course, you will learn how to discover APIs, interact with endpoints, and exploit several weaknesses like Broken Authentication, Mass Assignment, and Broken Object Level Authorization. By the end of this course, you will have the skill set to thoroughly test web APIs.

Who is this for?

ACE is great for anyone interested in dedicating time to learning how to test APIs for security weaknesses. This course was meant to help improve the skills of bug bounty hunters, developers, and penetration testers. Before taking this course it would help to have a basic understanding of how web apps and APIs work.

The ACE course is completely free for anyone that wants to learn about API hacking. Those who would like to certify their knowledge can take the ACE exam. The ACE exam is a six-hour practical assessment of your ability to test APIs and find vulnerabilities. Students who pass the exam will receive the (ACE) certification.

Index

1. Setting Up

   1. Tools

   2. Hacking Lab

2. API Reconnaissance

   1. Introduction to API Reconnaissance

   2. Passive Reconnaissance

      1. Google Dorking

      2. GitDorking

      3. TruffleHog

      4. API Directories

      5. Shodan

      6. The Wayback Machine

   3. Active Reconnaissance

      1. Nmap

      2. OWASP Amass

      3. Directory Brute-force with Gobuster

      4. Kiterunner

      5. DevTools

3. Endpoint Analysis

   1. Reverse Engineering an API

   2. Excessive Data Exposure

      1. Assessment

4. Scanning APIs

   1. Finding Security Misconfigurations

   2. Scanning APIs with OWASP ZAP

      1. Assessment

5. Authentication Attacks

   1. Classic Authentication Attacks

      1. Note on Base64 Encoding

   2. API Token Attacks

      1. Assessment

6. Exploiting API Authorization

   1. Exploiting API Authorization

   2. Broken Object Level Authorization (BOLA)

   3. Broken Function Level Authorization (BFLA)

   4. Assessment

7. Improper Assets Management

   1. Improper Assets Management

   2. Finding Improper Assets Management Vulnerabilities

   3. Assessment

8. Mass Assignment Attacks

   1. Mass Assignment Attacks

   2. Other Mass Assignment Vectors

   3. Hunting for Mass Assignment

   4. Assessment

9. Exploiting Server-Side Request Forgery

   1. Exploiting Server-Side Request Forgery

   2. Types of SSRF

   3. Ingredients for SSRF

   4. Testing for SSRF

   5. Assessment

10. Injection Vulnerabilities

    1. Testing for Injection Vulnerabilities

    2. Discovering Injection Vulnerabilities

       1. SQL Injection Metacharacters

       2. NoSQL Injection

       3. OS Injection

    3. Fuzzing Wide with Postman

    4. Fuzzing Deep with WFuzz

    5. Assessment

11. Evasion And Combining Techniques

    1. Evasive Maneuvers

    2. Combining Techniques