No announcement yet.

Aubrey Labuschagne (William) & Marianka Botes - Pragmatic API Exploration

  • Filter
  • Time
  • Show
Clear All
new posts

  • Aubrey Labuschagne (William) & Marianka Botes - Pragmatic API Exploration

    Aubrey Labuschagne (William) & Marianka Botes - Pragmatic API Exploration
    Latest details, requirements, description, cost:

    Training description:

    The use of Application Programming Interfaces (APIs) have become ubiquitous as business expose and consume services.

    Therefore, the threat landscape of organizations increases with the adoption of APIs. The content of the course creates awareness around the various attack vectors used targeting APIs and provides actionable mitigation strategies.

    The aim of this course is to empower you to conduct a risk assessment of an API. This hands-on course covers API basics, setting up a test environment, API threat model, API protocols and architectures, typical vulnerabilities, enumerating an attack surface and best practices around security.

    Moreover, it focuses on gaining practical experience of the OWASP Top 10 for APIs. In addition, you would be gaining practical experience on exploiting typical vulnerabilities on RESTful (REST) APIs and GraphQL. The course concludes with a capture the flag (CTF) to apply knowledge gained during the course.

    Course overview:

    This course consists of 6 High level Modules, +-26 Key concepts and +-30 Practicals.

    Learning take-aways:
    * Understanding the usage and business context around APIs
    * Set up and create the adequate testing environment and configuration
    * Assess and analyse real world API’s with industry leading methodologies

    Below is the outline based on the 6 Modules and the 26 sub-modules as well as an indication where the practicals fit into the course flow.

    Module 1: Introduction To API
    * What is an API?
    * The API ecosystem
    * Threat model of an API
    * Review of code representing an API endpoint

    Practical 1 – What to do with APIs:
    This practical engages candidates to look for open APIs and how they could use at least threee APIs withinin a ficticoinal scenario business / operational environment.

    Module 2: Engaging with the Target API:
    *Setup and configure Postman, cURL and Burp to connect to target API
    *Demonstrate the various HTTP headers
    *Interacting with Swagger
    *Demonstrate the various HTTP methods
    *Discuss the use of JWT for authetnication

    Practical 2 – Abusing a JWT :
    The practical would focus on creating a JWT to authenticate against an endpoint. In addition, the cracking of a JWT to target weak encryption protocols. Lastly how to resign the JWT and use with subsequent abuses.

    Module 3: Enumerate API Attack Surface:
    *Creating wordlists to enumerate endpoints
    *Fuzzing endpoints to identify hidden endpoints
    *Use of tools to create wordlists

    Practical 3 – Using cewl and mentalist to create a wordlist:
    The identification of endpoints are ciritical to enumerate the attack surface of APIs. This practical demonstrates the use of tools to create custom wordlists.

    Module 4: Demystify the OWASP Top 10 for API:
    Candidates would be exposed to the most common vulnerabilities targeting APIs. These vulnerabilities would be put into context through the use cases and allow candidates to perform the attack to get a better understanding. The focus would also be on identiifying mitigation strategies to address the risk.

    *Unpack the OWASP Top 10 for APIs
    *Analyze the vulnerability: Broken Object Level Authorization
    *Analyze the vulnerability: Broken User Authentication
    *Analyze the vulnerability: Broken Function Level Authorization
    *Analyze the vulnerability: Excessive Data Exposure
    *Analyze the vulnerability: Lack of Resources & Rate Limiting
    *Analyze the vulnerability: Mass Assignment
    *Analyze the vulnerability: Security Misconfiguration
    *Analyze the vulnerability: Injection
    *Analyze the vulnerability: Improper Assets Management
    *Analyze the vulnerability: Insufficient Logging & Monitoring

    Practical 4 – Getting to know the top vulnerabiliites for APIs :
    The practicals are part of the module decribing each vulnerability. The use cases were developed to practically demonstrate each vulnerability and give the candidate opportunity to experience each vulnerability. This in turrn would create awareness on how to test for each of these vulnerabilites.
    *Practical review of Use Case: Unauthorized Enumeration and Viewing
    *Practical review of Use Case: Insecure JSON Web token (JWT) configuration
    *Practical review of Use Case: Weak password complexity
    *Practical review of Use Case: Authentication susceptible to brute force attack
    *Practical review of Use Case: OTP Bypass
    *Practical review of Use Case: Escalate Privileges to gain Administrative Access
    *Practical review of Use Case: API Response contains Unfilter Data
    *Practical review of Use Case: API Response contains Unnecessary Data
    *Practical review of Use Case: Impact of Zipbombing
    *Practical review of Use Case: Rate Limiting - Abuse Number of Calls to End Point
    *Practical review of Use Case: Rate Limiting Enabled
    *Practical review of Use Case: Privilege Escalation
    *Practical review of Use Case: HTTP OPTIONS Method Enabled
    *Practical review of Use Case: Verbose Error Messages
    *Practical review of Use Case: Outdated Application Servers
    *Practical review of Use Case: Overly permissive Cross-Origin resource sharing (CORS)
    *Practical review of Use Case: SQL Injection
    *Practical review of Use Case: XXE Injection
    *Practical review of Use Case: Command Injection
    *Practical review of Use Case: Ennumerate API to identify deprecated endpoints
    *Practical review of Use Case: No authentication required to acces endpoint
    *Practical review of Use Case: Logging of data
    *Practical review of Use Case: Logs containing sensitive data
    *Practical review of Use Case: Logs does not have sufficient data

    Module 5: Exploring GraphQL from a security perspective:
    *Introduction to GraphQL
    *Describing the various vulnerabilities associated with GraphQL
    *Discuss various techniques to secure GraphQL

    Practical 5 – Introspection for the Win

    Candidates would be provided with an endpoint to explore the various vulnerabilities. This includes:
    • Abuse the default configuration for GraphQL could expose the supported schema and queries.
    • Explore the impact of IDORs to gain access to information within the context of GraphQL.

    Module 6: Capture the Flag:
    The course concludes with candidates participating in a capture the flag where secret documents of a target company needs to be found. The candidates would use knowledge acquired during the course to apply this and exploit vulnerabilities within the exposed API.

    Takeaways for the students after completing the class:

    * Understanding the usage and business context around APIs
    * Set up and create the adequate testing environment and configuration
    * Assess and analyze real world API’s with industry leading methodologies

    More Details:
    * 2-day course
    * 60% practical and 40% theoretical
    * Real-world attacks and methodologies
    * CTF at the end of the course
    * Delivered by active penetration testers and red team members

    Student skill level:

    Beginner Level
    This is a beginner course in penetration testing of APIs. No security related experience is required but a technical understanding of computers, networks, Linux and Windows are a must.

    Please ensure you are comfortable with the Linux command line before enrolling for this course. The students will be executing some commands from the command line when executing cURL to interact with the APIs.

    What should students bring to the Training?:

    You should bring a laptop with a working modern browser like Firefox or Chrome to access the APIs.
    Ensure cURL (, Postman ( and Burp ( are installed as these tools would be used to interact with the APIs.


    Aubrey is a security analyst at SensePost. Over the years he has had many roles which included project management, product management, development, training and being a security analyst. Interest for security grew from emergence into information warfare. His hobbies include the development of sensor centric platforms. He has a big passion for training and has completed his masters on how to improve the effectiveness of security awareness programs. He currently holds several certifications which include OSCP, ECSA and ISO 27032 certifications.

    Marianka is a security analyst for the SensePost team at Orange Cyberdefense. She studied Information Technology at the North-West University (Pukke) in South Africa and has a big passion for hacking. In her off time she will study up some Dad jokes or find the best places to order chicken wings.

    Trainer(s) social media links:

    DATE:Aug 15th to 16th 2022
    TIME:8am to 5pm PDT
    VENUE:Caesars Forum Ballroom
    TRAINERS:Aubrey Labuschagne (William) & Marianka Botes

    CERTIFICATE TEST AVAILABLE (after class) Please purchase Certificate test

    - 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included
    Last edited by number6; August 14, 2022, 21:10.

  • #2
    Start time updated from 9am to 8am.