Course detail

Certified API Security Professional (CASP)

EDU Trainings s.r.o.

Course description

The API security training prepares you for the Certified API Security Professional (CASP) certification, a vendor-neutral APIsec credential designed to assess an IT professional's API security expertise.
This API security course gives professionals deep knowledge of API security: adopting modern security practices and automation to secure APIs with appropriate techniques, catching security issues before they become critical, and alerting the relevant engineers in real time.

Course Inclusions:

Course Manual
Course Videos and Checklists
40+ Guided Exercises
60 days of Online Lab Access
Access to a dedicated Mattermost channel
One exam attempt for the Certified API Security Professional certification

Upon completion of the course, you will be able to:

Identify, exploit, and protect against a wide variety of API security vulnerabilities.
Gain a practical understanding of API Security and the tools for automation.
Understand and implement the modern ways of scaling API Security Testing.
Gain the ability to audit APIs for security measures and provide solutions.
Understand, assess, and secure APIs written in different architecture styles.
Learn new ways to secure APIs through automation and DevSecOps practices.

Course contents

Chapter 1: Introduction to API Security


Introduction to Application Programming Interface

What is an API?
Need for an API
Why Should You Secure Your APIs?
APIs vs. Web Applications


Understanding API Architecture

Overview of the HTTP protocol

Anatomy of an HTTP Request
Anatomy of an HTTP Response
HTTP Response Codes and Their Significance
Stateless and Stateful Requests


Overview of API architecture

API Protocols
API Data formats
Different Types of APIs


Simple Architecture

How Are APIs Typically Deployed?


Complex Architecture


Strategies To Secure APIs

Threat Modeling of APIs
Traditional VAPT vs API VAPT


API Defenses

Input Validation
Identification
Authentication
Authorization
Data Encryption
Transport Security
Error Handling and Logging
Supply Chain Security


Hands-on Exercises:

Understanding The Lab Setup
Working With Linux Commands
Working With Command Outputs
Working With Exit Codes
Hosting Files Using HTTP Server



Chapter 2: API Security Tools of the Trade


The Moving Parts in an API

API Gateway
Load Balancer/Reverse Proxy
Message Queues


Critical Toolchain for API Development

Source Code Management
CI/CD Tools
Artifact Management
Cloud Platform
Infrastructure as Code
Monitoring and Logging Tools
Collaboration Tools


Containerization
Ability To Talk to an API

cURL (curl)
Postman
OpenAPI (Swagger)
Python
An MITM Proxy


Hands-on Exercises:

Understanding an API Language (Endpoints, Verbs, and State)
Understanding the cURL Command
Performing CRUD Operations Using an API
Setting Up Burp Suite for API Security Testing
Understanding APIs Using OpenAPI Specifications
Performing Reconnaissance on an API
Path And Directory Discovery Using FFUF
Enumerating User Accounts From an API



Chapter 3: Authentication Attacks and Defenses


Overview of API Authentication
Types of Authentication

No Authentication (Public APIs)
HTTP Basic Authentication
API Token Authentication
OIDC Authentication
JSON Web Tokens (JWTs)
SAML Tokens
Mutual TLS


Authentication Attacks

Brute Force
Weak Password Storage
Password Reset Workflows
Account Lockouts
Insecure OpenID Connect Configuration
Insecure JWT Validation


Authentication Defenses

Secure Authentication Workflows
Strong Password and Key Validation
Multi-Factor Authentication
Securely Storing the Tokens

Cookies
Local Storage and Session Storage
Token Storage and XSS


Rate Limiting
CAPTCHA


Hands-on Exercises:

Talking To An API Using OAuth and JWT
Talking To An API Using HTTP Basic and API Keys
Exploiting Broken Authentication With SQL Injection
Exploiting Broken Authentication With Weak Passwords
Cracking Weak Password Hashes With Dictionaries
Cracking Weak Password Hashes With Brute Force and Combinations
Abusing JWT Tokens



Chapter 4: Authorization Attacks and Defenses


Overview of API Authorization
Types of Authorization

No Authorization
Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
Attribute-Based Access Control (ABAC)
Relationship-Based Access Control (ReBAC)


Authorization Attacks

Misconfigured Permissions
Broken Object Level Authorization
Broken Function Level Authorization
Horizontal Privilege Escalation
Vertical Privilege Escalation


Authorization Defenses

Defending Object & Function Level Access
Attribute-Based Access Control (ABAC) with Roles and Relations
Decoupling Authorization Decisions With Policy As Code


Authorizing with OAuth Framework

OAuth Specification
Different Authorization Workflows
Insecure OAuth Configurations
OAuth 2.0 vs OAuth 2.1
Different Types of Tokens

Access Token
Refresh Token
ID Token
Hands-on Exercises:

Forging JWT Tokens For Privilege Escalation
Finding Another User's Location Using BOLA



Chapter 5: Input Validation Threats and Defenses


Introduction to Input Validation

Input Validation
Input Sanitization


Injection Vulnerabilities

Cross-Site Scripting (XSS)
SQL Injection
ORM Injection
NoSQL Injection
Server Side Request Forgery
Deserialization Issues
Mass Assignment Issues


Fuzzing

Fuzzing 101
Fuzzing vs Brute Forcing
Fuzzing APIs Using Open Source and Commercial Tools

Burp Suite Intruder
OWASP ZAP Fuzzer
Wfuzz
FFUF
Injection Defenses

Implementing Input Validation
Client-Side vs. Server-Side Validation
Whitelisting & Blacklisting
Implementing Input Sanitization
Validating With Regular Expressions
Output Encoding

HTML Encoding
HTML Attribute Encoding
JavaScript Encoding
CSS Encoding


Prepared Statements
Content Security Policy
Trusted Types


Hands-on Exercises:

Getting Free Coupons Without Knowing the Coupon Code
Exploiting Mass Assignment Vulnerabilities
Insecure Deserialization To Remote Code Execution
Preventing Insecure Deserialization In Java
Post Exploitation In APIs Through Reverse Shells
Automated SQL Injection Using SQLMAP
Learning To Validate Input With Regular Expressions
Preventing DOM XSS With Trusted Types
Attacking GraphQL APIs



Chapter 6: Other API Security Threats


Introduction to OWASP API Top 10

Broken Object Level Authorization
Broken Authentication
Excessive Data Exposure
Lack of Resources and Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfigurations
Injection
Improper Asset Management
Insufficient Logging and Monitoring
Broken Object Property Level Authorization
Unrestricted Resource Consumption
Unrestricted Access to Sensitive Business Flows
Server Side Request Forgery
Improper Inventory Management
Unsafe Consumption of APIs
Attacking Caching Layers (Memcache, Proxies, etc.)
Attacking GraphQL APIs
Attacking SOAP APIs
Abusing Microservices and REST APIs
Post Exploitation in the API World

Hands-on Exercises:

Privilege Escalation With Cross Site Scripting
Abusing CORS Misconfigurations



Chapter 7: Other API Security Defenses


GraphQL API Security Best Practices
SOAP API Security Best Practices
REST API Security Best Practices
Data Security

Encoding and Decoding
Escaping
Hashing
Encryption and Decryption


Securing Data at Rest Using Encryption

Storing Credentials for Service-to-Service Communication
Password Storage and Its Considerations
Picking a Secure Algorithm


Securing Data in Transit Using TLS
Rate Limiting Best Practices
Security Headers

X-XSS-Protection
HTTP Strict Transport Security (HSTS)
Cache-Control
X-Frame-Options

X-Frame-Options vs frame-ancestors


Content Security Policy

Implementing CSP at Scale
Common Misconfigurations While Using CSP


Cross-Origin Resource Sharing (CORS)

Cookie Based Implementations
Token Based Implementations
Hands-on Exercises:

Adding Content Security Policy To Mitigate Cross Site Scripting
Implementing Rate Limiting With API Gateway
Securing HTTP Headers Using Kong Gateway
Implementing Rate Limiting Using an API Key



Chapter 8: Implementing API Security Mechanisms

API Security Design Best Practices
Authentication Implementation
Authorization Implementation

Designing API Permissions
Designing OAuth Scopes


Rate-Limiting Implementation and Best Practices at Different Stages

Reverse Proxy
Load Balancer
API Gateways and WAFs
Request Throttling


Securely Storing Secrets Using HashiCorp Vault
Data Security Implementation
Using Transport Layer Security (TLS)
Implementing Sufficient Logging & Monitoring

Secure Logging Implementation
Logging Using Syslog Format
Using ELK To Capture Log Data


Hands-On Exercises:

Using HashiCorp Vault To Create and Consume Secrets Safely
Monitoring Docker Containers Using Grafana



Chapter 9: API Security, the DevSecOps Way


OWASP ASVS Framework

Understanding OWASP ASVS
Using ASVS To Secure Applications and APIs
Creating Checklists With OWASP ASVS


Automated Vulnerability Discovery
Finding Insecure Dependencies Using Software Component Analysis
Finding Vulnerabilities in Code Using Static Application Security Testing
Automating API Attacks Using Dynamic Application Security Testing
Addressing API Security Issues at Scale

Hands-on Exercises:

Creating a Simple CI/CD Pipeline
Deploying Microservices Using Continuous Deployment
Embedding Software Composition Analysis Into the CI/CD Pipeline
Embedding Static Application Security Testing Into the CI/CD Pipeline
Embedding Dynamic Application Security Testing Into the CI/CD Pipeline


Certificate: on request.