“Distributed” is the name of the game today, and web applications are no different. They are often divided into smaller “microservices” and serve multiple clients, from browsers and mobile applications to other services.
This has resulted in many older websites becoming APIs, or Application Programming Interfaces. Today, APIs are ubiquitous and companies are adopting, developing, and harnessing their potential at massive scale.
In this API Security course, we take a deep-dive into both offensive and defensive techniques. We explore vulnerabilities that are specific to Web APIs, specifically REST APIs, and look at how these vulnerabilities can be exploited by malicious actors.
We then turn to defense, exploring strategies that address these vulnerabilities at their root rather than patching individual symptoms. All of these lessons are taught with the aid of our hands-on labs, which show you not only what you should do, but how you should do it.
We’ll explore this class through the lens of the now-famous OWASP API Security Top 10 Document that defines the Top 10 API Vulnerabilities that currently affect Web APIs.
PK-based IDOR
Verb Tampering
IDOR Mass Assignment
Casbin with ACL
Input Validation - Request filter
JSONSchema
Excessive Data Exposure
Welcome to the course
Learning objectives for this class
REST API: Introduction
GraphQL: Intro
gRPC: Introduction
API Security Considerations
OWASP API Security Top 10
Learning objectives: API AuthZ
Broken Object Level Authorization (BOLA)
Lab Video: Broken Object Level Authorization
Lab: PK-based IDOR
Broken Function Level Authorization (BFLA)
Lab Video: Broken Function Level Authorization - Verb Tampering
Lab: Verb Tampering
Mass Assignment
Lab Video: Mass Assignment
Lab: IDOR Mass Assignment
Authorization Models
What is Casbin? How does it work?
Lab Video: Casbin with ACL-2
Lab: Casbin with ACL
Learning objectives
Introduction to input validation
Input Validation: A primer, Part 1
Input Validation: A primer, Part 2
Lab Video: Request filter input validation - Vulnerable variant
Lab Video: Request filter input validation - Defense
Lab: Input Validation - Request filter
JSONSchema
Lab Video: JSONSchema Input validation
Lab: JSONSchema
What is excessive data exposure?
Lab Video: Excessive data exposure: Attack & Defense
Lab: Excessive data exposure