Certified API Security Professional (CASP)
I. Overview:
The API security training prepares you for the Certified API Security Professional (CASP) course, a vendor-neutral APIsec certification designed to assess an IT professional’s API security expertise.
This API security course imparts professionals with deep knowledge of API security, adopting modern security practices and automation to secure APIs with appropriate techniques, catching security issues before they become critical, and alerting relevant engineers in real-time.
II. Duration: 40 hours
III. Objectives:
Upon completion of this API security certification course, you will be able to:
- Identify, exploit, and protect against a wide variety of API security vulnerabilities.
- Gain a practical understanding of API Security and the tools for automation.
- Understand and implement the modern ways of scaling API Security Testing.
- Gain abilities to audit APIs for security measures and provide solutions.
- Understand, assess, and secure APIs written in different architecture styles.
- Learn new ways to secure APIs through automation, and DevSecOps practices.
IV. Prerequisites:
- Course participants should have a basic understanding of Linux Commands and OWASP Top 10.
- Basic knowledge of application development is preferred but is not necessary.
V. Course outlines:
1. Module 1: Introduction to API Security
- Introduction to Application Programming Interface
- What is an API?
- Need for an API
- Why Should You Secure Your APIs?
- APIs vs. Web Applications
- Understanding API Architecture
- Overview of the HTTP protocol
- Anatomy of a HTTP Request
- Anatomy of a HTTP Response
- HTTP Response Codes and Its Significance
- Stateless and Stateful Requests
- Overview of API architecture
- API Protocols
- API Data formats
- Different Types of APIs
- Simple Architecture
- How Are APIs Typically Deployed?
- Complex Architecture
- Overview of the HTTP protocol
- Strategies To Secure APIs
- Threat Modeling of APIs
- Traditional VAPT vs API VAPT
- API Defenses
- Input Validation
- Identification
- Authentication
- Authorization
- Data Encryption
- Transport Security
- Error Handling and Logging
- Supply Chain Security
- Hands-on Exercises:
- Understanding an API Language (Endpoints, Verbs, and State)
- Understanding cURL Command
- Performing CRUD Operations Using API
2. Module 2: API Security Tools of the trade
- The Moving Parts in an API
- API Gateway
- Load Balancer/Reverse Proxy
- Message Queues
- Critical Toolchain for API Development
- Source Code Management
- CI/CD Tools
- Artifact Management
- Cloud Platform
- Infrastructure as Code
- Monitoring and Logging Tools
- Collaboration Tools
- Containerization
- Ability To Talk to an API
- cURL (curl)
- Postman
- OpenAPI (Swagger)
- Python
- An MITM Proxy
- Hands-on Exercises:
- Setup the Burp Suite for API Security Testing
- Understand APIs Using OpenAPI Specifications
- Performing Reconnaissance on an API
- Enumerate User Accounts From an API
- Hunt for Vulnerable APIs With Subdomain Enumerations
3. Module 3: Authentication Attacks and Defenses
- Overview of API Authentication
- Types of Authentication
- No Authentication (Public APIs)
- HTTP Basic Authentication
- API Token Authentication
- OIDC Authentication
- JSON Web Tokens (JWTs)
- SAML Tokens
- Mutual TLS
- Authentication Attacks
- Brute Force
- Weak Password Storage
- Password Reset Workflows
- Account Lockouts
- Insecure OpenID Connect Configuration
- Insecure JWTs Validation
- Authentication Defenses
- Secure Authentication Workflows
- Strong Password and Key Validation
- Multi-Factor Authentication
- Securely Storing the Tokens
- Cookies
- Local Storage and Session Storage
- Token Storage and XSS
-
Rate Limiting
-
CAPTCHA
- Hands-on Exercises:
- Talking to an API Using Basic, API Token and OAuth and JWTs
- Exploring Broken Authentication Using API Token, Oauth and JWTs
- Exploiting Weak Passwords
- Bruteforcing the passwords
- Exploiting misconfigurations in scope
- Forging Tokens
- Abusing JSON Web Token
4. Module 4: Authorization Attacks and Defenses
- Overview of API Authorization
- Types of Authorization
- No Authorization
- Role-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Attribute-Based Access Control (ABAC)
- Relationship-Based Access Control (ReBAC)
- Authorization Attacks
- Misconfigured Permissions
- Broken Object Level Authorization
- Broken Function Level Authorization
- Horizontal Privilege Escalation
- Vertical Privilege Escalation
- Authorization Defenses
- Defending Object & Function Level Access
- Attribute-Based Access Control (ABAC) with Roles, and Relations
- Decoupling Authorization Decisions With Policy As Code
- Authorizing with OAuth Framework
- OAuth Specification
- Different Authorization Workflows
- Insecure OAuth Configurations
- OAuth 2.0 vs OAuth 2.1
- Different Types of Tokens
- Access Token
- Refresh Token
- ID Token
- Hands-on Exercises:
- Bypassing Access Control
- Exploiting Broken Object Level Authorization
- Exploiting Broken Function Level Authorization
- Exploiting Weak/Default Permissions
- Finding Another Cell Phone User’s Location
5. Module 5: Input validation Threats and Defenses
- Introduction to Input Validation
- Input Validation
- Input Sanitization
- Injection Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- ORM Injection
- NoSQL Injection
- Server Side Request Forgery
- Deserialization Issues
- Mass Assignment Issues
- Fuzzing
- Fuzzing 101
- Fuzzing vs Brute Forcing
- Fuzzing APIs Using Open Source and Commercial Tools
- Burp Suite Intruder
- OWASP ZAP Fuzzer
- Wfuzz
- FFUF
- Injection Defenses
- Implementing Input Validation
- Client-Side vs. Server-Side Validation
- Whitelisting & Blacklisting
- Implementing Input Sanitization
- Validating With Regular Expressions
- Output Encoding
- HTML Attribute Encoding
- Javascript Encoding
- CSS Encoding
- CSS Encoding
-
Prepared Statements
-
Content Security Policy
-
Trusted Types
- Hands-on Exercises:
- Input Validation Using Industry Best Practices
- Finding a Way To Get Free Coupons Without Knowing the Coupon Code
- Using Vulnerability Assessment Approaches Effectively
- Fuzzing APIs Using FFUF
- Exploiting Mass Assignment Vulnerabilities
6. Module 6: Other API Security Threats
- Introduction to OWASP API Top 10
- Broken Object Level Authorization
- Broken Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfigurations
- Injection
- Improper Asset Management
- Insufficient Logging and Monitoring
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Unrestricted Access to Sensitive Business Flows
- Server Side Request Forgery
- Improper Inventory Management
- Unsafe Consumption of APIs
- Attacking Caching Layers (Memcache, Proxies, etc.,)
- Attacking GraphQL APIs
- Attacking SOAP APIs
- Abusing Micro-services, and REST APIs
- Post Exploitation in the API World
- Hands-on Exercises:
- Bypassing Rate-Limiting
- Extract Sensitive Data by Abusing Default API Behavior
- Finding and Mitigating an IDOR Vulnerability
- Exploiting the CORS Misconfigurations
- Exploiting Undisclosed API Calls
- Attacking GraphQL APIs
7. Module 7: Other API Security Defenses
- GraphQL API Security Best Practices
- SOAP API Security Best Practices
- REST API Security Best Practices
- Data Security
- Encoding and Decoding
- Escaping
- Hashing
- Encryption and Decryption
- Securing Data at Rest Using Encryption
- Storing Credentials for Service-to-Service Communication
- Password Storage and Its Considerations
- Picking a Secure Algorithm
- Securing Data in Transit Using TLS
- Rate Limiting Best Practices
- Security Headers
- X-XSS-Protection
- HTTP Strict Transport Security (HSTS)
- Cache-Control
- X-Frame-Options
- X-Frame-Options vs frame-ancestors
-
Content Security Policy
- Implementing CSP at Scale
- Common Misconfigurations While Using CSP
-
Cross-Origin Resource Sharing (CORS)
- Cookie Based Implementations
- Token Based Implementations
- Hands-on Exercises:
- Bypassing CSP Header
- Configuring HSTS To Prevent MITM Attacks
- Finding the Missing Security Headers and Fixing Them
- Implementing Rate Limiting Using API Gateway
- Preventing DOM Based Cross Site Scripting with Trusted Types
8. Module 8: Implementing API Security Mechanisms
- API Security Design Best Practices
- Authentication Implementation
- Authorization Implementation
- Designing API Permissions
- Designing OAuth Scopes
- Rate-Limiting Implementation and Best Practices at Different Stages
- Reverse Proxy
- Load Balancer
- API Gateways and WAFs
- Request Throttling
- Securely Store Secrets Using Hashicorp Vault
- Data Security Implementation
- Using Transport Layer Security (TLS)
- Implementing Sufficient Logging & Monitoring
- Secure Logging Implementation
- Logging Using Syslog Format
- Using ELK To Capture the Log Data
- Hands-On Exercises:
- Implementing a WAF for APIs
- How To Configure TLSv1.2 and Beyond Securely To Achieve A+ on SSLlabs Scans
- Adding Content Security Policy Header to an API
- Second-Order Sensitive Information Leakage
9. Module 9: API Security, the DevSecOps Way
- OWASP ASVS Framework
- Understanding OWASP ASVS
- Using ASVS To Secure Applications and APIs
- Creating Checklists With OWASP ASVS
- Automated Vulnerability Discovery
- Finding Insecure Dependencies Using Software Component Analysis
- Finding Vulnerabilities in Code Using Static Application Security Testing
- Automating API Attacks Using Dynamic Application Security Testing
- Addressing API Security Issues at Scale
- Hands-on Exercises:
- Creating a Simple CI/CD Pipeline
- Deploying a Microservice/Docker Container to Production
- Exploiting a Microservice Using Docker Misconfiguration
- Exploiting a Microservice Using API Vulnerabilities
- Finding and Fixing API Security Issues Using SCA, SAST, and DAST in CI/CD Pipelines
- Securely Store Secrets Using Hashicorp Vault
10. API Security Certification Process
- After completing the course, you can schedule the CASP exam on your preferred date.
Học trực tuyến
Học tại Hồ Chí Minh
Học tại Hà Nội