Attacking and Securing APIs (Arabic)

Sold Out
Mohammed Aldoub
Intermediate
2 Days
Sat 19 Nov - Sun 20 Nov
Venue:

Holiday Inn Riyadh Meydan | IHG
Olaya - King Fahed Road, PO Box 18030, Riyadh, 11415, Kingdom of Saudi Arabia

Timings:
  • Registration starts at 8am
  • Training from 9am to 5pm
Topics:
  • Attacking and defending web APIs (REST, GraphQL).
  • Learn AJAX, REST and GraphQL security best practices.
  • Create APIs that are easy to use securely and hard to use insecurely.
  • Techniques and tools to design, test and attack APIs and microservices.
  • Mitigate and defend against security weaknesses in APIs.
  • Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.
  • Attacking and securing Amazon cloud (AWS) APIs and infrastructure:
      • Create your own tools based on the AWS API.
      • Perform post-exploitation and pivot attacks against AWS environments.
  • Performing modern injection attacks:
      • Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injection, etc.
  • Securing passwords and secrets in APIs:
      • Learn how to effectively solve the problem of credential storage.
      • Attack insecure password protection schemes and export credentials.
      • Utilize cloud-native credential management solutions.
      • Utilize open-source and platform-independent credential management solutions.
      • Implement secure password storage and handling.
  • API authentication and authorization techniques:
      • Understanding the intricate and minute details of authentication and authorization frameworks and technologies.
      • Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
      • Understand OAuth2, JWT/JWS and other authentication technologies.
      • Attack and fix insecure JWT and cookie implementations.
      • Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
      • Implement and attack multi-factor authentication for APIs.
  • Designing secure API architecture:
      • API and microservices security architecture.
      • Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
      • Learn and understand cache security and what threats and vulnerabilities can arise from insecure caching methods and configurations.
      • Attack and secure cache implementations and infrastructure.
  • Securing development environments:
      • Securing source code using secure Git configurations and live monitoring.
      • Securing software dependencies and the supply chain.
      • Utilizing cloud-native features to secure source code.
Overview

This is a fully hands-on, concentrated practical course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: in web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementations and infrastructure. This training aims to engage you in creating secure modern APIs while showing you the modern attack vectors used against them.

With more than 55 labs in two days, you are in for a glue-me-to-the-keyboard adventure covering:
-    Defending and attacking web APIs (REST, GraphQL, etc.)
-    Attacking and securing AWS APIs and infrastructure.
-    Launching and mitigating modern injection attacks (SSTI, RCE, SQLi, NoSQLi, deserialization, object injection and more).
-    Securing and attacking passwords and secrets in APIs.
-    API authentication, authorization and access control.
-    Targeting and defending API architectures (serverless, microservices, web services and APIs).

Students should bring a laptop meeting the following requirements:
* Laptop with a minimum of 8GB RAM and 40GB of free hard disk space, with USB ports and virtualization enabled/available.
* Students must have full control of the laptop (can install software, can disable antivirus, etc.).
* VMware Workstation or VMware Fusion (even trial versions can be used).
* Enough storage to host multiple copies of the class VM in case modifications and restores are needed.
* Ability to connect to the internet (the class requires going online).
* An active AWS account for each student (free tier or otherwise) is required. The default region should be us-east-1 (US East, N. Virginia).
* Note: VMware Player and VirtualBox are not recommended for this training.

What students will be provided with:
* Course VM (including tools and exercises)
* Course slides
* Sample custom tools, as a reference for the ones created in the course.
* Custom infrastructure creation/formation scripts that allow students to create labs in the cloud.

Who Should Take This Course:
  • Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills.
  • Anyone interested in keeping their knowledge and skills relevant in the world of cloud, API and app security.