Hack Your API First

WEBRip | English | MP4 + Project files | 1024 x 768 | AVC ~92.6 kbps | 15 fps

AAC | 128 Kbps | 44.1 KHz | 2 channels | 4h 07mn | 687.1 MB

Genre: eLearning Video / Development, Programming

Recent years have seen a massive explosion in the growth of rich client apps that talk over the web using APIs across HTTP, but unfortunately, all too often they contain serious security vulnerabilities that are actually very easy to locate. This course shows you how.

Web based APIs have grown enormously popular in recent years. This is in response to a couple of key changes in the industry: firstly, the enormous growth of mobile apps which frequently talk to back ends over the web. Secondly, the rapidly emerging 'Internet of Things' which promises to bring connectivity to common devices we use in our everyday lives. In the rush to push these products to market, developers are often taking shortcuts on security and leaving online services vulnerable to attack. The risks are not as obvious as they may be in traditional browser based web apps, but they're extremely prevalent and attackers know how to easily identify them. This course teaches you how to go on the offense and hack your own APIs before online attackers do.

Content:

Introduction

The Age of the API

The Hidden Nature of API Security

What Exactly Is an API?

What's the Scope of This Course?

Introducing Supercar Showdown

Introducing the Vulnerable Mobile App

Summary

Discovering Device Communication With APIs

Who Are We Protecting Our APIs From?

Proxying Device Traffic Through Fiddler

Interpreting Captured Data in Fiddler

Intercepting Mobile App Data in Fiddler

Discovering More About Mobile Apps via Fiddler

Filtering Traffic in Fiddler

Alternate Traffic Interception Mechanisms

Summary

Leaky APIs and Hidden APIs

Introduction

Discovering Leaky APIs

Securing a Leaky API

Discovering Hidden APIs via Documentation Pages

Discovering Hidden APIs via robots.txt

Discovering Hidden APIs via Google

Securing Hidden APIs

Summary

API Manipulation and Parameter Tampering

Introduction

Defining Untrusted Data

Modifying Web Traffic in Fiddler

Manipulating App Logic by Request Tampering

Response Tampering

Summary

API Authentication and Authorization Vulnerabilities

Introduction

Identifying Authentication Persistence

The Role of Tokens

An Auth Token in Practice

An Overview of Authorization Controls

Identifying Client Controls vs. Server Controls

Circumventing Client Authorization Controls

Testing for Insufficient Authorization

Testing for Brute Force Protection

The Role of OpenID Connect and OAuth

Summary

Working With SSL Encrypted API Traffic

Introduction

MitM'ing an HTTPS Connection With Fiddler

Configuring Fiddler to Decrypt Encrypted Connections

Proxying Encrypted Device Traffic via Fiddler

Rejecting Invalid Certificates

Identifying a Missing Certificate Validation Check

Loading the Fiddler Certificate on a Device

SSL Behavior on a Compromised Device

Identifying Invalid Certificates

The Value Proposition of Certificate Pinning

Demonstrating Certificate Pinning

Summary