Certified API Security Professional (CASP)
APIsec Course with Hands-on API Security Training
The API security training prepares you for the Certified API Security Professional (CASP) course, a vendor-neutral APIsec certification designed to assess an IT professional’s API security expertise.
This API security course imparts professionals with deep knowledge of API security, adopting modern security practices and automation to secure APIs with appropriate techniques, catching security issues before they become critical, and alerting relevant engineers in real-time.
Upon completion of this API security certification course, you will be able to:
- Identify, exploit, and protect against a wide variety of API security vulnerabilities.
- Gain a practical understanding of API Security and the tools for automation.
- Understand and implement the modern ways of scaling API Security Testing.
- Gain abilities to audit APIs for security measures and provide solutions.
- Understand, assess, and secure APIs written in different architecture styles.
- Learn new ways to secure APIs through automation, and DevSecOps practices.
Check Out Reviews
-
Self-paced Learning Mode
-
Browser-based Lab Access
-
24/7 Instructor Support via Mattermost
API Security Training Prerequisites
- Course participants should have a basic understanding of Linux Commands and OWASP Top 10.
- Basic knowledge of application development is preferred but is not necessary.
Chapter 1: Introduction to API Security
- Introduction to Application Programming Interface
- What is an API?
- Need for an API
- Why Should You Secure Your APIs?
- APIs vs. Web Applications
- Understanding API Architecture
- Overview of the HTTP protocol
- Anatomy of a HTTP Request
- Anatomy of a HTTP Response
- HTTP Response Codes and Its Significance
- Stateless and Stateful Requests
- Overview of API architecture
- API Protocols
- API Data formats
- Different Types of APIs
- Simple Architecture
- How Are APIs Typically Deployed?
- Complex Architecture
- Overview of the HTTP protocol
- Strategies To Secure APIs
- Threat Modeling of APIs
- Traditional VAPT vs API VAPT
- API Defenses
- Input Validation
- Identification
- Authentication
- Authorization
- Data Encryption
- Transport Security
- Error Handling and Logging
- Supply Chain Security
- Hands-on Exercises:
- Understanding The Lab Setup
- Working With Linux Command(s)
- Working With Command Outputs
- Working With Exit Code
- Hosting Files Using HTTP Server
Chapter 2: API Security Tools of the trade
- The Moving Parts in an API
- API Gateway
- Load Balancer/Reverse Proxy
- Message Queues
- Critical Toolchain for API Development
- Source Code Management
- CI/CD Tools
- Artifact Management
- Cloud Platform
- Infrastructure as Code
- Monitoring and Logging Tools
- Collaboration Tools
- Containerization
- Ability To Talk to an API
- cURL (curl)
- Postman
- OpenAPI (Swagger)
- Python
- An MITM Proxy
- Hands-on Exercises:
- Understanding an API Language (Endpoints, Verbs, and State)
- Understanding cURL Command
- Performing CRUD Operations Using API
- Setup the Burp Suite for API Security Testing
- Understanding APIs Using OpenAPI Specifications
- Performing Reconnaissance on an API
- Path And Directory Discovery Using FFUF
- Enumerating User Accounts From an API
Chapter 3: Authentication Attacks and Defenses
- Overview of API Authentication
- Types of Authentication
- No Authentication (Public APIs)
- HTTP Basic Authentication
- API Token Authentication
- OIDC Authentication
- JSON Web Tokens (JWTs)
- SAML Tokens
- Mutual TLS
- Authentication Attacks
- Brute Force
- Weak Password Storage
- Password Reset Workflows
- Account Lockouts
- Insecure OpenID Connect Configuration
- Insecure JWTs Validation
- Authentication Defenses
- Secure Authentication Workflows
- Strong Password and Key Validation
- Multi-Factor Authentication
- Securely Storing the Tokens
- Cookies
- Local Storage and Session Storage
- Token Storage and XSS
- Rate Limiting
- CAPTCHA
- Hands-on Exercises:
- Talking To An API Using OAuth and JWT
- Talking To An API Using HTTP Basic and API Keys
- Exploiting Broken Authentication With SQL Injection
- Exploiting Broken Authentication With Weak Passwords
- Cracking Weak Password Hashes With Dictionaries
- Cracking Weak Password Hashes With Bruteforce And Combinations
- Abusing JWT Tokens
Chapter 4: Authorization Attacks and Defenses
- Overview of API Authorization
- Types of Authorization
- No Authorization
- Role-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Attribute-Based Access Control (ABAC)
- Relationship-Based Access Control (ReBAC)
- Authorization Attacks
- Misconfigured Permissions
- Broken Object Level Authorization
- Broken Function Level Authorization
- Horizontal Privilege Escalation
- Vertical Privilege Escalation
- Authorization Defenses
- Defending Object & Function Level Access
- Attribute-Based Access Control (ABAC) with Roles, and Relations
- Decoupling Authorization Decisions With Policy As Code
- Authorizing with OAuth Framework
- OAuth Specification
- Different Authorization Workflows
- Insecure OAuth Configurations
- OAuth 2.0 vs OAuth 2.1
- Different Types of Tokens
- Access Token
- Refresh Token
- ID Token
- Hands-on Exercises:
- Forging JWT Tokens For Privilege Escalation
- Finding Another Users Location Using BOLA
Chapter 5: Input validation Threats and Defenses
- Introduction to Input Validation
- Input Validation
- Input Sanitization
- Injection Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- ORM Injection
- NoSQL Injection
- Server Side Request Forgery
- Deserialization Issues
- Mass Assignment Issues
- Fuzzing
- Fuzzing 101
- Fuzzing vs Brute Forcing
- Fuzzing APIs Using Open Source and Commercial Tools
- Burp Suite Intruder
- OWASP ZAP Fuzzer
- Wfuzz
- FFUF
- Injection Defenses
- Implementing Input Validation
- Client-Side vs. Server-Side Validation
- Whitelisting & Blacklisting
- Implementing Input Sanitization
- Validating With Regular Expressions
- Output Encoding
- HTML Encoding
- HTML Attribute Encoding
- Javascript Encoding
- CSS Encoding
- Prepared Statements
- Content Security Policy
- Trusted Types
- Hands-on Exercises:
- Getting Free Coupons Without Knowing Coupon Code
- Exploiting Mass Assignment Vulnerabilities
- Insecure Deserialization To Remote Code Execution
- Preventing Insecure Deserialization In Java
- Post Exploitation In APIs Through Reverse Shells
- Automated SQL Injection Using SQLMAP
- Learning To Validate Input With Regular Expressions
- Preventing DOM XSS With Trusted Types
- Attacking GraphQL APIs
Chapter 6: Other API Security Threats
- Introduction to OWASP API Top 10
-
- Broken Object Level Authorization
- Broken Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfigurations
- Injection
- Improper Asset Management
- Insufficient Logging and Monitoring
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Unrestricted Access to Sensitive Business Flows
- Server Side Request Forgery
- Improper Inventory Management
- Unsafe Consumption of APIs
-
- Attacking Caching Layers (Memcache, Proxies, etc.,)
- Attacking GraphQL APIs
- Attacking SOAP APIs
- Abusing Micro-services, and REST APIs
- Post Exploitation in the API World
- Hands-on Exercises:
- Privilege Escalation With Cross Site Scripting
- Abusing CORS Misconfigurations
Chapter 7: Other API Security Defenses
- GraphQL API Security Best Practices
- SOAP API Security Best Practices
- REST API Security Best Practices
- Data Security
- Encoding and Decoding
- Escaping
- Hashing
- Encryption and Decryption
- Securing Data at Rest Using Encryption
- Storing Credentials for Service-to-Service Communication
- Password Storage and Its Considerations
- Picking a Secure Algorithm
- Securing Data in Transit Using TLS
- Rate Limiting Best Practices
- Security Headers
- X-XSS-Protection
- HTTP Strict Transport Security (HSTS)
- Cache-Control
- X-Frame-Options
- X-Frame-Options vs frame-ancestors
- Content Security Policy
- Implementing CSP at Scale
- Common Misconfigurations While Using CSP
- Cross-Origin Resource Sharing (CORS)
- Cookie Based Implementations
- Token Based Implementations
- Hands-on Exercises:
- Adding Content Security Policy To Mitigate Cross Site Scripting
- Implementing Rate Limiting With API Gateway
- Securing HTTP Headers using Kong Gateway
- Implementing Rate Limiting using API Key
Chapter 8: Implementing API Security Mechanisms
- API Security Design Best Practices
- Authentication Implementation
- Authorization Implementation
- Designing API Permissions
- Designing OAuth Scopes
- Rate-Limiting Implementation and Best Practices at Different Stages
- Reverse Proxy
- Load Balancer
- API Gateways and WAFs
- Request Throttling
- Securely Store Secrets Using Hashicorp Vault
- Data Security Implementation
- Using Transport Layer Security (TLS)
- Implementing Sufficient Logging & Monitoring
- Secure Logging Implementation
- Logging Using Syslog Format
- Using ELK To Capture the Log Data
- Hands-On Exercises:
- Using HashiCorp Vault To Create and Consume Secrets Safely
- Monitoring Docker Containers Using Grafana
Chapter 9: API Security, the DevSecOps Way
- OWASP ASVS Framework
- Understanding OWASP ASVS
- Using ASVS To Secure Applications and APIs
- Creating Checklists With OWASP ASVS
- Automated Vulnerability Discovery
- Finding Insecure Dependencies Using Software Component Analysis
- Finding Vulnerabilities in Code Using Static Application Security Testing
- Automating API Attacks Using Dynamic Application Security Testing
- Addressing API Security Issues at Scale
- Hands-on Exercises:
- Creating a Simple CI/CD Pipeline
- Deploying a Microservice(s) Using Continuous Deployment
- Embedding Software Composition Analysis Into CI/CD Pipeline
- Embedding Static Application Security Testing Into CI/CD Pipeline
- Embedding Dynamic Application Security Testing Into CI/CD Pipeline
API Security Certification Process
- After completing the course, you can schedule the CASP exam on your preferred date.
- The process of achieving Practical DevSecOps CASP Certification can be found on the exam and certification page.
API Security Fundamentals
No email required