Hack Your API First by Troy Hunt-0daytown

Hack Your API First by Troy Hunt [repost]

Recent years have seen a massive explosion in the growth of rich client apps that talk over the web using APIs across HTTP, but unfortunately, all too often they contain serious security vulnerabilities that are actually very easy to locate. This course shows you how.

Web based APIs have grown enormously popular in recent years. This is in response to a couple of key changes in the industry: firstly, the enormous growth of mobile apps which frequently talk to back ends over the web. Secondly, the rapidly emerging ‘Internet of Things’ which promises to bring connectivity to common devices we use in our everyday lives. In the rush to push these products to market, developers are often taking shortcuts on security and leaving online services vulnerable to attack. The risks are not as obvious as they may be in traditional browser based web apps, but they’re extremely prevalent and attackers know how to easily identify them. This course teaches you how to go on the offense and hack your own APIs before online attackers do.

Content:

Introduction
The Age of the API
The Hidden Nature of API Security
What Exactly Is an API?
What’s the Scope of This Course?
Introducing Supercar Showdown
Introducing the Vulnerable Mobile App
Summary
Discovering Device Communication With APIs
Who Are We Protecting Our APIs From?
Proxying Device Traffic Through Fiddler
Interpreting Captured Data in Fiddler
Intercepting Mobile App Data in Fiddler
Discovering More About Mobile Apps via Fiddler
Filtering Traffic in Fiddler
Alternate Traffic Interception Mechanisms
Summary
Leaky APIs and Hidden APIs
Introduction
Discovering Leaky APIs
Securing a Leaky API
Discovering Hidden APIs via Documentation Pages
Discovering Hidden APIs via robots.txt
Discovering Hidden APIs via Google
Securing Hidden APIs
Summary
API Manipulation and Parameter Tampering
Introduction
Defining Untrusted Data
Modifying Web Traffic in Fiddler
Manipulating App Logic by Request Tampering
Response Tampering
Summary
API Authentication and Authorization Vulnerabilities
Introduction
Identifying Authentication Persistence
The Role of Tokens
An Auth Token in Practice
An Overview of Authorization Controls
Identifying Client Controls vs. Server Controls
Circumventing Client Authorization Controls
Testing for Insufficient Authorization
Testing for Brute Force Protection
The Role of OpenID Connect and OAuth
Summary
Working With SSL Encrypted API Traffic
Introduction
MitM’ing an HTTPS Connection With Fiddler
Configuring Fiddler to Decrypt Encrypted Connections
Proxying Encrypted Device Traffic via Fiddler
Rejecting Invalid Certificates
Identifying a Missing Certificate Validation Check
Loading the Fiddler Certificate on a Device
SSL Behavior on a Compromised Device
Identifying Invalid Certificates
The Value Proposition of Certificate Pinning
Demonstrating Certificate Pinning
Summary