Instructors: Cory Sabol & Jennifer Shannon
Course Length: 8 Hours
Includes: Six months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
Note: This abbreviated version of the API Testing course was specifically for the Most Offensive Con that Ever Offensived! Virtual Summit event held March 1-3, 2023. For information about the full 16-hour course, click here.
This workshop-style intermediate course is designed to complement a student’s understanding of traditional Web Application Security. It focuses on modern application and API security features and tactics to protect APIs and microservices from attacks. Because the material in this course leans on standard HTTP and browser features, and standard web and API security best practices, the lessons and labs are applicable across programming languages and platform implementations. The material in this course is approached from the perspective of both an adversary and a defender.
- Explore OWASP API Security Top 10 2019
- How to attack REST APIs
- How to prevent API security flaws
- Explore and attack OAuth and JWTs
- Understand that strong data validation is key to API security
Who Should Take This Course
Anyone with an interest in REST API security will benefit from this course. The course is aimed at teaching students how to think about REST API security from an attacker mindset, which is useful for defenders and attackers alike.
Students will need a computer capable of running the local SamuraiWTF VM lab environment.
What Each Student Will Be Provided
Students will be provided access to download an OVA image of the SamuraiWTF lab environment virtual machine. Students will be able to continue to use this VM after the course to practice labs on their own time.
Cory Sabol is a senior consultant with a background in web development, game development, and machine learning. He has done substantial research on the topic of container security, focused primarily on Docker and Kubernetes. In addition to using these skills to identify and exploit misconfigurations during penetration testing engagements, Cory has taught workshops on this topic to other security professionals. Cory also has considerable experience with API security. He has developed custom API security testing frameworks and tooling. He has also led the development efforts on the Arrrspace containerized microservice training target. Currently he is researching game security and developing game security labs and training materials.
Jennifer is a senior security consultant at Secure Ideas with a background in malware analysis, penetration testing, and teaching. An avid computer geek for most of her life, she began her journey in cybersecurity as a SOC Analyst, where she showed an aptitude for penetration testing and malware analysis. Her background as “blue team” uniquely prepared her for guiding clients through remediation and contextualizing findings for their environment.
She graduated with honors from Florida State College at Jacksonville’s networking program. While pursuing her degree, she dedicated time to teaching computing skills to underrepresented minorities. Jennifer continues to be passionate about teaching and is eager to share her knowledge with anyone who will listen.
Live Training Events
There are no sessions of this course currently on our schedule.