Pentesting APIs

Pentesting APIs

Instructor: Packt - Course Instructors

Access provided by Marie Curie Alumni Association

10 modules

Gain insight into a topic and learn the fundamentals.

Intermediate level

Recommended experience

3 weeks to complete

at 10 hours a week

Flexible schedule

Learn at your own pace

10 modules

Gain insight into a topic and learn the fundamentals.

Intermediate level

Recommended experience

3 weeks to complete

at 10 hours a week

Flexible schedule

Learn at your own pace

What you'll learn

Understand the role of APIs in modern applications and their security challenges
Set up a penetration testing environment for API security testing
Identify and exploit common API vulnerabilities through practical techniques

Details to know

Shareable certificate

Add to your LinkedIn profile

Assessments

10 assignments

Taught in English

See how employees at top companies are mastering in-demand skills

Learn more about Coursera for Business

logos of Petrobras, TATA, Danone, Capgemini, P&G and L'Oreal

There are 10 modules in this course

This course provides learners with the essential skills to secure APIs against evolving cyber threats. You will master real-world techniques for discovering vulnerabilities, fingerprinting, and exploiting APIs to identify weaknesses and implement effective security measures. API security is critical in today’s digital world, where APIs are core components of modern applications.

You will learn how to set up an environment for penetration testing, assess API security, and apply expert techniques to protect APIs from common threats. Practical exercises focus on real-world scenarios, equipping you with the skills to proactively defend APIs against exploitation. The course stands out by combining theory with hands-on practice, offering a comprehensive guide to identifying, testing, and securing APIs. You’ll explore vulnerabilities in both RESTful and GraphQL APIs, gaining expert insights into real-world cybersecurity challenges. This course is ideal for security engineers, developers, and analysts with a basic understanding of web development and cybersecurity. It’s designed for those looking to enhance their skills in API security and protection.

In this section, we explore APIs, their types, protocols, and security principles, emphasizing their role in system integration and the risks of poor security practices.

What's included

2 videos6 readings1 assignment

2 videos Total 2 minutes

Course Overview 1 minute
Understanding APIs and Their Security Landscape - Overview Video 1 minute

6 readings Total 170 minutes

Introduction 30 minutes
A Brief History of APIs 20 minutes
API Types and Protocols 30 minutes
REST 30 minutes
gRPC 30 minutes
GraphQL 30 minutes

1 assignment Total 10 minutes

API Security and Communication Fundamentals 10 minutes

In this section, we guide the setup of a secure penetration testing environment, focusing on tool selection, lab configuration, and repository usage for practical API testing.

What's included

1 video4 readings1 assignment

In this section, we explore API reconnaissance techniques, including enumeration, OSINT, and analyzing documentation to identify vulnerabilities and improve security practices.

What's included

1 video5 readings1 assignment

1 video Total 1 minute

API Reconnaissance and Information Gathering - Overview Video 1 minute

5 readings Total 140 minutes

Introduction 30 minutes
Looking at crAPI 30 minutes
Analyzing API Documentation and Endpoints 30 minutes
Leveraging OSINT 20 minutes
Identifying Data and Schema Structures 30 minutes

1 assignment Total 10 minutes

API Security and Information Gathering Fundamentals 10 minutes

In this section, we cover API authentication and authorization testing, including weak credentials and access control issues.

What's included

1 video9 readings1 assignment

1 video Total 1 minute

Authentication and Authorization Testing - Overview Video 1 minute

9 readings Total 210 minutes

Introduction 20 minutes
Basic Authentication 20 minutes
Session Tokens 30 minutes
JSON Web Tokens (JWTs) 30 minutes
Testing for Weak Credentials and Default Accounts 20 minutes
Common Credentials and Default Accounts 20 minutes
Exploring Authorization Mechanisms 20 minutes
Attribute-based Access Control 20 minutes
Bypassing Access Controls 30 minutes

1 assignment Total 10 minutes

Authentication and Authorization Fundamentals 10 minutes

In this section, we explore injection vulnerabilities, testing SQL and NoSQL injection, and validating user input to enhance API security and prevent data breaches.

What's included

1 video8 readings1 assignment

1 video Total 1 minute

Injection Attacks and Validation Testing - Overview Video 1 minute

8 readings Total 210 minutes

Introduction 30 minutes
Testing for SQL Injection 30 minutes
Hidden Union SQL Injection 30 minutes
Exploiting SQL Injection on a Vulnerable API 30 minutes
Testing for NoSQL Injection 20 minutes
Operator Injection 30 minutes
Validating and Sanitizing User Input 20 minutes
Sanitizing Query Parameters 20 minutes

1 assignment Total 10 minutes

Injection Attacks and Input Validation 10 minutes

In this section, we explore error handling in APIs, focusing on identifying error codes, fuzzing for vulnerabilities, and leveraging error responses for infrastructure analysis.

What's included

1 video3 readings1 assignment

In this section, we explore testing for DoS vulnerabilities, identifying rate-limiting mechanisms, and evaluating their effectiveness to enhance API resilience against malicious traffic.

What's included

1 video7 readings1 assignment

1 video Total 1 minute

Denial of Service and Rate-Limiting Testing - Overview Video 1 minute

7 readings Total 200 minutes

Introduction 30 minutes
Interacting with Mockoon’s Endpoints 30 minutes
Leveraging Scapy to Attack Mockoon 20 minutes
Sending Fragmented Packets with hping3 30 minutes
Identifying Rate-Limiting Mechanisms 30 minutes
Leaky Buckets 30 minutes
Circumventing Rate Limitations 30 minutes

1 assignment Total 10 minutes

API Security and Traffic Control 10 minutes

In this section, we explore identifying sensitive data exposure, testing for information leakage, and implementing prevention strategies in APIs to enhance security and reduce vulnerabilities.

What's included

1 video5 readings1 assignment

In this section, we examine API abuse and business logic testing, focusing on identifying vulnerabilities, simulating abuse scenarios, and implementing security measures to prevent exploitation.

What's included

1 video7 readings1 assignment

1 video Total 1 minute

API Abuse and Business Logic Testing - Overview Video 1 minute

7 readings Total 190 minutes

Introduction 30 minutes
Exploring API Abuse Scenarios 30 minutes
Setting Up OpenBullet2 20 minutes
Creating a Configuration and Attacking 30 minutes
Other Features and Security Recommendations 30 minutes
Parameter Tampering 30 minutes
Testing for Business Logic Vulnerabilities 20 minutes

1 assignment Total 10 minutes

Exploring API Security and Business Logic Risks 10 minutes

In this section, we explore secure coding practices for APIs, focusing on authentication, input validation, and encryption to prevent vulnerabilities and ensure data integrity.