Hack Your API First
Recent years have seen a massive explosion in rich client apps that talk to back ends through HTTP-based APIs, but all too often those APIs contain serious security vulnerabilities that are very easy to locate. This course shows you how.
What you'll learn
Web-based APIs have grown enormously popular in recent years. This is in response to two key changes in the industry: firstly, the enormous growth of mobile apps, which frequently talk to back ends over the web; secondly, the rapidly emerging 'Internet of Things', which promises to bring connectivity to the common devices we use in our everyday lives. In the rush to push these products to market, developers often take shortcuts on security and leave online services vulnerable to attack. The risks are not as obvious as they are in traditional browser-based web apps, but they are extremely prevalent, and attackers know how to identify them easily. This course teaches you how to go on the offense and hack your own APIs before online attackers do.
Table of contents
- Who Are We Protecting Our APIs From? 5m
- Proxying Device Traffic Through Fiddler 5m
- Interpreting Captured Data in Fiddler 5m
- Intercepting Mobile App Data in Fiddler 2m
- Discovering More About Mobile Apps via Fiddler 8m
- Filtering Traffic in Fiddler 4m
- Alternate Traffic Interception Mechanisms 5m
- Summary 4m
- Introduction 5m
- Identifying Authentication Persistence 6m
- The Role of Tokens 7m
- An Auth Token in Practice 5m
- An Overview of Authorization Controls 5m
- Identifying Client Controls vs. Server Controls 3m
- Circumventing Client Authorization Controls 4m
- Testing for Insufficient Authorization 3m
- Testing for Brute Force Protection 5m
- The Role of OpenID Connect and OAuth 3m
- Summary 4m
- Introduction 5m
- MitM'ing an HTTPS Connection With Fiddler 4m
- Configuring Fiddler to Decrypt Encrypted Connections 8m
- Proxying Encrypted Device Traffic via Fiddler 2m
- Rejecting Invalid Certificates 4m
- Identifying a Missing Certificate Validation Check 6m
- Loading the Fiddler Certificate on a Device 4m
- SSL Behavior on a Compromised Device 3m
- Identifying Invalid Certificates 7m
- The Value Proposition of Certificate Pinning 3m
- Demonstrating Certificate Pinning 5m
- Summary 3m