Actual Training

Pelatihan REST API Security (PT Pamapersada Nusantara)

Pada tanggal 10-12 April 2019 telah dilaksanakan inhouse training dengan topik REST API Security. Peserta dari pelatihan ini adalah pengembang aplikasi mobile dari PT Pamapersada Nusantara. Pelatihan ini dilangsungkan di Pusat Pelatihan PT Pamapersada di Cileungsi, Bogor.

Dengan semakin popular nya aplikasi mobile dan aplikasi dengan arsitektur microservices maka pengetahuan tentang keamanan pada aplikasi tersebut semakin dibutuhkan, sehingga dapat meminimalkan serangan yang mungkin terjadi.

Tujuan dari pelatihan ini adalah membahas berbagai macam serangan dan ancaman keamanan pada aplikasi backend berbasis REST API.

Adapun materi yang disampaikan pada pelatihan REST API Security ini adalah sebagai berikut:

-Introduction

  • The Age of the API
  • The Hidden Nature of API Security
  • What Exactly Is an API?
  • What’s the Scope of This Course?
  • Introducing Supercar Showdown
  • Introducing the Vulnerable Mobile App

· Discovering Device Communication With APIs

  • Who Are We Protecting Our APIs From?
  • Proxying Device Traffic Through Fiddler
  • Interpreting Captured Data in Fiddler
  • Intercepting Mobile App Data in Fiddler
  • Discovering More About Mobile Apps via Fiddler
  • Filtering Traffic in Fiddler
  • Alternate Traffic
  • Interception Mechanisms

· Leaky APIs and Hidden APIs

  • Introduction
  • Discovering Leaky APIs
  • Securing a Leaky API
  • Discovering Hidden APIs via Documentation Pages
  • Discovering Hidden APIs via robots.txt
  • Discovering Hidden APIs via Google
  • Securing Hidden API

· API Manipulation and Parameter Tampering

  • Introduction
  • Defining Untrusted Data
  • Modifying Web Traffic in Fiddler
  • Manipulating App Logic by Request Tampering
  • Response Tampering
  • API Authentication and Authorization Vulnerabilities
  • Introduction
  • Identifying Authentication Persistence
  • The Role of Tokens
  • An Auth Token in Practice
  • An Overview of Authorization Controls
  • Identifying Client Controls vs. Server Controls
  • Circumventing Client Authorization Controls
  • Testing for Insufficient Authorization
  • Testing for Brute Force Protection
  • The Role of OpenID Connect and OAuth

· Working With SSL Encrypted API Traffic

  • MitM’ing an HTTPS Connection With Fiddler
  • Configuring Fiddler to Decrypt Encrypted Connections
  • Proxying Encrypted Device Traffic via Fiddler
  • Rejecting Invalid Certificates
  • Identifying a Missing Certificate Validation Check
  • Loading the Fiddler Certificate on a Device
  • SSL Behavior on a Compromised Device
  • Identifying Invalid Certificates
  • The Value Proposition of Certificate Pinning
  • Demonstrating Certificate Pinning

23

Posted in UncategorizedTagged , ,