How to Hack Your API-Security Testing Review

Code Hacker

The Age of the API

Are you aware of the fact that anyone can see your API traffic? The question is, what are you doing about it? Do you even know how to begin, or what tools to use for security testing? Don't fear! Troy Hunt's PluralSight course, Hack Your API First, is a great introduction to start you on your way to security testing awesomeness.

In a recent post I talked about how the GUI is no longer King, and why API testing is so important — so you can imagine how excited I was to learn about Troy's course on security testing APIs.

I feel this is a topic that is about to see massive growth in the coming years — and that this is a great chance to get ahead of the API explosion curve.

Don't believe me? Here are some startling numbers:

  • The number of OPEN APIs is projected to be 30,000 by 2016.
  • The number of API requests made each hour exceeds the population of India.
  • The number of Social Media APIs has increased nearly 300% since 2009.

[*Taken from SmartBear's Ready! API site]

Hack Your API Course Details

The training course is broken down into six main modules (listed below) and contains over four hours of video instruction:

  • Introduction
  • Discovering Device Communications with APIs
  • Leaky APIs and Hidden APIs
  • API Manipulation and Parameter Tampering
  • API Authentication and Authorization Vulnerabilities
  • Working with SSL Encrypted API traffic

If you really want to see what it takes to get started security testing your APIs, this is the course for you.

Troy will show you how to get started using a free open source tool, Fiddler, in order to intercept and manipulate your API data. And let me tell you — it's some eye-opening stuff. I was amazed at just how easy it was for me to view some of my company's API traffic. This is important, because using the techniques Troy shares in this course will enable you to uncover risks and vulnerabilities in your applications.

Scope of Hack Your API Course

What I really enjoyed about this training is that Troy developed it in such a way that is actually technology-agnostic. The course is applicable to any application that talks over HTTP or HTTPS, whether it's a smart phone, a tablet, or a laptop application.

You'll be learning security testing techniques you can put into practice right away against pretty much any HTTP(S)-based application, running on any type of server, using any type of framework (like .NET, PHP or Node).

Rather than focus on a specific piece of tech, this course will help you discover best practices and patterns to watch out for. Since you won't be focusing on a specific piece of technology, the skills you acquire from this course won't be out of date any time soon.

My Experience with API Security Testing

The team I'm on is fairly new to REST API development. When I applied some of the things I learned from this course (especially from the leaky API module), I was able to uncover some data that would have been considered a risk for my company if we had gone live with our application.

Consequently, I was able to have some really good dialogue with our developer regarding the ramifications of exposing more than the data our API really needs. Exposing only what is needed reduces the risk of needlessly sharing potentially sensitive data.
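To make the leaky-API point concrete, here is an added example (written for this review page, not code from Troy's course or from the reviewer's application) in Node-style JavaScript, one of the frameworks the course covers. It contrasts a handler that serialises an entire record with one that projects the record through an allowlist, and adds a small tester-side check that scans a JSON response for field names that should never leave the server. The sample record, its field names, and the sensitive-name pattern are constructed assumptions.

```javascript
// Added example, not from the original post. All data below is constructed.

// Constructed record as a data layer might hand it to an API handler.
// Field names are assumptions; placeholder values are not real secrets.
const patientRecord = {
  id: 1042,
  displayName: "A. Example",
  email: "a.example@example.test",
  ssn: "000-00-0000",              // placeholder
  passwordHash: "$2b$12$placeholder", // placeholder
  insurance: { provider: "ExampleCare", policyNumber: "POL-0001" },
  devices: [{ serial: "SN-0001", firmware: "1.2.3", apiToken: "tok_placeholder" }],
};

// Leaky handler: serialises whatever the data layer returned.
function leakyHandler(record) {
  return JSON.stringify(record);
}

// Allowlist projection: only named fields (and named nested fields) survive.
// `true` keeps a field as-is; a nested object describes which sub-fields to keep.
function project(value, allow) {
  if (Array.isArray(value)) return value.map((v) => project(v, allow));
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(allow)) {
    if (!(key in value)) continue;
    const rule = allow[key];
    out[key] = rule === true ? value[key] : project(value[key], rule);
  }
  return out;
}

// The public shape of a patient record (an assumption for this example).
const PUBLIC_PATIENT = {
  id: true,
  displayName: true,
  devices: { serial: true, firmware: true },
};

// Hardened handler: the response can only ever contain allowlisted fields,
// regardless of what the data layer adds to the record later.
function hardenedHandler(record) {
  return JSON.stringify(project(record, PUBLIC_PATIENT));
}

// Tester-side check: walk a JSON body and report key paths whose names look
// sensitive. The pattern is a constructed starting point, not a complete list.
const SENSITIVE_KEY = /(ssn|password|secret|token|policyNumber)/i;

function findLeakedFields(body) {
  const root = typeof body === "string" ? JSON.parse(body) : body;
  const hits = [];
  const walk = (v, path) => {
    if (Array.isArray(v)) {
      v.forEach((item, i) => walk(item, `${path}[${i}]`));
      return;
    }
    if (v && typeof v === "object") {
      for (const [k, child] of Object.entries(v)) {
        const childPath = path ? `${path}.${k}` : k;
        if (SENSITIVE_KEY.test(k)) hits.push(childPath);
        walk(child, childPath);
      }
    }
  };
  walk(root, "");
  return hits;
}

// Usage: compare what each handler exposes.
console.log("leaky:", findLeakedFields(leakyHandler(patientRecord)));
console.log("hardened:", findLeakedFields(hardenedHandler(patientRecord)));
```

The allowlist is the design choice worth noting: a denylist of "fields to strip" silently fails the moment a developer adds a new column, whereas a projection only ever grows when someone deliberately adds a field to the public shape. The `findLeakedFields` check is the kind of thing a tester can run over captured responses to catch exactly the sort of over-exposure described above.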

This was a big catch, because my company is involved in healthcare and medical devices, which can be audited by the FDA at any given time. If the FDA finds a large enough issue, they can potentially pull our products from the market — leading to millions of dollars in lost revenue.

In fact, the FDA recently set some new guidelines for medical devices' cyber security. The agency recommends that companies should always consider cyber security risks as they design and develop medical devices in order to protect patients from the possible risks.

In Hack Your API First, Troy actually demonstrates an alternate traffic interception mechanism for applications that are hard to proxy. So how would you capture data from, say, a radiology machine?

There are a few options that are shown, one being the use of a hardware device called a “WiFi Pineapple” to intercept and muck around with the communication that goes on with equipment like this. He uses an example of an internet-connected scale, but the same principles can be applied to medical devices. This is a great demonstration showing that anything that talks over HTTP gives a hacker an opportunity to monitor the API communications.

Recommendation For Hack Your API Course

Everything Troy shares in this course is designed to help you succeed in uncovering risk in your APIs. If you're just starting out with security testing and not sure where to start (or why it's so important), I believe this course is a must-view — and it's affordable! Troy also has a bunch of other security-related courses available. If you're serious about security testing, I recommend you also check out his Hack Yourself First: How to go on the Cyber-Offense course. Take all six courses and become a security testing sensation!

One month of unlimited access to PluralSight costs only $29. The training moves quickly, so be sure to have your “pause” finger ready in order to soak up every drop of security testing goodness.


Free Bonus

For a sneak peek of some of the security testing awesomeness Troy shares in his course, take a listen to episode 21 of TestTalks, where I interview Troy about this course and much, much more.