hack.lu 2025
Duration: 90 min
Type: Workshop
Speakers: Parth Shukla
Abstract
This comprehensive workshop is designed to provide participants with a deep understanding of API security, its challenges, and best practices to mitigate risks. Spanning six engaging sessions, the program begins with an introduction to API security and real-world breaches, highlighting the critical importance of securing APIs.
Participants will explore reconnaissance techniques, including using tools like Shodan and Google Dorking, to identify API endpoints. The workshop delves into common API vulnerabilities, such as SQL Injection and XSS, complemented by practical hands-on scanning with Burp Suite.
Additionally, the sessions cover OSINT (Open Source Intelligence) techniques with tools like Maltego, theHarvester, and Wayback, empowering attendees to gather intelligence on API targets. The program culminates with guided vulnerability exploitation exercises and a collaborative group activity to identify and exploit API flaws.
Concluding with a wrap-up session and an open Q&A, this workshop equips participants with the knowledge and skills to secure APIs effectively while fostering a hands-on learning environment.
Description
Session 1: Introduction to API Security
Overview of API Security
Real-world examples of API security breaches
Importance of securing APIs
Session 2: Reconnaissance Techniques
Introduction to reconnaissance
Using Shodan for API recon
Google Dorking for API endpoints
Practical exercise: Recon on a sample API
Session 3: Identifying API Vulnerabilities
Common API vulnerabilities
Demonstration: SQL Injection, XSS on APIs
Hands-on: Scanning an API with Burp Suite
Session 4: OSINT for API Security
What is OSINT?
Tools: Maltego, theHarvester, Wayback
Practical exercise: Conducting OSINT on an API target
Session 5: Hands-On Vulnerability Exploitation
Step-by-step guide to exploiting API vulnerabilities
Practical exercises on various vulnerabilities
Group activity: Find and exploit vulnerabilities on a mock API
Session 6: Wrap-Up and Q&A
Recap of key points
Final thoughts and best practices
Open Q&A session for participants