Infosec In the City (IIC)

#IICSG2019 Training — Attacking & Securing APIs

by Mohammed Aldoub

With the increased, and eventually complete, reliance on APIs in modern systems, and the quick decline of the monolithic architecture for systems and applications, it is becoming increasingly necessary to tackle and understand the various security issues, weaknesses and gotchas in API designs. Many products, platforms and technologies now expose an API or two (or many more), sometimes in a decentralised and autonomous fashion. Where does security come in this new world of rapid build-up and teardown of microservices and serverless (Functionality as a Service — FaaS) architectures?

How do web and mobile apps securely communicate with APIs through devices they can't trust, network paths they cannot predict, and on infrastructure they don't own? 

All of that, and much more, will be studied, tried, tested and answered in this fast-paced, scenario-based hands-on training course.

This course will discuss various attacks and countermeasures for security issues typically found in API servers and clients such as authentication, injection attacks, credential handling, cryptography, authorisation, caching, secure file and resource management, and many more. 

This training aims to engage students in design, analysis and breakdown of security in clientside and serverside components of modern APIs and application infrastructure, whilst combining both new and old attack vectors and pitfalls. This course doesn't reinvent the wheel in security, but it will help you not to reinvent the old bugs. 


Date: 17-18 Jun 2019

Venue: Sands Expo & Convention Centre, Marina Bay Sands


Super Early Bird (Sign up by 31 Mar 2019): $3,000 SGD

Early Bird (Sign up by 30 Apr 2019): $3,300 SGD

Standard (Sign up by 31 May 2019): $3,600 SGD

Late: $3,900 SGD


  • API and microservices security architecture. 

  • How to create APIs that are easy to use securely and hard to use insecurely. 

  • What are the techniques and tools to design, test and attack APIs and microservices. 

  • Understanding the intricate and minute details of authentication and authorisation frameworks and technologies. 

  • Learning how to effectively solve the problem of credential storage. 

  • Attack and defend against injection vulnerabilities e.g. Template Injection, SQL injection, NoSQL injection (MongoDB, GraphQL, etc.). 

  • Attack and defend against API and serverless oriented vulnerabilities e.g. serialisation, JSON injection, pickling, Edge Side Includes, Serverless Event Injection, etc. 

  • Learn AJAX and REST security best practices. 

  • Know when to use signing, when to use encryption, and when to use both. 

  • Implement applied, battle-tested secure cryptography. 

  • Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorisation.

  • Attack insecure implementations of session management, input validation, output encoding and loosely coupled components. 

  • Implement secure communication channels with API consumers e.g. web browsers and mobile apps. 

  • Mitigate and defend against XSS, CSRF, JSONP and CORS security weaknesses in APIs.

  • Implement secure web socket channels and defend against Cross-Site WebSocket Hijacking. 

  • Implement and attack multi-factor authentication for APIs. 

  • Learn and understand cache security and what threats and vulnerabilities can arise out of insecure caching methods and configurations. 

  • Handle files securely by allowing only authorised downloads even in segmented microservice architectures. 


Day 1

Introduction to the Modern Web

  • Differences between modern and conventional web technologies.  

  • Microservices and APIs. 

  • Cloud-native apps and technologies. 

  • Containers and orchestration. 

  • Serverless apps. 

  • Security in this new world. 

  • Setting up local and cloud environments for the class. 

Security Architecture for APIs

  • Security of API consumers (Web, Mobile, Microservices, other APIs).  

  • Types of threats for APIs.

  • Serverside attacks against API implementations (injection attacks, data exposure attacks, etc.). 

  • 3rd-party attacks against APIs (authentication weaknesses, cache attacks, etc.).

  • Clientside attacks against API consumers (Confused Deputy attacks, data exposure, authorisation abuse, ID and token hijacking). 

  • Attacks against API infrastructures. 

  • Designing and implementing defensible APIs and infrastructures. 

  • Logging and Monitoring for Serverless. 

Data and File Attacks Against APIs and Clients 

  • Attacking and Securing AWS S3 buckets. 

  • Insecure Direct File or Object Access (IDOR) attacks. 

  • Securing file downloads with AWS Signed URLs and Signed Cookies. 

  • Securing file downloads using X-Sendfile and X-Accel-Redirect.

  • Securing file downloads using UUIDs and one-time tokens. 

  • 3rd-party threats against file downloads (caching, URL shorteners, CDNs). 

  • File upload security (path traversal attacks, file inclusion, file type confusion, safe bucket uploads with Presigned URLs, etc.)

Injection Attacks Against APIs and Clients 

  • SQL and NoSQL injection attacks. 

  • Template injection attacks. 

  • Object manipulation attacks (Serialisation, Pickling and Eval attacks). 

  • GraphQL security. 

  • XXE attacks. 

  • XSS. 

  • Serverless Event Injection. 

  • Edge Side Include Injection. 

  • Serverside Request Forgery.

Cache Security

  • Cache security concerns and configurations in API. 

  • Knowing what to cache and what not to cache. 

  • Cache attacks: Edge Side Include Injection, Cache Poisoning. 

  • Secure configuration of caching proxies. 

  • Redis and Memcached security. 

Day 2

HTTP Security

  • Same Origin Policy (SOP)

  • HTTP Attacks

  • HTTP Security Headers 

  • Web Socket Security

Token Security

  • Using Tokens for Authentication and Authorisation 

  • JSON Web Tokens (JWT) and JSON Web Signature (JWS) Security

  • Mapping Tokens to Users and Devices

  • Double Wrapping JWT

  • Stateful v. Stateless Authentication

Authentication and Authorisation in APIs

  • OAuth

  • Session Management and Privileges

  • Multifactor Authentication (MFA)

Credential Handling and Storage 

  • Credential storage in apps (Local Storage, Apple Keychain and Secure Enclave, Android KeyStore)

  • Credential storage for APIs

  • Checking for compromised credentials using HIBP

  • Secrets API in Kubernetes, Docker Swarm, Mesosphere


  • Secure SSL/TLS Configuration (Cipher suites, Pinning, PFS, Key and Certificate Management). 

  • Applied cryptography for secret storage and transmission. 

  • Securely applying digital signatures. 

  • Secure password storage and handling. 

  • Applied cryptography using Libsodium, BouncyCastle. 

Rate Limiting and Bot Control

  • Implementing rate-limiting and bot control. 

  • Catching and blocking bad bots.

  • Managing bot control and CAPTCHAs in APIs and mobile.


  • Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills. 

  • Anyone interested in keeping relevant knowledge and skill in the world of cloud, API and app security. 


  • Should be familiar with the concepts of Web, Linux, cloud services, security and APIs. 

  • Should have basic programming skills. 

  • Basic ability to use command-line interfaces. 

  • Scripting experience recommended. 

  • Familiarity with Python, JavaScript and Go is recommended.


  • Laptop with minimum 8GB RAM and 40GB free hard disk space with USB ports and virtualisation enabled/available.

  • Students must have full control of the laptop (can install software, can disable antivirus, etc.).

  • VMware Workstation or VMware Fusion (even trial versions can be used).

  • Enough storage to host multiple copies of the class VM in case modifications and restores are needed. 

  • Ability to connect to the Internet (the class requires going online). 

  • An active AWS account for each student (free tier or otherwise) is required. 

Note: VMware Player or VirtualBox is not recommended for this training. 


MOHAMMED ALDOUB is an independent security consultant from Kuwait who, in his 10 years of experience, has worked on creating Kuwait's national infrastructure for PKI, cryptography, smartcards and authentication. Mohammed has delivered security training, workshops and talks in the Netherlands, USA, Czech Republic, Lebanon, Riyadh, Kuwait, and other places.
Mohammed is deeply interested in malware, especially that used by state actors in the Middle East zone, where he volunteers as OWASP Kuwait's Chapter Lead. Mohammed is now focusing on secure DevOps, modern AppSec, cloud-native security, applied cryptography, security architecture and microservices. You can find his Twitter account at @Voulnet