API Security for White Hat Hackers : Uncover Offensive Defense Strategies and Get up to Speed with Secure API Implementation

API Security for White Hat Hackers Uncover Offensive Defense Strategies and Get up to Speed with Secure API Implementation

Become an API security professional and safeguard your applications against threats with this comprehensive guide Key Features Gain hands-on experience in testing and fixing API security flaws through practical exercises Develop a deep understanding of API security to better protect your organizatio...

Descripción completa

Detalles Bibliográficos
Autor principal: Staveley, Confidence (-)
Otros Autores: Romeo, Christopher
Formato: Libro electrónico
Idioma:Inglés
Publicado: Birmingham : Packt Publishing, Limited 2024.
Edición:1st ed
Materias:
Application software > Security measures.
Ver en Biblioteca Universitat Ramon Llull:https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009837628706719
Tabla de Contenidos:
  • Cover
  • Title Page
  • Copyright and Credits
  • Dedications
  • Foreword
  • Contributors
  • Table of Contents
  • Preface
  • Part 1: Understanding API Security Fundamentals
  • Chapter 1: Introduction to API Architecture and Security
  • Understanding APIs and their role in modern applications
  • How do APIs work?
  • Leveraging APIs in modern applications - Advantages and benefits
  • Understanding APIs with real-world business examples
  • An overview of API security
  • Why is API security so important?
  • The basic components of API architecture and communication protocols
  • Types of APIs and their benefits
  • Common communication protocols and security considerations
  • Summary
  • Further reading
  • Chapter 2: The Evolving API Threat Landscape and Security Considerations
  • A historical perspective on API security risks
  • The early days of APIs
  • The rise of the web and web APIs
  • The rise of REST and modern APIs
  • The era of microservices, IoT, and cloud computing
  • The modern API threat landscape
  • Key considerations for API security in a growing ecosystem
  • Emerging trends in API security
  • Zero-trust architecture in API security
  • Exploring blockchain for enhanced API security
  • The rise of automated attacks and bots
  • Quantum-resistant cryptography in API security
  • Serverless architecture security in API security
  • Behavioral analytics and user behavior profiling in API security
  • Lesson from a real-life API data breach
  • Uber data breach (2016)
  • Equifax data breach (2017)
  • MyFitnessPal data breach (2018)
  • Facebook Cambridge Analytica scandal (2018)
  • Summary
  • Further reading
  • Chapter 3: OWASP API Security Top 10 Explained
  • OWASP and the API Security Top 10 - A timeline
  • Exploring the API Security Top 10
  • OWASP API 1 - Broken Object Level Authorization
  • OWASP API 2 - Broken Authentication.
  • OWASP API 3 - Broken Object Property Level Authorization
  • OWASP API 4 - Unrestricted Resource Consumption
  • OWASP API 5 - Broken Function Level Authorization
  • OWASP API 6 - Unrestricted Access to Sensitive Business Flows
  • OWASP API 7 - Server-Side Request Forgery
  • OWASP API 8 - Security Misconfiguration
  • OWASP API 9 - Improper Inventory Management
  • OWASP API 10 - Unsafe Consumption of APIs
  • Summary
  • Further reading
  • Part 2: Offensive API Hacking
  • Chapter 4: API Attack Strategies and Tactics
  • Technical requirements
  • API security testing - The essential toolset breakdown
  • Overviewing and setting up Kali Linux on a virtual machine
  • The browser as an API hacking tool
  • Using Burp Suite and proxy settings
  • Burp Suite tools explained
  • Setting up FoxyProxy for Firefox
  • Configuring Burp Suite certificates
  • Exploring Burp Suite's Proxy functionalities
  • Setting up Postman for API testing and interception with Burp Suite
  • Understanding Postman collections
  • Summary
  • Further reading
  • Chapter 5: Exploiting API Vulnerabilities
  • Technical requirements
  • Understanding API attack vectors
  • Types of attack vectors
  • Fuzzing and injection attacks on APIs
  • Fuzzing attacks
  • Injection attacks
  • Exploiting authentication and authorization vulnerabilities in APIs
  • Password brute-force attacks
  • JWT attacks
  • Summary
  • Chapter 6: Bypassing API Authentication and Authorization Controls
  • Technical requirement
  • Introduction to API authentication and authorization controls
  • Common methods for API authentication and authorization
  • Bypassing user authentication controls
  • Bypassing token-based authentication controls
  • Bypassing API key authentication controls
  • Bypassing role-based and attribute-based access controls
  • Real-world examples of API circumvention attacks
  • Summary
  • Further reading.
  • Chapter 7: Attacking API Input Validation and Encryption Techniques
  • Technical requirements
  • Understanding API input validation controls
  • Techniques for bypassing input validation controls in APIs
  • SQL injection
  • XSS attacks
  • XML attacks
  • Introduction to API encryption and decryption mechanisms
  • Techniques for evading API encryption and decryption mechanisms
  • Case studies - Real-world examples of API encryption attacks
  • Summary
  • Further reading
  • Part 3: Advanced Techniques for API Security Testing and Exploitation
  • Chapter 8: API Vulnerability Assessment and Penetration Testing
  • Understanding the need for API vulnerability assessment
  • API reconnaissance and footprinting
  • Techniques for API reconnaissance and footprinting
  • API scanning and enumeration
  • Techniques for API scanning and enumeration
  • API exploitation and post-exploitation techniques
  • Exploitation techniques
  • Post-exploitation techniques
  • Best practices for API VAPT
  • API vulnerability reporting and mitigation
  • Future of API penetration testing and vulnerability assessment
  • Summary
  • Further reading
  • Chapter 9: Advanced API Testing: Approaches, Tools, and Frameworks
  • Technical requirements
  • Automated API testing with AI
  • Specialized tools and frameworks in AI-powered API testing
  • Other AI security automation tools
  • Large-scale API testing with parallel requests
  • Gatling
  • How to use Gatling for large-scale API testing with parallel requests
  • Advanced API scraping techniques
  • Pagination
  • Rate limiting
  • Authentication
  • Dynamic content
  • Advanced fuzzing techniques for API testing
  • AFL
  • Example use case
  • API testing frameworks
  • The RestAssured framework
  • The WireMock framework
  • The Postman framework
  • The Karate DSL framework
  • The Citrus framework
  • Summary
  • Further reading.
  • Chapter 10: Using Evasion Techniques
  • Technical requirements
  • Obfuscation techniques in APIs
  • Control flow obfuscation
  • Code splitting
  • Dead code injection
  • Resource bloat
  • Injection techniques for evasion
  • Parameter pollution
  • Null byte injection
  • Using encoding and encryption to evade detection
  • Encoding
  • Encryption
  • Defensive considerations
  • Steganography in APIs
  • Advanced use cases and tools
  • Defensive considerations
  • Polymorphism in APIs
  • Characteristics of polymorphism
  • Tools
  • Defensive considerations
  • Detection and prevention of evasion techniques in APIs
  • Comprehensive logging and monitoring
  • Behavioral analysis
  • Signature-based detection
  • Dynamic signature generation
  • Machine learning and artificial intelligence
  • Human-centric practices for enhanced security
  • Summary
  • Further reading
  • Part 4: API Security for Technical Management Professionals
  • Chapter 11: Best Practices for Secure API Design and Implementation
  • Technical requirements
  • Relevance of secure API design and implementation
  • Designing secure APIs
  • Threat modeling
  • Implementing secure APIs
  • Tools
  • Secure API maintenance
  • Tools
  • Summary
  • Further reading
  • Chapter 12: Challenges and Considerations for API Security in Large Enterprises
  • Technical requirements
  • Managing security across diverse API landscapes
  • Balancing security and usability
  • Challenges
  • Protecting legacy APIs
  • Using API gateways
  • Implementing web application firewalls (WAFs)
  • Regular security audits
  • Regularly updating and patching
  • Monitoring and logging activity
  • Encrypting data
  • Developing secure APIs for third-party integration
  • Security monitoring and IR for APIs
  • Security monitoring
  • IR
  • Summary
  • Further reading
  • Chapter 13: Implementing Effective API Governance and Risk Management Initiatives.
  • Understanding API governance and risk management
  • Key components of API governance and risk management
  • Establishing a robust API security policy
  • Define objectives and scope
  • Identify security requirements
  • Authentication and authorization
  • Data encryption
  • Input validation and sanitization
  • Logging and monitoring
  • Compliance and governance
  • Conducting effective risk assessments for APIs
  • Understanding API risks
  • Methodologies and frameworks
  • Scope definition
  • Risk identification and analysis
  • Risk prioritization
  • Mitigation strategies
  • Documentation and reporting
  • Ongoing monitoring and review
  • Compliance frameworks for API security
  • Regulatory compliance
  • Industry standards
  • API security audits and reviews
  • Objective and scope
  • Methodologies and techniques
  • Compliance and standards
  • Identification of vulnerabilities and risks
  • Remediation and recommendations
  • Ongoing monitoring and maintenance
  • Typical audit and review process
  • Summary
  • Further reading
  • Index
  • Other Books You May Enjoy.

Ejemplares similares