
Ethical Hacking of RESTful and GraphQL APIs Training Course


Ethical Hacking of RESTful and GraphQL APIs Training Course, available at $44.99, has an average rating of 4.7, with 58 lectures, based on 11 reviews, and has 87 subscribers.



Summary

Title: Ethical Hacking of RESTful and GraphQL APIs Training Course

Price: $44.99

Average Rating: 4.7

Number of Lectures: 58

Number of Published Lectures: 58

Number of Curriculum Items: 58

Number of Published Curriculum Objects: 58

Original Price: $29.99

Quality Status: approved

Status: Live

What You Will Learn

  • RESTful API vulnerabilities
  • GraphQL API vulnerabilities
  • Basic web application vulnerabilities
  • Basic mobile application vulnerabilities
  • Getting started in web application bug bounty
  • Getting started in mobile application bug bounty
  • REST API Introduction
  • REST API Discovery and Recon
  • REST API Enumeration
  • REST API Broken Object Level Authorization (BOLA)
  • REST API Broken Authentication
  • REST API Broken Object Property Level Authorization
  • REST API Excessive Data Exposure
  • REST API Mass Assignment
  • REST API Unrestricted Resource Consumption
  • REST API Broken Function Level Authorization (BFLA)
  • REST API Unrestricted Access to Sensitive Business Flows
  • REST API Server Side Request Forgery (SSRF)
  • REST API Security Misconfiguration
  • REST API Improper Inventory Management
  • REST API Unsafe Consumption of APIs
  • REST API Server-side parameter pollution
  • GraphQL Introduction
  • What is GraphQL
  • GraphQL Key terminologies
  • GraphQL Burp extensions
  • GraphQL Wordlists
  • GraphQL Payloads
  • GraphQL Tools
  • GraphQL API Attack Surface, Recon, Enumeration
  • GraphQL Attack Surface Analysis
  • GraphQL GET requests and the issues
  • GraphQL POST requests
  • GraphQL Information Disclosure
  • GraphQL Introspection
  • GraphQL GET vs. POST Introspection
  • GraphQL Introspection filter bypass example
  • GraphQL Non-prod GraphQL endpoints
  • GraphQL Field Suggestion
  • GraphQL Automating Field Suggestion
  • GraphQL Field Stuffing
  • GraphQL Abusing Error Messages
  • GraphQL IDE
  • GraphQL DoS
  • GraphQL Deep Recursion Query Attack
  • GraphQL Circular Fragment Vulnerabilities
  • GraphQL Batch Query Attacks / Resource Intensive Query Attacks
  • GraphQL Field Duplication Attacks
  • GraphQL Alias based attacks (DoS scenario)
  • GraphQL Directive Overloading
  • GraphQL Object Limit Overriding
  • GraphQL Array-Based Query Batching
  • GraphQL Authentication and Authorization attacks
  • GraphQL Login functions
  • GraphQL Bypassing protections
  • GraphQL Alias based attacks / query batching
  • GraphQL JWT token forgery
  • GraphQL Cookie forgery
  • GraphQL Access control issues and IDORs
  • GraphQL Injection attacks
  • GraphQL OS Command Injection
  • GraphQL SQL Injection
  • GraphQL HTML Injection
  • GraphQL XSS (Cross-site scripting)
  • GraphQL Request Forgery and Hijacking
  • GraphQL Server-side request forgery (SSRF)
  • GraphQL Cross-site request forgery (CSRF)
  • GraphQL GET based CSRF
  • GraphQL POST based CSRF
  • GraphQL Cross-Site WebSocket Hijacking (CSWH)

Who Should Attend

  • Anybody interested in learning basic ethical web application hacking / penetration testing
  • Anybody interested in learning basic API hacking / penetration testing
  • Anybody interested in learning basic ethical web application bug bounty hunting
  • Anybody interested in learning basic ethical API bug bounty hunting
  • Anybody interested in learning how hackers hack web applications
  • Anybody interested in learning how hackers hack mobile applications
  • Anybody interested in learning how hackers hack APIs
  • Developers looking to expand on their knowledge of vulnerabilities that may impact them
  • Anyone interested in application security
  • Anyone interested in Red teaming
  • Anyone interested in offensive security

Welcome to the Ethical Hacking of RESTful and GraphQL APIs Training Course

    Important note: This course does NOT teach the actual usage of Burp Suite and its features. This course is a heavily hands-on introduction to both RESTful and GraphQL API vulnerabilities. These APIs are very common in modern web and mobile applications.

    Your instructor is Martin Voelk. He is a cyber security veteran with 25 years of experience. Martin holds some of the highest certifications, including CISSP, OSCP, OSWP, PortSwigger BSCP, CCIE, PCI ISA and PCIP. He works as a consultant for a big tech company and engages in bug bounty programs, where he has found thousands of critical and high-severity vulnerabilities.

    This course features theoretical introductions to API vulnerabilities followed by practical exploitation of common RESTful API and GraphQL API vulnerabilities. Some labs are performed using the PortSwigger Web Security Academy labs. Other labs are performed on standalone VMs such as crAPI and DVGA. Because people use different platforms, the training does not show the setup of crAPI or DVGA, but you can install them easily on free virtualization software such as VirtualBox on Windows or macOS. Martin solves a lot of labs and explains each step of finding the vulnerability and why it can be exploited in a certain way. The videos are easy to follow along and replicate. This training is highly recommended for anyone who wants to start out in API penetration testing or API bug bounty hunting.

    The course features the following topics:

  • REST API Introduction
  • REST API Discovery and Recon
  • REST API Enumeration
  • REST API Broken Object Level Authorization (BOLA)
  • REST API Broken Authentication
  • REST API Broken Object Property Level Authorization
  • REST API Excessive Data Exposure
  • REST API Mass Assignment
  • REST API Unrestricted Resource Consumption
  • REST API Broken Function Level Authorization (BFLA)
  • REST API Unrestricted Access to Sensitive Business Flows
  • REST API Server Side Request Forgery (SSRF)
  • REST API Security Misconfiguration
  • REST API Improper Inventory Management
  • REST API Unsafe Consumption of APIs
  • REST API Server-side parameter pollution
  • GraphQL Introduction
  • GraphQL What is it?
  • GraphQL Key terminologies
  • GraphQL Burp extensions
  • GraphQL Wordlists
  • GraphQL Payloads
  • GraphQL Tools
  • GraphQL API Attack Surface, Recon, Enumeration
  • GraphQL Attack Surface Analysis
  • GraphQL GET requests and the issues
  • GraphQL POST requests
  • GraphQL Information Disclosure
  • GraphQL Introspection
  • GraphQL GET vs. POST Introspection
  • GraphQL Introspection filter bypass example
  • GraphQL Non-prod GraphQL endpoints
  • GraphQL Field Suggestion
  • GraphQL Automating Field Suggestion
  • GraphQL Field Stuffing
  • GraphQL Abusing Error Messages
  • GraphQL IDE
  • GraphQL DoS
  • GraphQL Deep Recursion Query Attack
  • GraphQL Circular Fragment Vulnerabilities
  • GraphQL Batch Query Attacks / Resource Intensive Query Attacks
  • GraphQL Field Duplication Attacks
  • GraphQL Alias based attacks (DoS scenario)
  • GraphQL Directive Overloading
  • GraphQL Object Limit Overriding
  • GraphQL Array-Based Query Batching
  • GraphQL Authentication and Authorization attacks
  • GraphQL Login functions
  • GraphQL Bypassing protections
  • GraphQL Alias based attacks / query batching
  • GraphQL JWT token forgery
  • GraphQL Cookie forgery
  • GraphQL Access control issues and IDORs
  • GraphQL Injection attacks
  • GraphQL OS Command Injection
  • GraphQL SQL Injection
  • GraphQL HTML Injection
  • GraphQL XSS (Cross-site scripting)
  • GraphQL Request Forgery and Hijacking
  • GraphQL Server-side request forgery (SSRF)
  • GraphQL Cross-site request forgery (CSRF)
  • GraphQL GET based CSRF
  • GraphQL POST based CSRF
  • GraphQL Cross-Site WebSocket Hijacking (CSWH)

    Notes & Disclaimer

    PortSwigger labs are a public and free service from PortSwigger for anyone to use to sharpen their skills. All you need is to sign up for a free account. crAPI and DVGA are free as well and can be cloned from GitHub. I will respond to questions in a reasonable time frame. Learning web / mobile application pen testing / bug bounty hunting is a lengthy process, so please don't feel frustrated if you don't find a bug right away. Try to use Google, read HackerOne reports and research each feature in depth. This course is for educational purposes only. This information is not to be used for malicious exploitation and must only be used on targets you have permission to attack.

    Course Curriculum

    Chapter 1: ETHICAL HACKING OF REST & GRAPHQL APIs

    Lecture 1: REST & GRAPHQL API AGENDA

    Lecture 2: Setting up Burp

    Chapter 2: RESTful API Introduction

    Lecture 1: RESTful API Introduction

    Chapter 3: RESTful API Discovery and Recon

    Lecture 1: RESTful API Discovery and Recon

    Lecture 2: Enumeration Lab

    Chapter 4: RESTful API Broken Object Level Authorization (BOLA)

    Lecture 1: RESTful API Broken Object Level Authorization (BOLA)

    Lecture 2: RESTful API Broken Object Level Authorization (BOLA) – lab 1

    Lecture 3: RESTful API Broken Object Level Authorization (BOLA) – lab 2

    Chapter 5: RESTful API Broken Authentication

    Lecture 1: RESTful API Broken Authentication

    Lecture 2: RESTful API Broken Authentication – lab 1

    Chapter 6: RESTful API Broken Object Property Level Authorization (Excessive Data Exposure)

    Lecture 1: RESTful API Broken Object Property Level Authorization (Excessive Data Exposure)

    Lecture 2: RESTful API Broken Object Property Level Authorization (Excessive Data Exposure)

    Lecture 3: RESTful API Broken Object Property Level Authorization (Excessive Data Exposure)

    Chapter 7: RESTful API Unrestricted Resource Consumption

    Lecture 1: RESTful API Unrestricted Resource Consumption

    Lecture 2: RESTful API Unrestricted Resource Consumption – lab 1

    Chapter 8: RESTful API Broken Function Level Authorization (BFLA)

    Lecture 1: RESTful API Broken Function Level Authorization (BFLA)

    Lecture 2: RESTful API Broken Function Level Authorization (BFLA) – lab 1

    Lecture 3: RESTful API Broken Function Level Authorization (BFLA) – lab 2

    Lecture 4: RESTful API Broken Function Level Authorization (BFLA) – lab 3

    Chapter 9: RESTful API Unrestricted Access to Sensitive Business Flows

    Lecture 1: RESTful API Unrestricted Access to Sensitive Business Flows

    Lecture 2: RESTful API Unrestricted Access to Sensitive Business Flows – labs 1 and 2

    Lecture 3: RESTful API Unrestricted Access to Sensitive Business Flows – lab 3

    Chapter 10: RESTful API Server Side Request Forgery

    Lecture 1: RESTful API Server Side Request Forgery

    Lecture 2: RESTful API Server Side Request Forgery – lab 1

    Chapter 11: RESTful API Security Misconfiguration

    Lecture 1: RESTful API Security Misconfiguration

    Chapter 12: RESTful API Improper Inventory Management

    Lecture 1: RESTful API Improper Inventory Management

    Chapter 13: RESTful API Unsafe Consumption of APIs

    Lecture 1: RESTful API Unsafe Consumption of APIs

    Lecture 2: RESTful API Unsafe Consumption of APIs – lab 1

    Chapter 14: RESTful API server-side parameter pollution

    Lecture 1: RESTful API server-side parameter pollution

    Lecture 2: Server-side parameter pollution – lab 1

    Chapter 15: GraphQL API Introduction

    Lecture 1: GraphQL API Introduction

    Chapter 16: GraphQL API Attack Surface Analysis, Recon, Enumeration

    Lecture 1: GraphQL API Attack Surface Analysis, Recon, Enumeration

    Lecture 2: GraphQL API Attack Surface Analysis, Recon, Enumeration – lab 1

    Chapter 17: GraphQL API Information Disclosure

    Lecture 1: GraphQL API Information Disclosure

    Lecture 2: GraphQL API Information Disclosure – lab 1 introspection

    Lecture 3: GraphQL API Information Disclosure – lab 2 graphql ide

    Lecture 4: GraphQL API Information Disclosure – lab 3 field suggestion

    Lecture 5: GraphQL API Information Disclosure – lab 4 stack traces

    Lecture 6: GraphQL API Information Disclosure – lab 5 – Accessing private GraphQL posts

    Lecture 7: GraphQL API Information Disclosure – lab 6 – Burp Accidental exposure of private

    Lecture 8: GraphQL API Information Disclosure – lab 7 – Finding a hidden GraphQL endpoint

    Chapter 18: GraphQL API Denial of Service (DoS)

    Lecture 1: GraphQL API Denial of Service (DoS)

    Lecture 2: GraphQL API Denial of Service (DoS) – lab 1 and 2 resource intensive batch query

    Lecture 3: GraphQL API Denial of Service (DoS) – lab 3 deep recursion query

    Lecture 4: GraphQL API Denial of Service (DoS) – lab 4 field duplication

    Lecture 5: GraphQL API Denial of Service (DoS) – lab 5 alias based DoS

    Lecture 6: GraphQL API Denial of Service (DoS) – lab 6 circular fragment attack

    Chapter 19: GraphQL API Authentication and Authorization bypasses

    Lecture 1: GraphQL API Authentication and Authorization bypasses

    Lecture 2: GraphQL API Authentication and Authorization bypasses – lab 1 cookie forge

    Lecture 3: GraphQL API Authentication and Authorization bypasses – lab 2 header bypass

    Lecture 4: GraphQL API Authentication and Authorization bypasses – lab 3 Bypassing GraphQL

    Chapter 20: GraphQL API Injection attacks

    Lecture 1: GraphQL API Injection attacks

    Lecture 2: GraphQL API Injection attacks – lab 1 os command injection

    Lecture 3: GraphQL API Injection attacks – lab 2 sql injection

    Lecture 4: GraphQL API Injection attacks – lab 3 and 4 XSS and HTML injection

    Chapter 21: GraphQL API Request Forgery and Hijacking

    Lecture 1: GraphQL API Request Forgery and Hijacking

    Lecture 2: GraphQL API Request Forgery and Hijacking – lab 1 SSRF

    Lecture 3: GraphQL API Request Forgery and Hijacking – lab 2 Performing CSRF exploits over

    Instructors

  • Martin Voelk, Senior IT Security Consultant and Instructor

Rating Distribution

  • 1 stars: 0 votes
  • 2 stars: 0 votes
  • 3 stars: 1 vote
  • 4 stars: 2 votes
  • 5 stars: 8 votes

Frequently Asked Questions

    How long do I have access to the course materials?

    You can view and review the lecture materials indefinitely, like an on-demand channel.

    Can I take my courses with me wherever I go?

    Definitely! If you have an internet connection, courses on Udemy are available on any device at any time. If you don’t have an internet connection, some instructors also let their students download course lectures. That’s up to the instructor though, so make sure you get on their good side!