API Security Testing Guide by The XSS Rat

Learn how to build and break an API in record time including the API top 10

Language: English

Rating: 4.0/5 (186 ratings), 40,774 students

Instructor(s): Wesley Thijs

Last update: 2022-06-09

What you’ll learn

  • Build your own API to hack
  • Protect an API with a firewall
  • The OWASP API top 10 vulnerabilities
  • API hacking with Postman


Requirements

  • A somewhat decent technical level
  • A critical, curious mind



About the course

In this course we teach you how to build and hack APIs through practical labs and examples. You will get a feel for these issues sooner than you can say “API”.

As software and web applications multiply, we need to protect them as carefully as possible. This guide is meant to be a handbook for testers, managers and software developers.

We will take you from beginner to an advanced level in no time, and with our practical examples you will even learn how to install and use an API firewall.

About me

I am the XSS Rat, an experienced ethical hacker who stands for quality and who believes knowledge is a building block we can all use to grow bigger than we ever were. As a software tester I have a unique skill set that centres around logic flaws and IDORs, which I have not seen much among other hunters. This gives me the advantage of finding fewer duplicates and maximising my chance of finding a vulnerability by picking the correct target and applying the correct test strategy.

What will you learn?

– The OWASP API top 10

– Building and hacking an API

– How to install an API firewall

– Hacking APIs with Postman

Who is this course for?

I explain everything as clearly as possible in this course so everyone with even a basic understanding of technical topics can understand what can go wrong and how to prevent it.


Who this course is for

  • Software development managers
  • Software engineers
  • Software testers
  • Security testers
  • Security architects
  • Software analysts


Course content

  • Notion notes download – HTML version
    • Download all the PDF files here
    • API0:2019: What is an API
    • API1:2019 Broken Object Level Authorization
    • API2:2019 Broken User Authentication
    • API3:2019 Excessive Data Exposure
    • API4:2019 Lack of rate limiting
    • API5:2019 Broken Function Level Authorization
    • API6:2019 Mass Assignment
    • API7:2019 Security Misconfiguration
    • API8:2019 Injection
    • API9:2019 Improper Assets Management
    • API10:2019 Insufficient Logging & Monitoring
  • Videos: OWASP API Top 10
    • API top 10 – 0 through 3
    • OWASP API Top 10 – 4 to 7
    • API8:2019 Injection
    • API9:2019 Improper Assets Management
    • OWASP API Top 10 – 10 Insufficient Logging and Monitoring
  • Labs: API top 10
    • Go to the labs linked on the Udemy page
  • Videos: API top 10 demonstrated
    • A1 – Broken object level authorization
    • A2 – Broken authentication
    • A3 – Excessive information disclosure
    • A4 – Lack of rate limiting
    • A5 – Broken function level authorization
    • A6 – Mass assignment
    • A7 – Security misconfiguration
    • A8 – Injections
    • A9 – Improper asset management
    • A10 – Insufficient logging and monitoring
  • Building and hacking an API
    • Let’s build an API to hack – Part 1: The basics
    • Let’s build an API to hack – Part 2: Faking it before breaking it
    • Let’s build an API to hack – Part 3: Information disclosure
    • Let’s build an API to hack – Part 4: Mass assignment
    • Let’s build an API to hack – Part 5: Emulating login and hacking it with Postman
    • Let’s build an API to hack – Part 6: Emulating SQLi and showing possible SSTI
    • Building an API – Part 7: API broken access control through replacing the HTTP method
    • API roulette – Name the issues
    • REST-API-GOAT: Chaining Postman and Burp Suite
    • Hacking an API with Postman – theory
    • Postman API hacking – Tiredful API
  • API firewalls
    • Video: API firewall
    • API firewall guide
  • API hacking with Postman
    • API hacking with Postman Part 1 – Getting the basics down
    • API hacking with Postman Part 2 – Importing the API description
    • API hacking with Postman Part 3 – Pre-request scripts, tests and console
    • API hacking with Postman Part 4 – Getting dirty with data sources
  • Extras
    • API testing
    • Swagger and OpenAPI
    • API security – Top 10 best practices
    • How to secure your REST API from attackers
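The course content above names the OWASP API Top 10 categories without showing what they look like in code. As an added example (not course material and not the instructor's code), the following Python module models the "build an API to hack" idea in miniature: one profile endpoint written with API1 (Broken Object Level Authorization), API3 (Excessive Data Exposure) and API6 (Mass Assignment) present, next to a hardened version of the same endpoint. The framework-free request model, the field names, the sample users and the status-code choices are assumptions made for this example.

```python
"""Added illustration (not course material): one 'profile' endpoint written
twice, once with three OWASP API Top 10 (2019) defects the course lists and
once hardened. No web framework is used so the module runs offline: a
request is modelled as (caller_id, target_id, body), where caller_id comes
from the session token and target_id from the URL path."""
import copy

# Constructed sample data. 'role' and 'password_hash' must never be
# client-writable, and 'password_hash' must never be returned to any client.
SAMPLE_USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "Alice",
        "role": "user", "password_hash": "$argon2id$v=19$...alice"},
    2: {"id": 2, "email": "bob@example.com", "display_name": "Bob",
        "role": "user", "password_hash": "$argon2id$v=19$...bob"},
}

WRITABLE_FIELDS = {"display_name", "email"}       # allow-list for request bodies
PUBLIC_FIELDS = {"id", "display_name"}             # visible to any authenticated user
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "role"}   # visible to the account owner


def fresh_store():
    """Independent copy of the sample data so every call starts from a clean state."""
    return copy.deepcopy(SAMPLE_USERS)


def vulnerable_get_profile(store, caller_id, target_id):
    """API3 Excessive Data Exposure: returns the raw record and relies on the
    client to hide fields, so the password hash reaches every caller."""
    user = store.get(target_id)
    return (200, user) if user else (404, {"error": "not found"})


def vulnerable_patch_profile(store, caller_id, target_id, body):
    """API1 BOLA/IDOR: target_id is trusted without comparing it to caller_id.
    API6 Mass Assignment: the whole JSON body is merged into the record, so
    {"role": "admin"} or a replacement password_hash is accepted as-is."""
    user = store.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    user.update(body)
    return 200, user


def hardened_get_profile(store, caller_id, target_id):
    """Project the record onto the field set the caller is entitled to."""
    user = store.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    allowed = OWNER_FIELDS if caller_id == target_id else PUBLIC_FIELDS
    return 200, {k: v for k, v in user.items() if k in allowed}


def hardened_patch_profile(store, caller_id, target_id, body):
    """Authorize the object first, then validate the body against an allow-list
    (rejecting unknown keys instead of silently dropping them), then project."""
    if caller_id != target_id:
        # 403 is fine for an owner-only resource; answer 404 instead if even
        # the existence of other accounts must stay hidden.
        return 403, {"error": "forbidden"}
    user = store.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    rejected = sorted(set(body) - WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    user.update(body)
    return 200, {k: v for k, v in user.items() if k in OWNER_FIELDS}


def demo():
    """Bob (id 2) tries to take over Alice's account (id 1) on both versions."""
    attack = {"role": "admin", "password_hash": "$argon2id$v=19$...bob-chosen"}
    weak = fresh_store()
    strong = fresh_store()
    return {
        "vulnerable": vulnerable_patch_profile(weak, caller_id=2, target_id=1, body=attack),
        "hardened": hardened_patch_profile(strong, caller_id=2, target_id=1, body=attack),
        "owner_bad_fields": hardened_patch_profile(strong, 1, 1, {"role": "admin"}),
        "owner_ok": hardened_patch_profile(strong, 1, 1, {"display_name": "Alice L."}),
        "stranger_view": hardened_get_profile(strong, caller_id=2, target_id=1),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:16} {status} {body}")
```

Run it directly to watch Bob's takeover succeed against the vulnerable handler (200, role changed, hash overwritten and echoed back) and fail against the hardened one. The three checks it adds, comparing the caller's identity to the object's owner, allow-listing writable fields, and projecting the response onto an explicit field set, are the same things to probe for from Postman when working through the course's labs: change the id in the path, add unexpected keys to the body, and read every field that comes back.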
