SOME OF MY ACHIEVEMENTS
• Champion, Qubicles CTF 2020
• 1st runner-up in Bug Hunt 2022
• 1st runner-up in Leetcon CTF 2023
• 2nd runner-up in Flag Hunt 2023
• 2nd runner-up in Inter-university National Cyber Drill, 2022
OUTLINES
• What is API Penetration testing?
• Importance of API Penetration testing
• Top API Vulnerabilities list
• Most used tools for API Penetration testing
• Prerequisites to start API Penetration testing
• Resources list
API PENETRATION TESTING (DAY-1)
Md Foysal Hossain
API PEN-TESTING
• API Pen-Testing is a type of penetration testing in which a pen-tester tries to find the vulnerabilities of an API.
• It exploits API vulnerabilities such as injection attacks, BOLA, BFLA, etc.
IMPORTANCE OF API PEN-TESTING
• Security Assurance
• Protection of Sensitive Data
• Reputation and Trust
• Business Continuity
• Secure Social Life
• Defense in Depth
• Prevention of Hacking
TOP API VULNERABILITIES
• Broken Object Level Authorization - BOLA
• Broken Function Level Authorization - BFLA
• Security Misconfiguration
• Mass Assignment
• Code Injection
• Broken User Authentication
• Excessive Data Exposure
• Improper Assets Management
• Insufficient Logging and Monitoring
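Two of the flaws in this list, BOLA and Mass Assignment, shown in a constructed in-memory Python user API (added example, not from the slides; the users, ids and field names are assumptions), each beside the hardened handler that closes it:

```python
"""Added example (not from the slides): an in-memory user API showing BOLA and
Mass Assignment, each beside its hardened handler. All data is constructed."""
from copy import deepcopy

# Constructed sample data: user 123 is an ordinary user, user 7 an admin.
USERS = {
    123: {"id": 123, "name": "John Doe", "email": "johndoe@example.com", "is_admin": False},
    7: {"id": 7, "name": "Root Admin", "email": "admin@example.com", "is_admin": True},
}
def fresh_store():
    """Independent copy of the sample data so each call starts clean."""
    return deepcopy(USERS)

# BOLA: GET /api/user/{id} trusts the id in the URL and never asks whether
# the caller owns that object, so any user can read any other user's record.
def get_user_vulnerable(store, caller_id, target_id):
    return store.get(target_id)

# Hardened: the record is returned only to its owner or to an admin
# (the admin check is the function-level part, BFLA, of the same decision).
def get_user_secure(store, caller_id, target_id):
    caller = store.get(caller_id)
    if caller is None:
        return None
    if caller_id != target_id and not caller["is_admin"]:
        return None  # a real API answers 403/404 here
    return store.get(target_id)

# Mass Assignment: PUT /api/user/{id} copies every JSON field into the record,
# so a body containing "is_admin": true silently escalates the account.
def update_user_vulnerable(store, caller_id, body):
    record = store[caller_id]
    record.update(body)
    return record

# Hardened: an allow-list of client-writable fields; everything else is dropped.
WRITABLE_FIELDS = {"name", "email"}

def update_user_secure(store, caller_id, body):
    record = store[caller_id]
    for field in body.keys() & WRITABLE_FIELDS:
        record[field] = body[field]
    return record

if __name__ == "__main__":
    s = fresh_store()
    print(get_user_vulnerable(s, 123, 7)["name"], get_user_secure(s, 123, 7))
    print(update_user_vulnerable(s, 123, {"is_admin": True})["is_admin"])
    print(update_user_secure(fresh_store(), 123, {"is_admin": True})["is_admin"])
```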
MOST USED TOOLS FOR API HACKING
• Burp Suite Professional
• FFUF
• Nmap
• Nuclei
• Postman
• SoapUI
• Katalon Studio
• Gobuster / dirsearch
COURSE REQUIREMENT
• Basic knowledge about web application
• Basic knowledge about web pen-testing
• Basic knowledge about API
• Basic knowledge in Kali Linux
• Basic knowledge about JSON, XML
API PENETRATION TESTING (DAY-2)
Md Foysal Hossain
OUTLINES
• What is an API?
• Types of API
• Types of Web API Architectures and Protocols
• RESTful APIs
• GraphQL APIs
• SOAP APIs
• RESTful APIs vs SOAP APIs
WHAT IS API?
• API stands for Application Programming Interface
• It provides a computer-friendly method for interaction between a client and a server
• An API acts as a bridge that enables different applications, services, or platforms to interact with each other, share information, and perform specific tasks.
• Used in: Web, Mobile Apps, Cloud computing and more
TYPES OF API
• Private APIs: These are internal to an enterprise and only used for connecting systems and data within the business.
• Public APIs: These are open to the public and may be used by anyone. There may or may not be some authorization and cost associated with these types of APIs.
• Partner APIs: These are only accessible by authorized external developers to aid business-to-business partnerships.
• Composite APIs: These combine two or more different APIs to address complex system requirements or behaviors.
TYPES OF API ARCHITECTURES AND PROTOCOLS
• RESTful API
• SOAP API
• GraphQL API
• WebSocket API
RESTful API
• REST stands for Representational State Transfer
• RESTful APIs are commonly used in web development to build scalable and efficient web services
• RESTful APIs provide a standardized and scalable approach to building web services that can be consumed by various clients across different platforms.
• Stateless
• Client-Server
• Uniform Interface (GET, POST, PUT, DELETE) {CRUD}
• Cacheable
• Layered System
• JSON or XML format
RESTful API
• POST
POST /api/books
Content-Type: application/json
{
"title": "The Great Gatsby",
"author": "F. Scott Fitzgerald",
"year": 1925
}
• PUT
PUT /api/books/{id}
Content-Type: application/json
{
"title": "New Title"
}
• DELETE
DELETE /api/books/{id}
SOAP API
• SOAP stands for Simple Object Access Protocol
• It is a protocol for exchanging structured information in web services
• XML-based Messaging
• SOAP can be used over various protocols such as HTTP, SMTP, and more, although it is most commonly used with HTTP or HTTPS
SOAP API
• Example request:
POST /currencyconverter HTTP/1.1
Host: example.com
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://example.com/currencyconverter/ConvertCurrency"

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:tns="http://example.com/currencyconverter.wsdl">
  <soap:Body>
    <tns:ConversionRequest>
      <!-- Specify the input data -->
    </tns:ConversionRequest>
  </soap:Body>
</soap:Envelope>
GraphQL API
• GraphQL API is an API design approach and query language developed
• It provides a flexible and efficient way to request and manipulate data from a server
• GraphQL APIs use SDL (Schema Definition Language) to define the schema, which describes the types of data available and the relationships between them.
• Unlike RESTful APIs, which often require multiple endpoints for different resources, GraphQL APIs typically have a single endpoint that accepts all queries and mutations.
• Example:
Difference among SOAP, RESTful, GraphQL APIs

                      RESTful API              SOAP API                    GraphQL API
Architectural Style   REST                     SOAP                        GraphQL
Data Format           JSON, XML (mostly JSON)  XML                         JSON, XML (mostly JSON)
Protocol              HTTP                     Can use various protocols   HTTP, WebSocket
Req. Structure        Resource-based URLs      SOAP messages               Custom queries
Res. Structure        JSON, XML (mostly JSON)  XML                         JSON, XML (mostly JSON)
Caching               Supported                Supported                   Customizable
API PENETRATION TESTING (DAY-3)
Md Foysal Hossain
OUTLINES
• What is JSON?
• Basic idea about JSON
• How JSON works in API
• What is XML?
• Basic idea about XML
• How XML works in API
JSON
• JSON stands for JavaScript Object Notation.
• It is a lightweight data interchange format that is easy for humans to read and write, and easy for machines to parse and generate.
• It is widely used for transmitting data between a server and a web application.
• It is often used as an alternative to XML.
JSON Structure
• Objects and Arrays are the main components of the JSON data structure.
• Objects:
{
"name": "John",
"age": 30,
"city": "New York"
}
• Arrays:
[ "apple", "banana", "orange" ]
JSON Structure
{
"name": "John",
"age": 30,
"address": {
"street": "123 Main St",
"city": "New York",
"zipcode": "10001"
},
"hobbies": ["reading", "traveling", "photography"],
"isEmployed": true,
"spouse": null
}
JSON in API
• API Request
• API server Processing
• Data Representation
• JSON Response
• API Response
JSON in API Example
• Request:
GET /api/user/123
• Response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": 123,
"name": "John Doe",
"email": "johndoe@example.com",
"age": 30,
"address": {
"street": "123 Main St",
"city": "New York",
"zipcode": "10001"
}
}
XML
• XML stands for eXtensible Markup Language.
• XML allows users to define their own customized markup tags, making it highly flexible and adaptable to different data structures.
• It is widely used for structuring and storing data in a hierarchical format.
• Data is enclosed within opening and closing tags, forming an element.
• Example:
<bookstore>
---------------
</bookstore>
XML in API
• API Request
• XML Data Format
• API Server Processing
• XML Response
• API Response Handling
XML in API Example
• API Request:
GET /api/books?id=123
• XML Response:
HTTP/1.1 200 OK
Content-Type: application/xml
<book>
<id>123</id>
<title>The Great Gatsby</title>
<author>F. Scott Fitzgerald</author>
<year>1925</year>
</book>
XML in API Example
• API Request:
POST /api/books
Content-Type: application/xml
<book>
<title>To Kill a Mockingbird</title>
<author>Harper Lee</author>
<year>1960</year>
</book>
• API Response:
HTTP/1.1 201 Created
Content-Type: application/xml
<message>
Book added successfully.
</message>
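The JSON user response and the XML book response from the Day-3 examples above, parsed by a small Python client that picks the decoder from the Content-Type header and refuses any other type (added example, not from the slides; the two messages are constructed copies of the slide examples with the blank line HTTP requires between headers and body):

```python
"""Added example (not from the slides): parse the raw JSON and XML API responses
from the Day-3 slides. The two messages are constructed copies of those slides."""
import json
import xml.etree.ElementTree as ET

JSON_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{"id": 123, "name": "John Doe", "email": "johndoe@example.com", "age": 30,
 "address": {"street": "123 Main St", "city": "New York", "zipcode": "10001"}}"""

XML_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/xml

<book><id>123</id><title>The Great Gatsby</title>
<author>F. Scott Fitzgerald</author><year>1925</year></book>"""

def split_http_message(raw):
    """Split a raw HTTP message into (start line, header dict, body text)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def xml_to_dict(element):
    """Flatten an element whose children are leaf tags into a plain dict."""
    return {child.tag: (child.text or "").strip() for child in element}

def parse_response(raw):
    """Return (status code, decoded body), choosing the decoder from Content-Type
    and refusing any media type the client did not expect."""
    status_line, headers, body = split_http_message(raw)
    status = int(status_line.split()[1])
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type == "application/json":
        return status, json.loads(body)
    if media_type in ("application/xml", "text/xml"):
        return status, xml_to_dict(ET.fromstring(body))
    raise ValueError("unexpected Content-Type: %r" % media_type)

if __name__ == "__main__":
    print(parse_response(JSON_RESPONSE))
    print(parse_response(XML_RESPONSE))
```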
API PENETRATION TESTING (DAY-4)
Md Foysal Hossain

Api Penetration Testing and web app pentesting
