Practical API Hacking

Everything you need to start hacking APIs.

Training for a team or organization? Contact us about group access.

Inside the Course

Scroll down to explore the skills you’ll build, the techniques you’ll master, and the requirements to get started.

Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.

Questions?

If you need clarification on the course or its requirements, simply use the chat button below and our team will assist you.

  • Difficulty: Intermediate
  • Duration: 6h
  • Access: Included in Membership

Overview

Practical API Hacking provides you with everything you need to start hacking APIs. This course was designed for beginners and those who are familiar with web application hacking but who want to expand their skill set.

The course covers industry-standard tools such as Burp Suite and Postman, and how to find and exploit vulnerabilities common to applications powered by APIs. Throughout the course there are demonstration labs to help you understand the theory, and challenges to make sure you get hands-on experience too.

Live Training Available for This Topic

Looking to go deeper? This course aligns with upcoming instructor-led sessions covering real-world applications and guided labs.

Objectives

Understand API Fundamentals:

  • Learn how APIs work and how to enumerate API endpoints.

Understand Common API Vulnerabilities:

  • Review common vulnerabilities in API-driven applications.

Exploit API Endpoints:

  • Learn how to perform successful attacks against vulnerable API endpoints.

System Requirements

  • 8GB RAM & 256GB HDD
  • Up-to-Date OS & Internet Browser
  • Stable internet connection
  • A machine capable of running Kali Linux.

Prerequisites

  • Basic knowledge of how web applications work.

Course Curriculum

  • Welcome to the Course!
    • Start Here
    • Course Discord & Getting Support
  • Introduction
    • What is an API?
    • Interacting with APIs
    • Types of APIs
    • API Security
  • Lab Setup
    • Tool Installation
    • Burp Suite Introduction
    • Postman Introduction
    • Docker Introduction
  • Enumerating APIs
    • Introduction to Enumeration
    • Fuzzing APIs
    • Discovery via Source Code
  • Attacking Authorization
    • Introduction to Authorization
    • BOLA Lab
    • BFLA Lab
    • Challenge Solution
  • Attacking Authentication
    • Introduction to Authentication
    • Attacking Authentication
    • Attacking Tokens
    • JSON Web Tokens – Part 1: Theory
    • JSON Web Tokens – Part 2: Attacking JWTs
    • JSON Web Tokens – Part 3: jwt_tool
    • Challenge Solution
  • Injection
    • Introduction to Injection Attacks
    • Introduction to SQL Injection
    • SQL Injection Lab
    • SQL Injection Lab – Login Bypass
    • NoSQL Injection Lab
    • Challenge Solution
  • Mid-course Capstone
    • Mid-course Capstone Challenge
    • Challenge Solution
  • Mass Assignment
    • Introduction to Mass Assignment
    • Code Walkthrough
    • Mass Assignment Lab
    • Challenge Solution
  • Excessive Data Exposure
    • Introduction to Excessive Data Exposure
    • Excessive Data Exposure Lab
    • Challenge Solution
  • SSRF – Server-side Request Forgery
    • Introduction to SSRF
    • SSRF Lab
    • Challenge Solution
  • Chaining Vulnerabilities
    • Command Injection
    • Challenge Solution
  • Final Capstone
    • Final Capstone Challenge
    • Challenge Solution
    • Congratulations & Thank You!
    • Next Steps: The Practical Web Pentest Professional (PWPP) Certification

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Practical API Hacking, every other paid Academy course, and an active community of learners and mentors in Discord.

INSTRUCTORS

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.

Alex holds a Master’s Degree in Computing, as well as CEH and OSCP certifications.

Prepare for the Practical Web Pentest Professional (PWPP) Exam

The PWPP certification will assess a student’s ability to perform a web application penetration test by requiring them to exploit more advanced vulnerabilities including NoSQL, race conditions, mass assignment, SSRF, template injection, and more.

Pair the Practical Web Hacking course with the PWPP exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are a couple of our most commonly asked questions. Contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and, unfortunately, it does not work well with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.