- Working knowledge of OWASP API Security Top 10
- Web application security penetration testing experience
- Know the difference between authentication and authorization
- How to use an HTTP MitM proxy tool such as Burp Suite
- Basic knowledge of how to call REST APIs
- Python interpreter (minimal version 3.8)
The simulator used in this lab can be run from your local machine and does not require a paid cloud service account. The lab material was tested from a Linux system, but other OSes should function in theory.
It is assumed that you have cloned the repository. Peaking at the source code for solutions may or may not assist you. You will still have to explain your answers to demonstrate competent knowledge and mastery of the material.
cd simulator/
bash x509/generate-self-signed.bash
python3 main_http_endpoint_server.py
You should see a message indicating that the simulator API service has started. It listens on port 8443 by default, but you can provide a command-line argument to change it.
- Consult the README.md in trainee/cloud-clients/TYPE/ for specific examples
- Startup Burp Suite
- Configure your API client to use the HTTP proxy
- Usually an environment variable like
https_proxy=http://localhost:8080 - proxychains is another helpful tool
- You will need to add trust to the Burp CA certification
http://localhost:8080/cert
- Usually an environment variable like
- Setup the local credentials for calling the simulator APIs
- Consult the README.md in trainee/cloud-clients/TYPE/
- Review the tenant (client API caller) IAM pseudo-policies in trainee/iam_policies
- Note that editing these does not alter the simulator
Proceed to scenario overview
Copyright © 2023 Coalfire.