API Penetration Testing Course

The API Penetration Testing course covers all the key topics to become an APIsec professional. This hands-on course includes over 12 hours of live instruction and provides detailed labs on API hacking techniques and how to uncover vulnerabilities.

Course Topics


The APIsec Certified Expert (ACE) will guide you through actively testing for API security flaws. This course is a self-paced, practical guide that will show you the tools and techniques that can be leveraged to attack web APIs.

Lab Setup

You'll need to prepare an API hacking system for this course. In this section we'll provide resources for you to set up your own hacking lab.

API Reconnaissance

In this module, you will learn passive tools and techniques that can be used to discover and analyze APIs.

Endpoint Analysis

In this module, you will learn to make API requests and analyze responses. In addition, you will learn to test for Excessive Data Exposure and Business Logic Flaws.

Scanning APIs

Now that you have discovered and analyzed an API, it is time to learn to properly scan APIs for weaknesses. In this module, you will learn to scan for common security misconfigurations.

API Authentication Attacks

Here we dive into various API authentication attacks including password brute force, password reset, password spraying and MFA brute force.

Exploiting API Authorization

In this workshop, I will guide you through testing the vulnerable application VAmPI for Broken Object Level Authorization (BOLA) vulnerabilities.

Testing for Improper Assets Management

In this module, you will learn to perform tests for Improper Assets Management.

Mass Assignment

In this module, you will learn to test for Mass Assignment vulnerabilities.

Injection Attacks

In this module, you will learn to perform various injection attacks including SQL, NoSQL, and XSS.

Rate Limit Testing

In this module, you will learn a variety of techniques to test APIs for rate limiting.

Combining Tools and Techniques

In this module, you will learn to combine tools and techniques from the previous module to exploit API weaknesses.

Corey Ball

Chief Hacking Officer, APIsec University

"You can design an API you think is ultra-secure, but if you don't test it, then a cybercriminal somewhere is going to do it for you."


Meet the Instructor
Corey Ball

Corey Ball has emerged as one of the leading experts in API security and is the author of Hacking APIs. Corey is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare.

Earn your APIsec University Certificate

  • Earn an APIsec University certificate and badge for completing any of our courses.

  • Post your badge on LinkedIn and share your accomplishments. You can even receive CPE credits for taking these courses.