Hands-On API Testing
RCCE students will learn API security testing methodologies including REST API testing, authentication testing, authorization testing, input validation testing, business logic testing, and API fuzzing. They will learn to plan and execute API security assessments, test API authentication mechanisms for weaknesses, verify authorization controls at the object and function level, fuzz API endpoints to discover input validation vulnerabilities, test business logic flows for manipulation opportunities, use API testing tools including Burp Suite, Postman, and custom scripts, and write API security assessment reports with prioritized remediation guidance. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. At an expert level, RCCE students learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, so that skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On API Testing
- Execute hands-on tasks for core skills — covering planning and executing API security assessments and testing authentication mechanisms for weaknesses.
- Execute hands-on tasks for planning and executing API security assessments — covering testing authentication mechanisms for weaknesses.
- Execute hands-on tasks for tools & reporting — covering Burp Suite API interception and testing, and Postman collection-based security tests.
- Execute hands-on tasks for Burp Suite API interception and testing — covering Postman collection-based security tests.
- Execute hands-on tasks for the learning approach — covering practice-intensive labs that mirror real-world tasks and building muscle memory through repeated hands-on engagement.
- Execute hands-on tasks for the API security landscape
- Execute hands-on tasks for why API security testing matters — covering how APIs expose business logic directly to consumers and why traditional WAFs miss API-specific attack vectors.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for REST principles
- Execute hands-on tasks for attack surface areas — covering stateless client-server communication; endpoints, parameters, headers, and body payloads; and headers such as Authorization, Content-Type, and X-Custom-*.
- Build detections and response workflows for privilege escalation, including endpoints, parameters, headers, and body payloads.
- Execute hands-on tasks for key HTTP components for testing — covering headers (Authorization, Content-Type, X-Custom-*) and methods (GET, POST, PUT, PATCH, DELETE, OPTIONS).
| Module | Topic |
|---|---|
| Module 01 | Core Skills |
| Module 02 | Plan and execute API security assessments |
| Module 03 | Tools & Reporting |
| Module 04 | Burp Suite API interception and testing |
| Module 05 | Learning Approach |
| Module 06 | API Security Landscape |
| Module 07 | Why API Security Testing Matters |
| Module 08 | REST API Architecture & Attack Surface |
| Module 09 | REST Principles |
| Module 10 | Attack Surface Areas |
| Module 11 | JSON/XML response payloads |
| Module 12 | Key HTTP Components for Testing |
| Module 13 | Headers: Authorization, Content-Type, X-Custom-* |
| Module 14 | JSON over HTTP |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on API testing by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for core skills
- Lab 2: Execute hands-on tasks for planning and executing API security assessments
- Lab 3: Execute hands-on tasks for tools & reporting
- Lab 4: Execute hands-on tasks for Burp Suite API interception and testing
- Lab 5: Execute hands-on tasks for the learning approach
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On API Testing, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI