Details
DC303 is the local Defcon group for Denver, Colorado where local hackers meet up, share, and learn. This is a monthly meeting with topics that you would typically find at the Defcon conference in Las Vegas. Most members work in the computer security field and the topics typically lean towards offense.
We strive for hands-on experience with topics, so we encourage people to bring a laptop. The meeting announcements usually include suggested setup steps, e.g. VM, or Docker containers.
Topic: Alan Shen - Crash Course into the OWASP API Top 10
At this month's meeting, Alan will preview his upcoming SnowFROC talk, Crash Course into the OWASP API Top 10. As a DC303 exclusive complementing the talk, we will practice on the vulnerable applications Completely Ridiculous API (crAPI) and VAPI. To participate in the interactive part of the event, bring your own laptop with an intercepting proxy (Burp, ZAP, etc.) as well as an API testing tool like Postman. There will be several options for accessing the labs, including using API Sec University's hosted environment, a local Proxmox lab network we will host in the space for the event, or setting up your own VMs on your laptop.
Recommended Tools:
- https://portswigger.net/burp/communitydownload
- https://www.zaproxy.org/
- https://www.postman.com/
- https://github.com/OWASP/crApi (or alternative to deploying a VM: http://crapi.apisec.ai/)
- https://github.com/roottusk/vapi (or alternative to deploying a VM: http://vapi.apisec.ai/)
Talk Abstract: Application Programming Interfaces (APIs) are the glue that allows independently evolving systems to communicate with each other, and are an important focus for security investment due to their privileged access to sensitive data and functionality. Recently, the OWASP API Top 10 has been updated for 2023, so join us as we introduce the OWASP API Security Project. We'll cover what's new in the 2023 API Top 10, as well as compare the differences with the previous 2019 version. For those interested in hands-on practice, we'll also briefly introduce the OWASP crAPI (completely ridiculous API) Project which demonstrates common API vulnerabilities.
This event is in the denhac classroom. Enter through the middle door on 7th st and you'll see the classroom in the hallway to the left as you enter. Don't forget to sign the denhac waiver if you've never been before! denhac.org/waiver
DC303