API Security Lab

Salutt, Corsin and Thirunavukkarasu, Thajakan (2024) API Security Lab. Other thesis, OST Ostschweizer Fachhochschule.

FS 2024-BA-EP-Thirunavukkarasu-Salutt-API Security Lab.pdf - Supplemental Material (PDF, 2MB)

Abstract

APIs (Application Programming Interfaces) are integral to modern software development and digital transactions, facilitating communication and data exchange between diverse systems. However, their widespread use has made them prime targets for cyberattacks. Many APIs are developed rapidly without sufficient security measures, leading to vulnerabilities such as weak authentication, data exposure, inadequate logging, and poor error handling. The bachelor thesis aims to develop labs in API security for future OST Hacking-Lab students to raise awareness of these risks.

The research phase extensively examined API history, styles, and security fundamentals. Key areas such as threat identification, authentication methods and the OWASP Top 10 API Security Risks 2023 were explored. This foundational research informed the collection and categorization of lab ideas, which were then evaluated using a decision matrix based on feasibility, educational value, and expandability criteria.

A proof of concept (PoC) phase validated the feasibility of each lab, followed by iterative improvements based on detailed feedback from usability testing. Participants evaluated the labs on setup difficulty, usability, design, and realism, leading to enhancements that ensured an effective learning experience.

The project successfully developed six labs covering most OWASP Top 10 API Security risks. Each lab provided hands-on experience identifying and mitigating these vulnerabilities through practical exercises using tools in a containerized environment.

To enhance the educational value, future expansions could include additional labs to cover remaining OWASP risks and specialized areas like cloud provider APIs and advanced OAuth2 authentication flows.

Item Type: Thesis (Other)
Subjects: Area of Application > Security
Metatags > INS (Institute for Networked Solutions)
Divisions: Bachelor of Science FHO in Informatik > Bachelor Thesis
Depositing User: OST Deposit User
Contributors:
Thesis advisor: Bütler, Ivan (Email: UNSPECIFIED)
Expert: Fehrsen, Benjamin (Email: UNSPECIFIED)
Expert: Loch, Frieder (Email: UNSPECIFIED)
Date Deposited: 04 Oct 2024 05:49
Last Modified: 04 Oct 2024 05:49
URI: https://eprints.ost.ch/id/eprint/1227
