In this talk, I'll walk you through—with live demos, examples, and war stories—what you need to know to defend and attack modern API-based web applications. I will demonstrate how an API-based application is different and how it's the same as the traditional web applications you know and love. We'll also learn about modern tools that can make testing easier and how critical it is to think through all the different security controls at your disposal to mitigate the plethora of threats out there.
Join us as we dive into these questions and discuss:
• How did we get here?
• What's changed from traditional web applications, to SOAP, to modern JSON-based SPA web apps?
• An architectural mental model to understand these threats
• New attacks against Web APIs
• New defenses against modern threats