ASCP Review
API Security Certified Professional (ASCP)
Summary
API Security Certified Professional (ASCP) is a practical certification from APISec University that tests your ability to conduct live penetration testing against web APIs to identify and assess security vulnerabilities. It is currently priced at $450 and requires you to identify, assess, and exploit two custom API-driven applications in a 12-hour exam. It comes with a free retake, and you receive a challenge coin and a certificate if you pass.
I greatly recommend this certification to anyone who wants to prove their API penetration testing skills and further improve their career.
Prior Experience
Due to my work, I have ample experience in penetration testing web APIs and web applications. I have also gone through resources provided by APISec University such as VAmPI, vAPI, crAPI, and other vulnerable APIs.
The Course
The API penetration testing course by Corey Ball, also provided by APISec University, is a free, hands-on course that teaches you how APIs work, proper reconnaissance, analysis of how endpoints behave, common API vulnerabilities, and how to combine all of these to find vulnerabilities in modern applications.
The instructor, Corey Ball, walks you through his methodology for finding vulnerabilities and assessing APIs, and teaches you how these can be exploited. While the videos and course text are long, they are rich with knowledge, and I suggest everyone finish it fully and do the exercises.
As far as I know, this is the main course that ASCP is based on, so the knowledge, techniques, and methodologies you need to pass the exam are all in the course.
The Exam
The exam is a 12-hour, non-proctored exam in which you are given two custom-coded API-driven applications and must capture 6 out of 8 flags to pass. The exam environment was smooth; I didn't have any issues with the platform at all.
Overall, the exam was really great. It was definitely API-driven, and the exploit chains you have to build are very much related to APIs. In my opinion the exam sits around the medium-hard scale, as it required some out-of-the-box thinking and proper analysis of how the APIs work.
It took me around 2 hours to get my first flag. After that, I took frequent 5-to-10-minute breaks to keep a fresh mind, and taking the time to analyze the APIs, how they work, and how they responded to certain inputs did help me get more flags. I finished with 7/8 flags at around the 8-hour mark and just kept grinding to find that last flag, but unfortunately I was not able to find it.
I believe the course was enough for me to pass the exam, but I also have prior experience with API penetration testing, so I may be biased here.
Key Takeaways
The course and exam were really great. The course is free for anyone to learn from, and while the exam costs $450, I believe it is well worth it, as APISec University is, as far as I know, one of the only training platforms that is fully hands-on with API security.
It definitely helped solidify my knowledge of APIs and API penetration testing, and I can say I picked up a lot of techniques while going through the course that translate seamlessly to the work I do.
If anyone wants to practice for the exam, I believe the resources provided by APISec University are ample. The main thing is to build a methodology for testing APIs. Take the time to understand API vulnerabilities and their nature, and this will surely translate into passing the exam.