Pen-testing Cloud REST APIs

Presented at DEF CON 33 (2025), Aug. 9, 2025, 9 a.m. (240 minutes).

This workshop will teach how to start pen testing a cloud REST API. Attendees should have a fundamental knowledge of OWASP Top 10 and web application security. Attendees will learn how to setup tools (i.e. Burp) and practice on a simulated cloud environment to discover vulnerabilities in cloud REST APIs. This includes attacks in authorization, XSS, and SQL injection. Technologies such as OpenStack, Salesforce, and Google Cloud will be covered.

Presenters:

• Rodney Beede - Principal Consultant at Coalfire
  Rodney is a principal consultant and has specialized in cloud security for over 10 years. He has spoken at multiple conferences on topics from cloud security engineering to IoT device hacking. He has multiple CVEs for discovered web application security vulnerabilities. He started his career in enterprise web application software development but shifted to the security industry with this master's thesis research project "A Framework for Benevolent Computer Worms" 2012. Website: https://www.rodneybeede.com

Similar Presentations:

• DEF CON 21 (2013) / Resting on Your Laurels Will Get You Pwned: Effectively Code Reviewing REST Applications to Avoid Getting Pwned
• ToorCon: Seattle (Beta) (2007) / Anycast Cloud Bursting
• Kernelcon 2020 Virtual / The Top 10 Tools For Cloud Penetration Testing