Hey friend 👋,
Last weekend was the annual BSides Vancouver conference. It was fantastic to see the security community getting together again in person. I had a great time chatting with Mikko after his keynote. We've been in the industry for about the same amount of time and have chewed a lot of the same ground over the years.
With the weather looking so great, I couldn't stay cooped up at the conference. I grabbed Mikko's book and enjoyed an iced chai outside. Highly recommend you pick up his new book "If it's smart, it's vulnerable" if you haven't yet. Worth the read.
Speaking of reading... it's time for another month in review!
Articles in April
April was an interesting month. I covered some unusual topics based on conversations and feedback I have had with many of you.
- I talked about the pricing dilemma around API pentest engagements and how if you pay peanuts, you get monkeys. 🐒
- I showed you how to exploit Server Side Request Forgery (SSRF) vulnerabilities in an API. 😈
- I taught you how to use GPG as a security researcher and how to encrypt and sign your exploits so others can't access or weaponize them. 🔐
- I demonstrated how to recover sensitive secrets and source code hidden within layers of Docker images, even if they were deleted. 🐳
I've seen a disturbing trend lately in the community. There are far too many new security researchers out there who think they are OWED SOMETHING if they find a vulnerability in software, even if the vendor didn't ask them to look for it.
And they are getting themselves in trouble when reporting it. Some even got arrested.
Anyways, I want our community to be able to safely report security vulnerabilities to vendors and make money doing so the right way (if that's your motivation). So this week, I have written "The Security Researcher's Guide to Reporting Vulnerabilities to Vendors."
I hope you like it.
For those in the Pacific Northwest, the OWASP AppSec Days Pacific Northwest conference is just over a month away. The schedule is now published on the website. Come enjoy the weekend in Portland, Oregon, and uplevel your appsec skills.
Every attendee also gets a copy of Adam Shostack's new book, "Threats: What Every Engineer Should Learn from Star Wars."
Make sure you register soon, as tickets are going fast!
Come hack in the CMD+CTRL Cyber Range
OWASP Vancouver is hosting Security Innovation's CMD+CTRL Cyber Range this month at the Microsoft office downtown. Tap into your inner evildoer and test your skills in hunting down web application vulnerabilities, all within an authentic environment where you can exploit your way through hundreds of vulnerabilities that lurk in business applications today.
Hope to see you there.
You're reading the API Hacker's Inner Circle Newsletter created by Dana Epp (he/him).
🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏
⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!
👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.