Wow. August went by fast. Fires. Floods. Hacker Summer camp. Just crazy.
Honestly, I tried to hide from it all in August. I gravitated to the cool breeze of the sea when I could. Almost felt guilty listening to friends talk about the hell they were going through while I was looking at this:
While I was on the island, I tried to get some reading in. I'm not much of a fiction reader. Cryptonoicon by Neal Stephenson is one of my favorites, but that tomb of a book almost killed me.
I've been reading Zero Day by Mark Russinovich. It's a story about the real possible threats of cyber terrorism, told with a technical edge of realism.
I've known Mark for over 25 years. When I ran the L0rds of R1ng Zer0 we came across each other when he was at Winternals Software writing SysInternals, and I was writing kernel mode drivers for host-based intrusion prevention in Windows NT.
I never get around to reading his books, and when I see him on the Microsoft campus, I am reminded of that. MS bought his company back in 2006, and he's now the CTO for Microsoft Azure. I felt now was the time to give it a try before the next MVP Summit.
The book is pretty good. Similar to Cryptonomicon, there are several stories being weaved in and out of the narrative. I think non-techies might find it a bit heavy on the tech; techies may roll their eyes from time to time at the obvious points Mark tries to (over)explain.
But it's a decent read. He's actually got this in a series of 3 books, and I think I'll have to give his other ones a read.
Articles in August
So even though I hid out in the cool air, I did keep writing. Topics were all over the place as I was responding to people's interests shared with me in the inner circle.
1️⃣ You learned how to write vulnerability report titles that don’t suck! No one likes writing reports. It gets worse when they are barely looked at because the titles aren't compelling.
2️⃣ You were given instructions on how to set up your own wiretaps on compromised web servers to remotely collect sensitive data for use in API privesc. I've had people in the community already reach out after applying this technique to share some of their #wins now. Awesome!! 🎉
3️⃣ You were shown how to embrace failure as a hacker. We explored together how mistakes and setbacks can fuel innovation, refine skills, and deepen understanding in the world of API hacking.
4️⃣ You saw how to leverage command injection vulnerabilities found in APIs to gain a reverse shell to a server with nothing more than cURL. Always fun to learn how to live off the land to gain access to API servers and infrastructure during your security testing.
5️⃣ You followed me as I tried using Noir for API attack surface detection. It's always fun to try out new tools and see how they can improve our workflow.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
I saw this tweet this week, and it reminded me that not everyone knows about changes like this in the new OWASP API Security Top 10:
Earlier this year, I wrote about Exploiting Server Side Request Forgery (SSRF) in an API. What you might not know though is that last year I wrote an even more interesting article on using OAST to detect vulnerabilities in an API.
Through Burp Suite's Collaborator client, you can better detect those more complex vulnerabilities in an API, including blind SSRF.
Both articles are worth the read, especially if you want to perfect your technique for manipulating code execution on the server side.
🎓 APIsec University has officially released its new Certified API Security Analyst Exam (CASA). It consists of 100 questions curated by Corey Ball to test your expertise in API security threats, risks, and best practices.
🎬 Do you hack GraphQL APIs? Check out this Burp Suite Short that shows you how to use the new GraphQL Introspection capability in the crawler of Burp Suite to help you identify hidden attack surfaces on the GraphQL API endpoints you are testing.
📚 I read an interesting article by one of the devs of cURL about their thoughts on what is wrong with CVEs. He's got an interesting point. It's kind of heavy-handed for security researchers to open CVEs without consulting with the vendor to take credit for issues, especially when the ratings may be in dispute.
🤔 There was a conspicuous absence of dedicated API security talks at Black Hat this year. Salt Security took notice and has some thoughts on The Quiet API Security Crisis.
📊 OK. Here is an interesting stat from Wallarm. There has been a 514% rise in detected API attacks YoY. And 40% of all web attacks are API-related now. Surprising? Not if you are part of this inner circle. You know there is an intensified API threat landscape. Check out their full report for even more insights into the latest API threat stats.