Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
ποΈ The API Hacker's Month in Review - August 2023 π
Wow. August went by fast. Fires. Floods. Hacker Summer camp. Just crazy.
Honestly, I tried to hide from it all in August. I gravitated to the cool breeze of the sea when I could. Almost felt guilty listening to friends talk about the hell they were going through while I was looking at this:
While I was on the island, I tried to get some reading in. I'm not much of a fiction reader. Cryptonoicon by Neal Stephenson is one of my favorites, but that tomb of a book almost killed me.
I've been reading Zero Day by Mark Russinovich. It's a story about the real possible threats of cyber terrorism, told with a technical edge of realism.
I've known Mark for over 25 years. When I ran the L0rds of R1ng Zer0 we came across each other when he was at Winternals Software writing SysInternals, and I was writing kernel mode drivers for host-based intrusion prevention in Windows NT.
I never get around to reading his books, and when I see him on the Microsoft campus, I am reminded of that. MS bought his company back in 2006, and he's now the CTO for Microsoft Azure. I felt now was the time to give it a try before the next MVP Summit.
The book is pretty good. Similar to Cryptonomicon, there are several stories being weaved in and out of the narrative. I think non-techies might find it a bit heavy on the tech; techies may roll their eyes from time to time at the obvious points Mark tries to (over)explain.
But it's a decent read. He's actually got this in a series of 3 books, and I think I'll have to give his other ones a read.
Articles in August
So even though I hid out in the cool air, I did keep writing. Topics were all over the place as I was responding to people's interests shared with me in the inner circle.
1οΈβ£ You learned how to write vulnerability report titles that donβt suck! No one likes writing reports. It gets worse when they are barely looked at because the titles aren't compelling.
2οΈβ£ You were given instructions on how to set up your own wiretaps on compromised web servers to remotely collect sensitive data for use in API privesc. I've had people in the community already reach out after applying this technique to share some of their #wins now. Awesome!! π
3οΈβ£ You were shown how to embrace failure as a hacker. We explored together how mistakes and setbacks can fuel innovation, refine skills, and deepen understanding in the world of API hacking.
4οΈβ£ You saw how to leverage command injection vulnerabilities found in APIs to gain a reverse shell to a server with nothing more than cURL. Always fun to learn how to live off the land to gain access to API servers and infrastructure during your security testing.
5οΈβ£ You followed me as I tried using Noir for API attack surface detection. It's always fun to try out new tools and see how they can improve our workflow.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Pro Tip
I saw this tweet this week, and it reminded me that not everyone knows about changes like this in the new OWASP API Security Top 10:
Earlier this year, I wrote about Exploiting Server Side Request Forgery (SSRF) in an API. What you might not know though is that last year I wrote an even more interesting article on using OAST to detect vulnerabilities in an API.
Through Burp Suite's Collaborator client, you can better detect those more complex vulnerabilities in an API, including blind SSRF.
Both articles are worth the read, especially if you want to perfect your technique for manipulating code execution on the server side.
Industry News
π APIsec University has officially released its new Certified API Security Analyst Exam (CASA). It consists of 100 questions curated by Corey Ball to test your expertise in API security threats, risks, and best practices.
π¬ Do you hack GraphQL APIs? Check out this Burp Suite Short that shows you how to use the new GraphQL Introspection capability in the crawler of Burp Suite to help you identify hidden attack surfaces on the GraphQL API endpoints you are testing.
π I read an interesting article by one of the devs of cURL about their thoughts on what is wrong with CVEs. He's got an interesting point. It's kind of heavy-handed for security researchers to open CVEs without consulting with the vendor to take credit for issues, especially when the ratings may be in dispute.
π€ There was a conspicuous absence of dedicated API security talks at Black Hat this year. Salt Security took notice and has some thoughts on The Quiet API Security Crisis.
π OK. Here is an interesting stat from Wallarm. There has been a 514% rise in detected API attacks YoY. And 40% of all web attacks are API-related now. Surprising? Not if you are part of this inner circle. You know there is an intensified API threat landscape. Check out their full report for even more insights into the latest API threat stats.
Hack hard!
Dana
π The API Hacker Inner Circle
Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
Hey friend π, WTF, where did June go? I swear I blinked, and it was gone. Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud. (Sorry... couldn't resist. π¨π¦) In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK. Canadians prefer Birthday cookies (or Nanaimo bars...
Hey friend π, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...
Hey friend π, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. π€’ It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...