
😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hacker's Month in Review - August 2023 πŸ‘€

Published 8 months ago • 3 min read

Wow. August went by fast. Fires. Floods. Hacker Summer camp. Just crazy.

Honestly, I tried to hide from it all in August. I gravitated to the cool breeze of the sea when I could. Almost felt guilty listening to friends talk about the hell they were going through while I was looking at this:

While I was on the island, I tried to get some reading in. I'm not much of a fiction reader. Cryptonomicon by Neal Stephenson is one of my favorites, but that tome of a book almost killed me.

I've been reading Zero Day by Mark Russinovich. It's a story about the real possible threats of cyber terrorism, told with a technical edge of realism.

I've known Mark for over 25 years. When I ran the L0rds of R1ng Zer0 we came across each other when he was at Winternals Software writing SysInternals, and I was writing kernel mode drivers for host-based intrusion prevention in Windows NT.

I never get around to reading his books, and when I see him on the Microsoft campus, I am reminded of that. MS bought his company back in 2006, and he's now the CTO for Microsoft Azure. I felt now was the time to give it a try before the next MVP Summit.

The book is pretty good. Similar to Cryptonomicon, there are several stories being woven in and out of the narrative. I think non-techies might find it a bit heavy on the tech; techies may roll their eyes from time to time at the obvious points Mark tries to (over)explain.

But it's a decent read. He's actually got this in a series of 3 books, and I think I'll have to give his other ones a read.


Articles in August

So even though I hid out in the cool air, I did keep writing. Topics were all over the place as I was responding to people's interests shared with me in the inner circle.

1️⃣ You learned how to write vulnerability report titles that don’t suck! No one likes writing reports. It gets worse when they are barely looked at because the titles aren't compelling.

2️⃣ You were given instructions on how to set up your own wiretaps on compromised web servers to remotely collect sensitive data for use in API privesc. I've had people in the community already reach out after applying this technique to share some of their #wins now. Awesome!! 🎉

3️⃣ You were shown how to embrace failure as a hacker. We explored together how mistakes and setbacks can fuel innovation, refine skills, and deepen understanding in the world of API hacking.

4️⃣ You saw how to leverage command injection vulnerabilities found in APIs to gain a reverse shell to a server with nothing more than cURL. Always fun to learn how to live off the land to gain access to API servers and infrastructure during your security testing.

5️⃣ You followed me as I tried using Noir for API attack surface detection. It's always fun to try out new tools and see how they can improve our workflow.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

I saw this tweet this week, and it reminded me that not everyone knows about changes like this in the new OWASP API Security Top 10:

Earlier this year, I wrote about Exploiting Server Side Request Forgery (SSRF) in an API. What you might not know though is that last year I wrote an even more interesting article on using OAST to detect vulnerabilities in an API.

Through Burp Suite's Collaborator client, you can better detect those more complex vulnerabilities in an API, including blind SSRF.

Both articles are worth the read, especially if you want to perfect your technique for manipulating code execution on the server side.


Industry News

🎓 APIsec University has officially released its new Certified API Security Analyst Exam (CASA). It consists of 100 questions curated by Corey Ball to test your expertise in API security threats, risks, and best practices.

🎬 Do you hack GraphQL APIs? Check out this Burp Suite Short that shows you how to use the new GraphQL Introspection capability in the crawler of Burp Suite to help you identify hidden attack surfaces on the GraphQL API endpoints you are testing.

📚 I read an interesting article by one of the devs of cURL about their thoughts on what is wrong with CVEs. He's got an interesting point. It's kind of heavy-handed for security researchers to open CVEs without consulting with the vendor to take credit for issues, especially when the ratings may be in dispute.

🤔 There was a conspicuous absence of dedicated API security talks at Black Hat this year. Salt Security took notice and has some thoughts on The Quiet API Security Crisis.

📊 OK. Here is an interesting stat from Wallarm. There has been a 514% rise in detected API attacks YoY. And 40% of all web attacks are API-related now. Surprising? Not if you are part of this inner circle. You know there is an intensified API threat landscape. Check out their full report for even more insights into the latest API threat stats.

Hack hard!
Dana

by Dana Epp 👋

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
