profile

😈 The API Hacker Inner Circle

🗓️ The API Hacker's Month in Review - July 2023 👀

Published 9 months ago • 3 min read

Can you believe it? July has come and gone in the blink of an eye. It feels like just yesterday we were celebrating the start of summer, and now here we are, already stepping into August.

Where did the time go?

Anyways, this month I was hanging out in Whistler, catching up on some work and relaxation.

I've been reading Four Battlegrounds: Power in the Age of Artificial Intelligence by Paul Scharre. Originally I picked up this book as I liked Paul's book on Army of None: Autonomous Weapons and the Future of War. But this new book on the race towards AI between nations just wasn't what I expected.

I'm not saying it's a bad book, but it's more focused on the geopolitical rules of how nations are embracing and leveraging artificial intelligence to get a foot up on their adversaries. I was expecting to see a deeper cybersecurity angle, but there really wasn't one in this book.

If you are into AI you will probably find the discussion on the struggles of the 4 battlegrounds of data, computing power, talent, and institutions. The one interesting outcome of reading the book was the realization that there are deep tensions between the US military and tech giants who control data, chips, and talent.

Will those tensions become shackles slowing down progress in protecting national interests due to the worry of AI weaponization? China and Russia aren't playing by the same rules. Only time will tell.


Articles in July

So even though I took some time for myself in the mountains of BC 🇨🇦, I continued writing. An unintentional theme popped out at the end of July, which was really around getting better at using Burp Suite.

1️⃣ I demonstrated how to use server-side prototype pollution (SSPP) to abuse an API written in NodeJS for privilege escalation and remote code execution. 😈

2️⃣ I taught you how to write your own Burp BCheck scripts to tap into the web vulnerability scanner to automate your API security testing. 👨🏻‍💻

3️⃣ I published a curated list of FREE resources you can use to master Burp Suite for web app and API security testing. 📚

4️⃣ I showed you how I get the most out of the reporting capabilities built into Burp Suite Professional when I have to write my own reports. 📄


This week's article

It didn't make a lot of sense to me to send out a separate newsletter for the week when the monthly review was also going out the same day. So I decided to combine them so you would only get one email from me.

I hope that's OK. 🙏🏻

The topic is timely. I heard from several of you from last week's article that you'd like to learn more about writing better vulnerability reports.

The best place to start is to call out the fact that your vulnerability report titles probably suck, and there is something you can do about it. And that's what I focused on in this week's article.

Enjoy the read!


Pro Tip

I do hope at some point, you had a chance to read my article on how to exploit APIs with cURL. It's one of my more popular articles, probably because we all like to build simple one-liner proof-of-concept (PoC) exploits that can demonstrate a vulnerability in an API.

Well, did you know you can have Burp Suite automatically generate a cURL command for you?

Just right-click on a request in the Repeater tool, or even the proxy history, and click the Copy as curl command (bash) menu item.

Your clipboard will now have a full cURL command you can run.

My recommendation? Clean up the request, removing unnecessary headers so you get down to the bare minimum cURL command.

You can check out my article for more details if that concept is new to you.

HTH!


Industry News

🎉 OWASP has officially released the new API Security Top 10 in July. The new site is a lot better than the old one.

🤔 I found an interesting article on 10 ways to exploit JSON Web Tokens (JWT).

☠️ Check out this MOVEit mass exploit timeline to learn how the file-transfer service attacks entangled victims.

🔑 Now this is a neat find. Browse millions of leaked API keys found with TruffleHog with Forager.

🌎 Have a look at ReshaperForBurp. It's a Burp Suite extension to trigger actions and modify HTTP request/response and WebSocket traffic using configurable rules.

😈 I really like the idea of using cURL for a reverse shell. So here is a curlshell for ya! It's a simple interactive HTTP server that provides a way to mux stdin/stdout and stderr of a remote reverse shell over that proxy with the help of curl.

Hack hard!
Dana

😈 The API Hacker Inner Circle

by Dana Epp 👋

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend 👋, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! 🤢 Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...

22 days ago • 4 min read

Hey friend 👋, How is it that in a leap year, February has gone by so fast? One minute it's Valentine's Day, and the next thing you know Leap Day jumps right past us. OK, a day late. But anything relating to quantum can fix that, right? The extra day in February did let me keep up with my reading. I've been reading The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. The book explores the profound impact of cyber warfare on global politics, detailing how state-sponsored...

about 2 months ago • 4 min read

Hey friend 👋, Wow. January has come and gone in the blink of an eye. Did you try a "dry" January and skip the alcohol? They say it's good for the skin... Does Bailey's Irish Cream in the hot cocoa count? Whoops. Grogu I am not. I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how...

3 months ago • 4 min read
Share this post