Can you believe it? July has come and gone in the blink of an eye. It feels like just yesterday we were celebrating the start of summer, and now here we are, already stepping into August.
Where did the time go?
Anyways, this month I was hanging out in Whistler, catching up on some work and relaxation.
I've been reading Four Battlegrounds: Power in the Age of Artificial Intelligence by Paul Scharre. Originally I picked up this book as I liked Paul's book on Army of None: Autonomous Weapons and the Future of War. But this new book on the race towards AI between nations just wasn't what I expected.
I'm not saying it's a bad book, but it's more focused on the geopolitical rules of how nations are embracing and leveraging artificial intelligence to get a foot up on their adversaries. I was expecting to see a deeper cybersecurity angle, but there really wasn't one in this book.
If you are into AI you will probably find the discussion on the struggles of the 4 battlegrounds of data, computing power, talent, and institutions interesting. The one interesting outcome of reading the book was the realization that there are deep tensions between the US military and tech giants who control data, chips, and talent.
Will those tensions become shackles slowing down progress in protecting national interests due to the worry of AI weaponization? China and Russia aren't playing by the same rules. Only time will tell.
Articles in July
So even though I took some time for myself in the mountains of BC 🇨🇦, I continued writing. An unintentional theme popped out at the end of July, which was really around getting better at using Burp Suite.
1️⃣ I demonstrated how to use server-side prototype pollution (SSPP) to abuse an API written in NodeJS for privilege escalation and remote code execution. 😈
2️⃣ I taught you how to write your own Burp BCheck scripts to tap into the web vulnerability scanner to automate your API security testing. 👨🏻‍💻
3️⃣ I published a curated list of FREE resources you can use to master Burp Suite for web app and API security testing. 📚
4️⃣ I showed you how I get the most out of the reporting capabilities built into Burp Suite Professional when I have to write my own reports. 📄
This week's article
It didn't make a lot of sense to me to send out a separate newsletter for the week when the monthly review was also going out the same day. So I decided to combine them so you would only get one email from me.
I hope that's OK. 🙏🏻
The topic is timely. I heard from several of you from last week's article that you'd like to learn more about writing better vulnerability reports.
The best place to start is to call out the fact that your vulnerability report titles probably suck, and there is something you can do about it. And that's what I focused on in this week's article.
Enjoy the read!
I do hope at some point, you had a chance to read my article on how to exploit APIs with cURL. It's one of my more popular articles, probably because we all like to build simple one-liner proof-of-concept (PoC) exploits that can demonstrate a vulnerability in an API.
Well, did you know you can have Burp Suite automatically generate a cURL command for you?
Just right-click on a request in the Repeater tool, or even the proxy history, and click the Copy as curl command (bash) menu item.
Your clipboard will now have a full cURL command you can run.
My recommendation? Clean up the request, removing unnecessary headers so you get down to the bare minimum cURL command.
You can check out my article for more details if that concept is new to you.
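As an added example, not code from the original article or from Burp Suite itself: a small Python helper that strips browser-noise headers from a "Copy as curl command (bash)" export so you are left with the minimal PoC. It assumes Burp's `$'...'` (ANSI-C) quoting, and the noise-header list is my own starting point.

```python
import re

# Headers browsers and Burp add to nearly every request but a minimal PoC rarely
# needs. Assumption: this set is my own starting point, not a Burp feature;
# Authorization, Cookie, Content-Type and custom X-* headers are deliberately kept.
NOISE_HEADERS = {
    "accept", "accept-language", "accept-encoding", "user-agent", "connection",
    "cache-control", "pragma", "upgrade-insecure-requests", "dnt", "te", "priority",
    "sec-fetch-dest", "sec-fetch-mode", "sec-fetch-site", "sec-fetch-user",
    "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "referer",
}

# One "-H <arg>" pair. Burp's bash export quotes arguments as $'...' (ANSI-C),
# so the pattern accepts $'...', '...' and "..." with backslash escapes.
HEADER_ARG = re.compile(
    r"(?<!\S)(?:-H|--header)\s+"
    r"(?:\$?'(?P<sq>(?:[^'\\]|\\.)*)'|\"(?P<dq>(?:[^\"\\]|\\.)*)\")"
)

def minimize_curl(command: str) -> tuple[str, list[str]]:
    """Return (one-line curl command without noise headers, header names dropped)."""
    dropped: list[str] = []

    def keep_or_drop(m: re.Match) -> str:
        body = m.group("sq") if m.group("sq") is not None else m.group("dq")
        name = body.split(":", 1)[0].strip().lower()
        if name in NOISE_HEADERS:
            dropped.append(name)
            return ""
        return m.group(0)

    out = HEADER_ARG.sub(keep_or_drop, command)
    out = re.sub(r"\s*\\\n\s*", " ", out)    # join bash line continuations
    out = re.sub(r" {2,}", " ", out).strip()  # tidy the gaps left by removals
    return out, dropped

# Constructed sample in the shape of Burp's "Copy as curl command (bash)" output.
SAMPLE = r"""curl -i -s -k -X $'GET' \
    -H $'Host: api.example.test' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64)' \
    -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' \
    -H $'Authorization: Bearer eyJ.constructed.token' -H $'Sec-Fetch-Dest: empty' \
    -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' \
    -H $'Connection: close' \
    $'https://api.example.test/api/v1/users/42'"""

if __name__ == "__main__":
    minimal, gone = minimize_curl(SAMPLE)
    print(minimal)
    print("dropped:", ", ".join(gone))
```

Re-send the trimmed request in Repeater before it goes in a report: dropping Accept or Origin can change content negotiation or CORS handling, so confirm the PoC still triggers with the minimal header set.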
🎉 OWASP has officially released the new API Security Top 10 in July. The new site is a lot better than the old one.
🤔 I found an interesting article on 10 ways to exploit JSON Web Tokens (JWT).
☠️ Check out this MOVEit mass exploit timeline to learn how the file-transfer service attacks entangled victims.
🔑 Now this is a neat find. Browse millions of leaked API keys found with TruffleHog with Forager.
🌎 Have a look at ReshaperForBurp. It's a Burp Suite extension to trigger actions and modify HTTP request/response and WebSocket traffic using configurable rules.
😈 I really like the idea of using cURL for a reverse shell. So here is a curlshell for ya! It's a simple interactive HTTP server that provides a way to mux stdin/stdout and stderr of a remote reverse shell over that proxy with the help of curl.