June was a lot of fun. We held the OWASP AppSec Days Pacific Northwest conference in Portland, Oregon... and sold out the show. Met a lot of appsec peeps in the community, including several from the API Hacker Inner Circle.
Great to see those of you who came by! 👍🏼
Afterward, my wife and I took some time off to drive down the Oregon coast and just explore. What an amazing coastline.
Having the time to explore also gave me some time to catch up on reading too.
I've been reading The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David Sanger. It tells the tale of the consequences of cyber warfare, especially against geo-political systems, and delves into a dark, true past in which superpowers play by different rules.
The sad reality is this isn't fiction. David shares real stories that show how this impacts us all.
Worth reading if you are into that kinda thing.
Articles in June
So here are the highlights of the articles I wrote in June:
- I showed you how to look for those old forgotten zombie APIs that can be a goldmine of vulnerabilities and security loopholes.
- I helped you level up your API security testing skills by learning how to use Gron to grep through the JSON payloads of the API endpoints you are hacking.
- I demonstrated a cool way to do API discovery by leveraging CeWL to generate custom word lists from release notes, changelogs, and product roadmaps for use in brute-force API scanning. I even showed you how I use it to find stuff in the Microsoft Graph API.
- I talked about how to use MITRE's Common Attack Pattern Enumeration and Classification (CAPEC) to improve your API security testing methodology.
Thanks to everyone who participated in APIDay's Interface conference. There were some great talks, and I was happy to contribute my session on reverse engineering undocumented APIs. I'm told all the presentations will eventually be published on YouTube. Once I get a link, I will share my session recording, as well as some of the more interesting API-security-related talks.
In other news, here's a troubling stat by our friends over at HelpNet Security. In 2022, 47.4% of all internet traffic came from bots. More interesting is the fact that 17% of all attacks on APIs came from bots.
Are bad bots coming for APIs? Check out the article and then hit "reply" and let me know your thoughts.
Like mindmaps? Then you really should check out CyberGuy's GitHub repo of API pentesting mindmaps.
And to close out this month's review, I stumbled upon an interesting experiment called HackerIO you might want to check out. It is an exploration to create a game where the interface is an HTTP API. Brush up on yer hacking skills and see how you do. 😈