🗓️ The API Hacker's Month in Review - June 2023 👀


June was a lot of fun. We held the OWASP AppSec Days Pacific Northwest conference in Portland, Oregon... and sold out the show. Met a lot of appsec peeps in the community, including several from the API Hacker Inner Circle.

Great to see those of you who came by! 👍🏼

Afterward, my wife and I took some time off to drive down the Oregon coast and just explore. What an amazing coastline.

Having the time to explore also gave me some time to catch up on reading too.

I've been reading The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David Sanger. It tells the tale of the consequences of cyber warfare, especially against geopolitical systems, and delves into a dark, true past where superpowers play by different rules.

The sad reality is this isn't fiction. David shares real stories that show how this impacts us all.

Worth reading if you are into that kinda thing.


Articles in June

So here are the highlights of the articles I wrote in June:


Community News

So thanks to everyone who participated in APIDay's Interface conference. There were some great talks, and I was happy to contribute my session on reverse engineering undocumented APIs. I'm told all the presentations will eventually be published on YouTube. Once I get a link, I will share my session recording, as well as some of the more interesting API security related talks.

In other news, here's a troubling stat from our friends over at HelpNet Security. In 2022, 47.4% of all internet traffic came from bots. More interesting is the fact that 17% of all attacks on APIs came from bots.

Are bad bots coming for APIs? Check out the article and then hit "reply" and let me know your thoughts.

Like mindmaps? Then you really should check out CyberGuy's GitHub repo of API pentesting mindmaps.

And to close out this month's review, I stumbled upon an interesting experiment called HackerIO you might want to check out. It is an exploration to create a game where the interface is an HTTP API. Brush up on yer hacking skills and see how you do. 😈

Hack hard!
Dana

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
