Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
ποΈ The API Hackers' Month in Review - April 2024 π
Published 9 months agoΒ β’Β 5 min read
Hey friend π,
April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. π€’
It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island.
I can't complain too much; I mean, I was also introduced to Churro Oreos...
I can't believe these are a thing...
... and it ended with long walks along the beach...
Walking along Cox Bay for a week isn't a bad way to decompress...
While I was away, I got to finish reading Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy. I've always been fascinated with how the NSO Group has weaponized our phones through zero-touch exploits. This book explored the experiences of brave journalists and technologists who went about unearthing the "intrusion as a service" that the NSO Group was selling to authoritarian regimes, and whose software is being aimed at civil society.
β
It's worth reading if you ever want to think deeper about how vulnerabilities in our cell phones can turn them into signal intelligence devices used by those who shouldn't.
Speaking of reading, I am merging this week's newsletter with the monthly review to help keep your inbox decluttered. So let's get right to it!
Latest Article
I spend a lot of time talking about the value of good API documentation.
If you ever encounter a target API developed by a team that publishes detailed API documentation following the OpenAPI Specification (OAS), youβre in the money baby.
In this week's article, I show you how to weaponize the tools developers use against them to find potential attack vectors in the very APIs they are building and documenting.
With the latest release of Burp Suite, you can now have it automatically filter out uninteresting headers in requests. This setting can be found in the User Interface settings for your User profile.
So what does it do?
By default, Burp shows all headers when you view HTTP requests in the message editor. To change this in the Pretty tab for HTTP requests across Burp, select Hide uninteresting headers by default. That's the little eye icon above the request.
This setting turns that on by default.
Burp hides a predefined list of headers that typically offer little insight into the target application's behavior or contain information that can't be exploited, such as Sec-Ch-Ua, Accept-Language, and Upgrade-Insecure-Requests.
By filtering uninteresting headers out, you can reduce clutter, making it easier for you to focus your analysis on more valuable information.
Thanks for the tip Christi!
Industry News
π€ SmartBear has revealed how it is elevating API development with its acquisition of Stoplight. They share how they have integrated Spectral into SwaggerHub, and how an upcoming release also integrated Prism for HTTP mocking and proxying.
π οΈ Have you heard about Compass Security's new JWT-scanner Burp extension? It automates the testing of JSON Web Token (JWT) implementations in web apps and APIs. I thought the JWT JWK injection testing was a nice touch. GitHub repo is here. It's also in the BApp store.
π Circular dependencies suck. Especially when it happens in an API that takes down the entire app like Tencent Cloud recently saw that took WeChat offline. Ouch.
π I read an interesting article on how API Design Is Pretty Bad β Hereβs How to Fix It. The fix-it part was interesting, as the article explains what developers SHOULD be doing. Of course, we can look at that with an offensive security engineering eye, and craft our methodologies accordingly.
π Truffle Security has an awesome article on how (The) Postman Carries Lots of Secrets. They estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers. The article also introduces the fact that trufflehog can now scan Postman workspaces to look for credential exposure.
π Did you check out Akamai's whitepaper on the 8 Do's & Don'ts of API Security? I found it kinda disappointing. Same old, same old. Why share it then? Because while it should be old hat to you by now... to some readers it's still rather new.
β οΈ Have you ever wanted to backdoor a dotNet application? This article shows you how. It also introduces dnSpyEx, an unofficial continuation of dnSpy which lets you edit and debug dotNet assemblies. Don't be evil. Fair game for redteamers with a foothold on a box.
π¨ββοΈ The US House of Representatives approved a bill that would limit the government's ability to purchase data from third parties. Called "The Fourth Amendment is Not For Sale", it makes it illegal for the US government to buy your data without a warrant. If you have read Means of Control, you know why this is important.
Well, that's it for this monthly review. With May now upon us, I know some of you will be out there wearing some Star Wars swag and telling everyone that "May the 4th be with you".
Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!