profile

😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - April 2024 πŸ‘€

Published about 1 month agoΒ β€’Β 5 min read

Hey friend πŸ‘‹,

April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🀒

It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island.

I can't complain too much; I mean, I was also introduced to Churro Oreos...

... and it ended with long walks along the beach...

While I was away, I got to finish reading Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy. I've always been fascinated with how the NSO Group has weaponized our phones through zero-touch exploits. This book explored the experiences of brave journalists and technologists who went about unearthing the "intrusion as a service" that the NSO Group was selling to authoritarian regimes, and whose software is being aimed at civil society.

It's worth reading if you ever want to think deeper about how vulnerabilities in our cell phones can turn them into signal intelligence devices used by those who shouldn't.

Speaking of reading, I am merging this week's newsletter with the monthly review to help keep your inbox decluttered. So let's get right to it!


Latest Article

I spend a lot of time talking about the value of good API documentation.

If you ever encounter a target API developed by a team that publishes detailed API documentation following the OpenAPI Specification (OAS), you’re in the money baby.

In this week's article, I show you how to weaponize the tools developers use against them to find potential attack vectors in the very APIs they are building and documenting.

You'll have to read the article to see how.


Articles in April

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ You were given The Beginners Guide to Writing API Security Tests in Postman, where you learned everything you need to know about how to get started writing API security tests in Javascript using Postman.

2️⃣ I showed you how to Break APIs with Naughty Strings, using nothing more than a nasty wordlist and the Postman Collection Runner.

3️⃣ You got to experience what I went through as I answered the question "Is Bruno a good Postman alternative for API hacking?" (spoiler - It's not... yet)

4️⃣ I shared with you five tips to help you pick your first target when starting bug bounty hunting against APIs.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip of the Week

This week's pro tip comes from Cristi over on X.

With the latest release of Burp Suite, you can now have it automatically filter out uninteresting headers in requests. This setting can be found in the User Interface settings for your User profile.

So what does it do?

By default, Burp shows all headers when you view HTTP requests in the message editor. To change this in the Pretty tab for HTTP requests across Burp, select Hide uninteresting headers by default. That's the little eye icon above the request.

This setting turns that on by default.

Burp hides a predefined list of headers that typically offer little insight into the target application's behavior or contain information that can't be exploited, such as Sec-Ch-Ua, Accept-Language, and Upgrade-Insecure-Requests.

By filtering uninteresting headers out, you can reduce clutter, making it easier for you to focus your analysis on more valuable information.

Thanks for the tip Christi!


Industry News

πŸ€” SmartBear has revealed how it is elevating API development with its acquisition of Stoplight. They share how they have integrated Spectral into SwaggerHub, and how an upcoming release also integrated Prism for HTTP mocking and proxying.

πŸ› οΈ Have you heard about Compass Security's new JWT-scanner Burp extension? It automates the testing of JSON Web Token (JWT) implementations in web apps and APIs. I thought the JWT JWK injection testing was a nice touch. GitHub repo is here. It's also in the BApp store.

πŸŒ€ Circular dependencies suck. Especially when it happens in an API that takes down the entire app like Tencent Cloud recently saw that took WeChat offline. Ouch.

πŸ“š I read an interesting article on how API Design Is Pretty Bad β€” Here’s How to Fix It. The fix-it part was interesting, as the article explains what developers SHOULD be doing. Of course, we can look at that with an offensive security engineering eye, and craft our methodologies accordingly.

πŸ“° Have you been following the news about CVE-2024-3400? Wallarm does a decent job of discussing how Palo Alto Networks' API Exploit is Causing Critical Infrastructure and Enterprise Epidemics. Time to upgrade and patch if you are running Palo Alto Networks PAN-OS software.

πŸ“– Truffle Security has an awesome article on how (The) Postman Carries Lots of Secrets. They estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers. The article also introduces the fact that trufflehog can now scan Postman workspaces to look for credential exposure.

🎬 The API Kitchen has a fun video on Mastering the OWASP ASVS (with Tanya Janca). Always interesting to see people talking about API stuff in the kitchen 🀣

πŸ“Š Did you check out Akamai's whitepaper on the 8 Do's & Don'ts of API Security? I found it kinda disappointing. Same old, same old. Why share it then? Because while it should be old hat to you by now... to some readers it's still rather new.

☠️ Have you ever wanted to backdoor a dotNet application? This article shows you how. It also introduces dnSpyEx, an unofficial continuation of dnSpy which lets you edit and debug dotNet assemblies. Don't be evil. Fair game for redteamers with a foothold on a box.

πŸ‘¨β€βš–οΈ The US House of Representatives approved a bill that would limit the government's ability to purchase data from third parties. Called "The Fourth Amendment is Not For Sale", it makes it illegal for the US government to buy your data without a warrant. If you have read Means of Control, you know why this is important.


Well, that's it for this monthly review. With May now upon us, I know some of you will be out there wearing some Star Wars swag and telling everyone that "May the 4th be with you".

It is Star Wars Day after all.

I have another idea for May 4th. Grab some milk. Maybe those Churro Oreos. Or perhaps gingerbread is more your thing...

"May the milk be with you... always"

Talk to you in the next newsletter. *burp*

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

🀯 Want some expert advice? Book a 1:1 session with me.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp πŸ‘‹

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

12 days agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! 🀒 Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...

2 months agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, How is it that in a leap year, February has gone by so fast? One minute it's Valentine's Day, and the next thing you know Leap Day jumps right past us. OK, a day late. But anything relating to quantum can fix that, right? The extra day in February did let me keep up with my reading. I've been reading The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. The book explores the profound impact of cyber warfare on global politics, detailing how state-sponsored...

3 months agoΒ β€’Β 4 min read
Share this post