πŸ—“οΈ The API Hackers' Month in Review - April 2024 πŸ‘€


Hey friend πŸ‘‹,

April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🀒

It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island.

I can't complain too much; I mean, I was also introduced to Churro Oreos...

... and it ended with long walks along the beach...

While I was away, I got to finish reading Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy. I've always been fascinated with how the NSO Group has weaponized our phones through zero-touch exploits. This book explored the experiences of brave journalists and technologists who went about unearthing the "intrusion as a service" that the NSO Group was selling to authoritarian regimes, and whose software is being aimed at civil society.

It's worth reading if you ever want to think deeper about how vulnerabilities in our cell phones can turn them into signal intelligence devices used by those who shouldn't.

Speaking of reading, I am merging this week's newsletter with the monthly review to help keep your inbox decluttered. So let's get right to it!


Latest Article

I spend a lot of time talking about the value of good API documentation.

If you ever encounter a target API developed by a team that publishes detailed API documentation following the OpenAPI Specification (OAS), you’re in the money baby.

In this week's article, I show you how to weaponize the tools developers use against them to find potential attack vectors in the very APIs they are building and documenting.

You'll have to read the article to see how.


Articles in April

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ You were given The Beginners Guide to Writing API Security Tests in Postman, where you learned everything you need to know about how to get started writing API security tests in Javascript using Postman.

2️⃣ I showed you how to Break APIs with Naughty Strings, using nothing more than a nasty wordlist and the Postman Collection Runner.

3️⃣ You got to experience what I went through as I answered the question "Is Bruno a good Postman alternative for API hacking?" (spoiler - It's not... yet)

4️⃣ I shared with you five tips to help you pick your first target when starting bug bounty hunting against APIs.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip of the Week

This week's pro tip comes from Cristi over on X.

With the latest release of Burp Suite, you can now have it automatically filter out uninteresting headers in requests. This setting can be found in the User Interface settings for your User profile.

So what does it do?

By default, Burp shows all headers when you view HTTP requests in the message editor. To change this in the Pretty tab for HTTP requests across Burp, select Hide uninteresting headers by default. That's the little eye icon above the request.

This setting turns that on by default.

Burp hides a predefined list of headers that typically offer little insight into the target application's behavior or contain information that can't be exploited, such as Sec-Ch-Ua, Accept-Language, and Upgrade-Insecure-Requests.

By filtering uninteresting headers out, you can reduce clutter, making it easier for you to focus your analysis on more valuable information.

Thanks for the tip Christi!


Industry News

πŸ€” SmartBear has revealed how it is elevating API development with its acquisition of Stoplight. They share how they have integrated Spectral into SwaggerHub, and how an upcoming release also integrated Prism for HTTP mocking and proxying.

πŸ› οΈ Have you heard about Compass Security's new JWT-scanner Burp extension? It automates the testing of JSON Web Token (JWT) implementations in web apps and APIs. I thought the JWT JWK injection testing was a nice touch. GitHub repo is here. It's also in the BApp store.

πŸŒ€ Circular dependencies suck. Especially when it happens in an API that takes down the entire app like Tencent Cloud recently saw that took WeChat offline. Ouch.

πŸ“š I read an interesting article on how API Design Is Pretty Bad β€” Here’s How to Fix It. The fix-it part was interesting, as the article explains what developers SHOULD be doing. Of course, we can look at that with an offensive security engineering eye, and craft our methodologies accordingly.

πŸ“° Have you been following the news about CVE-2024-3400? Wallarm does a decent job of discussing how Palo Alto Networks' API Exploit is Causing Critical Infrastructure and Enterprise Epidemics. Time to upgrade and patch if you are running Palo Alto Networks PAN-OS software.

πŸ“– Truffle Security has an awesome article on how (The) Postman Carries Lots of Secrets. They estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers. The article also introduces the fact that trufflehog can now scan Postman workspaces to look for credential exposure.

🎬 The API Kitchen has a fun video on Mastering the OWASP ASVS (with Tanya Janca). Always interesting to see people talking about API stuff in the kitchen 🀣

πŸ“Š Did you check out Akamai's whitepaper on the 8 Do's & Don'ts of API Security? I found it kinda disappointing. Same old, same old. Why share it then? Because while it should be old hat to you by now... to some readers it's still rather new.

☠️ Have you ever wanted to backdoor a dotNet application? This article shows you how. It also introduces dnSpyEx, an unofficial continuation of dnSpy which lets you edit and debug dotNet assemblies. Don't be evil. Fair game for redteamers with a foothold on a box.

πŸ‘¨β€βš–οΈ The US House of Representatives approved a bill that would limit the government's ability to purchase data from third parties. Called "The Fourth Amendment is Not For Sale", it makes it illegal for the US government to buy your data without a warrant. If you have read Means of Control, you know why this is important.


Well, that's it for this monthly review. With May now upon us, I know some of you will be out there wearing some Star Wars swag and telling everyone that "May the 4th be with you".

It is Star Wars Day after all.

I have another idea for May 4th. Grab some milk. Maybe those Churro Oreos. Or perhaps gingerbread is more your thing...

"May the milk be with you... always"

Talk to you in the next newsletter. *burp*

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

🀯 Want some expert advice? Book a 1:1 session with me.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow. It sure felt like we fell into fall pretty fast. Say that three times fast. πŸ‚ 🍁 With September behind us, its time to look back and review what has been done. Before I do that though, remember in last week's newsletter when I mentioned the NSA's new podcast called No Such Podcast? A few of you sent me notes that you loved learning about it. Some of you have already listened to all of the episodes. But I've got something better for you. I've recently been reading Code...

Hey friend πŸ‘‹, Well, I said I was talking most of August off. And I did. So this month in review doesn't include a lot of new articles. But lots of stuff did happen. First, we moved into our new oceanfront villa. That's been a game changer. I haven't had such long and deep sleeps in years. It's so calm and quiet here. And, who doesn't want a home office view like this? πŸ‘‰πŸ» It gave me lots of time to just sit, think, and read. In fact, I read a fascinating book on that deck in just a couple of...

Hey friend πŸ‘‹, Summer is in full swing. Sunburns are in full effect. Wild fires are fully engulfing our forests. And the hottest thing yet... the latest Deadpool movie finally hit theatres. I get it. You probably have been really busy in July. I know I was. Five articles. Three presentations. And one research paper that included a new custom Burp extension that I'm not allowed to talk about. (Ya, it's that dark. And pure Kotlin code). Speaking of "dark", I read a really interesting book in...