Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
The API Hackers' Month in Review - April 2024
Published 3 months ago • 5 min read
Hey friend,
April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos.
It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island.
I can't complain too much; I mean, I was also introduced to Churro Oreos...
... and it ended with long walks along the beach...
While I was away, I got to finish reading Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy. I've always been fascinated with how the NSO Group has weaponized our phones through zero-touch exploits. This book explored the experiences of brave journalists and technologists who went about unearthing the "intrusion as a service" that the NSO Group was selling to authoritarian regimes, and whose software is being aimed at civil society.
It's worth reading if you ever want to think deeper about how vulnerabilities in our cell phones can turn them into signal intelligence devices used by those who shouldn't.
Speaking of reading, I am merging this week's newsletter with the monthly review to help keep your inbox decluttered. So let's get right to it!
Latest Article
I spend a lot of time talking about the value of good API documentation.
If you ever encounter a target API developed by a team that publishes detailed API documentation following the OpenAPI Specification (OAS), you're in the money baby.
In this week's article, I show you how to weaponize the tools developers use against them to find potential attack vectors in the very APIs they are building and documenting.
With the latest release of Burp Suite, you can now have it automatically filter out uninteresting headers in requests. This setting can be found in the User Interface settings for your User profile.
So what does it do?
By default, Burp shows all headers when you view HTTP requests in the message editor. You can hide the uninteresting ones for a single request with the little eye icon above the request in the Pretty tab. To make that the default for HTTP requests across Burp, select Hide uninteresting headers by default in the User Interface settings.
Burp hides a predefined list of headers that typically offer little insight into the target application's behavior or contain information that can't be exploited, such as Sec-Ch-Ua, Accept-Language, and Upgrade-Insecure-Requests.
By filtering uninteresting headers out, you can reduce clutter, making it easier for you to focus your analysis on more valuable information.
Thanks for the tip Christi!
Industry News
SmartBear has revealed how it is elevating API development with its acquisition of Stoplight. They share how they have integrated Spectral into SwaggerHub, and how an upcoming release also integrates Prism for HTTP mocking and proxying.
Have you heard about Compass Security's new JWT-scanner Burp extension? It automates the testing of JSON Web Token (JWT) implementations in web apps and APIs. I thought the JWT JWK injection testing was a nice touch. The GitHub repo is here. It's also in the BApp store.
Circular dependencies suck. Especially when one in an API takes down the entire app, as Tencent Cloud recently saw when an outage took WeChat offline. Ouch.
I read an interesting article on how API Design Is Pretty Bad — Here's How to Fix It. The fix-it part was the interesting bit, since the article explains what developers SHOULD be doing. Of course, we can read that with an offensive security engineering eye and craft our methodologies accordingly.
Truffle Security has an awesome article on how (The) Postman Carries Lots of Secrets. They estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers. The article also introduces the fact that trufflehog can now scan Postman workspaces to look for credential exposure.
Did you check out Akamai's whitepaper on the 8 Do's & Don'ts of API Security? I found it kinda disappointing. Same old, same old. Why share it then? Because while it should be old hat to you by now... to some readers it's still rather new.
Have you ever wanted to backdoor a dotNet application? This article shows you how. It also introduces dnSpyEx, an unofficial continuation of dnSpy which lets you edit and debug dotNet assemblies. Don't be evil. Fair game for redteamers with a foothold on a box.
The US House of Representatives approved a bill that would limit the government's ability to purchase data from third parties. Called "The Fourth Amendment is Not For Sale", it makes it illegal for the US government to buy your data without a warrant. If you have read Means of Control, you know why this is important.
Well, that's it for this monthly review. With May now upon us, I know some of you will be out there wearing some Star Wars swag and telling everyone that "May the 4th be with you".