πŸ—“οΈ The API Hackers' Month in Review - August 2024 πŸ‘€


Hey friend πŸ‘‹,

Well, I said I was talking most of August off.

And I did.

So this month in review doesn't include a lot of new articles. But lots of stuff did happen.

First, we moved into our new oceanfront villa. That's been a game changer. I haven't had such long and deep sleeps in years. It's so calm and quiet here. And, who doesn't want a home office view like this? πŸ‘‰πŸ»

It gave me lots of time to just sit, think, and read.

In fact, I read a fascinating book on that deck in just a couple of days. Titled Your Face Belongs to Us: A Secretive Startup's Quest to End Privacy as We Know It, it provided a chilling tale of the rise of facial recognition technology and its far-reaching implications for privacy. I was floored hearing just where Clearview AI came from, its history, and the the unsettling power dynamics at play. And the beautiful story telling to weave in the clout that came from US politics, oh geez. *sigh*

It's a must-read for anyone concerned about the intersection of technology, privacy, and ethics.

Speaking of technology, settling back into things I've written an article that is being released today that can help you find new API endpoints before your competitors (or adversaries) do.

Let's get right to it.


Article

One of the complaints I hear from new bug bounty hunters is that they often don’t know where to look for security vulnerabilities in APIs. I get that. It can be a daunting task.Β 

What if I told you that one of the best ways is to capture evidence of endpoint additions and changes that are probably much more brittle and unknown to other hunters, and test those first? Would that be helpful to know how to do?

Of course it would.

In this week's article, I show you a technique for finding new API endpoints in design-first APIs by weaponizing the metadata generated. You can automate this task and get your systems informing you about new or changed endpoints before competing bug bounty hunters even know its been released. I've found several low hanging security vulns this way that should have been dupes, but weren't because I got there first.


Industry News

πŸ“– Akamai's latest report shows Why (and How) APIs and Web Applications Are Under Siege. One of the bigger findings? Application and API attacks surged by 49% from Q1 2023 to Q1 2024. That includes over 108 billion API attacks were observed during the reporting period.

πŸ€” Those stats tickle your fancy? It helps to explain why Akamai is doubling down on API security, and why they bought Noname Security. Interesting how they explain how they will weave Noname into their offerings.

πŸ“Š Wallarm's latest ThreatStat's report is out. 284 new CVEs published in Q2 were API related. Are we surprised?

πŸ‘€ I love it when data is visualized. So when I saw A Visual Exploration of Exploits in the Wild: The Inaugural Study of EPSS Data and Performance, I was a happy camper. This was a great way to demonstrate the value of EPSS and how everyone's risk tolerance will differ. I really appreciate how they clearly show how more effective v3 has been on predicting exploitation activity.

πŸ› οΈ Someone recently pointed out Burp2Swagger to me. It's a Burp extention that apparently can automatically generate OpenAPI Json for Swagger from proxy traffic. I haven't tried it yet to see how good it is. Might be an easier option than using mitmproxy2swagger all the time. Have you tried it yet?

πŸ“š I stumbled upon a great article Revealing the Inner Structure of AWS Session Tokens. It's very detailed, and well written. The reverse engineering was brilliant. I learnt lots. You will too.

πŸ§ͺ Nordic APIs have a great article on contract testing, and how it differs from schema testing. Testing the contract is useful in helping to find weaknesses that can lead to security vulnerabilities. The author gets that, and helps clarify its value and use case.

😬 Have you heard of the HTTP API Testing Framework called Dredd? Dredd is a language-agnostic command-line tool for validating API description document against backend implementation of the API. It supports OAS.

βš”οΈ The security research coming out of PortSwigger is always awesome. Their latest work on web cache poisoning and exploitation hits it out the park. They showcased it at BlackHat this year. In case you missed it, you can download the full research paper here.


Well, that's it for this month in review. As I get back into the swing of things you can look forward to some deeper technical content in the coming months. Gimme a few articles to get there.

In the meantime, I think I kinda wanna get a hoodie with this saying... what do you think?

Hope my latest article has you thinking the same way.

Cya in the next newsletter!

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

🀯 Want some expert advice? Book a 1:1 session with me.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow. It sure felt like we fell into fall pretty fast. Say that three times fast. πŸ‚ 🍁 With September behind us, its time to look back and review what has been done. Before I do that though, remember in last week's newsletter when I mentioned the NSA's new podcast called No Such Podcast? A few of you sent me notes that you loved learning about it. Some of you have already listened to all of the episodes. But I've got something better for you. I've recently been reading Code...

Hey friend πŸ‘‹, Summer is in full swing. Sunburns are in full effect. Wild fires are fully engulfing our forests. And the hottest thing yet... the latest Deadpool movie finally hit theatres. I get it. You probably have been really busy in July. I know I was. Five articles. Three presentations. And one research paper that included a new custom Burp extension that I'm not allowed to talk about. (Ya, it's that dark. And pure Kotlin code). Speaking of "dark", I read a really interesting book in...

Hey friend πŸ‘‹, WTF, where did June go? I swear I blinked, and it was gone. Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud. (Sorry... couldn't resist. πŸ‡¨πŸ‡¦) In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK. Canadians prefer Birthday cookies (or Nanaimo bars...