
😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - Feb 2024 πŸ‘€

Published about 2 months ago • 4 min read

Hey friend 👋,

How is it that in a leap year, February has gone by so fast?

One minute it's Valentine's Day, and the next thing you know Leap Day jumps right past us.

The extra day in February did let me keep up with my reading. I've been reading The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. The book explores the profound impact of cyber warfare on global politics, detailing how state-sponsored hackers are reshaping the international landscape by challenging traditional notions of sovereignty, security, and power.

With the upcoming election in the USA (and even in Canada soon), I shudder at the thought of the political upheaval that is being driven through cyber ops right now by Russia and China.

The book is a chilling tale of what we know has happened at the hands of state actors of yesteryear. Worth reading if you are into that kinda thing.


Articles in February

Here is a glimpse of the articles I wrote last month that you received through the newsletter...

1️⃣ You learned how to detect API endpoints and extract source code from web app frontends using JS Miner, a FREE Burp Suite Professional extension.

2️⃣ I shared with you the differences between API endpoints and routes and how to think about it as an API hacker during your security testing.

3️⃣ You were taught how to leverage curlconverter to write API exploits in Python using payloads you generated in Burp Suite.

4️⃣ You got an idea of the five mistakes beginners make during their app recon that limit their ability to find vulns during their API security testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

This month, I want to share with you a common payload evasion technique called double encoding. This is registered in MITRE's Common Attack Pattern Enumeration & Classification database as CAPEC-120.

Here is how it works and why it can be important to you as an API hacker.

This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It’s possible because the webserver accepts and processes client requests in many encoded forms.

That attack description is taken straight from OWASP.

So why is it important?

Input validation is difficult for developers. A validation filter may URL-decode the payload you send across the wire once before checking it, but the component that actually uses the value later (the web framework's parameter parsing, a URL builder, a template, or the application code itself) may decode it again, and nothing re-validates the value after that second decode. Since filters typically take a blacklist approach to input validation rather than whitelisting what is expected, if your payload survives their first-order check, it gets through.

Let me give you an example.

Consider a simple XSS payload. Maybe something like:

<script>alert('XSS')</script>

It wouldn't be uncommon for developers to block or filter characters like <, >, and maybe even /.

So as an attacker, you URL-encode it, replacing those characters with a percent sign followed by their hex values: %3C, %3E, and %2F, respectively.

Your payload looks something like this:

%3Cscript%3Ealert('XSS')%3C%2Fscript%3E

Seems reasonable.

Except developers have gotten wise to this. Their buddies on StackOverflow have told them to always URL-decode input coming from the user before validating it, so the filter sees the < and > again.

And this is where double encoding comes in. You can further obfuscate the payload by encoding the % sign itself, which has a hex value of 25, so %3C becomes %253C. The filter's single decode turns %253C back into %3C, which contains none of the blocked characters, and it is only the second decode downstream that produces the <.

Your final malicious payload ends up looking like this:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

So the next time you find an API rejecting your payload with some sort of input validation filter, try double-encoding it. Keep in mind this only works when something downstream of the filter decodes the value a second time. A quick way to find out is to send a harmless double-encoded value (for example %2541, which decodes twice to the letter A) and check whether the response reflects A, the single-decoded %41, or the raw string you sent.

And don't forget, you can use the Burp Suite Decoder to help with this: URL-encode the payload once, then URL-encode the result again so that each % becomes %25.
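To make the mechanism concrete, here is an added example (not code from the newsletter) that models the whole chain in Python: the blacklist filter that decodes once, a vulnerable pipeline in which the framework and then the application each decode the parameter again, and a hardened filter that canonicalizes to a fixpoint before validating. The payloads are the ones from the text; the function names and the three-stage pipeline are assumptions made for the illustration.

```python
from urllib.parse import unquote

# Constructed sample from the Pro Tip: the plain XSS payload and the characters a
# typical blacklist filter refuses. The names below are made up for this example.
PLAIN = "<script>alert('XSS')</script>"
BLOCKED_CHARS = frozenset("<>/")


def encode_chars(value: str, chars) -> str:
    """Percent-encode only the characters in `chars` (e.g. '<' -> %3C), leaving the rest alone."""
    return "".join(f"%{ord(c):02X}" if c in chars else c for c in value)


def double_encode(value: str, chars=BLOCKED_CHARS) -> str:
    """Encode the blocked characters, then encode the '%' signs that step produced (0x25 -> %25)."""
    return encode_chars(encode_chars(value, chars), "%")


def naive_filter(raw: str) -> bool:
    """The filter from the text: URL-decode once, then reject if any blocked character is present."""
    decoded = unquote(raw)
    return not any(c in decoded for c in BLOCKED_CHARS)


def vulnerable_pipeline(raw: str) -> tuple[bool, str]:
    """Hypothetical request flow: the filter validates the first-order decode, then the
    framework decodes the raw parameter once and the application decodes it again before
    use. That second decode is never validated, which is what double encoding exploits."""
    if not naive_filter(raw):
        return False, ""
    framework_value = unquote(raw)        # query-string parsing by the web framework
    app_value = unquote(framework_value)  # app code decoding "just in case" (the second decode)
    return True, app_value


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing. If it is still changing after max_rounds it is
    suspiciously layered and the caller should reject it rather than guess."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError(f"value still decoding after {max_rounds} rounds")


def hardened_filter(raw: str) -> bool:
    """Canonicalize first, validate second, so the filter sees the same bytes the app will.
    (A real filter should also allowlist the expected format instead of only blacklisting.)"""
    try:
        canonical = canonicalize(raw)
    except ValueError:
        return False
    return not any(c in canonical for c in BLOCKED_CHARS)


if __name__ == "__main__":
    single = encode_chars(PLAIN, BLOCKED_CHARS)
    double = double_encode(PLAIN)
    for label, payload in (("plain", PLAIN), ("single", single), ("double", double)):
        passed, used = vulnerable_pipeline(payload)
        naive = "PASS" if passed else "BLOCK"
        hardened = "PASS" if hardened_filter(payload) else "BLOCK"
        print(f"{label:6} naive={naive:5} hardened={hardened:5} value_used={used!r}")
```

Running it shows the plain and single-encoded payloads blocked by both filters, while the double-encoded one sails past the naive filter and reaches the application as a literal script tag. The fix is not "decode twice" (an attacker then triple-encodes) but decoding to a fixpoint, bounding the number of rounds, and validating the canonical form.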


Industry News

📋 James Kettle has shared the Top 10 web hacking techniques of 2023. This is PortSwigger's annual community-powered effort to identify the most innovative must-read web security research published in the last year. My favorite is Exploiting Hardened .NET Deserialization, but I am a bit biased.

🛠️ Have you checked out the Spectral OWASP API Security Ruleset? It can scan an OpenAPI document and automatically detect security issues for you, mapped to the common vulnerabilities defined in the OWASP API Security Top 10.

📚 I read an interesting article from Galeal Zino, in which he argues that APIs are like snowflakes: each one is unique. The result is that many API attacks are effectively zero-day attacks, novel attacks that exploit recent and unique changes to specific APIs. His answer? Make public APIs private. Can't say that will matter... we will still find them. 😈

🤦 The Register reports that Fortinet's FortiSIEM product is vulnerable to two maximum-severity security vulnerabilities that allow for remote code execution, or at least according to two freshly published CVEs. It appears some newly found OS command injection vulnerabilities exist in their APIs.

📚 It was interesting to read about how the head of the NSA's Tailored Access Operations (TAO) was at a conference explaining how to keep him and his crew out of our systems. It's unusual for people in TAO to be talking publicly... albeit a lot of their laundry was already aired out by Snowden.

🧠 There have been a bunch of additions and updates to the MindAPI mind map worth checking out. Curious about what's new? Check out the commit history in GitHub.

🎬 There is a great playlist called Everything API Hacking on YouTube that's worth checking out. It's basically a collection of all of InsiderPHD's vids focused on API hacking.

📄 Have you ever read Inon Shkedy's 31 Days of API Security Tips? Some wise (yet easy to consume) API security tips are there for you.

🤔 Here are some interesting API hacking pentips stored in a Gitbook. It's basically a brain dump of the notes CSbyGB took while learning to hack APIs.


Well, that's it for this monthly review. March madness is here. Earlier I mentioned that 2024 is just flying by.

I asked ChatGPT what it thought "time flies" meant. It drew this for me...

(Image generated by DALL·E in ChatGPT)

AI is getting crazy cool and creative these days.

Talk to you in the next newsletter!

Hack hard!
Dana

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.


β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

