It wouldn't be uncommon for developers to block/filter characters like <, >, and maybe even /.

So as an attacker, you encode it, converting those characters to their percent-encoded hex values of %3C, %3E, and %2F, respectively.

Your payload looks something like this:

Seems reasonable.

Except developers have gotten wise to this. Their buddies have told them on StackOverflow that they should always URL decode input coming from the user.

And this is where double encoding comes in. You can further obfuscate the payload by encoding the % sign itself, which has a hex value of 25 (so %3C becomes %253C).

Your final malicious payload ends up looking like this:

So the next time you find an API rejecting your payload with some sort of input validation filter, try to double-encode it.

And don't forget, you can use the Burp Suite Decoder to help with this...
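To show the defender's side of this, here is an added Python example (mine, not code from the newsletter or from Burp Suite). It contrasts the "decode once, then filter" pattern described above with canonicalizing first, and includes a small detector that flags query parameters needing two or more decode rounds. The blocked-character set, the function names and the sample request lines are all constructed for this illustration; the only library call is `urllib.parse.unquote` from the standard library.

```python
from urllib.parse import unquote

# Characters the hypothetical API filter rejects: the ones named in the text.
BLOCKED = frozenset("<>/")


def contains_blocked(value: str) -> bool:
    """True if any filtered character appears in value."""
    return any(ch in BLOCKED for ch in value)


def single_decode_then_filter(raw: str):
    """The pattern the text describes: URL-decode once, then validate.

    Returns the decoded value if accepted, None if rejected. A double-encoded
    %253C decodes to %3C, passes the filter, and becomes '<' the moment a
    downstream component decodes it again.
    """
    decoded = unquote(raw)
    if contains_blocked(decoded):
        return None
    return decoded


def canonicalize(raw: str, max_rounds: int = 3):
    """Decode until the string stops changing; return (canonical, depth).

    depth is the number of encoding layers peeled off. Input that is still
    changing after max_rounds layers is rejected rather than decoded further.
    """
    current, depth = raw, 0
    while True:
        nxt = unquote(current)
        if nxt == current:
            return current, depth
        depth += 1
        if depth > max_rounds:
            raise ValueError(f"more than {max_rounds} URL-encoding layers")
        current = nxt


def canonicalize_then_filter(raw: str):
    """Hardened validation: reach the canonical form first, then validate.

    Rejects over-encoded input and input whose canonical form contains a
    blocked character; otherwise returns the canonical value.
    """
    try:
        canonical, _ = canonicalize(raw)
    except ValueError:
        return None
    if contains_blocked(canonical):
        return None
    return canonical


# Constructed request lines for the detection example (not real traffic).
SAMPLE_REQUESTS = [
    "/api/search?q=hello%20world",
    "/api/search?q=%3Cb%3E",
    "/api/search?q=%253Cb%253E",
    "/api/files?name=report.pdf&dir=docs%252Fq1",
]

DETECT_LIMIT = 10  # decode rounds the detector is willing to attempt


def find_multi_encoded(requests, min_depth: int = 2):
    """Flag query parameters that need min_depth or more decode rounds.

    Returns (request, parameter name, depth) tuples. A value that is still
    changing after DETECT_LIMIT rounds is reported with depth DETECT_LIMIT + 1.
    """
    findings = []
    for req in requests:
        _, _, query = req.partition("?")
        if not query:
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            try:
                _, depth = canonicalize(value, max_rounds=DETECT_LIMIT)
            except ValueError:
                depth = DETECT_LIMIT + 1
            if depth >= min_depth:
                findings.append((req, name, depth))
    return findings


if __name__ == "__main__":
    payload = "%253Cb%253E"
    print("decode-once filter accepts:", single_decode_then_filter(payload))
    print("canonical form and depth:", canonicalize(payload))
    print("canonicalize-first filter accepts:", canonicalize_then_filter(payload))
    for finding in find_multi_encoded(SAMPLE_REQUESTS):
        print("flagged:", finding)
```

The depth count is the useful signal for detection: a legitimate client sends a value at depth 0 or 1, so anything at depth 2 or more in access logs is worth a second look even when the filter ultimately rejected it. The one ambiguity is a value that genuinely contains a literal percent sign and was encoded once (a `%25` meaning `%`), which also reaches depth 2 on a second decode; that is why the hardened path rejects rather than silently decoding beyond the limit.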
James Kettle has shared the Top 10 web hacking techniques of 2023. This is PortSwigger's annual community-powered effort to identify the most innovative must-read web security research published in the last year. My favorite is Exploiting Hardened .NET Deserialization, but I am a bit biased.

Have you checked out the Spectral OWASP API Security Ruleset? It can scan an OpenAPI document and detect security issues automatically for you, mapped to the common vulnerabilities defined in the OWASP API Security Top 10.

I read an interesting article from Galeal Zino, in which he believes APIs are like snowflakes. They are each unique. The result is that many API attacks are effectively zero-day attacks: novel attacks that exploit recent and unique changes to specific APIs. His answer? Make public APIs private. Can't say that will matter... we will still find them.

The Register reports that Fortinet's FortiSIEM product is vulnerable to two maximum-severity security vulnerabilities that allow for remote code execution, or at least according to two freshly published CVEs. It appears some newly found OS command injection vulnerabilities exist in their APIs.

It was interesting to read about how the head of the NSA's Tailored Access Operations (TAO) was at a conference explaining how to keep him and his crew out of our systems. It's unusual for people in TAO to be talking publicly... albeit a lot of their laundry was already aired out by Snowden.

There have been a bunch of additions and updates to the MindAPI mind map worth checking out. Curious about what's new? Check out the commit history in GitHub.

There is a great playlist called Everything API Hacking on YouTube that's worth checking out. It's basically a collection of all of InsiderPHD's vids focused on API hacking.

Have you ever read Inon Shkedy's 31 Days of API Security Tips? Some wise (yet easy to consume) API security tips are there for you to consume.

Here are some interesting API hacking pentips stored in a Gitbook. It's basically a brain dump of the notes taken while learning to hack APIs by CSbyGB.
Well, that's it for this monthly review. March madness is here. Earlier I mentioned that 2024 is just flying by.

I asked ChatGPT what it thought "time flies" meant. It drew this for me...

AI is getting crazy cool and creative these days.

Talk to you in the next newsletter!

Hack hard!

Dana