🗓️ The API Hackers' Month in Review - January 2024 👀


Hey friend 👋,

Wow. January has come and gone in the blink of an eye.

Did you try a "dry" January and skip the alcohol? They say it's good for the skin...

Does Bailey's Irish Cream in the hot cocoa count? Whoops.

Grogu I am not.

I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how even dirty cops can quickly turn to the dark side when digital money is dangled in front of them.

I've always wondered why people thought Bitcoin would allow for anonymous transactions when the whole point of the blockchain is to ensure verified transactions. Andy Greenberg does an excellent job of telling the story of how law enforcement was able to trace transactions back to the originating party and uncover how digital currency flows through the dark underbelly of the Internet.

It's worth reading if you enjoy watching an astonishing saga of criminal empires being built and destroyed unfold in front of your eyes.


Articles in January

I've been getting back into the swing of things for the articles in January. Here is a glimpse of what you were sent last month...

1️⃣ You learned how to exploit an API using Structured Format Injection (SFI) through Server Side Parameter Pollution (SSPP).

2️⃣ I shared my predictions on what API security might look like in 2024, as part of the #apifutures project.

3️⃣ You were given a simple guide to learn how to use NoSQL injection to bypass the authentication in the APIs you are testing.

4️⃣ You were shown how to test the limits of APIs that have rate-limiting security controls to prevent disasters, and how forgoing this testing is itself a disaster.

5️⃣ You were taught how to write Bambda filters in Burp Suite that can automatically detect uncommon headers in the APIs you are testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

Do you hack while using multiple monitors? Have you ever had a need to look at more than one of Burp Suite's tools at the same time?

Yep. Me too.

There is a powerful window/view management feature in Burp Suite you should know about that can help here.

Right-click on any tool tab, and select "Detach tab"...

You can then move that tab to a separate monitor while you continue to use the rest of Burp Suite on the other monitor.

When you want to reattach it, you just need to click the icon on the detached window...

I usually work with three monitors, where I can have Burp's Chromium browser on one monitor, the main Burp Suite app on a second, and the current tool I am working in (usually Repeater or Intruder) on the third monitor. This concept of docking and undocking tool tabs like this is really helpful.

YMMV of course.

Give it a try and see how much more productive you might be! 🎉


Industry News

🤔 Over on Mastodon, there is a conversation going on about Postman being used as a watering hole for leaked credentials. Because of its new model of saving everything in the cloud and making it far too easy to share, it's literally a concentrator for accidental token exposure. What do you think?

⚔️ I love this description of attack paths in Azure using weaknesses in API permissions. I've always found application permissions in Azure AD (sorry, Entra ID ... stupid naming) to be a huge hole that grants far too much privilege and opens backdoors into tenants... especially when using multitenant application manifests.

⚙️ Have you checked out MicroBurst? It's a collection of scripts for assessing Microsoft Azure security. Pay attention to the various blog posts they link to that showcase how to use the scripts against different threat scenarios. Automating Managed Identity Token Extraction in Azure Container Registries is a good example.

🛠️ Have you ever wanted to graphically visualize JSON objects? Then you really need to check out JSON Crack. It works to graph XML, YAML, and CSV too.

📚 Reversing Labs has a good article on the 5 lessons learned from the Hugging Face API token breach. I loved this quote at the end: "You should always assume that every end user is an attacker." So true.

📄 Nordic API shares Why Teamwork Is Crucial to Keep APIs Secure. It's nice to see them call out that the security team needs to be part of the equation early in the development cycle.

💰 I sometimes get emails from you guys about which bug bounty programs include APIs in their scope. Well, apparently BitMart now has an API Bug Bounty Program you can check out. P1 crits are worth $10,000.

🔒 Ever find yourself working with platforms that require you to provide your third-party API keys so they can act on your behalf? You are trusting them to keep your API keys safe and that they do not misuse them. Check out Lockbox if you want to keep control of your API keys. It's a forward proxy for making third-party API calls.

📚 F5 talks about The Case for Integrated App and API Security Strategies. They believe that APIs have grown up and become a separate entity with their own security needs. Do you agree?


Well, that's about it for this monthly review. February is upon us now, and it is time to look forward to a shorter month, even if it is a leap year.

Talk to you in the next newsletter!

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

