😈 The API Hacker Inner Circle

🗓️ The API Hackers' Month in Review - January 2024 👀

Published 28 days ago • 4 min read

Hey friend 👋,

Wow. January has come and gone in the blink of an eye.

Did you try a "dry" January and skip the alcohol? They say it's good for the skin...

Does Bailey's Irish Cream in the hot cocoa count? Whoops.

Grogu I am not.

I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how even dirty cops can quickly turn to the dark side when digital money is dangled in front of them.

I've always wondered why people thought BitCoin would allow for anonymous transactions when the whole point of the blockchain is to ensure verified transactions. Andy Greenberg does an excellent job of telling the story of how law enforcement was able to trace transactions back to the originating party and find how digital currency flows in the dark underbelly of the Internet.

It's worth reading if watching an astonishing saga of criminal empires built and destroyed unveiled in front of your eyes is interesting to you.

Articles in January

I've been getting back into the swing of things for the articles in January. Here is a glimpse of what you were sent last month...

1️⃣ You learned how to exploit an API using Structured Format Injection (SFI) through Server Side Parameter Pollution (SSPP).

2️⃣ I shared my predictions on what API security might look like in 2024, as part of the #apifutures project.

3️⃣ You were given a simple guide to learn how to use NoSQL injection to bypass the authentication in the APIs you are testing.

4️⃣ You were shown how to test the limits of APIs that have rate-limiting security controls to prevent disasters and how foregoing this testing is in itself a disaster.

5️⃣ You were taught how to write Bambda filters in Burp Suite that can automatically detect uncommon headers in the APIs you are testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!

Pro Tip

Do you hack while using multiple monitors? Have you ever had a need to look at more than one of Burp Suite's tools at the same time?

Yep. Me too.

There is a powerful windows/view management feature in Burp Suite you should know about that can help here.

Right-click on any tool tab, and select "Detach tab"...

You can then move that tab to a separate monitor while you continue to use the rest of Burp Suite on the other monitor.

When you want to reattach it, you just need to click the icon on the detached window...

I usually work with three monitors, where I can have Burp's Chromium browser on one monitor, the main Burp Suite app on a second, and the current tool I am working in (usually Repeater or Intruder) on the third monitor. This concept of docking and undocking tool tabs like this is really helpful.

YMMV of course.

Give it a try and see how much more productive you might be! 🎉

Industry News

🤔 Over on Mastodon, there is a conversation going on about Postman being used as a watering hole for leaked credentials. Because of its new model to save everything in the cloud and make it way too sharable, it's literally a concentrator for accidental token exposure. What do you think?

⚔️ I love this description of attack paths in Azure using weaknesses in API permissions. I've always found application app perms in Azure AD (Sorry, Entra ID ... stupid naming) a huge hole that allows far too much privilege and backdoors into tenants... especially when using multitenant application manifests.

⚙️ Have you checked out MicroBurst? It's a collection of scripts for assessing Microsoft Azure security. Pay attention to the various blog posts they link to that showcase how to use the scripts against different threat scenarios. Automating Managed Identity Token Extraction in Azure Container Registries is a good example.

🛠️ Have you ever wanted to graphically visualize JSON objects? Then you really need to check out JSON Crack. It works to graph XML, YAML, and CSV too.

📚 Reversing Labs has a good article on the 5 lessons learned from the Hugging Face API token breach. I loved this quote at the end: "You should always assume that every end user is an attacker." So true.

📄 Nordic API shares Why Teamwork Is Crucial to Keep APIs Secure. It's nice to see them call out that the security team needs to be part of the equation early in the development cycle.

💰 I sometimes get emails from you guys about which bug bounty programs include APIs in their scope. Well, apparently BitMart now has an API Bug Bounty Program you can check out. P1 crits are worth $10,000.

🔒 Ever find yourself working with platforms that require you to provide your third-party API keys so they can act on your behalf? You are trusting them to keep your API keys safe and that they do not misuse them. Check out Lockbox if you want to keep control of your API keys. It's a forward proxy for making third-party API calls.

📚 F5 talks about The Case for Integrated App and API Security Strategies. They believe that APIs have grown up and become a separate entity with their own security needs. Do you agree?

Well, that's about it for this monthly review. February is upon us now, and it is time to look forward to a shorter month, even if it is a leap year.

Talk to you in the next newsletter!

Hack hard!

How was this week's newsletter?




You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

☕️ Want to support this free newsletter and my work? Buy me a coffee.

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp 👋

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Happy New Year! 🎉 I trust you had a great holiday season and brought in the New Year with a bang. I don't know about you, but 2023 felt like it went by so quickly. Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies. The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant...

about 2 months ago • 3 min read

Hey friend 👋, Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. 🎄 I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week: Storm watching on Vancouver Island in November When we weren't outside in the chilling cold, we stayed inside and...

3 months ago • 4 min read

This is awkward. You just had a newsletter delivered yesterday... and now you are getting this one. The monthly review doesn't usually fall right after the weekly one... so apologies for hitting your inbox so soon. But it's that time. The era of "pumpkin everything" is ending... and the days of "peppermint everything" are upon us. 🎃 ❄️ I always love this time of the year. The change in season always makes me happy. The leaves turn to crimson and gold, and I can start drinking hot chocolate...

4 months ago • 3 min read
Share this post