Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
Hey friend 👋,

Wow. January has come and gone in the blink of an eye. Did you try a "dry" January and skip the alcohol? They say it's good for the skin... Does Baileys Irish Cream in the hot cocoa count? Whoops. Grogu I am not.

I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how even dirty cops can quickly turn to the dark side when digital money is dangled in front of them.

I've always wondered why people thought Bitcoin would allow for anonymous transactions when the whole point of the blockchain is to ensure verified transactions. Andy Greenberg does an excellent job of telling the story of how law enforcement was able to trace transactions back to the originating party and find how digital currency flows in the dark underbelly of the Internet. It's worth reading if watching an astonishing saga of criminal empires built and destroyed unveiled in front of your eyes is interesting to you.

Articles in January

I've been getting back into the swing of things for the articles in January. Here is a glimpse of what you were sent last month...

1️⃣ You learned how to exploit an API using Structured Format Injection (SFI) through Server Side Parameter Pollution (SSPP).
2️⃣ I shared my predictions on what API security might look like in 2024, as part of the #apifutures project.
3️⃣ You were given a simple guide to learn how to use NoSQL injection to bypass the authentication in the APIs you are testing.
4️⃣ You were shown how to test the limits of APIs that have rate-limiting security controls to prevent disasters, and how foregoing this testing is in itself a disaster.
5️⃣ You were taught how to write Bambda filters in Burp Suite that can automatically detect uncommon headers in the APIs you are testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!

Pro Tip

Do you hack while using multiple monitors? Have you ever had a need to look at more than one of Burp Suite's tools at the same time? Yep. Me too. There is a powerful window/view management feature in Burp Suite you should know about that can help here.

Right-click on any tool tab, and select "Detach tab"... You can then move that tab to a separate monitor while you continue to use the rest of Burp Suite on the other monitor. When you want to reattach it, you just need to click the icon on the detached window...

I usually work with three monitors, where I can have Burp's Chromium browser on one monitor, the main Burp Suite app on a second, and the current tool I am working in (usually Repeater or Intruder) on the third monitor. This concept of docking and undocking tool tabs like this is really helpful. YMMV of course. Give it a try and see how much more productive you might be! 🎉

Industry News

🤔 Over on Mastodon, there is a conversation going on about Postman being used as a watering hole for leaked credentials. Because of its new model to save everything in the cloud and make it way too sharable, it's literally a concentrator for accidental token exposure. What do you think?

⚔️ I love this description of attack paths in Azure using weaknesses in API permissions. I've always found application app perms in Azure AD (Sorry, Entra ID ... stupid naming) a huge hole that allows far too much privilege and backdoors into tenants... especially when using multitenant application manifests.

⚙️ Have you checked out MicroBurst? It's a collection of scripts for assessing Microsoft Azure security. Pay attention to the various blog posts they link to that showcase how to use the scripts against different threat scenarios. Automating Managed Identity Token Extraction in Azure Container Registries is a good example.

🛠️ Have you ever wanted to graphically visualize JSON objects? Then you really need to check out JSON Crack. It works to graph XML, YAML, and CSV too.

📚 ReversingLabs has a good article on the 5 lessons learned from the Hugging Face API token breach. I loved this quote at the end: "You should always assume that every end user is an attacker." So true.

📄 Nordic APIs shares Why Teamwork Is Crucial to Keep APIs Secure. It's nice to see them call out that the security team needs to be part of the equation early in the development cycle.

💰 I sometimes get emails from you guys about which bug bounty programs include APIs in their scope. Well, apparently BitMart now has an API Bug Bounty Program you can check out. P1 crits are worth $10,000.

🔒 Ever find yourself working with platforms that require you to provide your third-party API keys so they can act on your behalf? You are trusting them to keep your API keys safe and that they do not misuse them. Check out Lockbox if you want to keep control of your API keys. It's a forward proxy for making third-party API calls.

📚 F5 talks about The Case for Integrated App and API Security Strategies. They believe that APIs have grown up and become a separate entity with their own security needs. Do you agree?

Well, that's about it for this monthly review. February is upon us now, and it is time to look forward to a shorter month, even if it is a leap year. Talk to you in the next newsletter!

Hack hard!