🗓️ The API Hackers' Month in Review - January 2024 👀


Hey friend 👋,

Wow. January has come and gone in the blink of an eye.

Did you try a "dry" January and skip the alcohol? They say it's good for the skin...

Does Bailey's Irish Cream in the hot cocoa count? Whoops.

Grogu I am not.

I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how even dirty cops can quickly turn to the dark side when digital money is dangled in front of them.

I've always wondered why people thought Bitcoin would allow for anonymous transactions when the whole point of the blockchain is to ensure verified transactions. Andy Greenberg does an excellent job of telling the story of how law enforcement was able to trace transactions back to the originating party and find how digital currency flows in the dark underbelly of the Internet.

It's worth reading if watching an astonishing saga of criminal empires built and destroyed unveiled in front of your eyes is interesting to you.


Articles in January

I've been getting back into the swing of things for the articles in January. Here is a glimpse of what you were sent last month...

1️⃣ You learned how to exploit an API using Structured Format Injection (SFI) through Server-Side Parameter Pollution (SSPP).

2️⃣ I shared my predictions on what API security might look like in 2024, as part of the #apifutures project.

3️⃣ You were given a simple guide to learn how to use NoSQL injection to bypass the authentication in the APIs you are testing.

4️⃣ You were shown how to test the limits of APIs that rely on rate-limiting security controls to prevent disasters, and how forgoing this testing is in itself a disaster.

5️⃣ You were taught how to write Bambda filters in Burp Suite that can automatically detect uncommon headers in the APIs you are testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

Do you hack while using multiple monitors? Have you ever had a need to look at more than one of Burp Suite's tools at the same time?

Yep. Me too.

There is a powerful window/view management feature in Burp Suite you should know about that can help here.

Right-click on any tool tab, and select "Detach tab"...

You can then move that tab to a separate monitor while you continue to use the rest of Burp Suite on the other monitor.

When you want to reattach it, you just need to click the icon on the detached window...

I usually work with three monitors, where I can have Burp's Chromium browser on one monitor, the main Burp Suite app on a second, and the current tool I am working in (usually Repeater or Intruder) on the third monitor. This concept of docking and undocking tool tabs like this is really helpful.

YMMV of course.

Give it a try and see how much more productive you might be! 🎉


Industry News

🤔 Over on Mastodon, there is a conversation going on about Postman being used as a watering hole for leaked credentials. Because of its new model to save everything in the cloud and make it way too sharable, it's literally a concentrator for accidental token exposure. What do you think?

⚔️ I love this description of attack paths in Azure using weaknesses in API permissions. I've always found application permissions in Azure AD (sorry, Entra ID ... stupid naming) a huge hole that allows far too much privilege and backdoors into tenants... especially when using multitenant application manifests.

⚙️ Have you checked out MicroBurst? It's a collection of scripts for assessing Microsoft Azure security. Pay attention to the various blog posts they link to that showcase how to use the scripts against different threat scenarios. Automating Managed Identity Token Extraction in Azure Container Registries is a good example.

🛠️ Have you ever wanted to graphically visualize JSON objects? Then you really need to check out JSON Crack. It works to graph XML, YAML, and CSV too.

📚 Reversing Labs has a good article on the 5 lessons learned from the Hugging Face API token breach. I loved this quote at the end: "You should always assume that every end user is an attacker." So true.

📄 Nordic API shares Why Teamwork Is Crucial to Keep APIs Secure. It's nice to see them call out that the security team needs to be part of the equation early in the development cycle.

💰 I sometimes get emails from you guys about which bug bounty programs include APIs in their scope. Well, apparently BitMart now has an API Bug Bounty Program you can check out. P1 crits are worth $10,000.

🔒 Ever find yourself working with platforms that require you to provide your third-party API keys so they can act on your behalf? You are trusting them to keep your API keys safe and that they do not misuse them. Check out Lockbox if you want to keep control of your API keys. It's a forward proxy for making third-party API calls.

📚 F5 talks about The Case for Integrated App and API Security Strategies. They believe that APIs have grown up and become a separate entity with their own security needs. Do you agree?


Well, that's about it for this monthly review. February is upon us now, and it is time to look forward to a shorter month, even if it is a leap year.

Talk to you in the next newsletter!

Hack hard!
Dana

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏
