
😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - January 2025 πŸ‘€


Hey friend 👋,

Is it just me, or did it just feel like January would never end? You know it's slow when you've debugged your entire life in between sips of coffee - and realize you still haven't hit February yet.

But February is now upon us. It's the best month since you can buy chocolate for half off... on February 15th, and get wasted.

(Don't tell my trainer... *lol*)

In all honesty, part of January's seemingly slow doldrum comes from some of the reading and research I've been up to.

I've been reading "Big Data Surveillance and Security Intelligence: The Canadian Case", which explores how government and private sector actors in Canada leverage big data tech to facilitate unprecedented monitoring capabilities. Through some interesting case studies and policy analysis, it unpacks the tension between national security and individual privacy, making a compelling argument around strong accountability and oversight in this digital age.

This book isn't for everyone. However, if you have an interest in the profound shift to "big data" practices that security agencies have made in recent years in their methodology for gathering intelligence, there are clear insights on the challenges countries in the Five Eyes like Canada face.

I've also been digging into all the CVE data of 2024 looking at the vulnerabilities that have been affecting critical systems in Canada and the United States as of late. During that effort, I came across some interesting work I felt needs to be summarized and shared...


CVE growth in 2024 and how it affects you as a hacker

Jerry Gamblin did an awesome review of the same 2024 CVE data I've been looking at.

In case you don't want to go read his excellent research (which you should), here is a list of the top 15 Common Weakness Enumerations (CWE) that can be extrapolated from all the CVE data that came out of the vulnerabilities reported in 2024.

  1. CWE-79 (XSS)
  2. CWE-89 (SQL injection)
  3. CWE-862 (Missing auth)
  4. CWE-352 (CSRF)
  5. CWE-416 (Use after free)
  6. CWE-125 (OOB read)
  7. CWE-787 (OOB write)
  8. CWE-22 (Path traversal)
  9. CWE-476 (NULL pointer dereference)
  10. CWE-121 (Stack-based buffer overflow)
  11. CWE-78 (Cmd injection)
  12. CWE-200 (Sensitive data exposure)
  13. CWE-20 (Improper input validation)
  14. CWE-434 (Unrestricted file upload with dangerous type)
  15. CWE-120 (Classic buffer overflow)

What does this mean? Read my articles on using CWEs to influence your attack vectors and how to level up your vulnerability reports with CWEs. You can start to piece together a more formalized methodology for approaching your targets during API security testing engagements using this information as inputs to influence your work.
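To see how a CWE ranking like the one above is derived, here is an added example (not Jerry Gamblin's code or anything from the original newsletter) that tallies CWE ids across CVE records in the CVE JSON 5.x shape, where each record's `containers.cna.problemTypes[].descriptions[].cweId` carries the weakness classification. The five records embedded below are constructed samples, not real CVEs; the `load_records` helper assumes the per-file layout of the public cvelistV5 repository (one `CVE-*.json` per record) and is only needed when you run it against a real checkout.

```python
import json
from collections import Counter
from pathlib import Path

# Short names for the CWEs the newsletter lists, used only to label output.
CWE_NAMES = {
    "CWE-79": "XSS", "CWE-89": "SQL injection", "CWE-862": "Missing auth",
    "CWE-352": "CSRF", "CWE-416": "Use after free", "CWE-125": "OOB read",
    "CWE-787": "OOB write", "CWE-22": "Path traversal",
}

def _rec(cve_id, *cwes, extra_desc=None):
    """Build a constructed record in the CVE JSON 5.x shape (sample data)."""
    descs = [{"lang": "en", "cweId": c, "description": CWE_NAMES.get(c, c)} for c in cwes]
    if extra_desc:  # some real records carry a free-text entry with no cweId
        descs.append({"lang": "en", "description": extra_desc})
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"problemTypes": [{"descriptions": descs}]}}}

# Constructed sample corpus: NOT real CVEs.
SAMPLE_RECORDS = [
    _rec("CVE-2024-00001", "CWE-79"),
    _rec("CVE-2024-00002", "CWE-89"),
    _rec("CVE-2024-00003", "CWE-79", "CWE-79"),          # same CWE listed twice
    _rec("CVE-2024-00004", "CWE-862", "CWE-79"),         # two distinct CWEs
    _rec("CVE-2024-00005", extra_desc="n/a"),            # no cweId at all
]

def cwe_ids(record):
    """Yield every cweId the record's CNA container lists (may repeat)."""
    cna = record.get("containers", {}).get("cna", {})
    for problem_type in cna.get("problemTypes", []):
        for desc in problem_type.get("descriptions", []):
            if desc.get("cweId"):
                yield desc["cweId"]

def tally_cwes(records):
    """Count CVEs per CWE, counting each CWE at most once per CVE so a
    record that repeats a CWE in several descriptions is not double counted."""
    counts = Counter()
    for record in records:
        for cwe in set(cwe_ids(record)):
            counts[cwe] += 1
    return counts

def top_cwes(records, n=15):
    """Return the n most frequent CWEs as (cwe, count), ties broken by id
    so the ranking is deterministic."""
    counts = tally_cwes(records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def report(records, n=15):
    """Render the ranking in the same style as the newsletter's list."""
    lines = []
    for rank, (cwe, count) in enumerate(top_cwes(records, n), start=1):
        label = CWE_NAMES.get(cwe, "")
        lines.append(f"{rank}. {cwe} ({label}) - {count} CVEs" if label
                     else f"{rank}. {cwe} - {count} CVEs")
    return "\n".join(lines)

def load_records(root):
    """Assumption: cvelistV5-style checkout with one CVE-*.json per record."""
    for path in Path(root).rglob("CVE-*.json"):
        with open(path, encoding="utf-8") as fh:
            yield json.load(fh)

if __name__ == "__main__":
    print(report(SAMPLE_RECORDS))
    # Against a real checkout: print(report(load_records("cves/2024")))
```

Deduplicating per record matters: a CVE that lists CWE-79 under two descriptions (one per language, or once from the CNA and once from an ADP container if you extend `cwe_ids` to read those) should still count as one XSS vulnerability, or the ranking drifts toward whichever CNAs are most verbose.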


Vibe Check

So I didn't write any new articles in January while I was working on some of my own security research. I'm thinking about where to put my limited time when writing future articles and newsletters.

What are your thoughts?


Industry News

🤖 I found this article on how to build an offensive AI security agent very interesting. It's a neat approach to using AI to help analyze JS for API endpoints and then interrogate those endpoints for potential vulns.

βš™οΈ PortSwigger has a great blog post on it's high-powered extensibility to customize and enhance your API testing.

🧠 Ever wish there was a place to get started in learning AI? Maybe check out this AI crash course. Tons of useful resources that help you to catch up to the public frontier of AI research in 2 weeks.

βš”οΈ Have you heard of LitterBox? It's a sandbox approach for malware developers and red teamers to test payloads against detection mechanisms before deployment.

πŸͺ I love this research from PortSwigger on Stealing HttpOnly cookies with the cookie sandwich technique. I love these abuse techniques to extract sensitive data.

πŸ•΅οΈβ€β™‚οΈ OWASP Noir recently released an update that now includes AI-based functionality and LLM integration. Not familiar with Noir? Check out my article on API Attack Surface Detection using Noir.

🤑 Holy market growth, Batman. According to Precedence Research, the network API market size is expected to accelerate at a CAGR of 47.02% to over $72 billion by 2034. Anyone who tells you that API security testing doesn't matter doesn't account for this sort of growth and expansion. Talk about a target-rich environment.

☠️ Have you tried out JS-Snitch yet? It can scan remote JavaScript files with Trufflehog and Semgrep to detect leaked secrets.

📱 Nothing like a 15-year-old kid reminding you how the curious can make the world tumble. Check out this unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms. Impressive writeup.

📚 Are you into Quantum computing and its security? You might want to check out Palo Alto's QRNG Open API. They are sharing a way to simplify the ability to obtain high quality entropy from an external Quantum Random Number Generator (QRNG) API. Interesting stuff.

🤔 Hmmmm. Who saw this coming? Critical Vulnerability in ChatGPT API Enables Reflective DDoS Attacks.

🤯 Well, this is interesting... FTC Takes Action Against GoDaddy for Alleged Lax Data Security for its website hosting services. Look closely at what FTC is pointing out as failures... "inventory and manage assets and software updates; assess risks in hosted services; lack of logging and monitoring; lack of segmentation in hosted environments". All areas that can easily be abused.


Before I end the monthly newsletter I wanted to call out some special research. Gareth knocked it out of the park this month when he released his insights on Bypassing character blocklists with unicode overflows. It is so simple, which is what makes it so effective.

When I wrote about attacking APIs using JSON injection I included a way to confuse JSON parsers with Unicode special characters and overflows. Gareth is taking that to the next level by using Unicode codepoint truncation (aka Unicode overflows) that can drop in special ASCII characters. Make sure you read his research to understand this for yourself.
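The defender's takeaway from that research is an ordering problem: a blocklist checked on the Unicode string as received says nothing about what a downstream sink sees once it narrows each code point to fewer bits. The added example below (my own illustration, not Gareth's code or anything from PortSwigger) models that with a constructed sink that keeps only the low 8 bits of each code point, shows the naive check passing an input the sink turns into a blocked character, and gives two fixes: reject anything the sink's charset cannot represent losslessly, or run the blocklist on the value after the sink's own conversion. The `lossy_low_byte_sink` function and the sample input are assumptions standing in for whatever conversion a real component performs.

```python
# Blocked characters, as a typical input filter might define them.
BLOCKLIST = frozenset("'\"<>\\")

def naive_is_clean(value: str) -> bool:
    """Blocklist check applied to the Unicode string exactly as received."""
    return not any(ch in BLOCKLIST for ch in value)

def lossy_low_byte_sink(value: str) -> str:
    """Constructed model of a sink that keeps only the low 8 bits of each
    code point (assumption: stands in for any truncating conversion)."""
    return "".join(chr(ord(ch) & 0xFF) for ch in value)

def hardened_is_clean(value: str, sink_charset: str = "ascii") -> bool:
    """Fix 1: refuse anything the sink's charset cannot hold losslessly,
    then run the blocklist on the narrowed value."""
    try:
        narrowed = value.encode(sink_charset).decode(sink_charset)
    except UnicodeEncodeError:
        return False  # not representable without loss: reject, never truncate
    return naive_is_clean(narrowed)

def clean_as_sink_sees(value: str, convert) -> bool:
    """Fix 2: validate the value after the sink's own conversion, so the
    check and the consumer agree on what the bytes are."""
    return naive_is_clean(convert(value))

# Constructed sample: U+0127 has low byte 0x27, which is ASCII apostrophe.
SAMPLE_INPUT = "O\u0127Reilly"
BENIGN_INPUT = "OReilly"

if __name__ == "__main__":
    print("naive check on received value :", naive_is_clean(SAMPLE_INPUT))
    print("what the lossy sink sees      :", lossy_low_byte_sink(SAMPLE_INPUT))
    print("naive check on sink's view    :", naive_is_clean(lossy_low_byte_sink(SAMPLE_INPUT)))
    print("hardened check (fix 1)        :", hardened_is_clean(SAMPLE_INPUT))
    print("check as sink sees (fix 2)    :", clean_as_sink_sees(SAMPLE_INPUT, lossy_low_byte_sink))
```

Fix 1 is the stronger default for an API boundary: if the next hop is ASCII or Latin-1, `errors="strict"` (the default for `str.encode`) turns every unrepresentable code point into a rejection instead of a silent transformation. Fix 2 is for the cases where you cannot change the sink, and it only works if `convert` is faithful to what the sink really does; a mismatch there is exactly the gap the research exploits.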

Until next time...

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏
