🗓️ The API Hackers' Month in Review - July 2024 👀


Hey friend 👋,

Summer is in full swing. Sunburns are in full effect. Wildfires are fully engulfing our forests. And the hottest thing yet... the latest Deadpool movie finally hit theatres.

I get it. You probably have been really busy in July. I know I was. Five articles. Three presentations. And one research paper that included a new custom Burp extension that I'm not allowed to talk about. (Ya, it's that dark. And pure Kotlin code).

Speaking of "dark", I read a really interesting book in July. Called "Dark Wire", it covers a fascinating true story of the largest worldwide sting operation that actually started in my backyard here in Vancouver, Canada.

It's all about encrypted phones, privacy, and how the criminal element trusts technology far too much... which led law enforcement agencies from around the world to band together and stop everything from drug deals to murders. How? By creating their own fake company that offered encrypted phones and a network... all backdoored with APIs that let law enforcement mirror and read all the encrypted data.

I don't want to spoil it for you, but let's just say there are a bunch of interesting twists in the story. And some interesting insights into how some agencies play the long game with investigations and evidence collection.

It's a good read. Highly recommended if you are into that kinda thing. It will get you rethinking trust in everything from Signal to iPhone E2E encryption. Get out your tinfoil hats... and start worrying about everything "covert".

Speaking of covert, a few articles in July may fit the bill. Let's take a look at them...


Articles in July

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ I showed you how to weaponize API discovery metadata to improve your recon of the APIs you are hacking or conducting security testing on.

2️⃣ You learned how to use Param Miner to find hidden parameters that may help manipulate an API in unintended ways, revealing potential security flaws.

3️⃣ You were taught how to fuzz JSON to find security vulnerabilities in the APIs you are hacking with the help of a custom wordlist and Param Miner.

4️⃣ I shared with you some of my research on how to conduct covert data exfiltration within JSON payloads of an API response.

5️⃣ You were given a way to map MITRE CAPEC attack patterns to STRIDE threat model categories and improve your approach to security testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Industry News

💰 Imperva reports that 68% of organizations surveyed experienced an API security breach that cost over $1 million. It forces the question as to Why API Security Is a Growing Concern for CISOs in 2024.

🤔 PortSwigger just keeps making Burp Suite better. They've unlocked enhanced API scanning in the latest version. One of the more interesting new capabilities is the ability to scan APIs that require endpoint authentication. Unfortunately, it requires Burp Suite Enterprise.

🛠️ Have you checked out how to deploy a production API and gateway with APIOps using Argo CD and ngrok? Ngrok's API gateway keeps adding capabilities. Interesting stuff for testing when you need to expose an API temporarily.

🤐 You need to read this writeup from Salt Security on the Life360 breach. This quote made me laugh... "When attempting to login to a life360 account on Android, the login endpoint would return the first name and phone number of the user; this existed only in the API response and was not visible to the user"

📖 Eric asks, for API security, Is Authorization the Biggest Threat? There is a reason why broken object-level authorization (BOLA) is #1 on the OWASP API Security Top 10. It is.

☠️ Now this is interesting. Attackers are abusing older versions of Selenium WebDriver APIs exposed on the Internet for illicit cryptocurrency mining. Nothing like turning the tables on an automated testing framework and weaponizing it. Imagine the damage potential beyond crypto-mining.

📰 StackHawk announced that they have enhanced API discovery with HawkAI to revolutionize security testing for modern applications. HawkAI basically prioritizes your apps and APIs for security testing and keeps you up to date on your attack surface coverage as code changes.

💣 Have you heard about Cross Fork Object Reference (CFOR)? Truffle Security has published some research that shows a design flaw in GitHub repositories that allows indefinite access to data from deleted and private repositories. F*ck.

🤯 Wow. Docker fixes a critical 5-year-old authentication bypass flaw... that's a regression. Ouch! Lesson to learn here is to regularly run your regression testing against old security vulns that have been fixed.


Well, that's it for this monthly review. Before I let you go, I know as cinephiles we may not always agree as to what the best movies are.

But, could we agree on this...

OK, maybe not. Watch both. Squint, think hard, and then let me know your thoughts. 🤣

Cya in the next newsletter!

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

