Hey friend 👋,
Summer is in full swing. Sunburns are in full effect. Wildfires are fully engulfing our forests. And the hottest thing yet... the latest Deadpool movie finally hit theatres.
I get it. You probably have been really busy in July. I know I was. Five articles. Three presentations. And one research paper that included a new custom Burp extension that I'm not allowed to talk about. (Ya, it's that dark. And pure Kotlin code).
Speaking of "dark", I read a really interesting book in July. Called "Dark Wire", it covers a fascinating true story of the largest worldwide sting operation that actually started in my backyard here in Vancouver, Canada.
It's all about encrypted phones, privacy, and how the criminal element trusts technology far too much... which led law enforcement agencies from around the world to band together and stop everything from drug deals to murders. How? By creating their own fake company that offered encrypted phones and a network... all backdoored with APIs that let law enforcement mirror and read all the encrypted data.
I don't want to spoil it for you, but let's just say there are a bunch of interesting twists in the story. And some interesting insights into how some agencies play the long game with investigations and evidence collection.
It's a good read. Highly recommended if you are into that kinda thing. It will get you rethinking trust in everything from Signal to iPhone E2E encryption. Get out your tinfoil hats... and start worrying about everything "covert".
Speaking of covert, a few articles in July may fit the bill. Let's take a look at them...
Articles in July
Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...
1️⃣ I showed you how to weaponize API discovery metadata to improve your recon of the APIs you are hacking or conducting security testing on.
2️⃣ You learned how to use Param Miner to find hidden parameters that may help manipulate an API in unintended ways, revealing potential security flaws.
3️⃣ You were taught how to fuzz JSON to find security vulnerabilities in the APIs you are hacking with the help of a custom wordlist and Param Miner.
4️⃣ I shared with you some of my research on how to conduct covert data exfiltration within JSON payloads of an API response.
5️⃣ You were given a way to map MITRE CAPEC attack patterns to STRIDE threat model categories and improve your approach to security testing.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Industry News
💰 Imperva reports that 68% of organizations surveyed experienced an API security breach that cost over $1 million. It forces the question as to Why API Security Is a Growing Concern for CISOs in 2024.
🤔 PortSwigger just keeps making Burp Suite better. They've unlocked enhanced API scanning in the latest version. One of the more interesting new capabilities is the ability to scan APIs that require endpoint authentication. Unfortunately, it requires Burp Suite Enterprise.
🛠️ Have you checked out how to deploy a production API and gateway with APIOps using Argo CD and ngrok? Ngrok's API gateway keeps adding capabilities. Interesting stuff for testing when you need to expose an API temporarily.
🤐 You need to read this writeup from Salt Security on the Life360 breach. This quote made me laugh... "When attempting to login to a life360 account on Android, the login endpoint would return the first name and phone number of the user; this existed only in the API response and was not visible to the user"
📖 Eric asks that for API security, Is Authorization the Biggest Threat? There is a reason why broken object-level authorization (BOLA) is #1 on the OWASP API Security Top 10. It is.
☠️ Now this is interesting. Attackers are abusing older versions of Selenium WebDriver APIs exposed on the Internet for illicit cryptocurrency mining. Nothing like turning the tables on an automated testing framework and weaponizing it. Imagine the damage potential that COULD be abused beyond crypto-mining.
📰 StackHawk announced that they have enhanced API discovery with HawkAI to revolutionize security testing for modern applications. HawkAI basically prioritizes your apps and APIs for security testing and keeps you up to date on your attack surface coverage as code changes.
💣 Have you heard about Cross Fork Object Reference (CFOR)? Truffle Security has published some research that shows a design flaw in GitHub repositories that allows indefinite access to data from deleted and private repositories. F*ck.
🤯 Wow. Docker fixes a critical 5-year-old authentication bypass flaw... that's a regression. Ouch! Lesson to learn here is to regularly run your regression testing against old security vulns that have been fixed.
Well, that's it for this monthly review. Before I let you go, I know as cinephiles we may not always agree as to what the best movies are.
But, could we agree on this...
OK, maybe not. Watch both. Squint, think hard, and then let me know your thoughts. 🤣
Cya in the next newsletter!
Hack hard!
Dana
How was this week's newsletter?
YOU DID GREAT | DO BETTER