Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
The API Hackers' Month in Review - June 2024
Published 5 months ago • 5 min read
Hey friend,
WTF, where did June go? I swear I blinked, and it was gone.
Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud.
(Sorry... couldn't resist. 🇨🇦)
In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK.
What I have been reading lately is probably more interesting to you than my sophisticated palate for cookies.
Recently, friends in the API security community have been madly writing books to help us all. Colin Domoney recently released "Defending APIs", and Confidence Staveley published "API Security for White Hat Hackers".
Both books are great. For different reasons.
Colin's book is a must-read for anyone building APIs. It's packed with practical tips and real-world examples that make securing APIs straightforward and approachable. He breaks down complex security concepts into easy-to-understand advice that you can apply right away.
Whether you're a developer, tester, or security pro, this book will boost your confidence and skills in protecting your APIs. It's not just informative; it's an enjoyable read.
Of course, my favourite part was the section on Attacking APIs. Yeah, I'm biased. And I do appreciate Colin mentioning some of my work. Thanks Colin!
Confidence's book gave me similar vibes.
Her book is a fantastic guide for anyone passionate about API hacking and securing APIs. Her writing is engaging and accessible, making complex security topics easy to grasp. The book is filled with practical insights and hands-on techniques that you can immediately put to use.
Of course her section on Offensive API Hacking was my jam. Are you surprised?
The only problem with both books is that they left me wanting more. Don't get me wrong, these are important texts to get people into API security. But I felt there may have been too much to cover, leaving some of the content simplistic and not covered in enough depth.
I dunno. People keep telling me I need to write a book on it. What do you think? Would you buy a book dedicated to Offensive API Hacking from me? If so, respond to this email and let me know.
Speaking of writing... time to get back to the newsletter...
Latest Article
API discovery is a thing.
Articles on API security often highlight that finding and documenting APIs is crucial for understanding an organization's attack surface.
Developers have spent years arguing about the best methods to implement this. No one standard has been widely adopted... yet.
I say we shouldn't wait for API builders and evangelists to figure out the "right way" to do it.
In this week's article, I demonstrate how I used two popular specifications for API discovery metadata to detect and catalog APIs and then weaponized the information for my own recon process during security testing.
P.S. I have open sourced the API Discovery Burp Suite extension I wrote to detect API discovery metadata. Feel free to contribute new code to improve it!!
(It can use all the help you can give)
Articles in June
Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...
1️⃣ I shared with you the concept of Human Application Security Testing (HAST), and why it's an important part of your work as an API hacker. While SAST and DAST are indeed important, talking about "manual testing" doesn't do justice to what HAST can provide.
2️⃣ You were taught about the 7 Deadly Sins of API Security Testing, and even got a chance to see the presentation I did at APISEC|CON about it.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Industry News
I really liked how Matthew wrote about API Insecurity: Lessons from the Cox Modem Breach. He explored Sam Curry's post about finding vulnerabilities in Cox modems, and highlighted four API security lessons we can all learn from the research.
⚙️ Do you ever work with Ruby projects? Then GitHub has a blog post for you. You will want to learn how unsafe deserialization vulns work in Ruby, and how an attacker can execute commands by sending JSON.
🛠️ Here is an interesting article on Tools to Discover Shadow APIs. Lots of different ways to do it. That's why API discovery metadata will eventually become a thing, which is what my article this week was all about.
💸 When investors hear AI and API in the same sentence, they seem to have a Pavlovian response. Case in point, 2 high school teens raised a $500K seed round for their API startup (yes, it's AI). Codenamed APIGen, they are working on a platform that will build custom APIs from natural language prompts. *sigh* Guess it is job security for us.
💰 Speaking of funding, did you hear that PortSwigger raised $112 million to fund growth? While they have been cash flow positive for some time, the market is expanding and they want to as well. Don't blame them. Just hope they don't water down Burp Suite with unnecessary features to meet edge case demands of the market.
🔥 Got an Asus router? You will want to check out this article and see if your model is vulnerable to several critical security vulnerabilities that allow an attacker to remotely take over your device. Patch yer stuff people!
Well, that's about it for this week. To my fellow Canadians, hope you had a great and relaxing Canada Day celebration.
For my American friends who will be celebrating July 4th in a few days, Happy Independence Day. I do hope you can relax and enjoy the holiday...
... you just won't be able to do it with a REAL Canadian hammock or beer. 🤣 🍺
(BTW, please give us back our Stanley Cup!!)
To everyone else in the inner circle from around the world, have a great week too! Cheers! 🍻
Hack hard! Dana
ABOUT
You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).
🎧 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading.
⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!