๐Ÿ—“๏ธ The API Hackers' Month in Review - June 2024 ๐Ÿ‘€


Hey friend ๐Ÿ‘‹,

WTF, where did June go? I swear I blinked, and it was gone.

Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud.

(Sorry... couldn't resist. ๐Ÿ‡จ๐Ÿ‡ฆ)

In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK.

What I have been reading lately is probably more interesting to you than my sophisticated palette for cookies.

Recently friends in the API security community have been out madly writing books to help us all. Colin Domoney recently released "Defending APIs", and Confidence Staveley published "API Security for White Hat Hackers".

Both books are great. For different reasons.

Colinโ€™s book is a must-read for anyone building APIs. Itโ€™s packed with practical tips and real-world examples that make securing APIs straightforward and approachable. He breaks down complex security concepts into easy-to-understand advice that you can apply right away.

Whether youโ€™re a developer, tester, or security pro, this book will boost your confidence and skills in protecting your APIs. Itโ€™s not just informative; itโ€™s an enjoyable read.

Of course, my favourite part was the section on Attacking APIs. Yeah, I'm biased. And I do appreciate Colin mentioning some of my work. Thanks Colin!

Confidence's book gave me similar vibes.

Her book is a fantastic guide for anyone passionate about API hacking and securing APIs. Her writing is engaging and accessible, making complex security topics easy to grasp. The book is filled with practical insights and hands-on techniques that you can immediately put to use.

Of course her section on Offensive API Hacking was my jam. Are you surprised? ๐Ÿ˜ˆ

The only problem with both books is that it left me wanting more. Don't get me wrong, these are important texts to get people into API security. But I felt there may have been too much to cover, leaving the content simplistic and not covered enough in depth.

I dunno. People keep telling me I need to write a book on it. What do you think? Would you buy a book dedicated to Offensive API Hacking from me? If so, respond to this email and let me know.

Speaking of writing... time to get back to the newsletter...


Latest Article

API discovery is a thing.ย 

Articles on API security often highlight that finding and documenting APIs is crucial for understanding an organizationโ€™s attack surface.

Developers have spent years arguing about the best methods to implement this. No one standard has been widely adoptedโ€ฆ yet.

I say we shouldnโ€™t wait for API builders and evangelists to figure out the โ€œright wayโ€ to do it.

In this week's article, I demonstrate how I used two popular specifications for API discovery metadata to detect and catalog APIs and then weaponized the information for my own recon process during security testing.

P.S. I have open sourced the API Discovery Burp Suite extension I wrote to detect API discovery metadata. Feel free to contribute new code to improve it!!

(It can use all the help you can give)


Articles in June

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1๏ธโƒฃ I shared with you the concept of Human Application Security Testing (HAST), and why it's an important part of your work as an API hacker. While SAST and DAST are indeed important, talking about "manual testing" doesn't do the service of what HAST can provide.

2๏ธโƒฃ You were taught about the 7 Deadly Sins of API Security Testing, and even got a chance to see the presentation I did at APISEC|CON about it.

3๏ธโƒฃ You got to explore 3 ways to improve appsec code auditing with graudit and learned how to quickly conduct static code analysis to find the most impactful security vulnerabilities.

4๏ธโƒฃ You learned why HTTPie is a great replacement for curl and how to use it when conducting your own API security testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Industry News

๐Ÿ“š I really liked how Matthew wrote about the API Insecurity: Lessons from the Cox Modem Breach. He explored Sam Curry's post about finding vulnerabilities in Cox modems, and highlights four API security lessons we can all learn from the research.

โš”๏ธ Do you ever work with Ruby projects? Then GitHub has a blog post for you. You will want to learn how unsafe deserialization vulns work in Ruby, and how you can execute commands by sending JSON.

๐Ÿ“– Marco over at Kong shares Top 9 API Security Vulnerabilities: How to Defend Against Them. He explores some of the most common API vulnerabilities seen today, how theyโ€™re being targeted by cybercriminals, and how they can be addressed.

๐Ÿ› ๏ธ Here is an interesting article on Tools to Discover Shadow APIs. Lots of different ways to do it. That's why API discovery metadata will eventually become a thing. Which was what my article this week was all about.

๐Ÿ’ธ When investors hear AI and API in the same sentence, they seem to have a Pavlovian response. Case in point, 2 high school teens raised a $500K seed round for their API startup (yes, itโ€™s AI). Codenamed APIGen, they are working on a platform that will build custom APIs from natural language prompts. *sigh* Guess it is job security for us.

๐Ÿ’ฐ Speaking of funding, did you hear that PortSwigger raised $112 million to fund growth? While they have been cash flow positive for some time, the market is expanding and they want to as well. Don't blame them. Just hope they don't water down Burp Suite with unnecessary features to meet edge case demands of the market.

๐Ÿค– Nordic APIs writes about Using Hacking APIs GPT for API Security Testing. When Corey first announced he was building his own bot, I wondered how long it would take vendors to jump on the bandwagon. I like Jason's Haddix's approach to his Offensive Security Arcanum CyberSecurity bot, but that might just because he showed me what was under the cover with his prompts.

๐Ÿค” The folks at Critical Thinking have a great Twitter thread on using Match and Replace in your next hunt. Some good gems in there to think about.

๐Ÿ’ฅ Got an Asus router? You will want to check out this article and see if your model is vulnerable to several critical security vulnerabilities that allow an attacker to remotely take over your device. Patch yer stuff people!


Well, that's about it for this week. To my fellow Canadians, hope you had a great and relaxing Canada Day celebration.

For my American friends who will be celebrating July 4th in a few days, Happy Independence Day. I do hope you can relax and enjoy the holiday...

... you just won't be able to do it with a REAL Canadian hammock or beer. ๐Ÿคฃ ๐Ÿบ

(BTW, please give us back our Stanley Cup!!)

To everyone else in the inner circle from around the world, have a great week too! Cheers! ๐Ÿป

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

๐Ÿง  I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. ๐Ÿ™

โฉ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

๐Ÿ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

โ€‹

โ˜•๏ธ Want to support this free newsletter and my work? Buy me a coffee.

๐Ÿคฏ Want some expert advice? Book a 1:1 session with me.

โ€‹

Is this newsletter not right for you? You can unsubscribe here.

๐Ÿ˜ˆ The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from ๐Ÿ˜ˆ The API Hacker Inner Circle

Hey friend ๐Ÿ‘‹, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

Hey friend ๐Ÿ‘‹, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. ๐Ÿคข It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...

Hey friend ๐Ÿ‘‹, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! ๐Ÿคข Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...