profile

😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - March 2024 πŸ‘€

Published 22 days agoΒ β€’Β 4 min read

Hey friend πŸ‘‹,

It's April already!!

I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food...

If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!!

🀒

Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about.

It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State. It’s a creepy reality check about how big tech and the US government are finding ways to get around privacy laws in a post-Snowden world.

I can't stress enough how important this topic is.

I've known for some time that there were data brokers selling location data. But I never clued into the use case where the US government was funding companies to update their SDKs in a way that allows them to turn your favorite mobile apps into SIGINT sensors, which can be cross-referenced with other data sources like ad-tech to map where you are and who you associate with.

Time to turn on some good Weird Al and make a tinfoil hat. Or maybe Party in the CIA.

Read the book. You'll thank me later.

Speaking of reading, I am merging the weekly newsletter with the monthly review since they pretty much fall on the same day. So let's get right to it!


Latest Article

I get asked quite a bit about how I go about building API security tests. Some people don't even realize that Postman includes a powerful sandbox that allows you to write API security tests in Javascript and execute them directly against your targets.

I thought I could address this, so I wrote The Beginners Guide to Writing API Security Tests in Postman. It includes practical, real-world advice on how to build and organize your own security tests right in the tool. It even discusses how to leverage the Postman Collection Runner to run full test plans and how to use Newman to automate all this so you can establish continuous security testing.

Check out the beginners' guide and let me know what you think!


Articles in March

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ You learned how Nuclei can be used for more than vulnerability scanning, and how to leverage it as a tool for your API hacking.

2️⃣ I shared with you 5 more Burp extensions for API hacking. From bypassing WAFs to generating wordlists, it all can help.

3️⃣ You were taught how to improve your recon process with the use of apkleaks to find hidden API servers, secrets, and endpoints embedded in mobile apps.

4️⃣ I showed you how to improve your port scans against API servers through the use of Project Discovery’s Naabu scanner.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip of the Week

In my article on the 5 mistakes beginners make during app recon, I talked about the fact you should record your walk-through of the app and try to save it as an HTTP archive (HAR) so you can review it later.

A HAR is more valuable than you can imagine. You can use the recorded data to generate your own rogue API docs - which is useful if your target doesn't publish up-to-date API documentation.

But how do you produce a HAR file from within Burp Suite?

With the help of the Logger++ extension of course!

Before you walk the app, make sure you have the extension installed from the BApp store so you can properly log all the traffic.

Then, all you need to do is go to the Logger++ tab, highlight the requests you want to export, right-click on the log pane, and select Export entries as... > Export # entries as HAR.

The extension will do all the work to produce a HAR v1.2 compatible export for you.

From there, you can use the HAR file with tools like mitmproxy2swagger to automagically reverse-engineer your target REST APIs via captured traffic in Burp Suite... outputting the results into an OAS3-compatible API spec doc.

Have fun with it!


Industry News

πŸ“– Anthony writes about Shadowy {Operations} from the API underworld.

πŸ› οΈ ngrok has introduced JWT validation to their developer-defined API gateway. I'm not sure I'd be offloading API protection to ngrok’s global network. But it's interesting to see them add this to their toolchain anyway.

πŸͺ„ Have you tried out the Prototype Pollution Gadgets Finder? As the name implies, it's a Burp extension that helps detect and exploit server-side prototype pollution. There is a good writeup about it here. You can also check out my article on How to exploit an API using prototype pollution and try the extension against that PoC vulnerable API I wrote.

πŸ“„ The folks over at 42crunch ask "So, your API has been Breached, Now What?" Although a bit light on content, I like how they are exploring this.

πŸ‘€ Is there a place for β€˜private’ APIs? Good question. What do you think?

πŸ€” Did you check out JNV yet? It's designed for navigating JSON, offering an interactive JSON viewer and jq filter editor in a nice small package. It's pretty slick.

βš™οΈ Here is an interesting resource on Deobfuscating / Unminifying Obfuscated Web App Code. Hat tip to Clint Gibler for sharing this.

πŸ“° It appears that StackHawk is now available directly in the Azure Marketplace.

🧐 Wallarm published some guidance on the Top 4 Essential Strategies for Securing APIs To Block Compromised Tokens.

πŸ“„ I wish more developers followed this guidance, as it would make security testing so much easier... Document your API like a pro: Postman Collection best practices​


Well, that's it for this monthly review. With April upon us, let’s keep an eye on our Oreos, lest they taste more 'minty' than chocolatey. Here's to a month of sweet security research.

Talk to you in the next newsletter.

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

🀯 Want some expert advice? Book a 1:1 session with me.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp πŸ‘‹

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, How is it that in a leap year, February has gone by so fast? One minute it's Valentine's Day, and the next thing you know Leap Day jumps right past us. OK, a day late. But anything relating to quantum can fix that, right? The extra day in February did let me keep up with my reading. I've been reading The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. The book explores the profound impact of cyber warfare on global politics, detailing how state-sponsored...

about 2 months agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, Wow. January has come and gone in the blink of an eye. Did you try a "dry" January and skip the alcohol? They say it's good for the skin... Does Bailey's Irish Cream in the hot cocoa count? Whoops. Grogu I am not. I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how...

3 months agoΒ β€’Β 4 min read

Happy New Year! πŸŽ‰ I trust you had a great holiday season and brought in the New Year with a bang. I don't know about you, but 2023 felt like it went by so quickly. Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies. The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant concerns...

4 months agoΒ β€’Β 3 min read
Share this post