The API Hackers' Month in Review - March 2024
Published 4 months ago • 4 min read
Hey friend,
It's April already!!
I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food...
If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!!
Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about.
I can't stress enough how important this topic is.
I've known for some time that there were data brokers selling location data. But I never clued into the use case where the US government was funding companies to update their SDKs in a way that allows them to turn your favorite mobile apps into SIGINT sensors, which can be cross-referenced with other data sources like ad-tech to map where you are and who you associate with.
Speaking of reading, I am merging the weekly newsletter with the monthly review since they pretty much fall on the same day. So let's get right to it!
Latest Article
I get asked quite a bit about how I go about building API security tests. Some people don't even realize that Postman includes a powerful sandbox that allows you to write API security tests in JavaScript and execute them directly against your targets.
I thought I could address this, so I wrote The Beginners Guide to Writing API Security Tests in Postman. It includes practical, real-world advice on how to build and organize your own security tests right in the tool. It even discusses how to leverage the Postman Collection Runner to run full test plans and how to use Newman to automate all this so you can establish continuous security testing.
Check out the beginners' guide and let me know what you think!
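As an added illustration (my own example, not code from the guide or from Postman), here is the shape a Postman sandbox security test script can take: the checks live in a pure function so they can also be run under Node against a constructed response, and the `pm.test` wiring only runs inside Postman. The header and body heuristics are assumptions chosen for the example, not a standard.

```javascript
// Added example, not from the article: security assertions written the way a
// Postman "Tests" script would express them, with the checks kept as a pure
// function so the same logic runs under Node for this illustration.
function securityChecks(resp) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers || {})) h[k.toLowerCase()] = v;
  const body = resp.body || "";
  return {
    noServerError: resp.status < 500,                              // no 5xx
    jsonContentType: /^application\/json/i.test(h["content-type"] || ""),
    nosniff: (h["x-content-type-options"] || "").toLowerCase() === "nosniff",
    noServerBanner: !/\d/.test(h["server"] || ""),                 // no version in Server
    noStackTrace: !/(Traceback|at .+\(.+:\d+:\d+\)|Exception)/.test(body),
    noStoreCache: /no-store/i.test(h["cache-control"] || ""),      // API data not cached
  };
}

// Names of the checks that failed for a response; empty array means all passed.
function failedChecks(resp) {
  return Object.entries(securityChecks(resp)).filter(([, ok]) => !ok).map(([n]) => n);
}

// Inside the Postman sandbox, register one pm.test per check so results show in
// the Collection Runner and Newman (assumed Postman API: pm.response, pm.test, pm.expect).
if (typeof pm !== "undefined") {
  const headers = {};
  pm.response.headers.each((hdr) => { headers[hdr.key] = hdr.value; });
  const results = securityChecks({ status: pm.response.code, headers, body: pm.response.text() });
  for (const [name, ok] of Object.entries(results)) {
    pm.test(`security: ${name}`, () => pm.expect(ok, name).to.be.true);
  }
}

// Constructed sample response (not a real capture) for running this outside Postman.
const sampleResponse = {
  status: 500,
  headers: { "Content-Type": "text/html", Server: "Apache/2.4.41", "Cache-Control": "no-store" },
  body: "<pre>Traceback (most recent call last): ...</pre>",
};
```

Paste the block into a request's Tests tab and every failing check becomes a red test in the Runner output.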
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Pro Tip of the Week
In my article on the 5 mistakes beginners make during app recon, I talked about the fact you should record your walk-through of the app and try to save it as an HTTP archive (HAR) so you can review it later.
A HAR is more valuable than you can imagine. You can use the recorded data to generate your own rogue API docs - which is useful if your target doesn't publish up-to-date API documentation.
But how do you produce a HAR file from within Burp Suite?
Before you walk the app, make sure you have the Logger++ extension installed from the BApp Store so you can properly log all the traffic.
Then, all you need to do is go to the Logger++ tab, highlight the requests you want to export, right-click on the log pane, and select Export entries as... > Export # entries as HAR.
The extension will do all the work to produce a HAR v1.2-compatible export for you.
[Screenshot: Exporting requests/responses from Burp Suite into a HAR file]
From there, you can use the HAR file with tools like mitmproxy2swagger to automagically reverse-engineer your target REST APIs via captured traffic in Burp Suite... outputting the results into an OAS3-compatible API spec doc.
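To show what "rogue API docs" from a HAR look like, here is an added example (mine, not mitmproxy2swagger's code) that reads the request/response fields of a HAR v1.2 export and emits a minimal OpenAPI 3 skeleton; the HAR fragment is constructed, and collapsing numeric or UUID-like segments to `{id}` is my assumption about how to merge paths.

```javascript
// Added example, not from the article: HAR v1.2 -> minimal OpenAPI 3 skeleton.
// Reads log.entries[].request.{method,url,queryString,postData} and response.status.

// Collapse identifier-looking path segments so /users/42 and /users/43 merge.
function normalisePath(pathname) {
  return pathname
    .split("/")
    .map((seg) => (/^\d+$/.test(seg) || /^[0-9a-f-]{32,36}$/i.test(seg) ? "{id}" : seg))
    .join("/");
}

function harToOpenApi(har, title = "Rogue API docs") {
  const paths = {};
  const servers = new Set();
  for (const { request, response } of har.log.entries) {
    const url = new URL(request.url);
    servers.add(url.origin);
    const path = normalisePath(url.pathname);
    const method = request.method.toLowerCase();
    paths[path] = paths[path] || {};
    const op = (paths[path][method] = paths[path][method] || { parameters: [], responses: {} });
    // Query-string keys become query parameters, deduplicated by name.
    for (const q of request.queryString || []) {
      if (!op.parameters.some((p) => p.name === q.name)) {
        op.parameters.push({ name: q.name, in: "query", schema: { type: "string" } });
      }
    }
    // Record the request body media type when the capture includes one.
    if (request.postData && request.postData.mimeType) {
      op.requestBody = { content: { [request.postData.mimeType.split(";")[0].trim()]: {} } };
    }
    op.responses[String(response.status)] = { description: response.statusText || "" };
  }
  return {
    openapi: "3.0.3",
    info: { title, version: "0.1" },
    servers: [...servers].map((u) => ({ url: u })),
    paths,
  };
}

// Constructed HAR fragment (not a real capture) with just the fields read above.
const sampleHar = { log: { version: "1.2", entries: [
  { request: { method: "GET", url: "https://api.example.test/v1/users/42?expand=roles",
      queryString: [{ name: "expand", value: "roles" }] }, response: { status: 200, statusText: "OK" } },
  { request: { method: "GET", url: "https://api.example.test/v1/users/43", queryString: [] },
    response: { status: 404, statusText: "Not Found" } },
  { request: { method: "POST", url: "https://api.example.test/v1/users", queryString: [],
      postData: { mimeType: "application/json; charset=utf-8", text: "{}" } },
    response: { status: 201, statusText: "Created" } },
] } };
```

Feed the output to `JSON.stringify` and you have a starting spec you can load into Postman or Swagger UI and refine by hand.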
ngrok has introduced JWT validation to their developer-defined API gateway. I'm not sure I'd be offloading API protection to ngrok's global network. But it's interesting to see them add this to their toolchain anyway.
Did you check out JNV yet? It's designed for navigating JSON, offering an interactive JSON viewer and jq filter editor in a nice small package. It's pretty slick.
Well, that's it for this monthly review. With April upon us, let's keep an eye on our Oreos, lest they taste more 'minty' than chocolatey. Here's to a month of sweet security research.
Talk to you in the next newsletter.
Hack hard! Dana
You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).
I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading.