Hey friend 👋,
Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up.
I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this...
I got a chuckle from that.
And then Viktor shared with me a new flavor he came across...
WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these days.
Keep them coming. I love seeing the funny memes and weird Oreo flavors. You can reply to any of my newsletters and send over what you find. I love to read them.
Speaking of reading, May was a bit different for me. At this year's BSides Vancouver, Micah Lee was keynoting, and I decided to grab his book entitled "Hacks, Leaks, and Revelations. The Art of Analyzing Hacked and Leaked Data" before the conference.
I wasn't sure what to expect.
I was pleasantly surprised.
Drawing from his extensive experience, Lee provides some great insights into safeguarding sources and securely handling sensitive information, making this a must-read for anyone looking to navigate the complex world of digital investigative journalism.
The practical Python, tied in with real-world case studies, made it interesting. A word of warning, though: the book is a tomb — over 500 pages — not a short read.
Speaking of short reads, let's get to the monthly review of the articles and research I've been working on...
Articles in May
Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...
1️⃣ I shared my feelings on How Bug Hunter Arrogance and Apathy Hurts Us All. This whole VDP vs. BBP debate is just ridiculous.
2️⃣ You were taught how to reverse engineer an Electron app to find artifacts like source code and API endpoints. I even showed you how to capture live traffic from an Electron app using Burp Suite.
3️⃣ I shared some of my research on using artificial intelligence (AI) to discover sensitive data in the APIs you are hacking with the help of Microsoft Presidio. You even received some Python code that can be applied across all your HTTP archive (HAR) files to get results from your recon after the fact.
4️⃣ You learned how to write modern Burp Suite extensions using Kotlin and the new Montoya API in Visual Studio Code (VS Code). This replaces my old methodology of hammering out HUGE single-file Jython extensions that are limited to older versions of Python.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Pro Tip of the Week
Saw a great tip on X.com this week in a #burpsuiteshorts on using millions of payloads in Intruder without impacting performance.
It works like this...
Do you know how, when configuring an Intruder attack, loading a huge wordlist or payload database directly in the UI using a "simple list" can consume a lot of memory?
Portswigger has you covered with the payload type of "Runtime file"...
When selected, it streams payloads directly from the file you selected during the attack, bypassing the preload and memory constraints.
I use this all the time. Works well.
Industry News
🙃 You gotta check out FlowMate if you haven't yet. It's a BurpSuite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses. Check out this video to see it in action.
🛠️ Did you know that ZAP now has a gRPC add-on? If you work with APIs that use gRPC, it's worth checking out.
📄 Lee Holmes writes about the Security Risks of Postman. I've covered this before, but it's interesting to see I'm not the only one uncomfortable with Postman's cloud-native play.
🎬 There was a great session at Microsoft Build this month on Navigating the depths of API security testing. Lots of great stuff to take away from the session.
📚 I stumbled upon this slidedeck from an OWASP conference a few years back on Common API Security Pitfalls. I love how well Philip covered this. Wish I could have seen his talk. I swear many slides feel like I wrote them.
🤔 Deepfence has added new capabilities into their ThreatStryker product to act as an eBPF to inspect encrypted API payloads to respond to threats in real time for GenAI frameworks. Packet filtering LLM. Wait until the AI becomes self-aware and strikes back *sigh*
📰 It appears that Check Point has updated its Web Application Firewall with an API Discovery feature to help its clients inventory their APIs used in the cloud. Here is their press release about it.
🤬 You just HAVE to read Kevin Beaumont's Microsoft Recall FAQ. He makes it clear he has working code that automates exploiting the Recall database to exfiltrate data. One of his points really hit home for me... even if I delete a message in Signal to prevent archival Recall would still have a copy of it in its own database. And since it's using Azure AI to do OCR on the screenshots, that means all my Signal messages can be searched even after I destroyed them. F*ck.
🤦🏼♂️ You'd think Fortinet would be experts in input validation when it comes to potential Command Injection in their codebase considering past exploited vulns. But no, there is a new nasty critical RCE bug in their SIEM. Check out this toot on Mastodon by Will:
BTW, you do know you could follow me on Mastodon if you aren't a Musk fan, right? My address is @danaepp@infosec.exchange.
Well, that's it for this monthly review. June is here, which means the AppSec Days PNW conference is just around the corner.
I'm giving a half-day workshop on "The Art of Finding Security Vulnerabilities in Code." If you are in the Vancouver area on June 15th and 16th, you should come.
My palms will be sweaty. Knees weak. Arms heavy.
I won't be "wearing" my mom's spaghetti though. No matter how much you try, if I had "one opportunity" I wouldn't capture it and eat these...
🤢 🤣
Talk to you next week.
Hack hard!
Dana
How was this week's newsletter?
YOU DID GREAT
|
DO BETTER
|
|