🗓️ The API Hackers' Month in Review - May 2024 👀


Hey friend 👋,

Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up.

I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this...

I got a chuckle from that.

And then Viktor shared with me a new flavor he came across...

WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these days.

Keep them coming. I love seeing the funny memes and weird Oreo flavors. You can reply to any of my newsletters and send over what you find. I love to read them.

Speaking of reading, May was a bit different for me. At this year's BSides Vancouver, Micah Lee was keynoting, and I decided to grab his book entitled "Hacks, Leaks, and Revelations. The Art of Analyzing Hacked and Leaked Data" before the conference.

I wasn't sure what to expect.

I was pleasantly surprised.

Drawing from his extensive experience, Lee provides some great insights into safeguarding sources and securely handling sensitive information, making this a must-read for anyone looking to navigate the complex world of digital investigative journalism.

The practical Python, tied in with real-world case studies, made it interesting. A word of warning, though: the book is a tomb — over 500 pages — not a short read.

Speaking of short reads, let's get to the monthly review of the articles and research I've been working on...


Articles in May

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ I shared my feelings on How Bug Hunter Arrogance and Apathy Hurts Us All. This whole VDP vs. BBP debate is just ridiculous.

2️⃣ You were taught how to reverse engineer an Electron app to find artifacts like source code and API endpoints. I even showed you how to capture live traffic from an Electron app using Burp Suite.

3️⃣ I shared some of my research on using artificial intelligence (AI) to discover sensitive data in the APIs you are hacking with the help of Microsoft Presidio. You even received some Python code that can be applied across all your HTTP archive (HAR) files to get results from your recon after the fact.

4️⃣ You learned how to write modern Burp Suite extensions using Kotlin and the new Montoya API in Visual Studio Code (VS Code). This replaces my old methodology of hammering out HUGE single-file Jython extensions that are limited to older versions of Python.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip of the Week

Saw a great tip on X.com this week in a #burpsuiteshorts on using millions of payloads in Intruder without impacting performance.

It works like this...

Do you know how, when configuring an Intruder attack, loading a huge wordlist or payload database directly in the UI using a "simple list" can consume a lot of memory?

Portswigger has you covered with the payload type of "Runtime file"...

When selected, it streams payloads directly from the file you selected during the attack, bypassing the preload and memory constraints.

I use this all the time. Works well.


Industry News

🙃 You gotta check out FlowMate if you haven't yet. It's a BurpSuite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses. Check out this video to see it in action.

🛠️ Did you know that ZAP now has a gRPC add-on? If you work with APIs that use gRPC, it's worth checking out.

📄 Lee Holmes writes about the Security Risks of Postman. I've covered this before, but it's interesting to see I'm not the only one uncomfortable with Postman's cloud-native play.

🎬 There was a great session at Microsoft Build this month on Navigating the depths of API security testing. Lots of great stuff to take away from the session.

📚 I stumbled upon this slidedeck from an OWASP conference a few years back on Common API Security Pitfalls. I love how well Philip covered this. Wish I could have seen his talk. I swear many slides feel like I wrote them.

🤔 Deepfence has added new capabilities into their ThreatStryker product to act as an eBPF to inspect encrypted API payloads to respond to threats in real time for GenAI frameworks. Packet filtering LLM. Wait until the AI becomes self-aware and strikes back *sigh*

📰 It appears that Check Point has updated its Web Application Firewall with an API Discovery feature to help its clients inventory their APIs used in the cloud. Here is their press release about it.

🤬 You just HAVE to read Kevin Beaumont's Microsoft Recall FAQ. He makes it clear he has working code that automates exploiting the Recall database to exfiltrate data. One of his points really hit home for me... even if I delete a message in Signal to prevent archival Recall would still have a copy of it in its own database. And since it's using Azure AI to do OCR on the screenshots, that means all my Signal messages can be searched even after I destroyed them. F*ck.

🤦🏼‍♂️ You'd think Fortinet would be experts in input validation when it comes to potential Command Injection in their codebase considering past exploited vulns. But no, there is a new nasty critical RCE bug in their SIEM. Check out this toot on Mastodon by Will:

BTW, you do know you could follow me on Mastodon if you aren't a Musk fan, right? My address is @danaepp@infosec.exchange.


Well, that's it for this monthly review. June is here, which means the AppSec Days PNW conference is just around the corner.

I'm giving a half-day workshop on "The Art of Finding Security Vulnerabilities in Code." If you are in the Vancouver area on June 15th and 16th, you should come.

My palms will be sweaty. Knees weak. Arms heavy.

I won't be "wearing" my mom's spaghetti though. No matter how much you try, if I had "one opportunity" I wouldn't capture it and eat these...

🤢 🤣

Talk to you next week.

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

☕️ Want to support this free newsletter and my work? Buy me a coffee.

🤯 Want some expert advice? Book a 1:1 session with me.

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend 👋, WTF, where did June go? I swear I blinked, and it was gone. Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud. (Sorry... couldn't resist. 🇨🇦) In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK. Canadians prefer Birthday cookies (or Nanaimo bars...

Hey friend 👋, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🤢 It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...

Hey friend 👋, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! 🤢 Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...