profile

😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - November 2023 πŸ‘€

Published 6 months agoΒ β€’Β 4 min read

Hey friend πŸ‘‹,

Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. πŸŽ„

I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week:

When we weren't outside in the chilling cold, we stayed inside and stared out at the sea, snuggled up by the fire enjoying hot cocoa and a few good books.

I've been reading Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World lately.

The book brilliantly unveils the captivating journey of the original hacking supergroup, offering a riveting exploration of their impact on cyberspace, digital activism, and the potential for tech-savvy rebels to reshape the world for the better (and worse).

No matter what your feelings are for cDc as a group, the book shares some interesting backstories on how we as a society got here over the years. It's well worth reading, especially if you chewed some of the same digital ground as these guys back in the 90s like I did. I think I still have several cDc textfiles on some old floppies somewhere around here.


Articles in November

Even though I spent a great deal of time chasing storms throughout November looking for the perfect angry wave, I still kept up with my writing. Here is a glimpse at what you were sent last month...

1️⃣ You explored five ways to improve your GraphQL hacking skills and learned how to practice your newly found skills in a safe way.

2️⃣ You were taught how to bypass API rate limiting security controls using IP rotation in Burp Suite via Amazon API Gateway.

3️⃣ You learned how to uncover elusive dev, test, and production instances of an API hidden behind virtual hosting through VHOST discovery.

4️⃣ You were shown how to use chaos engineering to break an API on purpose to find new types of vulnerabilities that you don’t normally find in testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

The Postman Collection Runner is an incredibly powerful tool for API testers and hackers.

With it, you can easily load malicious payloads into your requests and see how the API responds. This allows you to quickly and easily find injection points in APIs.

If that interests you, you should check out The API Hacker’s Guide to Payload Injection with Postman.

You might also want to check out the article I wrote on how to hack the Microsoft Graph with Postman. Oh, the fun you can have with Postman. 😈


Industry News

πŸ€” Hmmm... interesting. According to this, the API market is set to grow more than the entire UK economy. This all comes from the Kong 2023 API Impact Report, so you have to take the stat with an open mind. But the trend is clear... lots of opportunities for us as API hackers.

πŸ—οΈ We all know that API keys do not offer robust security. This article explains Why Your API Keys Are Leaving You Vulnerable to Attack.

πŸ“š I stumbled upon a free digital magazine called CyberEd.io that I'd never heard of before. In the fall issue, there is an interesting article on Overcoming the Inertia of Assessing and Securing APIs. You can find the article on page 11.

πŸ’° When the C-suite starts talking about investing in API security, we all win. This article explains Why CFOs Should Prioritize API Security.

⛓️ Check out these 5 ways APIs can be the weak link in supply chain security.

πŸŽ“ Ever wanted to know how to write your own Metasploit exploit, and maybe how to publish your own Metasploit module? Check out this guide from Kevin Joensen on how to do it.

πŸ€– Hacking AI models? You might want to check out Adversarial Attacks on LLMs.

🎬 I'm really bummed I couldn't get down to BlueHat this year. The good news is that Microsoft has published a playlist on YouTube with all the videos from BlueHat 2023.

πŸ› οΈ Have you used Arsenal yet? It's a quick inventory, reminder, and launcher for pentest commands. I love how it helps construct the right parameters for the commands you want to use.

🀬 So Mark recently wrote about Five Questionable Things About Top Ten Security Lists. I can feel his pain. I was not happy with how the most recent OWASP API Security Top 10 shaped up, and the lack of unbiased feedback that was internalized and ignored. Mark explains why, and how it has all come to be. Should we ignore the OWASP Top 10 lists? Of course not. But we should be suspicious of the motivation behind some of it.


As we bid farewell to the month of November, let's embrace the beauty of its sunset moments and look forward to the opportunities and adventures that await in the coming December days.

Speaking of which, here's a glimpse of the sunsets we caught last month while storm watching.

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp πŸ‘‹

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

12 days agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🀒 It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...

about 1 month agoΒ β€’Β 5 min read

Hey friend πŸ‘‹, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! 🀒 Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...

2 months agoΒ β€’Β 4 min read
Share this post