πŸ—“οΈ The API Hackers' Month in Review - November 2023 πŸ‘€


Hey friend 👋,

Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. 🎄

I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week:

When we weren't outside in the chilling cold, we stayed inside and stared out at the sea, snuggled up by the fire enjoying hot cocoa and a few good books.

I've been reading Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World lately.

The book brilliantly unveils the captivating journey of the original hacking supergroup, offering a riveting exploration of their impact on cyberspace, digital activism, and the potential for tech-savvy rebels to reshape the world for the better (and worse).

No matter what your feelings are for cDc as a group, the book shares some interesting backstories on how we as a society got here over the years. It's well worth reading, especially if you chewed some of the same digital ground as these guys back in the 90s like I did. I think I still have several cDc textfiles on some old floppies somewhere around here.


Articles in November

Even though I spent a great deal of time chasing storms throughout November looking for the perfect angry wave, I still kept up with my writing. Here is a glimpse at what you were sent last month...

1️⃣ You explored five ways to improve your GraphQL hacking skills and learned how to practice your newly found skills in a safe way.

2️⃣ You were taught how to bypass API rate limiting security controls using IP rotation in Burp Suite via Amazon API Gateway.

3️⃣ You learned how to uncover elusive dev, test, and production instances of an API hidden behind virtual hosting through VHOST discovery.

4️⃣ You were shown how to use chaos engineering to break an API on purpose to find new types of vulnerabilities that you don’t normally find in testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

The Postman Collection Runner is an incredibly powerful tool for API testers and hackers.

With it, you can easily load malicious payloads into your requests and see how the API responds. This allows you to quickly and easily find injection points in APIs.

If that interests you, you should check out The API Hacker’s Guide to Payload Injection with Postman.

You might also want to check out the article I wrote on how to hack the Microsoft Graph with Postman. Oh, the fun you can have with Postman. 😈


Industry News

🤔 Hmmm... interesting. According to this, the API market is set to grow more than the entire UK economy. This all comes from the Kong 2023 API Impact Report, so you have to take the stat with an open mind. But the trend is clear... lots of opportunities for us as API hackers.

πŸ—οΈ We all know that API keys do not offer robust security. This article explains Why Your API Keys Are Leaving You Vulnerable to Attack.

📚 I stumbled upon a free digital magazine called CyberEd.io that I'd never heard of before. In the fall issue, there is an interesting article on Overcoming the Inertia of Assessing and Securing APIs. You can find the article on page 11.

💰 When the C-suite starts talking about investing in API security, we all win. This article explains Why CFOs Should Prioritize API Security.

⛓️ Check out these 5 ways APIs can be the weak link in supply chain security.

🎓 Ever wanted to know how to write your own Metasploit exploit, and maybe how to publish your own Metasploit module? Check out this guide from Kevin Joensen on how to do it.

🤖 Hacking AI models? You might want to check out Adversarial Attacks on LLMs.

🎬 I'm really bummed I couldn't get down to BlueHat this year. The good news is that Microsoft has published a playlist on YouTube with all the videos from BlueHat 2023.

πŸ› οΈ Have you used Arsenal yet? It's a quick inventory, reminder, and launcher for pentest commands. I love how it helps construct the right parameters for the commands you want to use.

🤬 So Mark recently wrote about Five Questionable Things About Top Ten Security Lists. I can feel his pain. I was not happy with how the most recent OWASP API Security Top 10 shaped up, or with how unbiased feedback was ignored rather than internalized. Mark explains why, and how it has all come to be. Should we ignore the OWASP Top 10 lists? Of course not. But we should be suspicious of the motivation behind some of it.


As we bid farewell to the month of November, let's embrace the beauty of its sunset moments and look forward to the opportunities and adventures that await in the coming December days.

Speaking of which, here's a glimpse of the sunsets we caught last month while storm watching.

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

