
😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Month in Review - November 2023 πŸ‘€

Published 3 months ago • 4 min read

Hey friend 👋,

Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. 🎄

I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week:

When we weren't outside in the chilling cold, we stayed inside and stared out at the sea, snuggled up by the fire enjoying hot cocoa and a few good books.

I've been reading Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World lately.

The book brilliantly unveils the captivating journey of the original hacking supergroup, offering a riveting exploration of their impact on cyberspace, digital activism, and the potential for tech-savvy rebels to reshape the world for the better (and worse).

No matter what your feelings are for cDc as a group, the book shares some interesting backstories on how we as a society got here over the years. It's well worth reading, especially if you chewed some of the same digital ground as these guys back in the 90s like I did. I think I still have several cDc textfiles on some old floppies somewhere around here.


Articles in November

Even though I spent a great deal of time chasing storms throughout November looking for the perfect angry wave, I still kept up with my writing. Here is a glimpse at what you were sent last month...

1️⃣ You explored five ways to improve your GraphQL hacking skills and learned how to practice your newfound skills in a safe way.

2️⃣ You were taught how to bypass API rate limiting security controls using IP rotation in Burp Suite via Amazon API Gateway.

3️⃣ You learned how to uncover elusive dev, test, and production instances of an API hidden behind virtual hosting through VHOST discovery.

4️⃣ You were shown how to use chaos engineering to break an API on purpose to find new types of vulnerabilities that you don’t normally find in testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

The Postman Collection Runner is an incredibly powerful tool for API testers and hackers.

With it, you can easily load malicious payloads into your requests and see how the API responds. This allows you to quickly and easily find injection points in APIs.

If that interests you, you should check out The API Hacker’s Guide to Payload Injection with Postman.

You might also want to check out the article I wrote on how to hack the Microsoft Graph with Postman. Oh, the fun you can have with Postman. 😈


Industry News

🤔 Hmmm... interesting. According to this, the API market is set to grow more than the entire UK economy. This all comes from the Kong 2023 API Impact Report, so you have to take the stat with an open mind. But the trend is clear... lots of opportunities for us as API hackers.

πŸ—οΈ We all know that API keys do not offer robust security. This article explains Why Your API Keys Are Leaving You Vulnerable to Attack.

📚 I stumbled upon a free digital magazine called CyberEd.io that I'd never heard of before. In the fall issue, there is an interesting article on Overcoming the Inertia of Assessing and Securing APIs. You can find the article on page 11.

💰 When the C-suite starts talking about investing in API security, we all win. This article explains Why CFOs Should Prioritize API Security.

⛓️ Check out these 5 ways APIs can be the weak link in supply chain security.

🎓 Ever wanted to know how to write your own Metasploit exploit, and maybe how to publish your own Metasploit module? Check out this guide from Kevin Joensen on how to do it.

🤖 Hacking AI models? You might want to check out Adversarial Attacks on LLMs.

🎬 I'm really bummed I couldn't get down to BlueHat this year. The good news is that Microsoft has published a playlist on YouTube with all the videos from BlueHat 2023.

πŸ› οΈ Have you used Arsenal yet? It's a quick inventory, reminder, and launcher for pentest commands. I love how it helps construct the right parameters for the commands you want to use.

🤬 So Mark recently wrote about Five Questionable Things About Top Ten Security Lists. I can feel his pain. I was not happy with how the most recent OWASP API Security Top 10 shaped up, and the lack of unbiased feedback that was internalized and ignored. Mark explains why, and how it has all come to be. Should we ignore the OWASP Top 10 lists? Of course not. But we should be suspicious of the motivation behind some of it.


As we bid farewell to the month of November, let's embrace the beauty of its sunset moments and look forward to the opportunities and adventures that await in the coming December days.

Speaking of which, here's a glimpse of the sunsets we caught last month while storm watching.

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.
