πŸ—“οΈ The API Hackers' Month in Review - November 2023 πŸ‘€


Hey friend 👋,

Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. 🎄

I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week:

When we weren't outside in the chilling cold, we stayed inside and stared out at the sea, snuggled up by the fire enjoying hot cocoa and a few good books.

I've been reading Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World lately.

The book brilliantly unveils the captivating journey of the original hacking supergroup, offering a riveting exploration of their impact on cyberspace, digital activism, and the potential for tech-savvy rebels to reshape the world for the better (and worse).

No matter what your feelings are for cDc as a group, the book shares some interesting backstories on how we as a society got here over the years. It's well worth reading, especially if you chewed some of the same digital ground as these guys back in the 90s like I did. I think I still have several cDc textfiles on some old floppies somewhere around here.


Articles in November

Even though I spent a great deal of time chasing storms throughout November looking for the perfect angry wave, I still kept up with my writing. Here is a glimpse at what you were sent last month...

1️⃣ You explored five ways to improve your GraphQL hacking skills and learned how to practice your newly found skills in a safe way.

2️⃣ You were taught how to bypass API rate limiting security controls using IP rotation in Burp Suite via Amazon API Gateway.

3️⃣ You learned how to uncover elusive dev, test, and production instances of an API hidden behind virtual hosting through VHOST discovery.

4️⃣ You were shown how to use chaos engineering to break an API on purpose to find new types of vulnerabilities that you don’t normally find in testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

The Postman Collection Runner is an incredibly powerful tool for API testers and hackers.

With it, you point a single request at a CSV or JSON data file of payloads; each row becomes one iteration of the run, and the payload is available to the request as a {{variable}}, so you can fire the whole list at an endpoint and compare how the API responds to each one. Watching for status codes, error messages, response sizes, and timings that differ from a benign baseline is how you quickly narrow down injection points in an API.

If that interests you, you should check out The API Hacker’s Guide to Payload Injection with Postman.

You might also want to check out the article I wrote on how to hack the Microsoft Graph with Postman. Oh, the fun you can have with Postman. 😈
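As an added example (not code from the newsletter, from Postman, or from either linked article), here is the kind of triage logic you would put behind a Collection Runner run, written as plain Node.js so it runs offline. PAYLOADS has the shape of the JSON data file the Runner iterates over, and triageResponse compares each fuzzed response against a benign baseline on the three values Postman exposes as pm.response.code, pm.response.text() and pm.response.responseTime. The target API, its /users?q= parameter, the payload strings, and every response below are constructed stand-ins, not a real service.

```javascript
// Added example: payload-injection triage of the kind you would run from the Postman
// Collection Runner. Not the newsletter's code; the API and all responses are constructed.

// Shape of the JSON data file the Collection Runner iterates over: one row per iteration,
// with {{payload}} and {{category}} resolving inside the request. Payloads are illustrative.
const PAYLOADS = [
  { category: "sqli",  payload: "' OR '1'='1" },
  { category: "sqli",  payload: "1; SELECT SLEEP(5)--" },
  { category: "nosql", payload: '{"$gt": ""}' },
  { category: "xss",   payload: "<script>alert(1)</script>" },
  { category: "cmdi",  payload: "; id" },
  { category: "path",  payload: "../../etc/passwd" },
];
const BASELINE_PAYLOAD = "hello"; // benign value sent first to capture normal behaviour

// Body fragments that suggest the payload reached a database, shell or interpreter.
const ERROR_SIGNATURES = [
  /SQL syntax/i, /unterminated quoted string/i, /ORA-\d{5}/, /MongoError/i,
  /root:x:0:0/, /uid=\d+\(/, /Traceback \(most recent call last\)/, /stack trace/i,
];

// Remove the payload (raw and JSON-encoded) from a body so a plain echo of the input
// does not register as a change in response size.
function stripPayload(text, payload) {
  if (!payload) return text;
  const encoded = JSON.stringify(payload).slice(1, -1);
  return text.split(payload).join("").split(encoded).join("");
}

// Compare one fuzzed response with the baseline. Both objects carry the fields Postman
// exposes as pm.response.code, pm.response.text() and pm.response.responseTime, plus the
// payload that produced them. Returns findings instead of printing, so the caller
// (or a pm.test block in the Tests tab) decides what to do with them.
function triageResponse(baseline, resp, opts = {}) {
  const lengthTolerance = opts.lengthTolerance ?? 0.2; // fraction of baseline body length
  const timeFactor = opts.timeFactor ?? 3;             // slower than this => timing signal
  const findings = [];

  if (resp.code !== baseline.code) {
    findings.push(`status ${baseline.code} -> ${resp.code}`);
  }
  for (const re of ERROR_SIGNATURES) {
    if (re.test(resp.text)) findings.push(`error signature /${re.source}/`);
  }
  const baseLen = stripPayload(baseline.text, baseline.payload).length;
  const respLen = stripPayload(resp.text, resp.payload).length;
  const drift = Math.abs(respLen - baseLen) / Math.max(1, baseLen);
  if (drift > lengthTolerance) {
    findings.push(`body length drift ${Math.round(drift * 100)}%`);
  }
  // Absolute floor of 1s avoids flagging ordinary jitter on a fast baseline.
  if (resp.responseTime > Math.max(1000, baseline.responseTime * timeFactor)) {
    findings.push(`slow response ${resp.responseTime}ms vs ${baseline.responseTime}ms`);
  }
  if (/[<>'"]/.test(resp.payload) && resp.text.includes(resp.payload)) {
    findings.push("payload reflected unencoded");
  }
  return { interesting: findings.length > 0, findings };
}

// Send the baseline first, then every row, and triage each against the baseline.
// `send(payload)` stands in for the Runner issuing the request with {{payload}} filled in.
function runCollection(rows, send) {
  const baseline = send(BASELINE_PAYLOAD);
  return rows.map((row) => ({ ...row, ...triageResponse(baseline, send(row.payload)) }));
}

// Constructed stand-in for GET /users?q={{payload}} so the example runs without a network.
function fakeApi(payload) {
  const body = (q) =>
    JSON.stringify({ users: [{ id: 1, name: "alice" }, { id: 2, name: "bob" }], q });
  if (payload.includes("'")) {
    return { payload, code: 500, responseTime: 130,
      text: "You have an error in your SQL syntax; check the manual that corresponds " +
            "to your MySQL server version for the right syntax to use near ''' at line 1" };
  }
  if (/SLEEP\(\d+\)/i.test(payload)) {
    return { payload, code: 200, responseTime: 5200, text: body(payload) };
  }
  return { payload, code: 200, responseTime: 120, text: body(payload) };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runCollection(PAYLOADS, fakeApi)) {
    console.log(`${r.interesting ? "!!" : "ok"} ${r.category.padEnd(6)} ` +
                `${JSON.stringify(r.payload)} ${r.findings.join("; ")}`);
  }
}
```

Inside Postman you would capture the baseline on iteration 0 into a collection variable and call triageResponse from the Tests tab with pm.response.code, pm.response.text() and pm.response.responseTime; the length check strips the echoed payload first, because an API that merely reflects your input is not the same signal as one whose body changes shape.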


Industry News

🤔 Hmmm... interesting. According to this, the API market is set to grow more than the entire UK economy. This all comes from the Kong 2023 API Impact Report, so you have to take the stat with an open mind. But the trend is clear... lots of opportunities for us as API hackers.

🗝️ We all know that API keys do not offer robust security. This article explains Why Your API Keys Are Leaving You Vulnerable to Attack.

📚 I stumbled upon a free digital magazine called CyberEd.io that I'd never heard of before. In the fall issue, there is an interesting article on Overcoming the Inertia of Assessing and Securing APIs. You can find the article on page 11.

💰 When the C-suite starts talking about investing in API security, we all win. This article explains Why CFOs Should Prioritize API Security.

⛓️ Check out these 5 ways APIs can be the weak link in supply chain security.

🎓 Ever wanted to know how to write your own Metasploit exploit, and maybe how to publish your own Metasploit module? Check out this guide from Kevin Joensen on how to do it.

🤖 Hacking AI models? You might want to check out Adversarial Attacks on LLMs.

🎬 I'm really bummed I couldn't get down to BlueHat this year. The good news is that Microsoft has published a playlist on YouTube with all the videos from BlueHat 2023.

🛠️ Have you used Arsenal yet? It's a quick inventory, reminder, and launcher for pentest commands. I love how it helps construct the right parameters for the commands you want to use.

🤬 So Mark recently wrote about Five Questionable Things About Top Ten Security Lists. I can feel his pain. I was not happy with how the most recent OWASP API Security Top 10 shaped up, and the lack of unbiased feedback that was internalized and ignored. Mark explains why, and how it has all come to be. Should we ignore the OWASP Top 10 lists? Of course not. But we should be suspicious of the motivation behind some of it.


As we bid farewell to the month of November, let's embrace the beauty of its sunset moments and look forward to the opportunities and adventures that await in the coming December days.

Speaking of which, here's a glimpse of the sunsets we caught last month while storm watching.

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.


Is this newsletter not right for you? You can unsubscribe here.
