Hey friend,
Well... is it just me... or did November vanish faster than the Millennium Falcon making the Kessel Run in under 12 parsecs? I mean, I'm still getting over the sugar high from Halloween for chr*sts sake.
And now it's December.
I got a bunch of reading done in November, especially during those terrible storms. The big read was Pentesting APIs: A practical guide to discovering, fingerprinting, and exploiting APIs. I had mixed feelings about this book. As I already reviewed it when I asked "Is the latest book on 'Pentesting APIs' any good?", I won't go into much detail here.
I will say though, that it's great to see more content on the topic come to light.
Speaking of content, let's look at some of the content I wrote in November for you...
Articles in November
Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...
1. You learned how to use upstream residential and mobile proxies in Burp Suite to evade IP blocking during your API security testing.
2. I reviewed the latest book by Packt Publishing on "Pentesting APIs" and determined if it's worth putting on an API hacker's bookshelf.
3. You were taught why shadow APIs sometimes provide a defenseless path for threat actors, and explored what YOU can do about it.
4. I showed you how to stay professionally detached from the vulnerabilities you discover and disclose as part of your security research.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Vibe Check of the Week
So last week I asked you what the best Christmas movie was. You're my peeps... Die Hard #FTW!
Was funny, a few asked me why I had Gremlins on the list. *shocked*. Come on now...
... it's a Christmas classic... with Christmas carol singing and everything...
Industry News
- CVE-2024-42327 shows us how some vulns get compoundedly bad through APIs. A SQL injection vulnerability is further exploitable to any non-admin account that has API access, allowing for privilege escalation. With a CVSS score of 9.9, patch your sh*t if you have Zabbix.
- Have you tried out uproot-JS yet? It's a Burp Suite extension that lets you extract JavaScript files from a Burp Suite project with ease. Nice to see more extensions being written in Kotlin.
- Speaking of Burp, Federico over at HN Security has continued his series on extending Burp Suite for fun and profit, covering BChecks in part 8.
- Here is a great article on Breaking the most popular Web Application Firewalls in the market. It's a walk-through that shows how to bypass the SQLi and XSS rules for many different WAFs on the market today.
- Wow. Kong secured $175M in funding at a $2 billion valuation. For an API gateway company that generates $100M ARR and is profitable, it's interesting to see the influx of investment in the space.
- Did you hear that NVIDIA has launched Garak? It's an open-source vulnerability scanner for generative AI systems. It's apparently capable of evaluating LLMs for vulns like hallucinations, prompt injections, data leaks, and misinformation... and adapts itself over time. Crazy stuff.
- You hear about the SMS Blaster attack? You buy a False Base Station [FBS] (or build one... the schematics and software are online for DIY IMEI catchers like stingray), downgrade nearby connections to 2G, and then spam your SMS payloads. This bypasses mobile carrier security controls and allows infiltration to the text message pipeline without them knowing you've sent messages to their client's devices.
- It pisses me off that linpeas[.]sh is hosting a malicious fork. It seems someone thought it would be funny to inject some logging into the script so that it would quietly exfiltrate things like kernel info and environment variables off to a third party server. As Carlos points out, he doesn't control that domain, and we should always get linpeas from the official source on GitHub.
- The Register has an interesting article on how the workplace has become a surveillance state. They cover how some research from Cracked Labs demonstrated how motion sensing and wireless network technology in buildings is being used to monitor the movement and behavior of office workers and visitors.
Well, that's it for this monthly review. As I mentioned in last week's newsletter, I will be taking December off to focus on some personal projects around the villa. I'll still be around if you have any questions.
Make sure you watch all those Xmas movies, especially Die Hard and Gremlins... it's that time of year.
It's been a fun ride... see you in 2025.
Hack hard!
Dana