This is awkward. You just had a newsletter delivered yesterday... and now you are getting this one. The monthly review doesn't usually fall right after the weekly one... so apologies for hitting your inbox so soon.
But it's that time. The era of "pumpkin everything" is ending... and the days of "peppermint everything" are upon us. 🎃 ❄️
I always love this time of the year. The change in season always makes me happy. The leaves turn to crimson and gold, and I can start drinking hot chocolate while hacking on the deck in a hoodie without feeling guilty.
I've been trying to get into reading more fiction again, but I've been failing at it miserably. Lately, I've been reading Trojan Horse by Mark Russinovich. It's the second book in the Jeff Aiken series, and I just can't get into it. It's not a bad book, but I just don't like following so many different character story arcs at the same time.
I mean, a story about cyber espionage can't be all bad, right? If you can get past the slow start with so many story arcs, it gets much better at the end when it all comes together.
Articles in October
October was relatively busy for me. I tried to write a few articles that differ from the norm to help you level up your core skills. Here is a glimpse at what you were sent last month...
1️⃣ You learned how to create mind maps that can help you improve your API hacking methodology during security testing and pentest engagements.
2️⃣ You were shown how to leverage the Exploit Prediction Scoring System (EPSS) to identify the vulnerabilities in your APIs that are most exploitable.
3️⃣ You explored how to prove API exploitability through the use of the Burp Collaborator for out-of-band application security testing (OAST).
4️⃣ You were taught how to use OWASP and MITRE to improve your adversarial thinking to better approach security testing of your web apps and APIs.
5️⃣ You were given a tutorial on how to use the AI in Eyeballer from BishopFox to help identify interesting targets during recon of your web apps & APIs.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
One of the reasons I recommend that API hackers buy Burp Suite Professional is to get access to the Project File feature.
Let me show you why project files are so useful.
When you conduct an attack using Intruder, you may want to save the results to review later. While you can always export the results table, you lose the payloads you used for the attack, along with the server responses.
However, if you save the attack to your project file, you not only save the results but can also save the attack configuration and server responses.
By default, if you use a temporary project file, this isn't available to you. Nor is it available to you in the Community edition. But if you create and work within a project using Burp Suite Professional, the option to save Intruder attacks is no longer grayed out.
Now, saving attacks to your project file only works AFTER the attack is complete. So plan for that with any long-running attack patterns.
☠️ OK, this is cool. Someone has created a GitHub repo indexing almost every proof of concept (PoC) exploit for every CVE published.
⚔️ Have you checked out GraphRunner? It's a post-exploitation toolkit for Microsoft 365, published by the fine folks over at Black Hills Information Security.
🤔 Now, this is interesting. Evading detection by modifying the backdoor implanted on hacked Cisco devices so that it only responds when certain HTTP headers are included. Nice touch.
📚 The folks over at AssetNote have a great writeup on CitrixBleed. Leaking session tokens from the OAuth endpoints is just ugly. I think we are going to see more and more attacks in the future against the auth endpoints, especially for APIs.
📓 Speaking of attacking OAuth, did you check out the article about the exploitation of OAuth account takeover using app impersonation through custom scheme hijacking?
🔍 Have you looked at PostLeaks? It's a script that runs through Postman's public library of APIs, detecting sensitive data leaks about private websites and companies.
▶️ The latest episode of the Critical Thinking podcast has Daniel Miessler and Rez0 talking about hacking with AI. Well worth watching.
🤣 OMG, this is awesome. The OpenAI team noticed a group was abusing their internal APIs for ChatGPT. Instead of cutting them off, the team decided to replace the responses with CatGPT... "meowing" each response. I loved watching this story being told on YouTube. Absolutely wicked.
On that note, I think it's time to raid the candy to get that sugar high...
Talk to you in the next newsletter.