🗓️ The API Hackers' Month in Review - October 2023 👀

This is awkward. You just had a newsletter delivered yesterday... and now you are getting this one. The monthly review doesn't usually fall right after the weekly one... so apologies for hitting your inbox so soon.

But it's that time. The era of "pumpkin everything" is ending... and the days of "peppermint everything" are upon us. 🎃 ❄️

I always love this time of the year. The change in season always makes me happy. The leaves turn to crimson and gold, and I can start drinking hot chocolate while hacking on the deck in a hoodie without feeling guilty.

I've been trying to get into reading more fiction again, but I've been failing at it miserably. Lately, I've been reading Trojan Horse by Mark Russinovich. It's the second book in the Jeff Aiken series, and I just can't get into it. It's not a bad book, but I just don't like following so many different character story arcs at the same time.

I mean, a story about cyber espionage can't be all bad, right? If you can get past the slow start with so many story arcs it gets much better at the end when it all comes together.

Articles in October

October was relatively busy for me. I tried to write a few different articles from the norm to help you level up your core skills. Here is a glimpse at what you were sent last month...

1️⃣ You learned how to create mind maps that can help you improve your API hacking methodology during security testing and pentest engagements.

2️⃣ You were shown how to leverage the Exploit Prediction Scoring System (EPSS) to identify the vulnerabilities in your APIs that are most exploitable.

3️⃣ You explored how to prove API exploitability through the use of the Burp Collaborator for out-of-band application security testing (OAST).

4️⃣ You were taught how to use OWASP and MITRE to improve your adversarial thinking to better approach security testing of your web apps and APIs.

5️⃣ You were given a tutorial on how to use the AI in Eyeballer from BishopFox to help identify interesting targets during recon of your web apps & APIs.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!

Pro Tip

One of the reasons I recommend API hackers to buy Burp Suite Professional is so you can have access to the Project File feature.

Let me show you why project files are so useful.

When you conduct an attack using Intruder you may want to save the results to review later. While you can always export the results table, you lose the payload you used for the attack, along with the server responses.

However, if you save the attack to your project file, you not only save the results but can also save the attack configuration and server responses.

By default, if you use a temporary project file, this isn't available to you. Nor is it available to you in the Community edition. But if you create and work within a project using Burp Suite Professional, the option to save Intruder attacks is no longer grayed out.

Now, saving attacks to your project file only works AFTER the attack is complete. So think about that for any long-running attack patterns.

Industry News

☠️ OK, this is cool. Someone has created a GitHub repo indexing almost every proof of concept (PoC) exploit for every CVE published.

⚔️ Have you checked out GraphRunner? It's a post-exploitation toolkit for Microsoft 365, published by the fine folks over at Black Hills Information Security.

🤔 Now, this is interesting. Evading detection by modifying a backdoor into hacked Cisco devices to only work when certain HTTP headers are included. Nice touch.

📚 The folks over at AssetNote have a great writeup on CitrixBleed. Leaking session tokens from the OAuth endpoints is just ugly. I think we are going to see more and more attacks in the future against the auth endpoints, especially for APIs.

📓 Speaking of attacking OAuth, did you check out the article about the exploitation of OAuth account takeover using app impersonation through custom scheme hijacking?

🔍 Have you looked at PostLeaks? It's a script that runs through Postman's public library of APIs detecting sensitive data leaks about private websites and companies.

▶️ The latest episode of the Critical Thinking podcast has Daniel Miessler and Rez0 talking about hacking with AI. Well worth watching.

🤣 OMG, this is awesome. The OpenAI team noticed a group was abusing their internal APIs for ChatGPT. Instead of cutting them off, the team decided to replace the responses with CatGPT... "meowing" each response. I loved watching this story being told on YouTube. Absolutely wicked.

On that note, I think it's time to raid the candy to get that sugar high...

Talk to you in the next newsletter.

Hack hard!

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend 👋, WTF, where did June go? I swear I blinked, and it was gone. Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud. (Sorry... couldn't resist. 🇨🇦) In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK. Canadians prefer Birthday cookies (or Nanaimo bars...

Hey friend 👋, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

Hey friend 👋, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🤢 It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...