
😈 The API Hacker Inner Circle

🗓️ The API Hackers' Month in Review - October 2024 👀


Hey friend 👋,

Wow. October disappeared faster than a ghost at dawn – one minute it was haunting, the next it was history!

Speaking of ghosts, did you have a cool Halloween costume this year? I thought about going as "The Great Pumpkin"...

... ok, maybe not the best idea I've had.

Anyway, as I gorge on some of this Halloween candy while in the city, I am staring at a book I picked up last month that you might find interesting. It's called the Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting.

The book reminds me of a modern version of The Web Application Hacker’s Handbook. It's a hands-on guide for aspiring and seasoned security testers alike, covering essential tools, techniques, and methodologies to identify vulnerabilities in modern web applications.

What's nice is that it has a focus on practicality, helping you to improve your pentesting skills by applying strategies for real-world scenarios in web security. Well worth the read if you liked the web app hacker's handbook.

Of course, if you aren't into reading big thick books on hacking stuff, you could read some of my articles from the last month. Let's look at some of those...


Articles in October

Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...

1️⃣ You learned how to improve your API discovery with a custom Burp Suite extension I wrote dedicated to automatically finding API document artifacts for you.

2️⃣ I gave you five tips that will help improve the API exploits you submit into security triage as part of your vulnerability research.

3️⃣ You were shown how to use JSON injection to manipulate API payloads to control the flow of data and business logic within an API. This was a VERY popular article that got picked up by several news sources.

4️⃣ I had some fun and showed you how to write exploits that take advantage of blind command injection vulnerabilities using a time-delayed boolean oracle attack. Hat tip to Ben (Nahamsec) for the idea.

5️⃣ You were taught how to cross-reference Known Exploited Vulnerabilities (KEV) against CWE to find the best attack vectors to use during security testing.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Industry News

⚔️ Have you checked out secure.py? It's a lightweight modern Python library to add security headers (CSP, HSTS, etc.) to Django, Flask, FastAPI, and more. Flip the table. Read the code to understand what "secure by default" headers they think matter by platform. Look for those headers that are missing during your recon. How could you leverage that in an attack?

✍🏻 Bill wrote an interesting article on Why Enterprises Are Concerned About Zombie APIs. You'd think more of them should read my Guide to Finding Zombie APIs.

🥴 Did you hear about Burp's new Nmap Scanner? It's a new extension that integrates Nmap's powerful network scanning capabilities directly into the Burp Suite interface.

📊 Traceable has released their 2025 Global State of API Security report. (looks at calendar... WTF??) One of the key findings is that API attack detection remains a blind spot. Only 21% of respondents can even see us coming.

🤔 The researchers over at Sonar discovered a flaw in the OpenAPI Generator library, a widely used tool for generating application programming interfaces (APIs), that makes it possible for an attacker to both read and delete files stored in a writable directory. *ouch*

📖 Security Magazine had an interesting interview with Karl from Akamai on How organizations can defend against the increasing API attack surface.

📝 Here is an interesting writeup on how an API hacker earned $4,500 in API bug bounties from a single web app on a program on HackerOne. Always great to see real examples in the field. #winning

📱 Vodafone has shared their API governance model key to API security, scalability and consistency. We'll see how consistent they will be in following that as they improve their codebase.

🤖 So Apple recently released Apple Intelligence. And they are offering a $1,000,000 bug bounty to anyone who can hack their Private Cloud Compute (PCC) system, which backs their AI. What's cool is that they are offering a virtual research environment to help you do it, along with access to some of the vital source code that drives PCC.


Well, that's it for this month's review. November is now upon us, which means we can look forward to colder weather and Black Friday while we march towards Christmas.

Talk to you next week!

Hack hard!
Dana

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.


☕️ Want to support this free newsletter and my work? Buy me a coffee.

🤯 Want some expert advice? Book a 1:1 session with me.


Is this newsletter not right for you? You can unsubscribe here.
