Where the heck did September go? It seems in the blink of an eye, we started seeing everything pumpkin-spiced showing up on the shelves, and now we're gearing up for October festivities.

I will admit though that finding pumpkin-spiced Oreos was "interesting".

I wonder if I need to start looking out for Halloween Oreos. I'm sure they exist. 🤣

Anyway, I enjoyed those Oreos with coffee and a good book. Lately, I have been reading "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew Stewart. It's an easy-to-read history of computer security and how the world has shifted to a patch-and-pray mentality. It gives a glimpse into how we got here and acts as a sober warning on why we need to do better in cybersecurity, especially when considering software systems that affect our national security interests.

Well worth the read if you are into the history of vulnerabilities in software and systems. And who isn't? 😈

---

Articles in September

I was pretty swamped last month on some security research that kept me busy. However, I did make time for a few articles in a couple of different areas. Here is a glimpse of what you were sent in September...

1️⃣ You learned how to use the generative AI models built into Postman to quickly build security tests to check for vulnerabilities in the APIs you are testing.

2️⃣ You explored why API hacking should be an important and critical component of your web app security testing process. These are great talking points to use when discussing why investing in offensive security testing is important with technical leadership in your org.

3️⃣ You got to feel my pain as I struggled to explore using the no-code programming environment in Postman Flows to visually design and run API exploits as part of your security research.

4️⃣ You were shown how to use contextual discovery and path prediction to find hidden API endpoints during your security testing. Hopefully, you are starting to get into the mind's eye of the developers who write these APIs that you hack.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!

---

Pro Tip

A powerful strategy for discovering potential vulnerabilities in an API is by tainting data in places the developer isn't even thinking about.

For example, tampering with hidden fields is one method of tainting the payload. If the API's business logic isn't prepared for this alteration, it may react unpredictably or expose weaknesses that could be exploited.

Another example might be by inserting duplicate HTTP headers, which may cause the API server to act in unexpected ways.

There are several places you should consider tampering with data, including:

• HTTP headers
• Query parameters
• Request body

I've previously written about this in much more detail. The article to check out is called "Attacking APIs by tainting data in weird places". It covers how you can tamper with data in such a way that the APIs may very well work in ways devs aren't expecting them to.

And you can abuse that. 😈

---

Industry News

📓 I read an interesting article on using API reverse engineering and decompilation to gain control of a vanMoof S3 e-bike, now that the company recently went bankrupt. Beautiful writeup on his approach.

⚙️ Like to parse API endpoints and secrets out of Javascript files? Then check out BishopFox's jsluice, written by @tomnomnom. Here's a video presentation to check it out; and here are the slides.

🤔 If your web apps & APIs rely on continuous integration and deployment (CI/CD), this article argues that DAST as an assessment methodology should be avoided. It's an interesting position, but as the author clearly articulates, this shouldn't affect pentesting.

🛠️ Getting into hacking GraphQL? Check out ZeroDayHacker's walkthrough of DVGA, the Damn Vulnerable GraphQL App.

🌎 I stumbled upon a GitHub repo with a collection of repositories pointing to BChecks scripts for Burp Suite Professional. Don't know what that is? Then read my article on how to Improve your API Security Testing with Burp BCheck Scripts.

☠️ To all my binary hacking ninjas out there, have you checked out this writeup about the Android Native Library Exploitation Challenge? Very interesting stuff. Hacking native interfaces (JNI) in Java is kind of sweet.

Speaking of sweets, I think it's time to go find some more Oreos.

Talk to you in the next newsletter.

Hack hard!
Dana