🗓️ The API Hackers' Month in Review - September 2023 👀


Where the heck did September go? It seems in the blink of an eye, we started seeing everything pumpkin-spiced showing up on the shelves, and now we're gearing up for October festivities.

I will admit though that finding pumpkin-spiced Oreos was "interesting".

I wonder if I need to start looking out for Halloween Oreos. I'm sure they exist. 🤣

Anyway, I enjoyed those Oreos with coffee and a good book. Lately, I have been reading "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew Stewart. It's an easy-to-read history of computer security and how the world has shifted to a patch-and-pray mentality. It gives a glimpse into how we got here and acts as a sober warning on why we need to do better in cybersecurity, especially when considering software systems that affect our national security interests.

Well worth the read if you are into the history of vulnerabilities in software and systems. And who isn't? 😈


Articles in September

I was pretty swamped last month on some security research that kept me busy. However, I did make time for a few articles in a couple of different areas. Here is a glimpse of what you were sent in September...

1️⃣ You learned how to use the generative AI models built into Postman to quickly build security tests to check for vulnerabilities in the APIs you are testing.

2️⃣ You explored why API hacking should be an important and critical component of your web app security testing process. These are great talking points to use when discussing why investing in offensive security testing is important with technical leadership in your org.

3️⃣ You got to feel my pain as I struggled to explore using the no-code programming environment in Postman Flows to visually design and run API exploits as part of your security research.

4️⃣ You were shown how to use contextual discovery and path prediction to find hidden API endpoints during your security testing. Hopefully, you are starting to get into the mind's eye of the developers who write these APIs that you hack.

Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!


Pro Tip

A powerful strategy for discovering potential vulnerabilities in an API is by tainting data in places the developer isn't even thinking about.

For example, tampering with hidden fields is one method of tainting the payload. If the API's business logic isn't prepared for this alteration, it may react unpredictably or expose weaknesses that could be exploited.

Another example might be by inserting duplicate HTTP headers, which may cause the API server to act in unexpected ways.

There are several places you should consider tampering with data, including:

  • HTTP headers
  • Query parameters
  • Request body

I've previously written about this in much more detail. The article to check out is called "Attacking APIs by tainting data in weird places". It covers how you can tamper with data in such a way that the APIs may very well work in ways devs aren't expecting them to.

And you can abuse that. 😈


Industry News

📓 I read an interesting article on using API reverse engineering and decompilation to gain control of a vanMoof S3 e-bike, now that the company recently went bankrupt. Beautiful writeup on his approach.

⚙️ Like to parse API endpoints and secrets out of Javascript files? Then check out BishopFox's jsluice, written by @tomnomnom. Here's a video presentation to check it out; and here are the slides.

🤔 If your web apps & APIs rely on continuous integration and deployment (CI/CD), this article argues that DAST as an assessment methodology should be avoided. It's an interesting position, but as the author clearly articulates, this shouldn't affect pentesting.

🛠️ Getting into hacking GraphQL? Check out ZeroDayHacker's walkthrough of DVGA, the Damn Vulnerable GraphQL App.

🌎 I stumbled upon a GitHub repo with a collection of repositories pointing to BChecks scripts for Burp Suite Professional. Don't know what that is? Then read my article on how to Improve your API Security Testing with Burp BCheck Scripts.

☠️ To all my binary hacking ninjas out there, have you checked out this writeup about the Android Native Library Exploitation Challenge? Very interesting stuff. Hacking native interfaces (JNI) in Java is kind of sweet.

Speaking of sweets, I think it's time to go find some more Oreos.

Talk to you in the next newsletter.

Hack hard!
Dana

😈 The API Hacker Inner Circle

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend 👋, WTF, where did June go? I swear I blinked, and it was gone. Apologies for this newsletter not arriving yesterday. It was Canada Day, and I was out being loud and proud. (Sorry... couldn't resist. 🇨🇦) In all honesty, I was sitting quietly eating cookies and catching up on some reading. And not some funky flavour of Oreos (albeit they have some great Maple Cream Oreos out there), but some patriotic Maple Leaf Peek Freans. IYKYK. Canadians prefer Birthday cookies (or Nanaimo bars...

Hey friend 👋, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

Hey friend 👋, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🤢 It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...