Hey friend,
Wow. It sure felt like we fell into fall pretty fast.
Say that three times fast.
With September behind us, it's time to look back and review what has been done.
Before I do that though, remember in last week's newsletter when I mentioned the NSA's new podcast called No Such Podcast? A few of you sent me notes that you loved learning about it. Some of you have already listened to all of the episodes.
But I've got something better for you.
I've recently been reading Code Warriors: NSA's Codebreakers and the Secret Intelligence War Against the Soviet Union. It's a riveting exploration of the NSA's clandestine operations during the Cold War. This book provides valuable insights into the historical roots of modern cryptography and cyber espionage.
It's something every SIGINT or security geek should check out.
The author delves into the technical intricacies of codebreaking and signals intelligence, highlighting the relentless pursuit of securing and penetrating communication channels.
What I found fascinating was that the narrative underscores how the strategies and challenges of the past have shaped today's cybersecurity landscape, emphasizing the perpetual cat-and-mouse game between code makers and code breakers.
It's worth checking out if you are into that kinda thing.
If that's not your cup of tea (or Americano Misto like the shot above when I was in the concrete jungle of Vancouver), maybe you would prefer to read about hacking Burp extensions to do your bidding.
That's what this week's article is all about.
Let's get to it...
Article
A few months back, I introduced you to the idea of weaponizing API discovery metadata to detect and catalog APIs. I concluded the article by saying that as the specification for API discovery metadata isn't widely adopted yet, the API Discovery Burp extension I wrote won't find a lot for you... yet.
Well, that wasn't good enough for me.
So, I decided to improve the code to find API documentation artifacts using a more direct, bruteforced approach through the Burp Web Vulnerability Scanner.
Inspired by BishopFox's SwaggerJacker tool, this week's article follows my work as I build resilient, fast API doc path enumeration into my Burp extension.
Writing purely in Kotlin, I show you how to push the limits of Burp's new Montoya API to automatically discover API documentation.
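To give a feel for the brute-force approach before you read the article, here is an added example in Python. It is not the Kotlin extension's code and is not taken from the article; the wordlist is a constructed subset of the kind of paths SwaggerJacker-style tools probe, and the "target" is a fake fetcher so the script runs offline. The point it makes is the one that matters for resilience: a 200 status is not a hit, the body has to parse as a Swagger 2 / OpenAPI 3 document, otherwise a soft-404 page lights up every path.

```python
"""Brute-force API documentation paths and confirm each hit is a real spec.

Added illustration, not the newsletter's Kotlin/Burp Montoya code. The wordlist,
the sample responses and the fake target are constructed for this example.
"""
import json
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List, Optional, Tuple

# Constructed subset of common API documentation locations (assumption: a
# real wordlist would be much longer).
DOC_PATHS = [
    "/swagger.json",
    "/swagger/v1/swagger.json",
    "/openapi.json",
    "/openapi.yaml",
    "/api-docs",
    "/v2/api-docs",
    "/v3/api-docs",
    "/api/swagger.json",
    "/.well-known/api-catalog",
]

# A fetcher maps a path to (status, body); injecting it keeps the logic testable.
Fetcher = Callable[[str], Tuple[int, str]]


def looks_like_openapi(body: str) -> Optional[str]:
    """Return the spec version if the body is a Swagger 2 / OpenAPI 3 JSON document.

    Validating content rather than status code is what stops soft-404 pages
    (which answer 200 to everything) from producing false positives.
    YAML specs are deliberately out of scope here: JSON only.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    version = doc.get("openapi") or doc.get("swagger")
    if isinstance(version, str) and isinstance(doc.get("paths"), dict):
        return version
    return None


def enumerate_api_docs(fetch: Fetcher, paths: List[str] = DOC_PATHS,
                       workers: int = 8) -> List[Tuple[str, str]]:
    """Probe every candidate path concurrently; return (path, version) for real specs."""

    def probe(path: str) -> Optional[Tuple[str, str]]:
        try:
            status, body = fetch(path)
        except Exception:          # one dead path must not kill the whole run
            return None
        if status != 200:
            return None
        version = looks_like_openapi(body)
        return (path, version) if version else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, paths))
    return sorted(r for r in results if r is not None)


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher for a live target (not exercised offline)."""

    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "api-doc-enum"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


# Constructed fake target: soft-404 everywhere, one decoy JSON, one real spec,
# and one path that errors out to exercise the resilience branch.
SAMPLE_SPEC = json.dumps({"openapi": "3.0.1", "info": {"title": "Orders"},
                          "paths": {"/orders": {}}})
SOFT_404 = "<html><body>Not found</body></html>"


def fake_fetch(path: str) -> Tuple[int, str]:
    if path == "/v3/api-docs":
        return 200, SAMPLE_SPEC
    if path == "/swagger.json":
        return 200, json.dumps({"message": "ok"})   # 200, but not a spec
    if path == "/openapi.yaml":
        raise ConnectionError("simulated timeout")
    return 200, SOFT_404


if __name__ == "__main__":
    print(enumerate_api_docs(fake_fetch))   # [('/v3/api-docs', '3.0.1')]
```

Swap `fake_fetch` for `http_fetcher("https://target.example")` to run it against something real; inside Burp you would hand the same validation to the scanner's responses instead of urllib.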
Articles in September
Here is a glimpse of the articles I wrote last month that you received through the weekly newsletters...
1. I showed you how to gain a competitive edge over other security researchers by detecting changes to APIs with oasdiff even before they know about them.
2. You learned why the X-Bug-Bounty custom HTTP header can be helpful during your bug bounty engagements with a target.
3. You were given a complete step-by-step guide on how to set up your hacking environment to attack mobile apps & APIs running on modern versions of Android with Burp Suite.
4. I shared with you how to use MITRE's Common Weakness Enumeration (CWE) entries to level up your vulnerability reports.
Wishing I'd cover something else? Just hit "reply" on this email and let me know. It might be considered for a future article!
Vibe Check
Last week we asked the API Hacker Inner Circle community what your favorite attack proxy is. Not surprisingly, Burp Suite came out on top.
By a huge margin.
It goes to show that those of us who do this professionally invest in the right tools to get the job done.
For this week's vibe check, let's explore how you write your proof-of-concept exploits...
What is your favorite language to write API exploits in?
Industry News
Katie shares the 3 API Vulnerabilities Developers Accidentally Create. See if you can spot an issue in the article about the vulnerable Laravel routing controller code.
You really need to check out this video from PortSwigger discussing some of the new Burp Suite performance improvements.
Uh oh. This isn't good. A critical vulnerability was recently discovered in Azure API Management (APIM) that allowed users with Reader-level access to escalate their privileges to the equivalent of Contributor-level access. The writeup about the research is pretty thorough.
Oh look, another broken auth vuln in an API. CISA warns of a critical vulnerability (CVE-2024-45229) in Versa Networks' Versa Director and urges organizations to take immediate action to protect their network security. What I find fascinating is that you can exploit this vulnerability by injecting invalid arguments into a GET request. This then exposes the authentication tokens of currently logged-in users, which you can then reuse and abuse. *whoops*
Sam Curry has a beautiful writeup on Hacking Kia: Remotely Controlling Cars With Just a License Plate. This is great security research showing how to abuse secondary business APIs to take over the world... er... cars. I always love his work; very clear and concise on how he approached things. Well worth reading.
Have you checked out the OpenAPI 3.1 Cheatsheet from Bump.sh? Nice resource to have. Study the "Security" section closely and think about how you can leverage those schemas.
This is cool... Spectral adds support for the Arazzo Specification. Don't know what Spectral is? You might want to check out my article on Finding Attack Vectors using API Linting.
I love seeing people think outside of the box. Check out this writeup on finding CVEs at scale using Semgrep as a SAST against recently updated WordPress plugins. The results? He found 14 vulnerabilities, mostly around LFI and SQLi. All in a weekend.
Have you heard of JarPlant? It's a Java archive implant toolkit. Imagine how many Burp Suite extensions are blindly downloaded from GitHub. How many of them could be spiked? Good reason to use the BApp Store.
Well, that's it for this week. October is here and I couldn't be happier.
How about you? Is autumn your favourite season too? Hit "reply" and let me know!
Hack hard!
Dana