profile

😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Year in Review - 2023 πŸŽ„πŸ₯³

Published about 2 months agoΒ β€’Β 3 min read

Happy New Year! πŸŽ‰

I trust you had a great holiday season and brought in the New Year with a bang.

I don't know about you, but 2023 felt like it went by so quickly.

Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies.

The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant concerns about privacy, security, and trust in the digital age.

I found it started slow, but the Python code samples at the end on abusing OpenAI's ChatGPT API were very interesting. The author interfaced Kali Linux with ChatGPT to prove that next-generation malware could execute Command and Control (C2) operations without the need for human intervention.

That alone made it worth the read.

Speaking of reading, time to get to the newsletter. I've merged the weekly newsletter and the monthly/annual review so you aren't getting too many emails from me this week.


Latest Article

Never trust user input.

It's been the mantra for years in popular secure coding books.

Yet, even today, we continue to see abuse of tainted data taking out the apps and infrastructure we use daily.

While input validation is improving in frontend web apps, it's not uncommon to bypass this altogether and go straight to attacking the APIs.

Why does this work so well? It's all because APIs use structured data formats like JSON and XML, which developers trust implicitly.

When structured data is being relied on, such as within API contracts, Structured Format Injection (SFI) becomes a thing.

And you can abuse that.

You'll have to read the article to find out how.


Articles in December

Like many of you, December was busy closing out the year and enjoying time away with family and friends. But a few articles got published...

1️⃣ You learned how to write Burp Bambda Filters like a boss and codify complex filtering of your proxy HTTP history.

2️⃣ We explored how to find β€œdark data” in the responses to API calls you make during your security testing engagements.

3️⃣ I shared with you my story about that time I broke into an API and became a billionaire. It's an intriguing real world story about how tainted data and API abuse can lead to the perfect digital bank heist.


Top Five Articles in 2023

I thought it might be fun to explore the top 5 articles that were read in 2023. I'm going to exclude The Beginner’s Guide to API Hacking because it's a completely different beast that gets tens of thousands of views regularly.

Here are the top articles that the community was reading last year:

1️⃣ Exploiting Server Side Request Forgery (SSRF) in an API​

2️⃣ Improve your API Security Testing with Burp BCheck Scripts​

3️⃣ How to use OAST to detect vulnerabilities in an API​

4️⃣ Exploit APIs with cURL​

5️⃣ API Security Testing using AI in Postman​


Industry News

πŸ‘¨πŸ»β€πŸ’» You should check out grep.app. It lets you search code across over a half million repos in Git without having to be logged in.

πŸ“„ Working with targets running in Azure? You might find this article on subdomain takeover on Azure interesting.

πŸ› οΈ Now this is interesting. A VSCode extension called NMAP Peek renders NMAP XML output in a visual manner right inside VS Code.

πŸ“š PortSwigger has produced a page that maps Web Security Academy content with the OWASP Top 10 API vulnerabilities.

βš”οΈ Have you used CherryBomb yet? It's a CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them, and running API security tests.

πŸ“° Wow. Over 6 million kids have been impacted by an API vulnerability that exposed student geolocation data and their names in the Edulog Parent Portal.

βš”οΈ Attackers are abusing Cloudflare's Tunnel daemon for persistence and exfiltration on target networks. In fact, it allows them to configure an environment in advance of an attack and then execute a single command from a victim machine to establish a foothold and conduct further operations.

πŸ€” Matthew writes about Sorry AI, APIs Are for Humans. I wonder if that will be true in the future. Weaponizing AI means we could teach LLM to interface and consume API endpoints.

βš™οΈ Jason Haddix has published his 403 bypass wordlist that helps to bypass access control on incorrectly protected pages. He says these work best on config files and global dashboards.


Enjoyed this week's newsletter and the annual review? Hit the "reply" button and let me know.

In the meantime, let's go tackle 2024!

Less talk. More action. 🀣 Cya next week.

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp πŸ‘‹

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow. January has come and gone in the blink of an eye. Did you try a "dry" January and skip the alcohol? They say it's good for the skin... Does Bailey's Irish Cream in the hot cocoa count? Whoops. Grogu I am not. I did catch up on some reading in January while drinking my adult cocoa. I've been reading Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. It's a fascinating read about the dark economy driven by cryptocurrency. And a clear lesson on how...

28 days agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, Wow. November whisked by so fast. I swear we were all just parked in a pumpkin patch gorging on candy. And now we're on December's doorstep, getting ready for Christmas. πŸŽ„ I dunno about you, but I took some time off in November to recharge and get ready for the holiday season. My wife and I went storm watching on Vancouver Island and enjoyed this view for a week: Storm watching on Vancouver Island in November When we weren't outside in the chilling cold, we stayed inside and...

3 months agoΒ β€’Β 4 min read

This is awkward. You just had a newsletter delivered yesterday... and now you are getting this one. The monthly review doesn't usually fall right after the weekly one... so apologies for hitting your inbox so soon. But it's that time. The era of "pumpkin everything" is ending... and the days of "peppermint everything" are upon us. πŸŽƒ ❄️ I always love this time of the year. The change in season always makes me happy. The leaves turn to crimson and gold, and I can start drinking hot chocolate...

4 months agoΒ β€’Β 3 min read
Share this post