profile

😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Year in Review - 2023 πŸŽ„πŸ₯³

Published 5 months agoΒ β€’Β 3 min read

Happy New Year! πŸŽ‰

I trust you had a great holiday season and brought in the New Year with a bang.

I don't know about you, but 2023 felt like it went by so quickly.

Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies.

The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant concerns about privacy, security, and trust in the digital age.

I found it started slow, but the Python code samples at the end on abusing OpenAI's ChatGPT API were very interesting. The author interfaced Kali Linux with ChatGPT to prove that next-generation malware could execute Command and Control (C2) operations without the need for human intervention.

That alone made it worth the read.

Speaking of reading, time to get to the newsletter. I've merged the weekly newsletter and the monthly/annual review so you aren't getting too many emails from me this week.


Latest Article

Never trust user input.

It's been the mantra for years in popular secure coding books.

Yet, even today, we continue to see abuse of tainted data taking out the apps and infrastructure we use daily.

While input validation is improving in frontend web apps, it's not uncommon to bypass this altogether and go straight to attacking the APIs.

Why does this work so well? It's all because APIs use structured data formats like JSON and XML, which developers trust implicitly.

When structured data is being relied on, such as within API contracts, Structured Format Injection (SFI) becomes a thing.

And you can abuse that.

You'll have to read the article to find out how.


Articles in December

Like many of you, December was busy closing out the year and enjoying time away with family and friends. But a few articles got published...

1️⃣ You learned how to write Burp Bambda Filters like a boss and codify complex filtering of your proxy HTTP history.

2️⃣ We explored how to find β€œdark data” in the responses to API calls you make during your security testing engagements.

3️⃣ I shared with you my story about that time I broke into an API and became a billionaire. It's an intriguing real world story about how tainted data and API abuse can lead to the perfect digital bank heist.


Top Five Articles in 2023

I thought it might be fun to explore the top 5 articles that were read in 2023. I'm going to exclude The Beginner’s Guide to API Hacking because it's a completely different beast that gets tens of thousands of views regularly.

Here are the top articles that the community was reading last year:

1️⃣ Exploiting Server Side Request Forgery (SSRF) in an API​

2️⃣ Improve your API Security Testing with Burp BCheck Scripts​

3️⃣ How to use OAST to detect vulnerabilities in an API​

4️⃣ Exploit APIs with cURL​

5️⃣ API Security Testing using AI in Postman​


Industry News

πŸ‘¨πŸ»β€πŸ’» You should check out grep.app. It lets you search code across over a half million repos in Git without having to be logged in.

πŸ“„ Working with targets running in Azure? You might find this article on subdomain takeover on Azure interesting.

πŸ› οΈ Now this is interesting. A VSCode extension called NMAP Peek renders NMAP XML output in a visual manner right inside VS Code.

πŸ“š PortSwigger has produced a page that maps Web Security Academy content with the OWASP Top 10 API vulnerabilities.

βš”οΈ Have you used CherryBomb yet? It's a CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them, and running API security tests.

πŸ“° Wow. Over 6 million kids have been impacted by an API vulnerability that exposed student geolocation data and their names in the Edulog Parent Portal.

βš”οΈ Attackers are abusing Cloudflare's Tunnel daemon for persistence and exfiltration on target networks. In fact, it allows them to configure an environment in advance of an attack and then execute a single command from a victim machine to establish a foothold and conduct further operations.

πŸ€” Matthew writes about Sorry AI, APIs Are for Humans. I wonder if that will be true in the future. Weaponizing AI means we could teach LLM to interface and consume API endpoints.

βš™οΈ Jason Haddix has published his 403 bypass wordlist that helps to bypass access control on incorrectly protected pages. He says these work best on config files and global dashboards.


Enjoyed this week's newsletter and the annual review? Hit the "reply" button and let me know.

In the meantime, let's go tackle 2024!

Less talk. More action. 🀣 Cya next week.

Hack hard!
Dana

How was this week's newsletter?


YOU DID GREAT

DO BETTER

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. πŸ™

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

πŸ‘‹ Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.

​

Is this newsletter not right for you? You can unsubscribe here.

😈 The API Hacker Inner Circle

by Dana Epp πŸ‘‹

Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!

Read more from 😈 The API Hacker Inner Circle

Hey friend πŸ‘‹, Wow, did May go by fast. I think these months need to start getting rate-limited so I can actually keep up. I have to admit though, members of the inner circle have kept me going. First, Stephen sent me this... I got a chuckle from that. And then Viktor shared with me a new flavor he came across... WTF? Who would eat that? I'm all for hacking late at night with a plate of cookies, but damn. Silliness aside, the last thing we want is kids seeing that. You just never know these...

12 days agoΒ β€’Β 4 min read

Hey friend πŸ‘‹, April has been a bit intense. Ya, it started with jokers putting toothpaste in our Oreos. 🀒 It ended with some well-deserved R&R on the beaches of the West Coast of Vancouver Island. I can't complain too much; I mean, I was also introduced to Churro Oreos... I can't believe these are a thing... ... and it ended with long walks along the beach... Walking along Cox Bay for a week isn't a bad way to decompress... While I was away, I got to finish reading Pegasus: How a Spy in Your...

about 1 month agoΒ β€’Β 5 min read

Hey friend πŸ‘‹, It's April already!! I hate April 1st. You can't trust anything you read on the Internet, and the pranks ruin good food... If I wanted something minty I'd get peppermint cookies... leave my Oreos alone!!! 🀒 Speaking of something that leaves a bitter taste in my mouth (ya, weird transition there... but stick with me), I've been reading an interesting book lately you need to know about. It's called Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New...

2 months agoΒ β€’Β 4 min read
Share this post