πŸ—“οΈ The API Hackers' Year in Review - 2023 πŸŽ„πŸ₯³


Happy New Year! 🎉

I trust you had a great holiday season and brought in the New Year with a bang.

I don't know about you, but 2023 felt like it went by so quickly.

Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies.

The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant concerns about privacy, security, and trust in the digital age.

I found it started slow, but the Python code samples at the end on abusing OpenAI's ChatGPT API were very interesting. The author interfaced Kali Linux with ChatGPT to prove that next-generation malware could execute Command and Control (C2) operations without the need for human intervention.

That alone made it worth the read.

Speaking of reading, time to get to the newsletter. I've merged the weekly newsletter and the monthly/annual review so you aren't getting too many emails from me this week.


Latest Article

Never trust user input.

It's been the mantra for years in popular secure coding books.

Yet, even today, we continue to see abuse of tainted data taking out the apps and infrastructure we use daily.

While input validation is improving in frontend web apps, it's not uncommon to bypass this altogether and go straight to attacking the APIs.

Why does this work so well? It's all because APIs use structured data formats like JSON and XML, which developers trust implicitly.

When structured data is being relied on, such as within API contracts, Structured Format Injection (SFI) becomes a thing.

And you can abuse that.

You'll have to read the article to find out how.
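To make the trust problem concrete, here is an added example (my own, not code from the article) using a hypothetical transfer-request body: a JSON document assembled by string formatting beside one built with a real serializer, plus a server-side parse that refuses to trust the structure just because it parses. The `note` value, key names and allowed-key contract are constructed for illustration.

```python
import json

# Constructed sample value: a "note" field whose content tries to smuggle an
# extra key into the JSON body. Hypothetical request shape, not from the article.
TAINTED_NOTE = 'rent", "role": "admin'
ALLOWED_KEYS = {"account", "amount", "note"}

def build_naive(account: str, amount: int, note: str) -> str:
    """SFI-prone: the body is assembled by string formatting, so quotes in
    the tainted value close the "note" string and inject a new key."""
    return f'{{"account": "{account}", "amount": {amount}, "note": "{note}"}}'

def build_safe(account: str, amount: int, note: str) -> str:
    """Hardened: a real serializer escapes the quotes, so the tainted value
    stays a single string and the document keeps its intended shape."""
    return json.dumps({"account": account, "amount": amount, "note": note})

def body_keys(body: str) -> list:
    """Keys a lenient server-side parser would see in the body."""
    return sorted(json.loads(body))

def parse_strict(body: str) -> dict:
    """Defender-side check: reject duplicated keys and any key outside the
    contract instead of trusting whatever structure arrived."""
    def reject_duplicates(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                raise ValueError(f"duplicate key: {key}")
            seen[key] = value
        return seen

    data = json.loads(body, object_pairs_hook=reject_duplicates)
    extra = set(data) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    return data

def accepted(body: str) -> bool:
    """True when the body passes the strict contract check."""
    try:
        parse_strict(body)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for body in (build_naive("acct-1", 100, TAINTED_NOTE), build_safe("acct-1", 100, TAINTED_NOTE)):
        print(body_keys(body), accepted(body))
```

The naive body parses with a fourth key, `role`, that the caller never meant to send; the serialized body keeps the tainted text inside `note`, and the strict parser rejects the former while accepting the latter.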


Articles in December

Like many of you, December was busy closing out the year and enjoying time away with family and friends. But a few articles got published...

1️⃣ You learned how to write Burp Bambda Filters like a boss and codify complex filtering of your proxy HTTP history.

2️⃣ We explored how to find “dark data” in the responses to API calls you make during your security testing engagements.

3️⃣ I shared with you my story about that time I broke into an API and became a billionaire. It's an intriguing real world story about how tainted data and API abuse can lead to the perfect digital bank heist.


Top Five Articles in 2023

I thought it might be fun to explore the top 5 articles that were read in 2023. I'm going to exclude The Beginner’s Guide to API Hacking because it's a completely different beast that gets tens of thousands of views regularly.

Here are the top articles that the community was reading last year:

1️⃣ Exploiting Server Side Request Forgery (SSRF) in an API

2️⃣ Improve your API Security Testing with Burp BCheck Scripts

3️⃣ How to use OAST to detect vulnerabilities in an API

4️⃣ Exploit APIs with cURL

5️⃣ API Security Testing using AI in Postman


Industry News

πŸ‘¨πŸ»β€πŸ’» You should check out grep.app. It lets you search code across over a half million repos in Git without having to be logged in.

📄 Working with targets running in Azure? You might find this article on subdomain takeover on Azure interesting.

πŸ› οΈ Now this is interesting. A VSCode extension called NMAP Peek renders NMAP XML output in a visual manner right inside VS Code.

📚 PortSwigger has produced a page that maps Web Security Academy content with the OWASP Top 10 API vulnerabilities.

βš”οΈ Have you used CherryBomb yet? It's a CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them, and running API security tests.

📰 Wow. Over 6 million kids have been impacted by an API vulnerability that exposed student geolocation data and their names in the Edulog Parent Portal.

βš”οΈ Attackers are abusing Cloudflare's Tunnel daemon for persistence and exfiltration on target networks. In fact, it allows them to configure an environment in advance of an attack and then execute a single command from a victim machine to establish a foothold and conduct further operations.

🤔 Matthew writes about Sorry AI, APIs Are for Humans. I wonder if that will be true in the future. Weaponizing AI means we could teach LLMs to interface with and consume API endpoints.

βš™οΈ Jason Haddix has published his 403 bypass wordlist that helps to bypass access control on incorrectly protected pages. He says these work best on config files and global dashboards.


Enjoyed this week's newsletter and the annual review? Hit the "reply" button and let me know.

In the meantime, let's go tackle 2024!

Less talk. More action. 🤣 Cya next week.

Hack hard!
Dana

ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏
