Helping developers, testers, and hackers improve their approach to appsec and find vulnerabilities in their apps and APIs before their adversaries do. Interested to know more? Subscribe to my newsletter below!
Happy New Year! I trust you had a great holiday season and brought in the New Year with a bang. I don't know about you, but 2023 felt like it went by so quickly.

Over the holidays I had time to read The Language of Deception: Weaponizing Next Generation AI. It's a penetrating look at the dark side of emerging AI technologies. The book delves into how AI, especially in the realm of language models, can be used to manipulate, deceive, and influence public opinion, raising significant concerns about privacy, security, and trust in the digital age. I found it started slow, but the Python code samples at the end on abusing OpenAI's ChatGPT API were very interesting. The author interfaced Kali Linux with ChatGPT to prove that next-generation malware could execute Command and Control (C2) operations without the need for human intervention. That alone made it worth the read.

Speaking of reading, time to get to the newsletter. I've merged the weekly newsletter and the monthly/annual review so you aren't getting too many emails from me this week.

Latest Article

Never trust user input. It's been the mantra for years in popular secure coding books. Yet, even today, we continue to see abuse of tainted data taking out the apps and infrastructure we use daily. While input validation is improving in frontend web apps, it's not uncommon to bypass this altogether and go straight to attacking the APIs. Why does this work so well? It's all because APIs use structured data formats like JSON and XML, which developers trust implicitly. When structured data is being relied on, such as within API contracts, Structured Format Injection (SFI) becomes a thing. And you can abuse that. You'll have to read the article to find out how.
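To make the "developers trust the format implicitly" point concrete, here is an added Python illustration; it is not code from the SFI article or from this newsletter. A hypothetical "transfer" endpoint is parsed two ways: a naive handler that unpacks the JSON body straight into its model, and a strict one that checks the exact key set, the scalar type of every field, a business range and duplicated keys before any value is used. The endpoint, the Transfer shape, the acct-<n> account id format, the amount limit and every sample body are constructed for the example.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample request bodies for a hypothetical "transfer" endpoint.
# Only "ok" is well-formed; the rest have shape problems that a handler
# trusting the JSON implicitly swallows without complaint.
SAMPLE_BODIES = {
    "ok":              '{"to": "acct-42", "amount": 250}',
    "string_amount":   '{"to": "acct-42", "amount": "250"}',
    "nested_amount":   '{"to": "acct-42", "amount": {"value": 250}}',
    "bool_amount":     '{"to": "acct-42", "amount": true}',
    "negative_amount": '{"to": "acct-42", "amount": -250}',
    "extra_field":     '{"to": "acct-42", "amount": 250, "approved": true}',
    "duplicate_key":   '{"to": "acct-42", "amount": 1, "amount": 250000}',
}


@dataclass(frozen=True)
class Transfer:
    to: str
    amount: int
    approved: bool = False  # meant to be set only by server-side logic


def naive_parse(body: str) -> Transfer:
    """Trusts the structure implicitly: whatever keys and types arrive are used.

    Python's json module keeps the LAST value of a duplicated key, so the
    "duplicate_key" body yields amount=250000, and the client-controlled
    "approved" flag is copied straight into the object.
    """
    data = json.loads(body)
    return Transfer(**data)


def _reject_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """object_pairs_hook for json.loads: fail closed on repeated keys."""
    seen: set[str] = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key}")
        seen.add(key)
    return dict(pairs)


# Exact key set and exact scalar type expected for each field (assumed contract).
SCHEMA: dict[str, type] = {"to": str, "amount": int}
ACCOUNT_ID = re.compile(r"acct-\d{1,12}")  # assumed account id format
MAX_AMOUNT = 1_000_000                       # assumed business limit


def strict_parse(body: str) -> Transfer:
    """Validates the structure of the body before any field is used."""
    data = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    if set(data) != set(SCHEMA):
        raise ValueError(f"unexpected or missing keys: {sorted(set(data) ^ set(SCHEMA))}")
    for key, expected in SCHEMA.items():
        value = data[key]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"{key} must be of type {expected.__name__}")
    if not ACCOUNT_ID.fullmatch(data["to"]):
        raise ValueError("to is not a valid account id")
    if not 0 < data["amount"] <= MAX_AMOUNT:
        raise ValueError("amount out of range")
    return Transfer(to=data["to"], amount=data["amount"])


def check_all(parser: Callable[[str], Transfer]) -> dict[str, tuple]:
    """Run every sample body through a parser and record accept/reject."""
    results: dict[str, tuple] = {}
    for name, body in SAMPLE_BODIES.items():
        try:
            t = parser(body)
            results[name] = ("accepted", t.amount, t.approved)
        except (ValueError, TypeError) as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, parser in (("naive", naive_parse), ("strict", strict_parse)):
        print(f"--- {label} ---")
        for name, outcome in check_all(parser).items():
            print(f"{name:16} {outcome}")
```

Running it prints, for each parser, which bodies were accepted. The naive handler accepts all seven, including the one where the client set its own "approved" flag and the one where a repeated key silently changed the amount; the strict handler accepts only the well-formed body. Duplicate-key handling differs between JSON parsers, which is why the strict version rejects repeats at parse time instead of relying on whatever the library happens to keep.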
Articles in December

Like many of you, December was busy closing out the year and enjoying time away with family and friends. But a few articles got published...

1. You learned how to write Burp Bambda Filters like a boss and codify complex filtering of your proxy HTTP history.
2. We explored how to find "dark data" in the responses to API calls you make during your security testing engagements.
3. I shared with you my story about that time I broke into an API and became a billionaire. It's an intriguing real-world story about how tainted data and API abuse can lead to the perfect digital bank heist.

Top Five Articles in 2023

I thought it might be fun to explore the top 5 articles that were read in 2023. I'm going to exclude The Beginner's Guide to API Hacking because it's a completely different beast that gets tens of thousands of views regularly. Here are the top articles that the community was reading last year:

1. Exploiting Server Side Request Forgery (SSRF) in an API
2. Improve your API Security Testing with Burp BCheck Scripts
3. How to use OAST to detect vulnerabilities in an API
4. Exploit APIs with cURL
5. API Security Testing using AI in Postman

Industry News

- You should check out grep.app. It lets you search code across over half a million repos in Git without having to be logged in.
- Working with targets running in Azure? You might find this article on subdomain takeover on Azure interesting.
- Now this is interesting. A VSCode extension called NMAP Peek renders NMAP XML output in a visual manner right inside VS Code.
- PortSwigger has produced a page that maps Web Security Academy content to the OWASP Top 10 API vulnerabilities.
- Have you used CherryBomb yet? It's a CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them, and running API security tests.
- Wow. Over 6 million kids have been impacted by an API vulnerability that exposed student geolocation data and their names in the Edulog Parent Portal.
- Attackers are abusing Cloudflare's Tunnel daemon for persistence and exfiltration on target networks. In fact, it allows them to configure an environment in advance of an attack and then execute a single command from a victim machine to establish a foothold and conduct further operations.
- Matthew writes about Sorry AI, APIs Are for Humans. I wonder if that will be true in the future. Weaponizing AI means we could teach LLMs to interface with and consume API endpoints.
- Jason Haddix has published his 403 bypass wordlist that helps to bypass access control on incorrectly protected pages. He says these work best on config files and global dashboards.

Enjoyed this week's newsletter and the annual review? Hit the "reply" button and let me know. In the meantime, let's go tackle 2024! Less talk. More action. Cya next week. Hack hard!