
😈 The API Hacker Inner Circle

πŸ—“οΈ The API Hackers' Year in Review - 2024 πŸŽ„πŸ₯³


Happy New Year! 🎉

I trust you had a great holiday season and brought in the New Year with a bang.

2024 has been an interesting year. Anyone else feel that way?

Over the holidays I have been catching up on reading and just finished Offensive Security Using Python. It's a hands-on guide to help build custom pentesting and red team tools using Python, along with tooling for threat detection and incident response.

I found the book tries to cover too much, and doesn't go into enough depth in any one area. I would have rather seen it go deeper, from stealthy exploits and backdoors to automating recon and post-exploitation tasks, in more detail. Offensive security tactics and threat detection, to me, should be in two separate books.

But I guess I'm a bit biased, since my attitude has always been about appsec through offsec.

There are some good tidbits of Python code that still make the book worth reading, though.

Reading is learning. And we should always be learning. Speaking of which, since it's our year end review, let's take a look at the top 10 articles I wrote in 2024.


Top Ten Articles in 2024

Last year many of you in the community appreciated learning what the most popular articles were in 2023. I thought it might be fun to do that again in this year's review.

I will of course exclude How to get started as an API hacker, since that covers the beginner's guide and the like that everyone gets pointed to when they first start out.

Here are the top articles I wrote in 2024 that the community has been reading the most:

1️⃣ Attacking APIs using JSON Injection

2️⃣ Is Bruno a good Postman alternative for API hacking?

3️⃣ Detecting Uncommon Headers in an API using Burp Bambda Filters

4️⃣ Hacking Modern Android Mobile Apps & APIs with Burp Suite

5️⃣ Discovering API secrets & endpoints using APKLeaks

6️⃣ Reverse Engineering Electron Apps to Discover APIs

7️⃣ Is Nuclei any good for API hacking?

8️⃣ Detecting API endpoints and source code with JS Miner

9️⃣ Exploiting an API with Structured Format Injection

🔟 Fuzzing JSON to find API security flaws

With over 45 articles written last year, it was interesting to see what was most popular. I would have thought articles like How to find hidden API parameters would have ranked higher.

But hey, you know what you like!


Industry News

πŸ› οΈ Have you checked out Vacuum yet? They boast that it's the fastest OpenAPI and Swagger linter and quality analysis tool out there for APIs. Do you agree?

🤔 How Many APIs Does the Average Enterprise Have? Kin Lane completed an interesting analysis on the subject. My gut tells me regardless of the size of the company, no one really knows what's REALLY out there. So many zombie and shadow APIs out there that get forgotten about.

📓 Now this surprised me... In Cloudflare's Year in Review for 2024 they call out that "Go" is the most popular language choice for automated API clients. Node.js came in a close second, with Python following up right behind.

🤖 It's being reported that a new study finds that a quarter of all respondents have encountered AI-enhanced security threats related to APIs or LLMs, and 75% are expressing serious concern about AI-enhanced attacks in the future.

🤯 Speaking of AI-enhanced attacking, have you checked out Burpference yet? This is a new Burp extension that captures HTTP requests and responses in Burp Suite and sends them off to a remote LLM API in JSON format to run inference to see if any potential vulnerabilities exist in the request/response. Hacking apps and APIs with AI. Gotta love it.

βš™οΈ Are you using WAFW00F? It's a great tool to identify and fingerprint Web Application Firewalls (WAF) protecting an API. They just released an update recently. I like looking at the Git changelog via release tags to notice new WAFs they are detecting.

πŸ” Apparently over 300,000 Prometheus instances have been exposed due to API keys leaking online. According to the researchers, "Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations". *groan*

πŸ” Gotta Mc-Love it. A security researcher in India exploited the McDonald's Delivery API to hijack deliveries and order food for a penny. The writeup includes some decent details on how he approached the attack. Gives an entirely new meaning to "would you like fries with that?".

☠️ Earlier this year when I wrote about testing Bruno out as a replacement for Postman, people thought I was daft. I mentioned back then that I thought it was a terrible idea to have cloud-based workspaces for my sensitive security work, as I could just see things leaking. I was right. The folks over at CloudSEK have published some details about their year-long investigation that revealed over 30,000 publicly accessible Postman workspaces leaking sensitive information, including API keys, business data and customer PII.


Well, that's about it for 2024. Enjoyed the annual review? Have an idea for an article you think I should write in 2025? Hit the "reply" button and let me know.

In the meantime, let's tackle those APIs in 2025!

Hack hard!
Dana


ABOUT

You're reading the API Hackers Inner Circle Newsletter created by Dana Epp (he/him).

🧠 I help teach developers, testers, and hackers how to improve their API hacking tradecraft. Thanks for reading. 🙏

⏩ Enjoy the newsletter? Please forward this to a friend who would find these articles and insights useful!

👋 Did a pal share this with you? Sign up for your own copy here. I send out the newsletter every Tuesday.


β˜•οΈ Want to support this free newsletter and my work? Buy me a coffee.

🤯 Want some expert advice? Book a 1:1 session with me.
