SilverStr

Dana Epp's Blog

Security (de)engineering for fun and profit

  • November 26, 2024

    Why you should stay “professionally detached” from the vulns you find

    Learn how to stay professionally detached from the vulnerabilities you discover and disclose as part of your security research.

  • November 19, 2024

    Why Shadow APIs provide a defenseless path for threat actors

    Learn why shadow APIs sometimes provide a defenseless path for threat actors, and learn what YOU can do about it.

  • November 12, 2024

    Is the latest book on “Pentesting APIs” any good?

    Let’s explore the latest book by Packt Publishing on “Pentesting APIs” and see if it’s worth putting on an API hacker’s bookshelf.

  • November 5, 2024

    Evade IP blocking by using residential proxies

    Learn how to use upstream residential and mobile proxies in Burp Suite to evade IP blocking during your API security testing.

  • October 29, 2024

    KEV + CWE = Attack Vector ❤️‍🔥

    Learn how to cross-reference Known Exploited Vulnerabilities (KEV) against CWE to find the best attack vectors to use during security testing.

  • October 22, 2024

    From Exploit to Extraction: Data Exfil in Blind RCE Attacks

    Learn how to write exploits that take advantage of blind command injection vulnerabilities using a time-delayed boolean oracle attack.

  • October 15, 2024

    Attacking APIs using JSON Injection

    Learn how to use JSON injection to manipulate API payloads to control the flow of data and business logic within an API.

  • October 8, 2024

    5 tips to improve your API exploits

    Learn five tips that will help improve the API exploits you submit into security triage as part of your vulnerability research.

  • October 1, 2024

    Hacking API discovery with a custom Burp extension

    Learn how to improve your API discovery with a custom Burp Suite extension dedicated to automatically finding API document artifacts for you.

  • September 24, 2024

    Level Up Your Vulnerability Reports With CWEs

    Learn how to use MITRE’s Common Weakness Enumerations (CWE) entries to level up your vulnerability reports.
