What a gut punch. My stomach was in knots as I realized I had just wasted several days doing recon when I didn’t have to.
I threw everything I had at the target. I even spun up some expensive cloud-based GPUs to try to crack the hash I retrieved when I dumped the firmware and extracted the web server password file.
But no luck.
As Hydra desperately ran through another wordlist iteration against the admin login page, I decided to thumb through the documentation someone had printed out for me. And right there, under the setup and configuration section, was the default password for the web app.
F*ck.
We all make mistakes
Ya, it happens. Failing to look at the docs first is a common mistake many of us make from time to time. I’m not immune to that.
It didn’t matter that I tried to google for default passwords and found nothing; I should have looked at the manual.
Making mistakes is part of the process.
If you read enough articles on the Internet (or social media like Twitter or Facebook), you will tend to hear about all the wins. What you don’t usually hear about is the string of failures and setbacks that happen along the way.
Sure, once I had that password, I was able to log in and find several interesting vulnerabilities. But at that point, I wasted half of the engagement timebox. And that was on me.
Sometimes you just won’t win
So here is a truth few talk about. Sometimes, you won’t find anything at all. It’s not that there aren’t vulnerabilities in front of you; it’s just that you haven’t found them. And that’s OK.
Can you relate?
Don’t worry, I’m here to tell you that failure is not only normal but can actually be a key to future success.
In this post, we’ll explore the importance of embracing failure in API hacking and how it can lead to more successful security testing.
But more importantly, I’ll show you how to use failure as a learning experience to improve your skills and become a better hacker.
So put on your learning hat and get ready to embrace failure like never before!
What does embrace failure mean?
Embrace failure means accepting and learning from failures rather than being discouraged or afraid of them. It is about understanding that failure is a natural part of the learning and growth process and using those experiences to improve and ultimately achieve success.
Understanding the Importance of Failure in API Hacking
Years ago, Nike ran a commercial featuring Michael Jordan that included an interesting quote:
I’ve missed more than 9,000 shots in my career. I’ve lost almost 300 games. Twenty-six times I’ve been trusted to take the game-winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.
Understanding the importance of failure is crucial. Be it in basketball or hacking.
Embracing failure as a learning opportunity allows you to identify weaknesses, improve strategies, and find innovative solutions to challenges.
Failure also fosters resilience and persistence, essential qualities for success. By embracing failure, you can achieve greater mastery in your tradecraft.
So, don’t be afraid to fail; instead, see it as an opportunity for growth and progress.
The Role of Failure in Learning and Growth
Failure is a crucial aspect of the learning process. It enables us to identify areas where we can improve and lets us learn from our experiences.
Embracing failure also fosters resilience and perseverance while providing insight into the weaknesses of our hacking methodologies. It inspires creative solutions as we learn what NOT to do.
Bill Gates once summed this up well when he said:
It’s fine to celebrate success, but it is more important to heed the lessons of failure.
Learning from past failures prevents future mistakes, improving our overall success rates.
Failure should be viewed as an opportunity for growth and improvement in our hacking methodologies, ultimately leading to long-term success.
When we embrace failure it empowers us to take risks, push boundaries, and foster innovation.
Developing the Right Mindset for API Hacking
One of the biggest obstacles to success in API hacking is fear – fear of failure, fear of rejection, fear of the unknown. These fears can paralyze us and prevent us from taking risks which could lead to greater rewards.
The key to overcoming this challenge is developing an abundant mindset, one focused on growth and improvement rather than perfection or a false notion of invincibility.
We need to challenge ourselves to try new things and accept the learning opportunities failure provides. By learning from our mistakes, we can develop better expertise in API hacking and more effective strategies for success.
What to do when facing failure when hacking an API
When failure arises in the process of hacking and API, it’s crucial to not let it derail your progress or dampen your enthusiasm.
Instead, treat it as an opportunity for analysis and learning. Break down the failure and understand its root cause – was it a technical oversight, lack of understanding, or an unexpected response from the API?
Once you’ve identified the issue, work on solutions to overcome it, and make it a point to document it for future reference.
Remember, every failure is a step towards success and a chance to improve your hacking skills.
Take a break and come back with fresh eyes
Sometimes, in the face of seemingly insurmountable challenges, the best course of action is simply to pause. Stepping away from the problem can provide much-needed perspective.
This might sound counterintuitive in a high-paced discipline like offensive cybersecurity, but taking a break can be highly beneficial. It allows your brain to rest, reset, and possibly come up with new ways to approach the problem.
When you return to your task, you come with fresh eyes, renewed energy, and potentially innovative solutions to tackle the issue at hand.
Don’t let the fear of failure deter you; instead, see it as a moment for growth and reassessment.
Re-evaluate your approach to the API
After a break, it’s crucial to revisit your approach. Perhaps the method you were using was not the most suitable for the API you’re interacting with.
Consider different techniques or tools which might be more effective. Continued research and recon on the API might reveal some previously overlooked details that could prove useful.
In some instances, you may even want to collaborate with teammates or fellow hackers, leveraging diverse perspectives for innovative solutions.
Most importantly, don’t allow a fear of failure to dissuade you from exploring new strategies. Always remember that each failure is laying down the foundation for future successes.
When should you give up when API hacking?
I’ve previously written about when to give up on an API target.
You need to take into account your own skillset, the economics of the engagement, and how much time you’re willing to invest in finding vulns. If you find that you’re constantly encountering roadblocks and not making significant progress, it might be time to move on.
But don’t forget – API hacking is also about learning, so don’t be afraid to try new things and experiment with different techniques as you hunt for vulnerabilities. The most successful hackers are always evolving and expanding their knowledge base to find new vulns.
We never stop learning. We never stop failing. As Winston Churchill once said:
Success is not final, failure is not fatal: it is the courage to continue that counts.
Conclusion
Failure is an inevitable part of the API hacking journey.
It’s important to embrace failure and view it as a valuable learning experience rather than a setback. Mistakes and setbacks are opportunities for growth and development.
They provide valuable insights into what went wrong and how to improve in the future.
By adopting the right mindset, overcoming the fear of failure, and cultivating persistence and resilience, you can navigate through failures with a positive attitude.
Remember to take breaks when needed, re-evaluate your approach, and come back with fresh eyes. Embracing failure will ultimately lead you to success in the long run.
So keep hacking, learning, and growing!
One last thing…
The API Hacker Inner Circle is growing. It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t yet, join us by subscribing at https://apihacker.blog.
