@Phantasm_Lab – Telegram
- Red x Blue Security
- Bug Bounty 💷 💵
- Exploitable tools
- Programming Languages
- Malware Analysis

🇺🇸 🇧🇷 🇪🇸

since 2017 ©

Partners:
@TIdaDepressaoOficial @acervoprivado @ReneGadesx @G4t3w4y
Forwarded from @Phantasm_Lab
APPSEC Cali 2018 - A Tour of API Underprotection

Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed such as app hardening, white box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.

Author

Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor platforms in video, networking, and security modules. Prior to CriticalBlue, Skip worked in formal verification, FPGA design, reconfigurable hw/sw systems, and VLSI and mixed-signal chip design. He enjoys working directly with customers and is a writer at Hacker Noon, focused on API security topics such as “They reverse engineered 16k apps; here’s what we’d fix”, and "Mobile API Security".

https://youtu.be/lgAEJwgxe0Y

🕴 @Phantasm_Lab
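One way to show the certificate-pinning point made in the abstract above, as an added example that is not code from the talk, from CriticalBlue or from this channel: pin the hash of the server's SubjectPublicKeyInfo (SPKI) rather than the whole certificate, so a renewed certificate carrying the same key still passes, keep a backup pin so the key can be rotated without bricking installed apps, and reject any certificate whose key is not in the pin set. Everything below is constructed for the demo: the keys `KEY_A` and `KEY_B`, the names, the serial numbers and the dummy signature bytes. Only the pin check is exercised; no signature is verified.

```python
"""Added example: SPKI certificate pinning check (constructed data, not the talk's code)."""
import base64
import hashlib

# --- minimal DER helpers: enough to build and walk an X.509 certificate ---
def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def elements(body: bytes) -> list:
    """Split a SEQUENCE body into its raw child encodings (tag + length + value)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = parse_tlv(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out

# --- the pinning logic ---
def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the raw SubjectPublicKeyInfo from a DER certificate."""
    _, cert_body, _ = parse_tlv(cert_der)      # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_body, _ = parse_tlv(elements(cert_body)[0])
    fields = elements(tbs_body)
    # version [0] EXPLICIT (tag 0xA0) is optional; when present the SPKI is field 6, else 5
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def spki_pin(spki_der: bytes) -> str:
    """Pin format used by HPKP and OkHttp: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der: bytes, pins: set) -> bool:
    """Accept the leaf only if its public key is one we shipped a pin for."""
    return spki_pin(spki_from_cert(cert_der)) in pins

# --- constructed certificates for the demo (dummy signatures, never use as real certs) ---
OID_ED25519 = bytes.fromhex("06032b6570")   # 1.3.101.112
OID_CN = bytes.fromhex("0603550403")        # 2.5.4.3 commonName

def name(cn: str) -> bytes:
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def spki(pubkey: bytes) -> bytes:
    return seq(seq(OID_ED25519), tlv(0x03, b"\x00" + pubkey))

def make_cert(cn: str, pubkey: bytes, serial: int) -> bytes:
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                   # version v3
        tlv(0x02, bytes([serial])),                                      # serialNumber
        seq(OID_ED25519),                                                # signature algorithm
        name("Example CA"),                                              # issuer
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),  # validity
        name(cn),                                                        # subject
        spki(pubkey),                                                    # subjectPublicKeyInfo
    )
    return seq(tbs, seq(OID_ED25519), tlv(0x03, b"\x00" + bytes(64)))   # dummy signature

KEY_A = bytes(range(32))       # constructed "current" server key
KEY_B = bytes(range(32, 64))   # constructed "backup" key held offline for rotation

def demo():
    pins = {spki_pin(spki(KEY_A)), spki_pin(spki(KEY_B))}   # ship primary + backup pin
    renewed = make_cert("api.example.com", KEY_A, 2)        # new cert, same key: accepted
    rotated = make_cert("api.example.com", KEY_B, 3)        # rolled to backup key: accepted
    rogue = make_cert("api.example.com", bytes(32), 4)      # CA-valid-looking, unknown key: rejected
    return pin_matches(renewed, pins), pin_matches(rotated, pins), pin_matches(rogue, pins)

if __name__ == "__main__":
    print(demo())
```

In a real client the DER bytes come from the TLS layer (`ssl.SSLSocket.getpeercert(binary_form=True)` in Python, the trust-manager callback on Android) and the pin set is baked into the app build; the pin for a live server can be produced with `openssl s_client`, `openssl x509 -pubkey -noout`, `openssl pkey -pubin -outform der` and `openssl dgst -sha256 -binary | base64`. Pinning the SPKI, not the leaf, is what lets the operator renew certificates without an app update.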
Forwarded from SHELL SHOCK
Hacking APIs - Early Access.pdf
39.4 MB
Getting started with the Red Team Guides

RedTeamGuides is a platform that provides red team tutorials and guidance along with cheat sheets. It is aimed at helping security professionals and enthusiasts learn red teaming and penetration testing techniques.

The platform provides a wide range of resources, including step-by-step tutorials, how-to guides, and cheat sheets that cover different topics related to red teaming, such as reconnaissance, exploitation, post-exploitation, and privilege escalation. The guides are regularly updated to keep up with the latest techniques and tools in the field.

https://redteamguides.com/index.html
NSA - Mitigating Web Shells

This repository houses a number of tools and signatures to help defend networks against web shell malware. More information about web shells and the analytics used by the tools here is available in the NSA and ASD web shell mitigation guidance, "Detect and Prevent Web Shell Malware".

https://github.com/nsacyber/Mitigating-Web-Shells
File Shared < 1.6.48 (WordPress Plugin) — Sensitive Data Exposure: MySQL version, environment, etc.

When we try to upload an unauthorized file, the plugin core stores sensitive database information such as the MySQL version, environment information, user ID, user_session, IP, and browser information.

https://medium.com/@DreadPirateRobertt/file-shared-1-6-48-wordpress-plugin-sensitive-data-exposure-mysql-version-enviroment-343356762353
Alien Vault - The World’s First Truly Open Threat Intelligence Community

https://otx.alienvault.com/