Dana Epp's Blog

Learn how to cross-reference Known Exploit Vulnerabilities (KEV) against CWE to find the best attack vectors to use during security testing.

The post KEV + CWE = Attack Vector ❤️‍🔥 appeared first on Dana Epp's Blog.

Learn how to write exploits that take advantage of blind command injection vulnerabilities using a time-delayed boolean oracle attack.

The post From Exploit to Extraction: Data Exfil in Blind RCE Attacks appeared first on Dana Epp's Blog.

Learn how to use JSON injection to manipulate API payloads to control the flow of data and business logic within an API.

The post Attacking APIs using JSON Injection appeared first on Dana Epp's Blog.

Learn five tips that will help improve the API exploits you submit into security triage as part of your vulnerability research.

The post 5 tips to improve your API exploits appeared first on Dana Epp's Blog.

Learn how to improve your API discovery with a custom Burp Suite extension dedicated to automatically finding API document artifacts for you.

The post Hacking API discovery with a custom Burp extension appeared first on Dana Epp's Blog.

Learn how to use MITRE's Common Weakness Enumerations (CWE) entries to level up your vulnerability reports.

The post Level Up Your Vulnerability Reports With CWEs appeared first on Dana Epp's Blog.

Learn how to set up your hacking environment to attack mobile apps & APIs running on modern versions of Android with Burp Suite.

The post Hacking Modern Android Mobile Apps & APIs with Burp Suite appeared first on Dana Epp's Blog.

Learn why the X-Bug-Bounty custom HTTP header can be helpful during your bug bounty engagements with a target.

The post Why the X-Bug-Bounty Header Matters for Hackers appeared first on Dana Epp's Blog.

Gain a competitive edge over other security researchers by detecting changes to APIs before others even know about them by using oasdiff.

The post Detecting new API endpoints with oasdiff appeared first on Dana Epp's Blog.

Let's look at Tracfone's $16 million settlement with the FCC to understand why API security testing matters.

The post Why API Security Testing Matters – Learning from Tracfone appeared first on Dana Epp's Blog.

Learn how to map MITRE CAPEC attack patterns to STRIDE threat model categories and improve your approach to security testing.

The post Mapping Attack Patterns to your Threat Model appeared first on Dana Epp's Blog.

Learn how to conduct covert data exfiltration within JSON payloads of an API response.

The post Covert Data Exfiltration via JSON in an API appeared first on Dana Epp's Blog.

Learn how to fuzz JSON to find security vulnerabilities in the APIs you are hacking with the help of a custom wordlist and Param Miner.

The post Fuzzing JSON to find API security flaws appeared first on Dana Epp's Blog.

Learn how to use Param Miner to find hidden parameters that may help manipulate an API in unintended ways, revealing potential security flaws.

The post Finding hidden API parameters appeared first on Dana Epp's Blog.

Learn how to weaponize API discovery metadata to improve your recon of the APIs you are hacking or conducting security testing on.

The post Weaponizing API discovery metadata appeared first on Dana Epp's Blog.

Learn why HTTPie is a great replacement for curl and how to use it when conducting your own API security testing.

The post Hacking APIs with HTTPie appeared first on Dana Epp's Blog.

Learn how to improve your application security code reviews with the help of tools like graudit.

The post 3 ways to improve appsec code auditing with graudit appeared first on Dana Epp's Blog.

Explore the misconceptions and anti-patterns of applying security testing to APIs, and how to address them.

The post 7 Deadly Sins of API Security Testing appeared first on Dana Epp's Blog.

Learn why Human Application Security Testing (HAST) is important to API hackers.

The post Why HAST is important to API hackers appeared first on Dana Epp's Blog.

Learn how to write Burp Suite extensions using the new Montoya API with Kotlin and Visual Studio Code (VS Code)

The post Writing Burp extensions in Kotlin appeared first on Dana Epp's Blog.