hAPI_hacker @hAPI_hacker

If you signed up for a career in cybersecurity you signed up for a career of continuous learning. Learning in this field doesn’t end with a cert, a degree, or a job offer, it never ends.

Woo, I can confirm "Can AI Do Novel Security Research? Meet the HTTP Terminator" is coming to @defcon! This research was a huge gamble and the result was glorious, can't wait to share!

I am planning my fall speaking schedule. What are some good conferences to submit CFPs to?

What conferences/events/meet ups do you want to see me at this year? Whats the best local conference near you that I should throw a cfp into????

@Microsoft patched a critical Entra bug, told me it was not a bug, and never told you it existed. A broken API authorization flaw was used on 15 separate @azuread Entra services. Any low-privileged authenticated user in your tenant could download all sorts of logs for the entire enterprise, with no role and no admin rights. That telemetry included source IP addresses, geolocation, MFA status, application access patterns, and the Conditional Access policies applied to every sign-in. Timeline: April 8: I reported it to MSRC as VULN-181669 with a video proof of concept attached. April 23: MSRC said they could not reproduce it and asked for a video. April 24: I confirmed the video was already in the original submission. April 27: They closed the case as below the bar for immediate servicing, with no CVE and no bounty, claiming the API enforced permissions server side and returned 403. April 29: I retested, and the endpoint that had returned a full log dump now returned a role-check error that did not exist when I filed. They closed the finding as not a bug, and then they shipped the fix for it on the side. That is the opposite of coordinated disclosure. A single export across the sign-in logs exposed user principal names for every account, source IPs with geolocation, MFA status per sign-in, the full application and service principal inventory, and Conditional Access policy results. In the instance of my finding this resulted in roughly 400 MB of tenant-wide authentication data from one service. The same flaw appeared in 14 more, including Provisioning Logs, ID Protection, Conditional Access, Authentication Methods, Billing - Licenses - Audit Logs and Certificate Authorities. This was not a single misconfigured endpoint. It was one broken authorization pattern repeated across the platform. The bug is gone now, and without notification, that is precisely the problem. You cannot reproduce it, and Microsoft has published no CVE and no advisory confirming it was ever there. Without that disclosure, you have no exposure window to investigate and no indicators of compromise to hunt. The exploit traffic would show up in your logs as 200 responses to auditLogs/signIns from users who never had read access, but nothing from Microsoft tells you where to look. Microsoft should reopen VULN-181669, notify affected customers, publish indicators of compromise, and issue the CVE. Full writeup: lnkd.in/gXSVwXgZ @InsiderPhD @DoerrfeldBill @chrishonda0716 @ryanrutan @EdwardLichtner @JoseHaroPeralta @nicfill

🚨 Workshop Spotlight # 5👉 "Instant API Hacker" by Corey J. Ball (@hAPI_hacker), author of "Hacking APIs" and founder of APIsec University (@apisecu) & hAPI Labs 📝 Description "Instant API Hacker" demonstrates how quickly someone can learn to identify and exploit API vulnerabilities. You'll witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure. Through live demos using the "One Request to Rule Them All," you'll see firsthand how APIs can be compromised, and gain actionable insights you can apply immediately. The session walks through finding APIs, analyzing endpoints in Postman, going deep with Burp Suite, and exploiting the most common vulnerabilities. You leave with free resources for continued learning, including vulnerable labs and APIsec University courses. Beginner-friendly. By the end, you're an API hacker. 🎟️ Only at ContinuumCon 2026 Work through it live, or revisit the lab on your own time. Own it forever. The workshop doesn't end when the conference does. Got your ticket yet? 👉 continuumcon.com Hosted by @_JohnHammond, @JustHackingHQ, @AnthonyBendas, and @Level_Effect!

😎

John Hammond invites you to ContinuumCon, the virtual con that never ends and EVERY talk is a hands-on workshop! continuumcon.com/Join us June 12-14! "The team and I have put together a banger of an online event at an affordable price that includes online training. We hope to see you in June!" CC 2026 is a virtual cybersecurity conference hosted by John, Co-Founder of Just Hacking Training, and Anthony Bendas of Level Effect. It’s built around practical workshops covering AI/ML, DFIR, Detection Engineering, Reverse Engineering, Threat Hunting, Malware Analysis, CTI, SecOps, and Tactical GRC. And, of course, we’ll be hanging out on Discord where the real party happens. 😜 Why Attend? - All 3 days of ContinuumCon broadcast FREE online. No Travel! No Cost! - One Single Track! Allows you to attend all talks. - EVERY talk is a hands-on workshop with cloud-based labs hosted on JHT. - Affordable tickets (just $79 & $159) grant access to ALL labs during AND after the event. - Free CTF! 'nuff said Top experts you WANT to see: 💫 Corey Ball 💫 Andrew Bellini 💫 Eva Benn 💫 Bryson Bort 💫 Jun34u 💫 rekdt 💫 solst/ICE 💫 John Strand 💫 Rachel Tobac 💫 Jamie Williams 💫 Many more! #explore #cybersecurity #ethicalhacking #training #conference

I put a prompt injection into my LinkedIn bio and recruiters are messaging me in Old English and calling me Lord.

keyboard_arrow_left Previous keyboard_arrow_right Next

Thank you to everyone who came to my shrek-themed hacking alongside AI talk today at Hacking APIs Con @hAPI_hacker

If you want to know how I, AI skeptic really changed my mind on hacking with AI I’ll be at HackingAPIsCon/apidays New York next week to talk about how I worked WITH an agent rather than fight against it and Ill share some of my AI hacking methodology

🔥 ContinuumCon 2026 June 12-14 Workshops Announced! Stacked with content, plus a special event: This year we'll have a Live AMA with @brysonbort and @strandjs - Q&A, commentary, and the top-tier banter. Workshops 👇 # Roll Your Own Analyst by Rain Jordan Build your own local AI threat intel pipeline with Python & Ollama # Killing Active Directory Attack Paths Once and For All by @techspence Hands-on destruction of major AD attack paths with hardening to mitigate # Hacking Over & Under The Wire by @klrgrz Beginner-friendly SSH & PowerShell using OverTheWire wargames and trying back to tradecraft # Practical Security Engineering by @IceSolst Stand up SAST, DAST, SCA, and secrets scanning for free using GitHub Actions # Prompt Injection Fundamentals & Hack-Along by Eva Benn and @Andrew Bellini Practical, beginner-friendly walkthrough of prompt injection fundamentals. It's a solid on-ramp if you want to get into AI pentesting! # Escaping Sandboxes with AI by @ZackKorman Hands-on techniques for finding and executing AI sandbox escapes # Instant API Hacker by @hAPI_hacker Fast-paced exploitation of the OWASP API Top 10 with the author of Hacking APIs # Smarter AWS WAF: Reduce Noise, Detect Threats & Automate Response by Ihor S. Production-ready AWS WAF with custom monitoring, Slack alerts & automated threat response! # Tactical GRC - Turning Governance Into a Force Multiplier for Security Teams by @fletusposton Build lightweight, engineering-aligned GRC that actually accelerates security work! # How to Analyze Malware by Matthew N. Safe, practical malware analysis workflow for beginners – static, dynamic & real sample walkthrough! # Analyzing WannaCry: A Forensic Method for Recovering Ransomware Data with Open-Source Software by Smit Nayak Deep forensic recovery of WannaCry artifacts using open-source tools – DFIR gold! # StegoDefender: Hunting Malware Hidden in Plain Sight - Advanced Steganography Detection & Payload Extraction by Christopher Dio C. Detect & extract hidden malware from images & files with next-level steganography tools! And we'll be hosting content again this year through the great @getCourseStack platform! Big thank you to all putting the work and time in in to bring this con to everyone! 🙏 @_JohnHammond @JustHackingHQ @AnthonyBendas @Level_Effect Got your ticket yet? 🎟️ Head over to: continuumcon.com

I became good friends with Dan shortly after I passed the ASCP, while I was still at MTN Nigeria. A few days into that friendship, he sent me a message asking for permission to share my name with the then MTN’s Group Chief Information Security Officer, a South African guy. He told me, “Al-Amir, I informed Justin that one of his security engineers at MTN Nigeria cracked our most difficult exam, making him one of the very few to pass it.” I remember reading that and calling my guy Rojo, we both just laughed out of pure joy. I told him to go ahead, you never know the opportunity that’ll come out of it. A few years later, Dan recommended me to the team at APISec Inc. That’s where I met some incredible engineers, Jesse, Jose, Raj, extremely cracked guys. I joined as a Security Engineer, working on research, manually validating test cases/exploits, and then writing code to help the APISec scanning engine automate those checks. It was easily one of the most challenging roles I’ve taken on in my entire life. Eventually, I had to step away for new opportunities, and partly to take care of myself. When I told Dan I was leaving, he did everything he could to convince me to stay. He even tried to create other paths so we could keep working together. It meant a lot. APISec & APISec Uni will definitely feel his absence. He is a legend!

keyboard_arrow_left Previous keyboard_arrow_right Next

New issue of our newsletter; Executive Offense! The New Perimeter - Supply Chains and AI Environments executiveoffense.beehiiv.com/p/the-new-peri… Subscribe 🫶

Day 30/#30daysofApisecU Covered OWASP API Top 10, API pentesting, and security fundamentals hands on. Worked through crAPI, DVAPI, and realworld API finding flaws, breaking auth, and understanding what defenders miss. Will continue my journey with GraphQL. @ce3nerd @hAPI_hacker

keyboard_arrow_left Previous keyboard_arrow_right Next

Abdulmalik_cybersecurity @malik_cybersec

a month ago

Day 28&29/#30DaysofApisecU I tested my brother's RestAPI and reported to him what I found. I practiced all I learnt from @hAPI_hacker course on APIsecU and book. looking forward to testing more real life API @akintunero @commando_skiipz @ce3nerd @KoredeSec

1 2 25 2K 3

Day 28&29/#30DaysofApisecU I tested my brother's RestAPI and reported to him what I found. I practiced all I learnt from @hAPI_hacker course on APIsecU and book. looking forward to testing more real life API @akintunero @commando_skiipz @ce3nerd @KoredeSec

Abdulmalik_cybersecurity @malik_cybersec

a month ago

Day 27/#30DaysofAPIsecU Chapter 2 reading "Black Hat GraphQL " installation of tools that will be needed throughout the course. @akintunero @commando_skiipz @ce3nerd @KoredeSec @hAPI_hacker

0 2 16 1K 0

I just did an interview with @SecWeekly, with teasers for my upcoming #BHUSA presentation "Can AI Do Novel Vulnerability Research: Meet the HTTP Terminator", plus reflections on the Top Ten Web Hacking Techniques of 2025 & 2026. Watch it here: youtube.com/watch?v=fOWhhT…

Meet the Burp Ambassadors: @rana__khalil 🌍 Rana Khalil is a security educator and founder of Rana Khalil’s Academy. Her mission: make web app testing accessible to more people. #BurpAmbassador #BurpSuite

We've launched a new @WebSecAcademy topic on exploiting AI-powered security scanners! Learn how to use indirect prompt injection to steal data, cause damage & trigger exploit chains!