The Hacking APIs Conference is back for 2026!
HAC NYC returns May 14th. CFP is open.
Got a live API hack? A breach case study? Research that made a security team sweat? Submit it.
Vulnerabilities that shipped. Exploits that worked. Defenses that held.
Stop paying $20 per month for Claude Code. McDonald’s AI bot is FREE.
Someone asked a McDonald’s support assistant how to reverse a linked list in Python.
It answered correctly. Actual code.
We’re definitely at peak AI now.
@Microsoft patched a critical Entra bug, told me it was not a bug, and never told you it existed.
A broken API authorization flaw was used on 15 separate @azuread Entra services. Any low-privileged authenticated user in your tenant could download all sorts of logs for the entire enterprise, with no role and no admin rights. That telemetry included source IP addresses, geolocation, MFA status, application access patterns, and the Conditional Access policies applied to every sign-in.
Timeline:
April 8: I reported it to MSRC as VULN-181669 with a video proof of concept attached.
April 23: MSRC said they could not reproduce it and asked for a video.
April 24: I confirmed the video was already in the original submission.
April 27: They closed the case as below the bar for immediate servicing, with no CVE and no bounty, claiming the API enforced permissions server side and returned 403.
April 29: I retested, and the endpoint that had returned a full log dump now returned a role-check error that did not exist when I filed.
They closed the finding as not a bug, and then they shipped the fix for it on the side. That is the opposite of coordinated disclosure.
A single export across the sign-in logs exposed user principal names for every account, source IPs with geolocation, MFA status per sign-in, the full application and service principal inventory, and Conditional Access policy results. In the instance of my finding this resulted in roughly 400 MB of tenant-wide authentication data from one service. The same flaw appeared in 14 more, including Provisioning Logs, ID Protection, Conditional Access, Authentication Methods, Billing - Licenses - Audit Logs and Certificate Authorities. This was not a single misconfigured endpoint. It was one broken authorization pattern repeated across the platform.
The bug is gone now, and without notification, that is precisely the problem. You cannot reproduce it, and Microsoft has published no CVE and no advisory confirming it was ever there. Without that disclosure, you have no exposure window to investigate and no indicators of compromise to hunt. The exploit traffic would show up in your logs as 200 responses to auditLogs/signIns from users who never had read access, but nothing from Microsoft tells you where to look.
Microsoft should reopen VULN-181669, notify affected customers, publish indicators of compromise, and issue the CVE.
Full writeup: https://t.co/cH5md3x71m
@InsiderPhD @DoerrfeldBill @chrishonda0716 @ryanrutan @EdwardLichtner @JoseHaroPeralta @nicfill
🚨 Workshop Spotlight #5 👉 "Instant API Hacker"
by Corey J. Ball (@hAPI_hacker), author of "Hacking APIs" and founder of APIsec University (@apisecu) & hAPI Labs
📝 Description
"Instant API Hacker" demonstrates how quickly someone can learn to identify and exploit API vulnerabilities.
You'll witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure.
Through live demos using the "One Request to Rule Them All," you'll see firsthand how APIs can be compromised, and gain actionable insights you can apply immediately.
The session walks through finding APIs, analyzing endpoints in Postman, going deep with Burp Suite, and exploiting the most common vulnerabilities. You leave with free resources for continued learning, including vulnerable labs and APIsec University courses.
Beginner-friendly. By the end, you're an API hacker.
🎟️ Only at ContinuumCon 2026
Work through it live, or revisit the lab on your own time. Own it forever. The workshop doesn't end when the conference does.
Got your ticket yet? 👉 https://t.co/N7pFB85xsS
Hosted by @_JohnHammond, @JustHackingHQ, @AnthonyBendas, and @Level_Effect!
John Hammond invites you to ContinuumCon, the virtual con that never ends and EVERY talk is a hands-on workshop! https://t.co/yMJxtAfg2x us June 12-14!
"The team and I have put together a banger of an online event at an affordable price that includes online training. We hope to see you in June!"
CC 2026 is a virtual cybersecurity conference hosted by John, Co-Founder of Just Hacking Training, and Anthony Bendas of Level Effect. It’s built around practical workshops covering AI/ML, DFIR, Detection Engineering, Reverse Engineering, Threat Hunting, Malware Analysis, CTI, SecOps, and Tactical GRC. And, of course, we’ll be hanging out on Discord where the real party happens. 😜
Why Attend?
- All 3 days of ContinuumCon broadcast FREE online. No Travel! No Cost!
- One Single Track! Allows you to attend all talks.
- EVERY talk is a hands-on workshop with cloud-based labs hosted on JHT.
- Affordable tickets (just $79 & $159) grant access to ALL labs during AND after the event.
- Free CTF! 'nuff said
Top experts you WANT to see:
💫 Corey Ball
💫 Andrew Bellini
💫 Eva Benn
💫 Bryson Bort
💫 Jun34u
💫 rekdt
💫 solst/ICE
💫 John Strand
💫 Rachel Tobac
💫 Jamie Williams
💫 Many more!
#explore #cybersecurity #ethicalhacking #training #conference
If you want to know how I, an AI skeptic, really changed my mind on hacking with AI, I’ll be at HackingAPIsCon/apidays New York next week to talk about how I worked WITH an agent rather than fight against it, and I'll share some of my AI hacking methodology.
🔥 ContinuumCon 2026 June 12-14 Workshops Announced! Stacked with content, plus a special event:
This year we'll have a Live AMA with @brysonbort and @strandjs - Q&A, commentary, and the top-tier banter.
Workshops 👇
# Roll Your Own Analyst
by Rain Jordan
Build your own local AI threat intel pipeline with Python & Ollama
# Killing Active Directory Attack Paths Once and For All
by @techspence
Hands-on destruction of major AD attack paths with hardening to mitigate
# Hacking Over & Under The Wire
by @klrgrz
Beginner-friendly SSH & PowerShell using OverTheWire wargames, tying back to tradecraft
# Practical Security Engineering
by @IceSolst
Stand up SAST, DAST, SCA, and secrets scanning for free using GitHub Actions
# Prompt Injection Fundamentals & Hack-Along
by Eva Benn and @Andrew Bellini
Practical, beginner-friendly walkthrough of prompt injection fundamentals. It's a solid on-ramp if you want to get into AI pentesting!
# Escaping Sandboxes with AI
by @ZackKorman
Hands-on techniques for finding and executing AI sandbox escapes
# Instant API Hacker
by @hAPI_hacker
Fast-paced exploitation of the OWASP API Top 10 with the author of Hacking APIs
# Smarter AWS WAF: Reduce Noise, Detect Threats & Automate Response
by Ihor S.
Production-ready AWS WAF with custom monitoring, Slack alerts & automated threat response!
# Tactical GRC - Turning Governance Into a Force Multiplier for Security Teams
by @fletusposton
Build lightweight, engineering-aligned GRC that actually accelerates security work!
# How to Analyze Malware
by Matthew N.
Safe, practical malware analysis workflow for beginners – static, dynamic & real sample walkthrough!
# Analyzing WannaCry: A Forensic Method for Recovering Ransomware Data with Open-Source Software
by Smit Nayak
Deep forensic recovery of WannaCry artifacts using open-source tools – DFIR gold!
# StegoDefender: Hunting Malware Hidden in Plain Sight - Advanced Steganography Detection & Payload Extraction
by Christopher Dio C.
Detect & extract hidden malware from images & files with next-level steganography tools!
And we'll be hosting content again this year through the great @getCourseStack platform!
Big thank you to all putting the work and time in to bring this con to everyone! 🙏
@_JohnHammond @JustHackingHQ @AnthonyBendas @Level_Effect
Got your ticket yet? 🎟️
Head over to: https://t.co/N7pFB85xsS
I became good friends with Dan shortly after I passed the ASCP, while I was still at MTN Nigeria.
A few days into that friendship, he sent me a message asking for permission to share my name with the then MTN’s Group Chief Information Security Officer, a South African guy.
He told me, “Al-Amir, I informed Justin that one of his security engineers at MTN Nigeria cracked our most difficult exam, making him one of the very few to pass it.”
I remember reading that and calling my guy Rojo, we both just laughed out of pure joy. I told him to go ahead, you never know the opportunity that’ll come out of it.
A few years later, Dan recommended me to the team at APISec Inc. That’s where I met some incredible engineers, Jesse, Jose, Raj, extremely cracked guys.
I joined as a Security Engineer, working on research, manually validating test cases/exploits, and then writing code to help the APISec scanning engine automate those checks.
It was easily one of the most challenging roles I’ve taken on in my entire life. Eventually, I had to step away for new opportunities, and partly to take care of myself.
When I told Dan I was leaving, he did everything he could to convince me to stay. He even tried to create other paths so we could keep working together. It meant a lot.
APISec & APISec Uni will definitely feel his absence. He is a legend!
Day 30/#30daysofApisecU
Covered OWASP API Top 10, API pentesting, and security fundamentals hands on. Worked through crAPI, DVAPI, and real-world APIs, finding flaws, breaking auth, and understanding what defenders miss. Will continue my journey with GraphQL.
@ce3nerd @hAPI_hacker
I just did an interview with @SecWeekly, with teasers for my upcoming #BHUSA presentation "Can AI Do Novel Vulnerability Research: Meet the HTTP Terminator", plus reflections on the Top Ten Web Hacking Techniques of 2025 & 2026. Watch it here:
https://t.co/BSUuoyW0MF
Meet the Burp Ambassadors: @rana__khalil 🌍
Rana Khalil is a security educator and founder of Rana Khalil’s Academy.
Her mission: make web app testing accessible to more people.
#BurpAmbassador #BurpSuite
We've launched a new @WebSecAcademy topic on exploiting AI-powered security scanners! Learn how to use indirect prompt injection to steal data, cause damage & trigger exploit chains!
Meet the Burp Ambassadors: @0xTib3rius 🇺🇸
Tib3rius is a professional pentester and well-known content creator - you’ve probably seen his livestreams or training content. 👀
#BurpAmbassador #BurpSuite #pentesting
hELLO
the tIME HAS cOME oNCE AGAIN on my cONTENT cALENDAR
for me to continue to scream and shout about
oUR VIRTUAL EVENT ContinuumCon 2026
jUNE 12 - 14 https://t.co/F2sTgM7xv0
livestream run of show is free & public but all workshop sessions get into hands-on labs
see u there ✌️