
PingIntelligence for APIs - API Behavioral Security Engine 3.2.1


Manage REST API attack detection

For each API, the API JSON file (see the API Security Enforcer Admin Guide) determines whether attacks and other reports are based on a cookie identifier, a token, or an IP address. An environment with multiple APIs can mix identifier types within a single ABS system. Client identifier use cases include:

  • API JSON with OAuth2 token parameter – When an API JSON is configured with OAuth2 token parameter = true, attack information is associated with the OAuth2 access token used by the attacker. Configuring the OAuth2 token parameter is recommended when access tokens are present, because the token is a unique client identifier and avoids the IP address issues described below.
  • API JSON with cookie parameter – When the cookie parameter is configured, most attacks are reported with cookie identifiers; the exception is pre-authentication attacks (such as client login attacks). Configuring the cookie parameter is recommended when cookies are present, because the cookie is a unique client identifier and avoids the IP address issues described below.
  • API JSON without a cookie or token parameter – When the cookie and OAuth2 token parameters are not configured, all attacks are reported with the client IP address, which is determined as follows:
      • XFF header present: The first IP address in the XFF list is used as the client identifier. When forwarding traffic, load balancers and other proxy devices with XFF enabled add IP addresses to the XFF header to give the application visibility of the client IP address. The first IP address in the list is typically the originating IP address.
        Note: XFF is not always a reliable source of the client IP address and can be spoofed by a malicious proxy.
      • No XFF header: When no XFF header is present, the source IP address of the incoming traffic is used as the client identifier. In this configuration, make sure that the incoming traffic uses public or private IP addresses associated with the actual client devices, not a load balancer or proxy device on your premises.
        Note: When a load balancer or other proxy without XFF enabled is the source of the inbound traffic, all client traffic is associated with the load balancer IP addresses. This configuration does not provide effective attack reporting unless cookies or tokens are used.
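The identifier rules above can be checked against your own traffic layout before relying on the reports. The following is an added sketch, not PingIntelligence code: the mode labels, field names, addresses and sample requests are constructed, and the fallback to IP rules when a configured token or cookie is absent is an assumption of the sketch.

```python
from collections import defaultdict

def client_identifier(mode, req):
    """Return (kind, value) for one request.

    mode is a hypothetical label for the API JSON setup: "token", "cookie" or "ip".
    """
    if mode in ("token", "cookie") and req.get(mode):
        return (mode, req[mode])
    # Assumption of this sketch: fall back to the IP rules when the
    # configured identifier is absent from the request.
    first = req.get("xff", "").split(",")[0].strip()
    if first:
        return ("ip", first)          # first address in the XFF list
    return ("ip", req["src_ip"])      # no XFF: source address of the connection

def merged_clients(mode, requests):
    """Identifiers that more than one real client maps to (lost attribution)."""
    seen = defaultdict(set)
    for req in requests:
        seen[client_identifier(mode, req)].add(req["client"])
    return {ident: sorted(c) for ident, c in seen.items() if len(c) > 1}

LB = "10.0.0.5"  # constructed load balancer address
# Constructed sample traffic: three clients, all arriving through the load balancer.
# "client" is ground truth used only to measure how identifiers collapse.
WITH_XFF = [
    {"client": "a", "src_ip": LB, "xff": "198.51.100.10", "token": "tok-a"},
    {"client": "b", "src_ip": LB, "xff": "198.51.100.11, 10.0.0.9", "token": "tok-b"},
    {"client": "c", "src_ip": LB, "xff": "198.51.100.12", "token": "tok-c"},
]
NO_XFF = [{**r, "xff": ""} for r in WITH_XFF]

if __name__ == "__main__":
    print("ip mode, XFF enabled :", merged_clients("ip", WITH_XFF))
    print("ip mode, XFF disabled:", merged_clients("ip", NO_XFF))
    print("token mode, no XFF   :", merged_clients("token", NO_XFF))
```

With XFF disabled on the load balancer, all three clients collapse onto the load balancer address in IP mode, while token mode keeps them distinct.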

To change the client identifier for an existing API, save the API JSON with a new name and update the configuration to include the new client identifier parameter. ABS then re-trains the model for this API and starts detecting attacks. For more information on configuring API JSON files, see the API Security Enforcer Admin Guide.
