PingIntelligence

ASE attack detection

API Security Enforcer supports the following real time ASE attack detection and blocking:

  • API pattern enforcement – validate traffic to ensure it is consistent with the API definition

  • API deception – blocks hackers probing a decoy API (see API deception environment)

Enable ASE detected attacks

Enable real-time ASE attack detection by running the following ASE command:

/opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_ase_detected_attack
ASE detected attack is now enabled

Disable ASE detected attacks

Disable real-time ASE detected attacks by running the following command on the ASE command line:

/opt/pingidentity/ase/bin/cli.sh -u admin -p admin disable_ase_detected_attack
ASE detected attack is now disabled
When you disable ASE Detected attacks, the attacks are deleted from the blacklist.

Configure pattern enforcement

After enabling API cybersecurity, configure API pattern enforcement to block API traffic that does not match the permitted criteria in the following categories:

  • Protocol (HTTP, HTTPS, WS, WSS) – only allow the defined protocols

  • Method (GET, POST, PUT, DELETE, HEAD) – only allow the specified methods

  • Content Type – only allow the defined content type, not enforced if an empty string is entered

  • HTTPS Only – only allow HTTPS traffic

ASE blocks attacks based on parameters configured in the API JSON file. If a client request includes values not configured in the API JSON, ASE blocks the connection in real-time. When the connection is blocked, the OAuth2 token, cookie, or IP address is blocked from accessing any APIs.

The following API JSON file snippet shows an example of pattern enforcement parameters:

"api_pattern_enforcement": {
 "protocol_allowed": "https",
 "http_redirect": {
 "response_code": 301,
 "response_def": "Moved Permanently",
 "https_url": "https://shopping.xyz.com/login/"
 },
 "methods_allowed": [
 "GET",
 "POST"
 ],
 "content_type_allowed": "application/json",
 "error_code": 401,
 "error_def": "Unauthorized",
 "error_message_body": " Error: Unauthorized"
 },

The above example sets up the following enforcement:

  • Only HTTPS traffic is allowed access to the API. If an HTTP request is sent, it will be redirected to the https_url defined in the http_redirect section.

  • Only GET and POST methods are allowed; PUT, DELETE, and HEAD will be blocked.

  • Only application/json content type is allowed; other content types are blocked.

If a request satisfies all three parameters (protocol, method, and content type), ASE will send the request to the backend API server for processing. Otherwise, ASE sends an error code using the following API JSON parameters:

  • Error_code – for example, “401”

  • error_def– error definition, for example, “Unauthorized”

  • error_message_body – error message content, for example, “Error: Unauthorized”

If an empty string is specified for content_type_allowed, ASE does not enforce content type for the incoming traffic.

"content_type_allowed": ""

When API security is enabled, the protocol_allowed parameter takes precedence over the protocolparameter in the beginning of the API JSON file

Detection of attacks for pattern enforcement violation

The following is a snippet of access log file showing what is logged when a connection is blocked based on any pattern enforcement violation. NOTE: Make sure that ASE detected attacks are enabled.

The following example shows a method violation for an OAuth2 token:

[Fri Aug 10 15:59:12:435 2018] [thread:14164] [info] [connectionid:1681692777] [seq:1] [connectinfo:100.100.1.5:36839] [type:request] [api_id:shop] PATCH /shopapi/categories/list HTTP/1.1
User-Agent: curl/7.35.0
Accept: /
Host: app
Content-Type: application/text
Cookie: JSESSIONID=ebcookie
Authorization: Bearer OauthTokenusemethoid12345
[Fri Aug 10 15:59:12:435 2018] [thread:14164] [info] [connectionid:1681692777] [seq:1] [connectinfo:100.100.1.5:36839] [type:connection_drop]  [enforcement:method]  [api_id:shop] PATCH /shopapi/categories/list HTTP/1.1
User-Agent: curl/7.35.0
Accept: /
Host: app
Content-Type: application/text
Cookie: JSESSIONID=ebcookie
Authorization: Bearer OauthTokenusemethoid12345

Violations logged in the ASE access log files are sent to API Behavioral Security engine for further analysis and reporting.