PingIntelligence

API deception

You can view the deception APIs by running the following command. The deception API is part of the setup. The deception command completes the following steps:

  • Enables ASE detected attacks

  • Fetches the list of configured APIs from ASE

  • Sends traffic to the decoy API and receives a 200 OK response

  • Sends traffic to a regular API (for example, shopapi). The connection is blocked because any client that previously accessed a decoy API is not allowed access to “production” APIs.

API deception works only in the inline Docker PoC setup.

Execute the following script to test API deception:

root@vortex-108:/opt/pingidentity/docker-poc$ sudo ./bin/start.sh deception
Enabling enable_ase_detected_attack on ASE...
Press any key to continue
ASE Detected Attack is now enabled
Fetching the list of APIs from ASE
Press any key to continue
decoy ( loaded ), http, decoy: out-context, client_spike_threshold: 0/second, server_connection_queueing: disabled
shop-books ( loaded ), http, client_spike_threshold: 300/second, server_connection_queueing: disabled
shop-electronics ( loaded ), http, decoy: in-context, client_spike_threshold: 700/second, server_connection_queueing: enabled
shop ( loaded ), http, decoy: in-context, client_spike_threshold: 300/second, server_connection_queueing: disabled
Sending traffic to "decoy API" with client IP 10.10.10.10...
Press any key to continue
curl -v http://localhost:8000/decoy/myhome -H "X-Forwarded-For: 10.10.10.10"
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET /decoy/myhome HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.47.0
> Accept: */*
> X-Forwarded-For: 10.10.10.10
>
< HTTP/1.1 200 OK
< Server: ASE
< Content-Length: 2
< Connection: close
<
* Closing connection 0
OK
Accessing regular API using client IP 10.10.10.10...
Press any key to continue
curl -v http://localhost:8000/shopapi/login -H "Host: shopapi" -H "Content-Type: application/text" -H "X-Forwarded-For: 10.10.10.10" -d 'user=root'
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> POST /shopapi/login HTTP/1.1
> Host: shopapi
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/text
> X-Forwarded-For: 10.10.10.10
> Content-Length: 9
>
* upload completely sent off: 9 out of 9 bytes
< HTTP/1.1 401 Unauthorized
< Server: ASE
< Connection: close
< content-length: 19
<
* Closing connection 0
Error: Unauthorized
Error: Unauthorized
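
The following is an added example, not part of the PingIntelligence documentation or tooling: a small Python parser for the API listing lines printed in the transcript above, used to report which loaded APIs show no "decoy:" attribute. The field layout is inferred only from the four listing lines shown here, and the function names are hypothetical.

```python
import re

# Constructed sample: the four API listing lines from the transcript above.
SAMPLE_LISTING = """\
decoy ( loaded ), http, decoy: out-context, client_spike_threshold: 0/second, server_connection_queueing: disabled
shop-books ( loaded ), http, client_spike_threshold: 300/second, server_connection_queueing: disabled
shop-electronics ( loaded ), http, decoy: in-context, client_spike_threshold: 700/second, server_connection_queueing: enabled
shop ( loaded ), http, decoy: in-context, client_spike_threshold: 300/second, server_connection_queueing: disabled
"""

# Assumed layout: "<name> ( <state> ), <protocol>[, key: value]..."
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s*\(\s*(?P<state>[^)]*?)\s*\)\s*,\s*"
    r"(?P<protocol>[^,\s]+)\s*(?:,\s*(?P<attrs>.*))?$"
)


def parse_api_line(line):
    """Parse one listing line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api = {"name": m["name"], "state": m["state"],
           "protocol": m["protocol"], "decoy": None}
    for attr in (m["attrs"] or "").split(","):
        key, sep, value = attr.partition(":")
        if sep:  # keep only well-formed "key: value" attributes
            api[key.strip()] = value.strip()
    return api


def parse_listing(text):
    """Parse every recognisable API line; other transcript lines are skipped."""
    return [api for api in map(parse_api_line, text.splitlines()) if api]


def apis_without_decoy(apis):
    """Names of loaded APIs that carry no 'decoy:' attribute in the listing."""
    return [a["name"] for a in apis if a["state"] == "loaded" and a["decoy"] is None]


if __name__ == "__main__":
    apis = parse_listing(SAMPLE_LISTING)
    for a in apis:
        print(f'{a["name"]:<18} {a["protocol"]:<6} decoy={a["decoy"] or "none"}')
    print("loaded APIs with no decoy attribute:", apis_without_decoy(apis))
```

Because non-matching lines are skipped, the whole captured transcript of the deception run can be passed to parse_listing unchanged.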