PingIntelligence

Viewing deception APIs

View the deception APIs.

About this task

The deception application programming interface (API) is part of the Docker setup. The deception command completes the following steps:

  • Enables API Security Enforcer (ASE) detected attacks.

  • Fetches the list of configured APIs from ASE.

  • Sends traffic to the decoy API and receives a 200 OK response.

  • Sends traffic to a regular API (for example, shopapi). The connection is blocked because any client that previously accessed a decoy API is not allowed access to production APIs.

API deception works only for inline Docker evaluation setup.

Steps

  • Run the following script to test API deception:

    root@vortex-108:/opt/pingidentity/docker-poc$sudo./bin/start.sh deception

    Example:

    Enabling enable_ase_detected_attack on ASE...
    Press any key to continue
    ASE Detected Attack is now enabled
    Fetching the list of APIs from ASE
    Press any key to continue
    decoy ( loaded ), http, decoy: out-context, client_spike_threshold: 0/second, server_connection_queueing: disabled
    shop-books ( loaded ), http, client_spike_threshold: 300/second, server_connection_queueing: disabled
    shop-electronics ( loaded ), http, decoy: in-context, client_spike_threshold: 700/second, server_connection_queueing: enabled
    shop ( loaded ), http, decoy: in-context, client_spike_threshold: 300/second, server_connection_queueing: disabled
    Sending traffic to "decoy API" with client IP 10.10.10.10...
    Press any key to continue
    curl -v http://localhost:8000/decoy/myhome -H "X-Forwarded-For: 10.10.10.10"
    * Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 8000 (#0)
    > GET /decoy/myhome HTTP/1.1
    > Host: localhost:8000
    > User-Agent: curl/7.47.0
    > Accept: /
    > X-Forwarded-For: 10.10.10.10
    >
    < HTTP/1.1 200 OK
    < Server: ASE
    < Content-Length: 2
    < Connection: close
    <
    * Closing connection 0
    OK
    Accessing regular API using client IP 10.10.10.10...
    Press any key to continue
    curl -v http://localhost:8000/shopapi/login -H "Host: shopapi" -H "Content-Type: application/text" -H "X-Forwarded-For: 10.10.10.10" -d 'user=root'
    * Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 8000 (#0)
    > POST /shopapi/login HTTP/1.1
    > Host: shopapi
    > User-Agent: curl/7.47.0
    > Accept: /
    > Content-Type: application/text
    > X-Forwarded-For: 10.10.10.10
    > Content-Length: 9
    >
    * upload completely sent off: 9 out of 9 bytes
    < HTTP/1.1 401 Unauthorized
    < Server: ASE
    < Connection: close
    < content-length: 19
    <
    * Closing connection 0
    Error: Unauthorized
    Error: Unauthorized