ASE attack detection
API Security Enforcer (ASE) supports the following real-time ASE attack detection and blocking. For more information on enabling and disabling ASE-detected attacks, see Enabling and disabling ASE attack detection.
- API pattern enforcement – validates traffic to ensure it is consistent with the application programming interface (API) definition
- API deception – blocks hackers probing a decoy API. For more information, see API deception environment in inline mode.
Pattern enforcement configuration
After enabling API cybersecurity, configure API pattern enforcement to block API traffic that does not match the permitted criteria in the following categories:
- Protocol (HTTP, HTTPS, WS, WSS) – only allow the defined protocols
- Method (GET, POST, PUT, DELETE, HEAD) – only allow the specified methods
- Content Type – only allow the defined content type; not enforced if an empty string is entered
- HTTPS Only – only allow HTTPS traffic
ASE blocks attacks based on parameters configured in the API JavaScript Object Notation (JSON) file. If a client request includes values not configured in the API JSON, ASE blocks the connection in real time. When the connection is blocked, the OAuth2 token, cookie, or IP address is blocked from accessing any APIs.
The following API JSON file snippet shows an example of pattern enforcement parameters:
```json
"api_pattern_enforcement": {
  "protocol_allowed": "https",
  "http_redirect": {
    "response_code": 301,
    "response_def": "Moved Permanently",
    "https_url": "https://shopping.xyz.com/login/"
  },
  "methods_allowed": [
    "GET",
    "POST"
  ],
  "content_type_allowed": "application/json",
  "error_code": 401,
  "error_def": "Unauthorized",
  "error_message_body": " Error: Unauthorized"
},
```
The above example sets up the following enforcement:
- Only HTTPS traffic is allowed access to the API. If an HTTP request is sent, it is redirected to the https_url defined in the http_redirect section.
- Only GET and POST methods are allowed. PUT, DELETE, and HEAD are blocked.
- Only the application/json content type is allowed. Other content types are blocked.
If a request satisfies all three parameters (protocol, method, and content type), ASE will send the request to the backend API server for processing. Otherwise, ASE sends an error code using the following API JSON parameters:
Parameter | Description |
---|---|
error_code | Error code, for example: "401" |
error_def | Error definition, for example: "Unauthorized" |
error_message_body | Error message content, for example: "Error: Unauthorized" |
If an empty string is specified for content_type_allowed, ASE does not enforce content type for the incoming traffic:
```json
"content_type_allowed": ""
```
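To make the evaluation order concrete, the following is an added Python example (not ASE code) that applies the api_pattern_enforcement settings from the snippet above to a request; the request dictionary shape, the case-insensitive comparison, and the stripping of content type parameters such as charset are assumptions.

```python
import json

# Constructed configuration mirroring the api_pattern_enforcement snippet above
ENFORCEMENT_JSON = """
{
  "api_pattern_enforcement": {
    "protocol_allowed": "https",
    "http_redirect": {
      "response_code": 301,
      "response_def": "Moved Permanently",
      "https_url": "https://shopping.xyz.com/login/"
    },
    "methods_allowed": ["GET", "POST"],
    "content_type_allowed": "application/json",
    "error_code": 401,
    "error_def": "Unauthorized",
    "error_message_body": " Error: Unauthorized"
  }
}
"""
CONFIG = json.loads(ENFORCEMENT_JSON)


def evaluate(request, config):
    """Decide what happens to one request: (action, status, detail).

    Checks run in the order the text lists them (protocol, method, content
    type); the first failing check decides the outcome (assumed order).
    """
    pe = config["api_pattern_enforcement"]
    # Protocol: a request on the wrong protocol is redirected to https_url
    if request["protocol"].lower() != pe["protocol_allowed"].lower():
        redirect = pe["http_redirect"]
        return ("redirect", redirect["response_code"], redirect["https_url"])
    # Method: anything outside methods_allowed is dropped with error_code
    if request["method"].upper() not in {m.upper() for m in pe["methods_allowed"]}:
        return ("block", pe["error_code"], "method")
    # Content type: enforced only when content_type_allowed is non-empty.
    # Assumption: parameters such as "; charset=utf-8" are ignored.
    allowed = pe["content_type_allowed"].strip().lower()
    if allowed:
        sent = request.get("content_type", "").split(";")[0].strip().lower()
        if sent != allowed:
            return ("block", pe["error_code"], "content_type")
    return ("allow", 200, "")
```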
When API security is enabled, the
Detection of attacks for pattern enforcement violation
The following is a snippet of the access log file showing what is logged when a connection is blocked because of a pattern enforcement violation.
Make sure that ASE-detected attacks are enabled.
The following example shows a method violation for an OAuth2 token:
```
[Fri Aug 10 15:59:12:435 2018] [thread:14164] [info] [connectionid:1681692777] [seq:1] [connectinfo:100.100.1.5:36839] [type:request] [api_id:shop]
PATCH /shopapi/categories/list HTTP/1.1
User-Agent: curl/7.35.0
Accept: */*
Host: app
Content-Type: application/text
Cookie: JSESSIONID=ebcookie
Authorization: Bearer OauthTokenusemethoid12345

[Fri Aug 10 15:59:12:435 2018] [thread:14164] [info] [connectionid:1681692777] [seq:1] [connectinfo:100.100.1.5:36839] [type:connection_drop] [enforcement:method] [api_id:shop]
PATCH /shopapi/categories/list HTTP/1.1
User-Agent: curl/7.35.0
Accept: */*
Host: app
Content-Type: application/text
Cookie: JSESSIONID=ebcookie
Authorization: Bearer OauthTokenusemethoid12345
```
Violations logged in the ASE access log files are sent to API Behavioral Security (ABS) AI Engine for further analysis and reporting.