PingIntelligence

Out-of-context decoy API

Out-of-context decoy APIs are independent APIs where every path is a decoy API. Any sub-paths accessed in the API are treated as part of the decoy API.

Diagram of ASE blocking attackers through decoy APIs

The following is a snippet of a trading API JSON file which has been deployed as a decoy API:

{
    "api_metadata": {
        "protocol": "http",
        "url": "/account",
        "hostname": "*",
;
; Note – other configuration parameters removed
;
        "decoy_config":
        {
          "decoy_enabled": true,
          "response_code" : 200,
          "response_def" : "OK",
          "response_message" : "OK",
          "decoy_subpaths": [
          ]
        }
    }
}

Since the decoy_subpaths parameter is empty, any sub-path accessed by the attacker after /account is regarded as a decoy path or decoy API.
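The following is an added example, not PingIntelligence or ASE code, that models the classification rule just described: with an empty decoy_subpaths list, every request at or below the decoy API's url is treated as a decoy hit and answered with the configured response_code and response_message. The in-context case (only the listed sub-paths, taken relative to the API url, count as decoys) and the access-log format used for the sample lines are assumptions made for the example, not taken from this page.

```python
# Added example (not PingIntelligence/ASE code): decoy path matching for
# out-of-context decoys (empty decoy_subpaths = whole API is a decoy) and,
# as an assumption, in-context decoys (only listed sub-paths are decoys).
import json
import re
from typing import Optional

# Constructed sample: the page's trading API definition completed into valid
# JSON, decoy_subpaths left empty (out-of-context decoy).
TRADING_DECOY_JSON = """
{
  "api_metadata": {
    "protocol": "http",
    "url": "/account",
    "hostname": "*",
    "decoy_config": {
      "decoy_enabled": true,
      "response_code": 200,
      "response_def": "OK",
      "response_message": "OK",
      "decoy_subpaths": []
    }
  }
}
"""

# Constructed, hypothetical sample: an in-context decoy on a real shop API
# where only /admin and /debug below /shop are decoys.
SHOP_DECOY_JSON = """
{
  "api_metadata": {
    "protocol": "https",
    "url": "/shop",
    "hostname": "*",
    "decoy_config": {
      "decoy_enabled": true,
      "response_code": 404,
      "response_def": "Not Found",
      "response_message": "Not Found",
      "decoy_subpaths": ["/admin", "/debug"]
    }
  }
}
"""


def load_api(json_text: str) -> dict:
    """Parse an API JSON file and return its api_metadata object."""
    return json.loads(json_text)["api_metadata"]


def _under(path: str, base: str) -> bool:
    """True if path equals base or lies below it as whole path segments."""
    base = base.rstrip("/")
    if base == "":                       # base was "/": everything is under it
        return path.startswith("/")
    return path == base or path.startswith(base + "/")


def is_decoy_request(api: dict, request_path: str) -> bool:
    """Decide whether request_path hits the decoy part of this API."""
    cfg = api.get("decoy_config") or {}
    if not cfg.get("decoy_enabled"):
        return False
    base = api["url"]
    if not _under(request_path, base):
        return False                      # another API, or no API at all
    subpaths = cfg.get("decoy_subpaths") or []
    if not subpaths:
        return True                       # out-of-context: every sub-path is a decoy
    # In-context (assumed): only the listed sub-paths, relative to the API url.
    remainder = request_path[len(base.rstrip("/")):] or "/"
    return any(_under(remainder, sp) for sp in subpaths)


def decoy_response(api: dict, request_path: str) -> Optional[tuple]:
    """(status_code, message) the decoy answers with, or None if not a decoy."""
    if not is_decoy_request(api, request_path):
        return None
    cfg = api["decoy_config"]
    return (cfg["response_code"], cfg["response_message"])


# Assumed (constructed) access-log shape: "<client> <METHOD> <path>"
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+)")


def decoy_hits(apis: list, log_lines: list) -> list:
    """Return (client, path) for each logged request that landed on a decoy;
    no legitimate client needs these paths, so each hit is a strong signal."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and any(is_decoy_request(api, m["path"]) for api in apis):
            hits.append((m["client"], m["path"]))
    return hits


if __name__ == "__main__":
    apis = [load_api(TRADING_DECOY_JSON), load_api(SHOP_DECOY_JSON)]
    sample_log = [                            # constructed log lines
        "10.0.0.5 GET /shop/catalog",             # real endpoint, not a decoy
        "10.0.0.9 GET /account",                  # decoy root
        "10.0.0.9 GET /account/balance/transfer", # any sub-path is a decoy
        "10.0.0.9 POST /shop/admin/users",        # listed in-context sub-path
        "10.0.0.5 GET /accounts",                 # prefix only, not under /account
    ]
    for client, path in decoy_hits(apis, sample_log):
        print(f"decoy hit: {client} -> {path}")
```

Note that the match is done on whole path segments, so /accounts is not treated as being under /account; a plain string-prefix check would flag it and produce false decoy hits on legitimate traffic.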

After configuring in-context or out-of-context decoy APIs, you can check the API listings by running the list_api command:

/opt/pingidentity/ase/bin/cli.sh list_api -u admin -p
flight ( loaded ), https
shop ( loaded ), https, decoy: in-context
trading ( loaded ), https, decoy: out-context