Page created: 12 May 2021 | Page updated: 1 Nov 2021
The ABS AI Engine detects attacks based on the behavior of the username accessing API services. PingIntelligence captures the username information in the following three ways:
- User information is captured if the incoming request has a JSON Web Token (JWT). For more information, see Extract user information from JWT in inline mode and Extract user information from JWT in sideband mode.
- Similarly, if an incoming request has a custom header with user information, the username is extracted from it. For more information, see Extract username from custom header in sideband mode and Extract username from custom header in inline mode.
- PingIntelligence is deployed in sideband mode with an API gateway that supports capturing username information. The following PingIntelligence and API gateway integrations support capturing username information:
Note the following points for the ABS AI engine to detect username-based attacks:
- The OAuth token parameter, `oauth2_access_token`, must be configured in the API JSON in ASE. For more information on the API JSON definition, see Defining an API using API JSON configuration file in sideband mode.
- The incoming request must have an OAuth token in it for the ABS AI engine to detect username-based attacks.
Important: The ABS AI engine does not detect username attacks for requests to which the server responds with an HTTP 401 Unauthorized error code. This prevents a valid user from being blocked when an attacker tries to impersonate that user.
Detected attacks based on username
| Attack Type | Description | id | Single or Across APIs |
|---|---|---|---|
| API Probing Replay Attack Type 1 | Probing or breach attempts on an API service – also called fuzzing - Username | | |
| API Probing Replay Attack Type 2 | Probing an API service over an extended time period - Username | | |
| Sequence Attack | Abnormal sequence of API transactions | | |
| Abnormal API Access | Abnormal user behavior when accessing API services | | |
| User Data Exfiltration Type 2 | A User is extracting excessive data via an API service | | |
| User Data Injection | A User is injecting excessive data into an API service | | |
Important: When reporting an abnormal sequence, ABS reports the username if it is available in the API ecosystem; otherwise, it reports the OAuth token.
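The attribution rules on this page (username from a JWT or a custom header, an OAuth token required, 401 responses excluded, OAuth token reported when no username is available) can be sketched as follows. This is an added illustration, not PingIntelligence code: the claim name `username`, the header `X-Username`, the Bearer token location and all function names are assumptions, and the sample token is constructed.

```python
import base64
import json

USERNAME_CLAIM = "username"     # assumed JWT claim name
USERNAME_HEADER = "x-username"  # assumed custom header name (lower-cased)


def sample_jwt(claims):
    """Build a constructed sample token with a dummy signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256'})}.{enc(claims)}.c2ln"


def username_from_jwt(token):
    """Return the username claim from a JWT payload, or None.

    The signature is not checked here: the value is used only to attribute
    traffic; authenticating the token stays with the API or gateway.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    value = claims.get(USERNAME_CLAIM) if isinstance(claims, dict) else None
    return value if isinstance(value, str) and value else None


def attribution_key(headers, status):
    """Return (kind, value) naming who a transaction is attributed to, or None."""
    if status == 401:
        return None  # rejected request: never charged to the claimed user
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    token = auth[7:].strip() if auth.lower().startswith("bearer ") else ""
    if not token:
        return None  # no OAuth token, so no username-based detection
    user = username_from_jwt(token) or h.get(USERNAME_HEADER)
    return ("username", user) if user else ("oauth_token", token)
```

Excluding 401 responses before any username lookup means a flood of rejected requests carrying someone else's username produces no anomaly score against that user.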