Viewing deception APIs - PingIntelligence for APIs

Viewing deception APIs - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-52

pingintelligence

private

ContentType_ce

View the deception APIs.

The deception API is part of the Docker setup. The deception command completes the following steps:

Enables API Security Enforcer (ASE) detected attacks.
Fetches the list of configured APIs from ASE.
Sends traffic to the decoy API and receives a 200 OK response.
Sends traffic to a regular API (for example, shopapi). The connection is blocked because any client that previously accessed a decoy API is not allowed access to production APIs.

Note:

API deception works only for inline Docker evaluation setup.

Run the following script to test API deception:

root@vortex-108:/opt/pingidentity/docker-poc$sudo./bin/start.sh deception

Enabling enable_ase_detected_attack on ASE...
Press any key to continue 
ASE Detected Attack is now enabled
Fetching the list of APIs from ASE
Press any key to continue 
decoy ( loaded ), http, decoy: out-context, client_spike_threshold: 0/second, server_connection_queueing: disabled
shop-books ( loaded ), http, client_spike_threshold: 300/second, server_connection_queueing: disabled
shop-electronics ( loaded ), http, decoy: in-context, client_spike_threshold: 700/second, server_connection_queueing: enabled
shop ( loaded ), http, decoy: in-context, client_spike_threshold: 300/second, server_connection_queueing: disabled
Sending traffic to "decoy API" with client IP 10.10.10.10...
Press any key to continue 
curl -v http://localhost:8000/decoy/myhome -H "X-Forwarded-For: 10.10.10.10"
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET /decoy/myhome HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.47.0
> Accept: */*
> X-Forwarded-For: 10.10.10.10
>
< HTTP/1.1 200 OK
< Server: ASE
< Content-Length: 2
< Connection: close
<
* Closing connection 0
OK
Accessing regular API using client IP 10.10.10.10...
Press any key to continue 
curl -v http://localhost:8000/shopapi/login -H "Host: shopapi" -H "Content-Type: application/text" -H "X-Forwarded-For: 10.10.10.10" -d 'user=root'
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> POST /shopapi/login HTTP/1.1
> Host: shopapi
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/text
> X-Forwarded-For: 10.10.10.10
> Content-Length: 9
>
* upload completely sent off: 9 out of 9 bytes
< HTTP/1.1 401 Unauthorized
< Server: ASE
< Connection: close
< content-length: 19
<
* Closing connection 0
Error: Unauthorized
Error: Unauthorized