Enumeration and Snooping Attack

Automation allows a bad actor to launch enumeration attacks directly against the application APIs, as shown by the Prying-Eye vulnerability, where a bot cycles through (enumerates) numeric meeting IDs and discovers the valid ones. If the common user practice of disabling security functionality is followed, the bad actor is then able to view or listen to an active meeting. Other examples include using automation to discover valid gift cards or shipping confirmations.


Image 2: Prying Eye vulnerability allowed bad actors to enumerate, discover and join valid web meetings through an enumeration attack across a set of exposed APIs.

Content Scraping

E-commerce websites are dynamically generated based on user input. When a shopper searches for a product, numerous API calls are made behind the scenes and the web page is generated on the fly. These same API calls can be used to automate content scraping. In cases where the desired content requires authorized access, the bad actor will first establish a fake account by using the APIs behind the account signup form, then move on to the next phase of the scraping campaign.


Image 3: APIs are commonly used by content scrapers to steal images, text, HTML code and pricing from unsuspecting victims.
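Both of the automated patterns described above, the enumeration of numeric meeting IDs and the high-volume scraping of a search API (preceded by an account signup), leave a recognisable trace in ordinary API access logs. The following detector is an added example written for this page, not code from Cequence or from the CQ botDefense product, and it runs over a constructed log in a hypothetical `ip timestamp method path status` format; the IP addresses, endpoint paths (`/api/meetings/<id>`, `/api/search`, `/api/account/signup`), meeting IDs and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample API gateway access log (hypothetical format: ip timestamp method path status).
# All IPs, paths and meeting IDs below are made up for this example.
_BASE_LINES = [
    "10.0.0.5 2021-03-01T10:00:00Z GET /api/meetings/100200300 404",
    "10.0.0.5 2021-03-01T10:00:01Z GET /api/meetings/100200301 404",
    "10.0.0.5 2021-03-01T10:00:02Z GET /api/meetings/100200302 404",
    "10.0.0.5 2021-03-01T10:00:03Z GET /api/meetings/100200303 200",
    "10.0.0.5 2021-03-01T10:00:04Z GET /api/meetings/100200304 404",
    "10.0.0.5 2021-03-01T10:00:05Z GET /api/meetings/100200305 404",
    "10.0.0.9 2021-03-01T10:00:00Z GET /api/meetings/100200303 200",  # a normal attendee
    "10.0.0.9 2021-03-01T10:05:00Z GET /api/search?q=laptop 200",      # a normal shopper
    "10.0.0.7 2021-03-01T10:00:00Z POST /api/account/signup 201",      # scraper creates an account first
]
# Scraper behaviour: one search call per second for a minute, straight after the signup.
_START = datetime(2021, 3, 1, 10, 0, 1, tzinfo=timezone.utc)
_SCRAPER_LINES = [
    "10.0.0.7 %s GET /api/search?q=item%d 200"
    % ((_START + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ"), i)
    for i in range(60)
]
SAMPLE_LOG = "\n".join(_BASE_LINES + _SCRAPER_LINES)

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
MEETING_RE = re.compile(r"^/api/meetings/(\d+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["status"] = int(ev["status"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_enumeration(events, min_ids=5, min_run=4):
    """Flag clients that walk through numeric meeting IDs.

    Two signals are combined: many distinct IDs requested, and a long run of IDs that
    differ by exactly 1 in request order (the signature of a counter-driven bot).
    The share of 404s is reported because a human rarely asks for many meetings that
    do not exist.
    """
    per_ip = defaultdict(list)
    for ev in events:
        m = MEETING_RE.match(ev["path"])
        if m:
            per_ip[ev["ip"]].append((int(m.group(1)), ev["status"]))
    findings = {}
    for ip, hits in per_ip.items():
        ids = [mid for mid, _ in hits]
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        distinct = len(set(ids))
        misses = sum(1 for _, status in hits if status == 404)
        if distinct >= min_ids and longest >= min_run:
            findings[ip] = {
                "distinct_ids": distinct,
                "longest_sequential_run": longest,
                "miss_ratio": round(misses / len(hits), 2),
            }
    return findings


def detect_scraping(events, path_prefix="/api/search", window_seconds=60, threshold=50):
    """Flag clients whose calls to a content API exceed `threshold` in any sliding window.

    Also records whether the same client created an account in this log, which is the
    setup step a scraper takes when the content requires authorized access.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)  # timestamps are appended in sorted order
    signed_up = set()
    for ev in events:
        if ev["path"].startswith(path_prefix):
            per_ip[ev["ip"]].append(ev["ts"])
        if ev["method"] == "POST" and ev["path"] == "/api/account/signup":
            signed_up.add(ev["ip"])
    findings = {}
    for ip, stamps in per_ip.items():
        peak, left = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            findings[ip] = {"peak_requests_per_window": peak, "created_account_first": ip in signed_up}
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", detect_enumeration(evs))
    print("scraping:", detect_scraping(evs))
```

On the constructed log, `detect_enumeration` flags only 10.0.0.5 (six consecutive IDs, five of them 404s) and `detect_scraping` flags only 10.0.0.7 (60 search calls in one minute, immediately after a signup); the two legitimate-looking clients are left alone. The thresholds are deliberately parameters, since the right values depend on the real traffic profile of each API; a useful complement on the prevention side is to make meeting or confirmation identifiers non-sequential and to require a second factor (such as a meeting password) before anything sensitive is returned.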

Protecting APIs from Automated Attacks: Key CQ botDefense Differentiators

  • ML-based analytics engine delivers complete API visibility: CQ botDefense is based on CQAI, an ML-based analytics engine that operates out-of-band to automatically discover all the APIs that support your public-facing web and mobile applications, automatically building an intuitive site map that can be used for policy-based protection. The stateless nature of APIs means that alternative JavaScript instrumentation and mobile SDK integration-based solutions are unable to collect the necessary telemetry to deliver consistent protection for your exposed APIs.
  • Open, extensible platform with customizable responses including deception: Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each API-based transaction. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Alternatively, the REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
  • New APIs protected automatically, security-induced delays eliminated: As new APIs and public-facing applications are deployed, they are automatically discovered and protected by CQ botDefense, effectively baking security into your application deployment workflow.
  • Consistent protection for all APIs – web, mobile and direct to API: CQ botDefense protects all of your public-facing APIs from automated attacks including those that are used for direct integration as well as those used by your web and mobile applications. A single, consistent security policy to protect all of your APIs provides an opportunity to consolidate application security functions into a single platform.
  • Deployable anywhere: A container-based software architecture allows CQ botDefense to be deployed in your data center, the cloud or as a SaaS offering, allowing you to choose the architecture that best fits your application security needs.

Additional API Security Resources

CQ botDefense API Security Solution Brief

CQ botDefense 5 Minute Demo

Prying Eye: Direct to API Enumeration Attack Webinar