Security Boulevard

The Home of the Security Bloggers Network
Tales from the Front Lines: Attackers Target APIs with GET-Based ATOs 

by Will Glazier on June 8, 2020

This blog will describe how account takeovers (ATO) can be executed against APIs using GET methods, as opposed to POST. It’s an excellent example of how bad actors will analyze an application to uncover potential attack vectors.

A Brief Primer on GET and POST

The GET method allows you to fetch information from a website or an API. GET supports passing query parameters, path parameters, or HTTP request headers to display dynamic content from a site. POST is often used to send information from the client to server using a form, JSON, or other formats.

Examples include:

  • users manually filling out a form to log in or to create a new account.
  • a script automatically collecting information from the browser or mobile device and sending it back to the server.

The Role of Developers and Development Frameworks

Developers will publish their web application to server-side frameworks, which then process the method and parameter requests and respond with appropriate content.

Basic server-side frameworks require developers to parse the parameters themselves, according to the method type. Advanced server-side frameworks such as Spring, PHP, and others automatically parse these parameters, whether they arrive as query parameters in a GET request or as form parameters in a POST request, and normalize them into a single key-value collection.

Unless explicitly enforced, parameters like username and password combination can be passed as GET query parameters or POST form parameters, and they are treated the same way by the backend. Developers often implement logic that uses the normalized parameters and does not care about how these parameters were submitted.
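The following is an added illustration, not code from the original post or from any real framework: a stand-in request object that merges query and form parameters the way a normalizing framework does, a login handler that reads the merged collection (and therefore accepts credentials on GET), and a hardened handler that enforces the method and reads only the body. The `Request` class, `USERS` store and credential values are all constructed for the example.

```python
import hmac
from urllib.parse import parse_qs

# Constructed stand-in for a framework request object (not a real framework API).
class Request:
    def __init__(self, method, query="", body=""):
        self.method = method
        self.query = {k: v[0] for k, v in parse_qs(query).items()}
        self.form = {k: v[0] for k, v in parse_qs(body).items()}
        # Merged view, like PHP's $_REQUEST or a bound @RequestParam in Spring:
        # the handler cannot tell where a value came from.
        self.params = {**self.query, **self.form}

# Constructed credential store for the example; never store plaintext passwords.
USERS = {"alice": "correct-horse"}

def _check(user, pw):
    # Constant-time comparison; returns False for unknown user or missing values.
    return bool(user and pw is not None and user in USERS
                and hmac.compare_digest(USERS[user], pw))

def login_merged(req):
    """Vulnerable pattern: reads the normalized collection, so credentials in a
    GET query string authenticate exactly like a POST form body."""
    if _check(req.params.get("username"), req.params.get("password")):
        return 200, "session issued"
    return 401, "bad credentials"

def login_post_only(req):
    """Hardened: the HTTP method is part of the contract. Non-POST requests are
    rejected before any credential is read, and only the body is consulted."""
    if req.method != "POST":
        return 405, "method not allowed"
    if _check(req.form.get("username"), req.form.get("password")):
        return 200, "session issued"
    return 401, "bad credentials"
```

The same credential pair succeeds via a GET query string against `login_merged` but is refused by `login_post_only`, and a POST that carries the credentials only in its query string is treated as a failed login rather than silently accepted.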

Bad Actors Moving from POST to GET

As first-generation bot prevention solutions became more widespread, bad actors began to adapt and take advantage of a fundamental architectural loophole. Those offerings relied on device fingerprinting through JavaScript or on client-side telemetry delivered via a mobile SDK. Their architecture depends on the user’s device first executing the fingerprinting code, which is delivered from the server. Then, on the subsequent login attempt, the bot detection tool decides, based on the telemetry it receives, whether the request is a “bot or not.”

This architecture works fine for basic bots running common browser automation tools like PhantomJS or Selenium. Those mimic the flow of a regular user, first retrieving the login page via a GET request and then sending in login credentials via a subsequent POST request. The second POST request will deliver all the telemetry data the tool needs to decide if it’s a “bot or not.” However, this design leaves a crack in the door, particularly over the API channel, and the bad actors began to drive a truck through that crack.

GET-based ATOs via APIs

Leveraging this crack in the door is the technique we call GET-based ATO attacks. Attackers use it to escape detection and mitigation efforts by simply avoiding the need to first GET a page and then POST to the server.

Many mobile apps are driven primarily through APIs, and those mobile apps often have an entire set of functions and areas behind an authentication gate. A user must be logged in to view profiles on a dating site. They must be logged in to view items in a shopping cart and so on.

The need for an application to understand if a user is logged in over a stateless API is a problem that’s been around forever and can be solved with secure coding practices. In this case, the problem lies in enumerating and understanding all possible APIs in your ecosystem and ensuring that no APIs accessed through GET requests could return different responses based on something a user themselves is inputting – such as credentials as parameters.

After their initial bot campaigns via POST requests on traditional login endpoints are shut down, bad actors will sign up for a valid account manually. Then, they will enumerate and reverse engineer the API calls that access seemingly benign data, such as a profile dashboard or shopping cart.

If they see that authentication is taking place through a susceptible method, they will begin to modify a tool to carry out an ATO. Authentication schemes that can be abused this way include:

  • HTTP Basic Auth through the Authorization header
  • Bearer Tokens & OAuth
  • HTTP Digest Auth
  • Custom headers and/or cookies that are app-specific

From POST to GET-based ATOs – a Customer Timeline

In one customer example, we observed more than 60 million ATO attempts through POST requests every week. Upon enabling mitigation and stopping the ATOs, the bad actors shifted to GET-based ATOs against APIs within three weeks.

The GET-based ATO campaigns scaled quickly to 2.2 million requests per week, and now they continue to enumerate and probe dozens of APIs using the same logic. We are observing more than 50 million GET-based ATO attempts per week. Meanwhile, ATOs using POST have dropped to a mere 500,000 attempts per week.

To provide additional context, GET-based ATOs saw a 2000% increase, while POST-based ATOs showed a 99.99% reduction. Those GET-based ATO campaigns attempted to hit more than 35 different APIs simultaneously as the campaign scaled. To an outsider, it may seem like this rapid, massive scaling up of attack volume via GET requests would be easily detectable. Still, there’s another reason an attacker would prefer to hide in plain sight among GET requests.

On top of their ability to avoid JavaScript fingerprinting, the average volume of GET requests compared to POST requests in a typical application can be around 10X. That means that detection heuristics based on volume, traffic analysis, and rate limiting will struggle to adapt and adjust to the bots that have become a needle in a 10X bigger haystack.
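Because the GET haystack is so much larger, a detector that counts requests per client will struggle; a detector that counts distinct identities presented per client on GET requests (Basic-auth usernames, or credential-named query parameters, as listed in the authentication schemes above) does not depend on volume at all. The following is an added example, not code from the original post or from Cequence: the log format and every address, path and username in `SAMPLE_LOG` are constructed, and the threshold is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: client_ip method target status basic_auth_user ("-" if none).
SAMPLE_LOG = """\
203.0.113.7 GET /api/v1/cart 401 alice
203.0.113.7 GET /api/v1/cart 401 bob
203.0.113.7 GET /api/v1/cart 200 carol
203.0.113.7 GET /api/v1/profile 401 dave
203.0.113.7 GET /api/v1/profile?username=erin&password=x 401 -
198.51.100.4 GET /api/v1/cart 200 frank
198.51.100.4 GET /api/v1/cart 200 frank
198.51.100.4 GET /api/v1/cart 200 frank
198.51.100.4 POST /login 401 -
"""

CRED_PARAMS = {"user", "username", "email", "pass", "password", "pwd"}
IDENTITY_PARAMS = ("username", "user", "email")

def parse_line(line):
    ip, method, target, status, auth_user = line.split()
    parts = urlsplit(target)
    return {"ip": ip, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status),
            "auth_user": None if auth_user == "-" else auth_user}

def find_get_based_ato(log_text, max_identities=3):
    """Flag clients that present many distinct identities on GET requests, or
    that put credential-named parameters in a GET query string. Assumed
    threshold: more than max_identities distinct identities per client."""
    identities, get_401s, cred_in_query = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["method"] != "GET":        # POST logins are covered by the existing controls
            continue
        if r["auth_user"]:
            identities[r["ip"]].add(r["auth_user"])
        if {k.lower() for k in r["query"]} & CRED_PARAMS:
            cred_in_query[r["ip"]] += 1
            for k in IDENTITY_PARAMS:
                if k in r["query"]:
                    identities[r["ip"]].add(r["query"][k][0])
        if r["status"] == 401:
            get_401s[r["ip"]] += 1
    return {ip: {"distinct_identities": len(ids), "get_401s": get_401s[ip],
                 "cred_in_query": cred_in_query[ip]}
            for ip, ids in identities.items()
            if len(ids) > max_identities or cred_in_query[ip]}
```

In the sample, the first client is flagged on both signals while the second, which makes the same number of GET requests as a single logged-in user, is not; in production the same counts should be computed per client fingerprint or token rather than per IP alone.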

Cequence Security is the only bot prevention solution that does not rely on JavaScript or SDK to collect attacker telemetry. Learn more about how we can help prevent ATO at your organization here.

The post Tales from the Front Lines: Attackers Target APIs with GET-Based ATOs  appeared first on Cequence.

*** This is a Security Bloggers Network syndicated blog from Cequence authored by Will Glazier. Read the original post at: https://www.cequence.ai/blog/tales-from-the-front-lines-attackers-target-apis-with-get-based-atos/

June 8, 2020, Will Glazier. Tags: account takeover, API Attack, API security, automated attacks, bot attacks, Bot Defense, Tales from the Front Lines, Uncategorized