Brute Force Attacks and APIs — Watch Those Logs!

Alan Rose
Published in Traceable and True
3 min read · Sep 13, 2022

Brute force attacks are one of those things that all developers have heard of, but most have never really seen one for themselves.

I have, and it’s terrifying. In fact, I’ve done it myself. Perhaps the scariest part of it all was how easily one could install a program, watch a couple of tutorials online, and get to hacking. But even if you haven’t seen an attack underway, I’ll bet you are more familiar with this tactic than you may realise.

Have you ever forgotten your password, only to figure it out by trying every single password you’ve ever used? Whether you eventually got in or got locked out of your account, you performed a brute force attack on yourself. Brute forcing is not usually the most sophisticated way to get something done, but that in no way makes it less dangerous.

Of course, when an attacker employs a brute force tactic against an organisation, they’re not sitting at their computer for hours on end guessing the password to the admin account by hand. No, they have programs like Hydra that do that for them.

These programs can also take wordlists of common passwords, usernames, directory names and just about anything else and use them to make smarter guesses at your credentials and program files. Against a network login, a tool like Hydra runs many guesses in parallel and can try thousands of passwords in a matter of minutes; the only things slowing it down are your server’s response time and whatever rate limiting or lockout you have in place.

Fortunately, the classic form of this attack is fairly easy to detect and prevent. Discovering an attempted brute force attack usually requires nothing more than looking through your site’s or application’s logs for repeated failed login attempts from one source over a short period of time. It may sound like a cliché, but you’ll know it when you see it. The caveat is that a simple failures-per-source threshold only catches the noisy version: an attacker who spreads guesses across many IP addresses, or who tries one or two common passwords against every username (password spraying), stays under any per-account lockout, and you only see them by correlating across sources and accounts rather than counting failures on a single one.
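To make the check concrete, here is an added example (my code, not code from the original post) that runs it over a handful of constructed login log lines. The log format, the IP addresses, the usernames and the thresholds are all invented for the illustration; tune the thresholds to your own traffic. It flags a burst of failures from one source and, separately, one source failing slowly against many different usernames, which a per-account lockout alone would never notice:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (invented addresses and users, hypothetical format):
# one application login event per line, in chronological order.
SAMPLE_LOG = """\
2022-09-13T10:15:01Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:02Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:02Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:03Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:04Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:04Z login FAIL user=admin src=203.0.113.5
2022-09-13T10:15:30Z login OK   user=alice src=198.51.100.7
2022-09-13T10:20:00Z login FAIL user=alice src=198.51.100.9
2022-09-13T10:22:00Z login FAIL user=bob src=198.51.100.9
2022-09-13T10:24:00Z login FAIL user=carol src=198.51.100.9
2022-09-13T10:26:00Z login FAIL user=dave src=198.51.100.9
2022-09-13T10:28:00Z login FAIL user=erin src=198.51.100.9
2022-09-13T11:00:00Z login FAIL user=alice src=198.51.100.7
2022-09-13T11:30:00Z login FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, burst_window=timedelta(seconds=60), burst_threshold=5,
           spray_window=timedelta(minutes=10), spray_threshold=4):
    """Return alerts as (kind, src, detail) tuples.

    burst: at least burst_threshold failures from one source within burst_window
           (the classic noisy brute force).
    spray: failures against at least spray_threshold distinct usernames from one
           source within spray_window (password spraying: slow per account, so a
           per-account lockout never fires, but the source is still obvious).
    Thresholds are assumptions; tune them to your own traffic.
    """
    history = defaultdict(deque)   # src -> deque of (ts, user) for recent failures
    alerts, fired = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        src, now = ev["src"], ev["ts"]
        q = history[src]
        q.append((now, ev["user"]))
        # Drop failures older than the longer of the two windows.
        while q and now - q[0][0] > spray_window:
            q.popleft()
        burst = sum(1 for ts, _ in q if now - ts <= burst_window)
        users = {u for _, u in q}
        if burst >= burst_threshold and (src, "burst") not in fired:
            fired.add((src, "burst"))
            alerts.append(("burst", src,
                           f"{burst} failures within {int(burst_window.total_seconds())}s"))
        if len(users) >= spray_threshold and (src, "spray") not in fired:
            fired.add((src, "spray"))
            alerts.append(("spray", src,
                           f"{len(users)} distinct usernames within {int(spray_window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:5} {src:15} {detail}")
```

Run against the sample, the first source trips the burst rule on its fifth failure, the second trips only the spray rule (one failure per account every two minutes never reaches five in a minute), and the legitimate user who mistypes her password twice an hour apart trips nothing. In production the same logic runs over a stream from your auth service rather than a string.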

As it turns out, logs are extremely useful for detecting malicious behaviour in general and not just for finding brute force attacks. In fact, they are the basis for detecting many potential security breaches when it comes to APIs.

Just like a fully fledged web application, an API works by exchanging HTTP requests and responses (over TLS, hopefully) with its clients and with other services. How can you tell when an API is being exploited? Just as with a brute force attack, you have to look at the messages the API is actually receiving and sending.

If someone is abusing or attacking an API, it’ll show in the logs. However, an API attack will look very different from a traditional brute force attack and is often difficult to spot manually: every request is legitimate on its face, and the attack lives in the context around it (who is asking, how often, for how much data, at what hour), which is easy to overlook. Tools that baseline normal traffic and flag deviations from it make a night-and-day difference here and can ease your load as a developer. Software like Darkspark will notice subtle differences in traffic, such as abnormal data in a request or requests from a particular credential at an unusual time of day, and let you know so you can take appropriate action.

Keeping a watchful eye (or an automated one!) on API logs is crucial for the security of any program or application. In fact, insufficient logging and monitoring is in the OWASP Top 10, and it’s moving up the list: it entered at tenth place in 2017 and sits at A09 (Security Logging and Monitoring Failures) in the 2021 edition. So just like checking a web application’s logs for brute force attacks, checking API logs for threats (such as a pagination attack, where a caller walks page after page of a list endpoint to scrape the whole data set) must be a top priority for any developer looking to use and implement APIs in their projects.
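The pagination attack just mentioned, and the earlier point that the signal is in the context around each request rather than in any single one, as an added example (my code, not the original author’s or any product’s). It runs over a constructed JSON-lines API access log; the log schema, the credential names, the paths and the thresholds are all assumptions. Each request is an ordinary page fetch on its own; what stands out is one credential walking many pages of a list endpoint in a short window, and asking for an oversized page while doing it:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _build_sample_log():
    """Constructed JSON-lines access log in a hypothetical gateway schema.

    Credentials, paths and timing are invented: one partner API key walks 25
    pages of a list endpoint at 03:10 with an oversized page size, while two
    ordinary callers make a handful of normal requests later in the morning.
    """
    rows = []
    t0 = datetime(2022, 9, 13, 3, 10, 0)
    for page in range(1, 26):
        rows.append({"ts": (t0 + timedelta(seconds=2 * page)).strftime(TS_FMT),
                     "user": "partner-key-17", "method": "GET",
                     "path": "/v1/customers", "query": f"page={page}&limit=500",
                     "status": 200})
    rows.append({"ts": "2022-09-13T08:30:12Z", "user": "alice", "method": "GET",
                 "path": "/v1/customers/42", "query": "", "status": 200})
    t1 = datetime(2022, 9, 13, 9, 0, 0)
    for page in range(1, 4):
        rows.append({"ts": (t1 + timedelta(seconds=5 * page)).strftime(TS_FMT),
                     "user": "svc-report", "method": "GET",
                     "path": "/v1/customers", "query": f"page={page}&limit=50",
                     "status": 200})
    return "\n".join(json.dumps(r) for r in rows) + "\n"


SAMPLE_API_LOG = _build_sample_log()


def detect_pagination_sweeps(log_text, window=timedelta(minutes=5),
                             page_threshold=20, max_limit=100):
    """Return alerts as (kind, user, path, detail) tuples.

    sweep:           one credential fetched at least page_threshold distinct
                     pages of the same list endpoint within `window`.
    oversized_limit: a request asked for more than max_limit items per page,
                     which a real client UI never does.
    Thresholds are assumptions; derive them from your own traffic baseline.
    """
    history = defaultdict(list)   # (user, path) -> [(ts, page)] within window
    alerts, fired = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "GET" or rec["status"] != 200:
            continue                       # only successful reads move data out
        qs = parse_qs(rec.get("query", ""))
        if "page" not in qs:
            continue                       # not a paginated list call
        page = int(qs["page"][0])
        limit = int(qs.get("limit", ["0"])[0])
        now = datetime.strptime(rec["ts"], TS_FMT)
        key = (rec["user"], rec["path"])
        if limit > max_limit and (key, "limit") not in fired:
            fired.add((key, "limit"))
            alerts.append(("oversized_limit", rec["user"], rec["path"],
                           f"limit={limit} exceeds {max_limit}"))
        hist = history[key]
        hist.append((now, page))
        hist[:] = [h for h in hist if now - h[0] <= window]
        pages = {p for _, p in hist}
        if len(pages) >= page_threshold and (key, "sweep") not in fired:
            fired.add((key, "sweep"))
            alerts.append(("sweep", rec["user"], rec["path"],
                           f"{len(pages)} distinct pages within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_pagination_sweeps(SAMPLE_API_LOG):
        print(alert)
```

Note that neither rule looks at a single request in isolation: the oversized limit is only suspicious relative to what your real clients ever ask for, and the sweep only appears once you group requests by credential and endpoint over time. The reporting job that fetches three pages of fifty records is the baseline this is measured against, and the sample is built so it stays quiet.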

Originally published at https://www.bycontxt.com on September 13, 2022.
