APIs are everywhere and permeate most organizations' daily web based workflows. Both internal and external services often rely on the use of REST APIs. From workstation management to web applications, from complex business logic and application integrations, to payment processing services, APIs form a backbone for all kinds of crucial services.

Given the importance of REST API endpoints for most networks and applications, we wanted a way to use (existing) Canarytokens or Canaries to detect unauthorized access to a REST API. (Like all things Canary) We wanted something easy to use that delivers immediate value. Here we present several new approaches, and look forward to hearing from the community on the usefulness and ways to increase insight here for network defenders.

It started us thinking: how might we be able to create and use Canaries and Canarytokens to catch or detect unauthorized REST API endpoint or key usage? Our end goal would be for teams to receive an alert when an API key, or tokened URL endpoint they want to monitor, is used by an attacker. (The AWS API-key is already our most popular Canarytoken, with hundreds of thousands deployed worldwide, but we wanted to mint API keys for our own internal services and have them be as useful.)

At its core, a REST API call is an HTTP request. What we need is a way to receive a request, log relevant headers or parameters and HTTP methods, then send an alert to the Canary console. There are already a number of HTTP request related primitives built into Canaries and Canarytokens. We can easily leverage these to create a REST API Canary endpoint. This allows defenders to quickly gain insight into unauthorized use of REST APIs within their organization with low setup costs.

We will show three types of REST APIs you can consider using:

This is the most basic form of the request: create a Web / URL Canarytoken, then leave a hint to its use in a document someplace and see if anyone ever runs a script or curl command to trigger the alert, or sends requests and tracks responses with a tool like Postman.

First we will create the Canarytoken, either in our private Canary Console or at. We will create a Web Bug Canarytoken and annotate our Token Reminder for later. Next, we will modify the generated URL slightly to make it appear more like a REST API endpoint. Apart from the hostname and the actual token (in red), you can change all other parts of the token-URL. We will then use Postman, an API testing tool, to send a sample request to start out.

This is a simple example to showcase the captured HTTP request, source IP address and the User-Agent string. We can see the utility of a quick alert or signal that someone finds this URL interesting (and by extension that someone had access to the place it was stored).

However, it is pretty clear by the hostname that we are hitting a Canarytoken URL. Teams using our commercial Canary offering have the ability to use a custom domain. If you are using the free service, you can abstract away the domain name by using a DNS CNAME record. We create a CNAME record in a domain we control and point it at the Canarytoken hostname, so that when the request is made, we still receive the alert!

curl ww0mayx9rro4h2l3keazj0zdk / api/v1/ endpoint

We can see that we receive the same alert, even though the hostname was changed.

Using the (fake) Webserver on a Canary.

Canaries have a built-in feature that allows you to configure a Webserver on it with a single click. With another click you can choose one of the default HTTP Skins. This is a great way to create an enticing server that attackers may attempt to interact with. Below is a basic example of applying the Jenkins Login HTTP Page Skin. Enable Webserver settings in the Canary Console:

In the above example, we only see the basic attributes of the request. To capture the POST parameters, we add a custom file. For more detail on these parameters see this blog post about custom webroot configurations.

-d destination=acct_acdcD82eZvKYlo2C8675309 \

When anyone attempts to use this command, we will get the following alert! More context: how much money was attempted to be transferred and to which account!

In addition to the built-in HTTP Page Skins, Canaries allow you to create a Custom TCP Service that listens on a port you define and gives you control over various interactions. In order to capture the POST parameters, we created a Defined Skin; you can read further about this here: Capturing Incident Data on POSTs.
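The mechanism the post describes (receive an HTTP request, log the method, source IP, User-Agent and any POST parameters, and raise an alert keyed on the token in the URL path regardless of the hostname it arrived on) can be sketched as a small parser. This is an added illustrative example, not Canary's or Canarytokens' own code; the token id, hostname and request body are constructed placeholders.

```python
from urllib.parse import parse_qs

# Constructed placeholder: the real token id is the opaque path component
# issued when the Web Bug Canarytoken is created.
KNOWN_TOKENS = {"EXAMPLE_TOKEN_ID"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def build_alert(raw: bytes, source_ip: str):
    """Return an alert record if the path carries a known token, else None.

    Matching on the path only means a request that arrives via a CNAME on a
    custom domain produces the same alert as one sent to the token hostname.
    """
    req = parse_http_request(raw)
    segments = req["path"].split("?", 1)[0].strip("/").split("/")
    token = next((s for s in segments if s in KNOWN_TOKENS), None)
    if token is None:
        return None
    alert = {
        "token": token, "method": req["method"], "path": req["path"],
        "host": req["headers"].get("host"), "source_ip": source_ip,
        "user_agent": req["headers"].get("user-agent"), "params": {},
    }
    # Form-encoded POST parameters give the extra context the post asks for
    # (which account, how much) beyond the basic request attributes.
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in ctype:
        alert["params"] = {k: v[0] for k, v in parse_qs(req["body"].decode()).items()}
    return alert


# Constructed sample: a POST to the disguised endpoint through a CNAME'd hostname.
SAMPLE_REQUEST = (
    b"POST /EXAMPLE_TOKEN_ID/api/v1/transfers HTTP/1.1\r\n"
    b"Host: api.internal.example\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"amount=2500&destination=acct_EXAMPLE"
)
```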