Protection against API Credential Stuffing using Modshield SB Web Application Firewall

Ref: https://owasp.org/www-community/attacks/Credential_stuffing

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Application Level Protection Recommended:

1. Implement a Multi factor authentication mechanism for all your critical applications. With numerous applications implementing this already, this is pretty simple to do these day and also acts as a near fool proof method to mitigate credential stuffing.
2. Implement Rate limiting either at the application level or at the firewall level. Rate limiting is a process by which the number of requests for an asset from a single IP address is limited to a certain threshold
3. Use a Web Application Firewall that protects you from automated attacks

How does Modshield SB protect from these kind of attacks

At a configuration level:

• Enable DoS protection to identify bruteforce attacks and credential stuffing attacks. Dos Protection will also provide a rate limiting mechanism at a higher level
• Enable IP reputation filters: Modhsield SB’s continously updated threat intelligence feeds help identify the latest set of indicators to identify known Bad IPs. It is a probability that the credential stuffing attacks might originate from one of the previously identified Bad IPs

Specific to your application:

Add a simple custom rule to protect critical APIs against an attack of this kind. Modhsield SB used Modsecurity and the OWASP CRS at its engine and hence finding a rule that best fits your purpose is a simple Google search away. An example for doing this is given below:

SecRuleEngine On
<LocationMatch "^/somepath">
SecActioninitcol:ip=%{REMOTE_ADDR},pass,nolog
SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
ErrorDocument 509 "Rate Limit Exceeded"

Ref: https://bit.ly/310kYWf

Most application firewalls protect you from a denial of service kind of attack. However a credential stuffing attack looks more like legitimate requests rather than a random flooding of requests. It requires careful analysis to implement an intelligent protection which will not lead to legitimate requests being blocked by the firewall