
Protection against API Credential Stuffing using Modshield SB Web Application Firewall

June 23 2020

Ref: https://owasp.org/www-community/attacks/Credential_stuffing

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Recommended application-level protection:

  1. Implement multi-factor authentication (MFA) for all your critical applications. It is widely supported and straightforward to roll out these days, and it comes close to neutralising credential stuffing, since a leaked password on its own no longer grants access.
  2. Implement rate limiting, either in the application or at the firewall. Rate limiting caps the number of requests for a resource from a single source (typically an IP address) at a set threshold. Because stuffing campaigns are frequently spread across many source addresses, pair per-IP limits with per-account limits (failed attempts per username) wherever possible.
  3. Use a Web Application Firewall that protects you from automated attacks.

How does Modshield SB protect against attacks of this kind?

At a configuration level:

  • Enable DoS protection to identify brute-force and credential stuffing attacks. DoS protection also provides a coarse rate-limiting mechanism at a higher level.
  • Enable IP reputation filters: Modshield SB's continuously updated threat intelligence feeds supply the latest indicators for known bad IPs. There is a fair chance that a credential stuffing attack originates from one of these previously identified addresses, although a campaign run from fresh or residential-proxy addresses will not be caught by reputation alone.

Specific to your application:

Add a simple custom rule to protect critical APIs against an attack of this kind. Modshield SB uses ModSecurity with the OWASP Core Rule Set (CRS) as its engine, so finding a rule that fits your purpose is a simple Google search away. An example, based on the widely circulated ModSecurity per-IP rate-limiting snippet, is given below; replace "^/somepath" with the path of the login or token endpoint you want to protect:

# Rule ids are mandatory in ModSecurity 2.7+; the values below are arbitrary local ids,
# chosen outside the range reserved by the OWASP CRS (900000-999999).
# Persistent collections (initcol) also need SecDataDir to be set elsewhere in the config.
SecRuleEngine On
<LocationMatch "^/somepath">
  # Load (or create) the per-client collection keyed on the source address
  SecAction "id:100001,phase:2,initcol:ip=%{REMOTE_ADDR},pass,nolog"
  # Decay the counter by 1 every second, so a steady 1 req/s never trips it but a burst does
  SecAction "id:100002,phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
  # More than 60 outstanding requests: hold 300 ms, deny, flag the request, skip the increment
  SecRule IP:SOMEPATHCOUNTER "@gt 60" "id:100003,phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
  # Count this request
  SecAction "id:100004,phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
# 509 is not a registered status code; 429 (Too Many Requests) is the standard choice
ErrorDocument 509 "Rate Limit Exceeded"

Ref: https://bit.ly/310kYWf

Most application firewalls protect you against denial-of-service style floods. A credential stuffing attack, however, looks far more like legitimate traffic than like a random flood: every request is a well-formed login, and a distributed campaign can keep each individual source below a per-IP threshold. Careful analysis (failure ratios, the number of distinct usernames per source, the number of sources per account) is required to build protection that is intelligent enough not to block legitimate users.
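The analysis just described, as an added example that is not part of the original post and not code from Modshield SB: a Python script that replays a constructed authentication log first through a model of the per-IP rule from the configuration above (counter +1 per request, decaying by one per second, deny above 60) and then through credential-stuffing heuristics (distinct usernames per source, success ratio, distinct sources per account). The log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Added example (not code from the original post or from Modshield SB).

Replays a small, constructed authentication log through two checks:
  1. a per-source-IP leaky-bucket counter modelled on the ModSecurity rule in
     the post (counter +1 per request, decays 1/second, deny when > 60), and
  2. credential-stuffing heuristics that look at *what* is being tried rather
     than *how fast*: many distinct usernames per source with almost no
     successes, and many distinct sources failing against the same account.
The log format, thresholds and addresses are assumptions for illustration.
"""
from collections import defaultdict

# Each event: (unix_time, client_ip, username, login_succeeded)


def build_sample_events():
    """Constructed traffic mix: one real user, one noisy brute-forcer and a
    distributed, low-and-slow credential stuffing campaign."""
    events = []
    # A legitimate user mistypes twice, then signs in.
    events += [(100, "203.0.113.5", "alice", False),
               (105, "203.0.113.5", "alice", False),
               (110, "203.0.113.5", "alice", True)]
    # A single source firing 80 login attempts within one second.
    events += [(200, "198.51.100.7", f"user{i}", False) for i in range(80)]
    # 50 sources, each trying 3 breached username/password pairs 20 s apart;
    # every source stays far below any per-IP request threshold.
    for n in range(50):
        ip = f"192.0.2.{n + 1}"
        for k in range(3):
            events.append((300 + 20 * k + n, ip, f"victim{(n + k) % 10}", False))
    return events


def leaky_bucket_hits(events, threshold=60, decay_per_sec=1.0):
    """Model of the per-IP rule: ip.somepathcounter grows by one per request and
    deprecatevar decays it by decay_per_sec every second; a request arriving
    while the counter is above threshold is denied (and, because of skip:1, is
    not counted). Returns the set of IPs that were denied at least once."""
    state = {}          # ip -> (counter, time of last update)
    denied = set()
    for t, ip, _user, _ok in sorted(events):
        counter, last = state.get(ip, (0.0, t))
        counter = max(0.0, counter - decay_per_sec * (t - last))
        if counter > threshold:
            denied.add(ip)
        else:
            counter += 1
        state[ip] = (counter, t)
    return denied


def stuffing_suspects(events, min_distinct_users=3, max_success_ratio=0.2):
    """Sources that try many different accounts and almost never succeed.
    A shared corporate NAT also shows many usernames, but its success ratio is
    high, which is why the ratio is part of the test."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _t, ip, user, ok in events:
        d = per_ip[ip]
        d["users"].add(user)
        d["attempts"] += 1
        d["ok"] += int(ok)
    return {ip for ip, d in per_ip.items()
            if len(d["users"]) >= min_distinct_users
            and d["ok"] / d["attempts"] <= max_success_ratio}


def targeted_accounts(events, min_distinct_ips=5):
    """Accounts receiving failed logins from many different sources: the
    per-account view that a per-IP rate limit cannot give."""
    sources = defaultdict(set)
    for _t, ip, user, ok in events:
        if not ok:
            sources[user].add(ip)
    return {user for user, ips in sources.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP leaky bucket denied :", sorted(leaky_bucket_hits(ev)))
    print("stuffing-suspect sources   :", len(stuffing_suspects(ev)))
    print("accounts under campaign    :", sorted(targeted_accounts(ev)))
```

In the constructed mix the per-IP counter denies only the single noisy source, while the 50 distributed sources and the 10 accounts they hit are surfaced only by the stuffing heuristics. The per-account count can be built in ModSecurity too, since collections can be keyed on values other than REMOTE_ADDR (for instance a USER collection initialised from the submitted username).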
