Andrew Barta

Reputation: 279

Can you brute force discover REST API endpoints?

If I have a REST endpoint for logging in that doesn't match common semantics, like a random UID

my_url.com/api/2lk3jh54kjhlkj34hhlkjhvaksjdv123

and similar parameter names, does that make it relatively secure? Would this help prevent brute-force login attempts?

Would this be an alternative to blacklisting IPs that are flagged for brute-force attacks, or work well in conjunction?

Upvotes: 2

Views: 12174

Answers (1)

rook

Reputation: 67029

Using Forced Browsing to enumerate API endpoints is very common because it works well. However, if the attacker has access to the client, then they can intercept HTTP requests, and identify HTTP endpoints. Intercepting traffic from the client is the very first step an attacker will make when targeting a backend service, and these requests can be used for fuzzing or other manipulation.

Blacklisting IPs alone is almost never used - Gmail and accounts.google.com use a heat-based approach to brute force protection. Additionally, 2FA is a strong mitigation, and should always be used by administrative/super-user accounts.

Upvotes: 3
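An added illustration (not part of the original question or answer) of the two points above: once an attacker has captured the login URL from the client, an obscure path no longer costs them anything per guess, whereas a heat-based throttle does. The code below is a hypothetical, self-contained sketch of such a throttle: every failed login adds "heat" to both the target account and the source IP, heat decays exponentially over time, and logins are refused while either score is above a threshold. The half-life, threshold and per-failure weight are assumed tuning values, and the credential store is constructed for the demo; nothing here is Google's implementation.

```python
import hashlib
import hmac
from dataclasses import dataclass

HALF_LIFE_SECONDS = 600.0   # assumed: heat halves every 10 minutes
BLOCK_THRESHOLD = 5.0       # assumed: refuse logins at or above this heat
FAILURE_HEAT = 1.0          # assumed: heat added by one failed login


@dataclass
class Heat:
    """Decaying score; `value` is the heat as of `updated_at`."""
    value: float = 0.0
    updated_at: float = 0.0

    def current(self, now: float) -> float:
        elapsed = max(0.0, now - self.updated_at)
        return self.value * 0.5 ** (elapsed / HALF_LIFE_SECONDS)


class LoginThrottle:
    """Heat-based brute-force throttle keyed on account AND source IP."""

    def __init__(self) -> None:
        self._heat: dict[tuple[str, str], Heat] = {}

    @staticmethod
    def _keys(account: str, ip: str):
        # Scoring both keys means spreading guesses across many IPs still
        # heats the account, and spraying many accounts from one IP still
        # heats the IP.
        return (("account", account), ("ip", ip))

    def heat(self, key: tuple[str, str], now: float) -> float:
        h = self._heat.get(key)
        return h.current(now) if h else 0.0

    def is_allowed(self, account: str, ip: str, now: float) -> bool:
        return all(self.heat(k, now) < BLOCK_THRESHOLD
                   for k in self._keys(account, ip))

    def record_failure(self, account: str, ip: str, now: float) -> None:
        for k in self._keys(account, ip):
            h = self._heat.setdefault(k, Heat())
            h.value = h.current(now) + FAILURE_HEAT   # decay, then add
            h.updated_at = now

    def record_success(self, account: str, ip: str, now: float) -> None:
        # The legitimate owner got in: cool the account, but keep the IP
        # score so a guessing source does not reset itself.
        self._heat.pop(("account", account), None)


# Constructed demo credential store (PBKDF2 with a fixed salt, demo only).
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}


def login(throttle: LoginThrottle, account: str, password: str,
          ip: str, now: float) -> str:
    """Returns 'ok', 'bad_credentials' or 'throttled'."""
    if not throttle.is_allowed(account, ip, now):
        return "throttled"
    stored = USERS.get(account)
    if stored is not None and hmac.compare_digest(stored, _hash(password)):
        throttle.record_success(account, ip, now)
        return "ok"
    # Unknown accounts are scored too, so enumeration is throttled as well.
    throttle.record_failure(account, ip, now)
    return "bad_credentials"


def simulate_attack(throttle: LoginThrottle, account: str, guesses,
                    ip: str, now: float) -> tuple[int, int]:
    """Attacker already knows the endpoint path (captured from the client).
    Returns (guesses actually checked against the store, guesses refused)."""
    results = [login(throttle, account, g, ip, now) for g in guesses]
    checked = sum(r in ("ok", "bad_credentials") for r in results)
    return checked, results.count("throttled")


if __name__ == "__main__":
    t = LoginThrottle()
    print(simulate_attack(t, "alice", [f"guess{i}" for i in range(20)],
                          "203.0.113.7", now=0.0))
```

Without the throttle, all 20 guesses would be checked regardless of how unguessable the URL is; with it, only the first five reach the password check and the rest are refused until the heat decays. In a real deployment the heat table would live in shared storage (for example Redis) so that all API nodes see the same scores, and the thresholds would be tuned against observed legitimate failure rates.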
