analyzing-api-gateway-access-logs
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAnalyzing API Gateway Access Logs
分析API网关访问日志
When to Use
使用场景
- When investigating security incidents that require analyzing api gateway access logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
- 当需要分析API网关访问日志来调查安全事件时
- 当为此领域构建检测规则或威胁狩猎查询时
- 当SOC分析师需要此类分析的结构化流程时
- 当验证相关攻击技术的安全监控覆盖范围时
Prerequisites
前提条件
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
- 熟悉安全运营概念与工具
- 可访问测试或实验室环境以安全执行操作
- Python 3.8+及所需依赖已安装
- 拥有任何测试活动的适当授权
Instructions
操作步骤
Parse API gateway access logs to identify attack patterns including broken object
level authorization (BOLA), excessive data exposure, and injection attempts.
python
import pandas as pd
df = pd.read_json("api_gateway_logs.json", lines=True)解析API网关访问日志,识别攻击模式,包括对象级权限绕过(BOLA)、过度数据暴露和注入尝试。
python
import pandas as pd
df = pd.read_json("api_gateway_logs.json", lines=True)Detect BOLA: same user accessing many different resource IDs
Detect BOLA: same user accessing many different resource IDs
bola = df.groupby(["user_id", "endpoint"]).agg(
unique_ids=("resource_id", "nunique")).reset_index()
suspicious = bola[bola["unique_ids"] > 50]
Key detection patterns:
1. BOLA/IDOR: sequential resource ID enumeration
2. Rate limit bypass via header manipulation
3. Credential scanning (401 surges from single source)
4. SQL/NoSQL injection in query parameters
5. Unusual HTTP methods (DELETE, PATCH) on read-only endpointsbola = df.groupby(["user_id", "endpoint"]).agg(
unique_ids=("resource_id", "nunique")).reset_index()
suspicious = bola[bola["unique_ids"] > 50]
undefinedExamples
关键检测模式
python
undefined- BOLA/IDOR:连续资源ID枚举
- 通过请求头操纵绕过速率限制
- 凭证扫描(单一来源的大量401错误)
- 查询参数中的SQL/NoSQL注入
- 只读端点上出现异常HTTP方法(DELETE、PATCH)
Detect 401 surges indicating credential scanning
示例
auth_failures = df[df["status_code"] == 401]
scanner_ips = auth_failures.groupby("source_ip").size()
scanners = scanner_ips[scanner_ips > 100]
undefinedpython
undefined—
Detect 401 surges indicating credential scanning
—
auth_failures = df[df["status_code"] == 401]
scanner_ips = auth_failures.groupby("source_ip").size()
scanners = scanner_ips[scanner_ips > 100]
undefined