Abstract: Various embodiments facilitate uncovering an Application Programming Interface (API) attack surface for an organization. In some examples, an apparatus comprises storage media, a processing system, and program instructions stored on the storage media. The apparatus processes Domain Name System (DNS) data to determine a set of possible API servers. The apparatus determines a set of possible Uniform Resource Identifier (URI) paths that may lead to one or more actual API endpoints. The apparatus joins the set of possible API servers with the set of possible URI paths to generate a set of possible API Uniform Resource Locators (URLs). The apparatus performs an API-specific crawl of the set of possible API URLs by submitting API requests to the set of possible API URLs and analyzing responses to determine the one or more actual API endpoints and one or more actual API servers of the set of possible API servers.

Abstract: Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, a computing system intercepts a web request directed to a web server providing the web service. The computing system identifies whether or not the web request is malicious. When the web request is identified as malicious, the computing system redirects the web request to an isolated mitigation server configured to mimic responses of the web server. The isolated mitigation server processes the web request to generate artificial content based on the web request that appears to be genuine content provided by the web server, and presents the artificial content in response to the web request.

Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, web traffic between a web server and a client is monitored, and a hypertext transfer protocol (HTTP) header transmitted by the client is processed to determine a type of web browser associated with the client. Attribute data points for the client are generated based on fields in the HTTP request header transmitted by the client and connection behavior of the client with the web server. The attribute data points for the client are then compared with predetermined attribute data points for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, web resources associated with the web service are crawled to obtain information about internal and external web assets associated with the web service. Responses from the internal and external web assets are intercepted and content security policy headers are dynamically injected into the responses to determine internal and external dependency data associated with the internal and external web assets. The internal and external dependency data is processed with script reputation and domain reputation data to generate enriched dependency graph data. The enriched dependency graph data is analyzed to dynamically generate content security policies for the web service, and the dynamically generated content security policies are deployed to protect the web service.

Abstract: A method to facilitate detection of automated attacks on a web service is disclosed. Some embodiments of the method can include binding a session identifier to a user session with the web service. The method can further include receiving a plurality of web requests during the user session that include the session identifier. The plurality of web requests can then be processed with a set of automation detection heuristics to identify session attributes associated with the session identifier during the user session. The method can further include detecting that the session identifier is associated with an automated attack when at least one of the session attributes associated with the session identifier exceeds a threshold amount.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, security information transmitted by a client during Hypertext Transfer Protocol Secure (HTTPS) session establishment between a web server and the client is monitored, and header information transmitted by the client is processed to determine a type of web browser associated with the client. A security signature for the client is generated based on the security information transmitted by the client during the HTTPS session establishment. The security signature for the client is compared with a predetermined signature for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: Techniques to facilitate web traffic classification are disclosed herein. In at least one implementation, web traffic between a plurality of clients and at least one web server is monitored, and the web traffic is analyzed to determine attribute data points associated with each individual client of the plurality of clients. The attribute data points associated with each individual client are compared to define a plurality of client groups based on similarities in the attribute data points among each individual client. A client of the plurality of clients is identified as malicious when the client is included in more than one of the client groups.

Abstract: Techniques to validate web service requests from applications executing on wireless communication devices are disclosed herein. In at least one implementation, an application that generates a web service request is executed on a wireless communication device. The wireless communication device executes a client security component of the application to collect security information and include the security information in the web service request, and utilizes a mobile application programming interface to transfer the web service request including the security information for delivery to a web server. The web server executes a server security component of a web service to extract the security information from the web service request, validate the web service request based on the security information, and provide the web service request to the web service upon successful validation.

Abstract: Techniques to validate web service requests from applications executing on wireless communication devices are disclosed herein. In at least one implementation, an application that generates a web service request is executed on a wireless communication device. The wireless communication device executes a client security component of the application to collect security information and include the security information in the web service request, and utilizes a mobile application programming interface to transfer the web service request including the security information for delivery to a web server. The web server executes a server security component of a web service to extract the security information from the web service request, validate the web service request based on the security information, and provide the web service request to the web service upon successful validation.

Abstract: Techniques to facilitate securing web services from unauthorized access are disclosed herein. In at least one implementation, user interactions with a web service are monitored, and sets of the user interactions are generated per originator based on origination information associated with the user interactions. The sets of the user interactions are processed to identify credentials used to access the web service per originator. The credentials used to access the web service per originator are compared with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database. Security measures are applied for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.

Abstract: Techniques to facilitate detection of real user interaction with mobile applications are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a wireless communication device. The wireless communication device executes a client security component of the mobile application to include user behavior attributes in the web service request, and utilizes a mobile application programming interface to transfer the web service request including the user behavior attributes for delivery to a web server. The web server executes a server security component of a web service to extract the user behavior attributes from the web service request and process the user behavior attributes to determine whether or not the mobile application is being operated by a human user.

Abstract: Techniques to facilitate securing web services from unauthorized access are disclosed herein. In at least one implementation, user interactions with a web service are monitored, and sets of the user interactions are generated per originator based on origination information associated with the user interactions. The sets of the user interactions are processed to identify credentials used to access the web service per originator. The credentials used to access the web service per originator are compared with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database. Security measures are applied for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.

Abstract: Techniques to facilitate detection of whether or not applications are executed on physical devices are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a computing system. The computing system executes a client security component of the mobile application to collect attributes associated with the computing system and an operating environment on which the mobile application is executing, and utilizes a mobile application programming interface to transfer the web service request including the attributes for delivery to a web server. The web server executes a server security component of a web service to extract the attributes from the web service request and process the attributes to determine whether or not the mobile application is being executed on a physical mobile device.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, web traffic between a web server and a client is monitored, and a hypertext transfer protocol (HTTP) header transmitted by the client is processed to determine a type of web browser associated with the client. Attribute data points for the client are generated based on fields in the HTTP request header transmitted by the client and connection behavior of the client with the web server. The attribute data points for the client are then compared with predetermined attribute data points for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, web traffic between a web server and a client is monitored, and a hypertext transfer protocol (HTTP) header transmitted by the client is processed to determine a type of web browser associated with the client. Attribute data points for the client are generated based on fields in the HTTP request header transmitted by the client and connection behavior of the client with the web server. The attribute data points for the client are then compared with predetermined attribute data points for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: Techniques to validate web service requests from applications executing on wireless communication devices are disclosed herein. In at least one implementation, an application that generates a web service request is executed on a wireless communication device. The wireless communication device executes a client security component of the application to collect security information and include the security information in the web service request, and utilizes a mobile application programming interface to transfer the web service request including the security information for delivery to a web server. The web server executes a server security component of a web service to extract the security information from the web service request, validate the web service request based on the security information, and provide the web service request to the web service upon successful validation.

Abstract: Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, a computing system intercepts a web request directed to a web server providing the web service. The computing system identifies whether or not the web request is malicious. When the web request is identified as malicious, the computing system redirects the web request to an isolated mitigation server configured to mimic responses of the web server. The isolated mitigation server processes the web request to generate artificial content based on the web request that appears to be genuine content provided by the web server, and presents the artificial content in response to the web request.

Abstract: Techniques to facilitate web traffic classification are disclosed herein. In at least one implementation, web traffic between a plurality of clients and at least one web server is monitored, and the web traffic is analyzed to determine attribute data points associated with each individual client of the plurality of clients. The attribute data points associated with each individual client are compared to define a plurality of client groups based on similarities in the attribute data points among each individual client. A client of the plurality of clients is identified as malicious when the client is included in more than one of the client groups.

Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.