Retrieve all the context you need
• Authenticated user
• Custom business information
• Custom code / framework information
• Any HTTP value
• Previous service called
• Spanning information

Analyze
• The volume of calls
• The successive actions performed by a given user (or IP)
• Detect unusual activity
• Anomalies in volume, proportions
• Check logic flows

Respond
• Deny access to sensitive functions
• Deny access to a whole service
• Set account “read only”
• Lock a user account
• Log a user out
• Trigger a pager
• Fire a webhook
• Create a ticket
• …

How to solve it
• Record business logic actions (down to the code)
• Define rules to detect a vulnerability exploitation
• Trigger security responses to be applied

Example
• Recorded actions: (a) Impersonate a user, (b) Generate a token
• Rule: user is calling (impersonation) too much OR user is calling (generate_token) too much
• Response: Lock the user AND Tag the user for review
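As an added illustration (not code from the slides or from any product they describe), a minimal Python version of the three steps: record business-logic actions, evaluate a per-user sliding-window rate rule for each of the two example actions (OR), and apply both responses together (AND). The class and function names, thresholds, window size and sample events are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample event stream: (user, business-logic action, timestamp in seconds).
EVENTS = [
    ("alice", "impersonate_user", 100), ("alice", "impersonate_user", 101),
    ("alice", "impersonate_user", 102), ("alice", "impersonate_user", 103),
    ("bob", "generate_token", 100), ("bob", "generate_token", 160),
    ("bob", "generate_token", 220), ("bob", "generate_token", 280),
    ("carol", "impersonate_user", 100), ("carol", "generate_token", 101),
]

# Detection rules (assumed values): "too much" = more than max_calls within window seconds.
RULES = {
    "impersonate_user": {"window": 60, "max_calls": 3},
    "generate_token": {"window": 60, "max_calls": 3},
}

# Responses applied together whenever any rule fires.
RESPONSES = ("lock_user", "tag_for_review")


class BusinessLogicMonitor:
    def __init__(self, rules, responses):
        self.rules = rules
        self.responses = responses
        self.history = defaultdict(deque)  # (user, action) -> timestamps inside the window
        self.locked = set()

    def record(self, user, action, ts):
        """Step 1+2: record one action and evaluate its rule. Returns responses triggered."""
        rule = self.rules.get(action)
        if rule is None or user in self.locked:
            return ()
        window = self.history[(user, action)]
        window.append(ts)
        while window and ts - window[0] > rule["window"]:  # drop timestamps outside window
            window.popleft()
        if len(window) > rule["max_calls"]:
            self.locked.add(user)  # step 3: lock, and report the full response set
            return self.responses
        return ()


def run(events, rules=RULES, responses=RESPONSES):
    """Feed events through the monitor; map each user whose rule fired to (action, responses)."""
    monitor = BusinessLogicMonitor(rules, responses)
    triggered = {}
    for user, action, ts in events:
        responses_fired = monitor.record(user, action, ts)
        if responses_fired:
            triggered[user] = (action, responses_fired)
    return triggered
```

With the sample stream only alice exceeds a threshold (four impersonations within 60 s); bob's token calls are spread out enough to stay under the limit.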