analyzing-api-gateway-access-logs
@adriannoes · 收录于 1 周前
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.
适合你,如果需要从API网关日志中快速发现BOLA、IDOR等攻击行为
/ 下载安装
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code
~/.claude/skills/(项目级 .claude/skills/)Codex CLI
~/.codex/skills/Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add adriannoes/awesome-vibe-coding/analyzing-api-gateway-access-logs/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- adriannoes/awesome-vibe-coding/analyzing-api-gateway-access-logs/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify adriannoes/awesome-vibe-coding/analyzing-api-gateway-access-logs安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
44GitHub stars
~446最小装载
~446含声明引用
~793文本包总量
镜像托管
怎么用
技能原文 SKILL.md
Analyzing API Gateway Access Logs
When to Use
- When investigating security incidents that require analyzing api gateway access logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
Parse API gateway access logs to identify attack patterns including broken object level authorization (BOLA), excessive data exposure, and injection attempts.
import pandas as pd
df = pd.read_json("api_gateway_logs.json", lines=True)
# Detect BOLA: same user accessing many different resource IDs
bola = df.groupby(["user_id", "endpoint"]).agg(
unique_ids=("resource_id", "nunique")).reset_index()
suspicious = bola[bola["unique_ids"] > 50]
Key detection patterns:
- BOLA/IDOR: sequential resource ID enumeration
- Rate limit bypass via header manipulation
- Credential scanning (401 surges from single source)
- SQL/NoSQL injection in query parameters
- Unusual HTTP methods (DELETE, PATCH) on read-only endpoints
Examples
# Detect 401 surges indicating credential scanning
auth_failures = df[df["status_code"] == 401]
scanner_ips = auth_failures.groupby("source_ip").size()
scanners = scanner_ips[scanner_ips > 100]按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →
评论
登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。
…