Dictionary Attack with Api Keys
How Dictionary Attack Manifests in Api Keys
Dictionary attacks on API keys exploit the fundamental weakness of predictable or guessable keys. Attackers use automated tools to systematically test common patterns, leaked keys, or brute-force variations of key formats. In API contexts, this often targets endpoints that don't implement proper rate limiting or authentication validation.
Common manifestations include:
- Testing common prefixes/suffixes (e.g.,
sk-1234,api_key_,secret_) - Brute-forcing key lengths when length validation is missing
- Exploiting weak random number generators that produce predictable keys
- Targeting endpoints that accept keys in query parameters (exposed in logs)
- Testing keys from public repositories or past data breaches
API keys are particularly vulnerable because they're often transmitted in headers like Authorization: Bearer <key> or query parameters, making them susceptible to interception and replay attacks. Unlike password-based authentication, API keys typically lack built-in rate limiting at the authentication layer.
// Vulnerable endpoint allowing dictionary attacks
app.post('/api/v1/data', (req, res) => {
const apiKey = req.headers['x-api-key'];
// No rate limiting, no key validation
if (apiKey) {
// Process request without verifying key validity
return res.json({ data: fetchSensitiveData() });
}
res.status(401).json({ error: 'Missing API key' });
});
Attackers can send thousands of requests per minute, systematically testing key variations until they find a valid one. This is especially dangerous when endpoints return different responses for valid vs invalid keys, allowing attackers to confirm when they've found a working key.
Api Keys-Specific Detection
Detecting dictionary attacks on API keys requires monitoring for specific patterns and implementing proper logging. Key indicators include:
- Rapid succession of authentication failures from the same IP or user agent
- Requests with systematically varied key formats (incremental numbers, common prefixes)
- Unusual geographic distribution of requests targeting authentication endpoints
- High volume of requests to endpoints that should have low traffic
- Requests with keys that match known leaked patterns or common formats
middleBrick's black-box scanning approach detects dictionary attack vulnerabilities by testing API endpoints without credentials. The scanner identifies endpoints that accept API keys in insecure ways, lack rate limiting, and return distinguishable error messages that aid attackers.
// Detection middleware for API key dictionary attacks
const rateLimit = require('express-rate-limit');
const apiAuthLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // Limit each IP to 5 auth attempts
message: 'Too many authentication attempts',
keyGenerator: (req) => req.ip + req.headers['x-api-key'],
standardHeaders: true,
legacyHeaders: false,
});
// Monitor for suspicious patterns
const suspiciousApiKeys = [
/^sk-[0-9a-f]{4}$/, // Short keys
/^api_[0-9]{4}$/, // Numeric keys
/^test_.*$/, // Test prefixes
];
function detectDictionaryAttack(req, res, next) {
const apiKey = req.headers['x-api-key'];
if (suspiciousApiKeys.some(pattern => pattern.test(apiKey))) {
console.warn(`Suspicious API key pattern: ${apiKey}`);
}
next();
}
middleBrick's API security scanner specifically tests for:
- Rate limiting bypass opportunities
- API key exposure in URLs or logs
- Endpoints that accept keys without validation
- Information leakage through error responses
Api Keys-Specific Remediation
Remediating dictionary attack vulnerabilities in API keys requires a multi-layered approach. The most effective solutions combine proper key generation, validation, and request throttling.
// Secure API key generation
const crypto = require('crypto');
function generateSecureApiKey() {
return crypto.randomBytes(32).toString('hex');
}
// Enhanced API key validation
const validApiKeys = new Map();
function validateApiKey(key) {
const keyData = validApiKeys.get(key);
if (!keyData) {
return { valid: false, reason: 'Invalid key' };
}
if (keyData.expired) {
return { valid: false, reason: 'Key expired' };
}
return { valid: true, permissions: keyData.permissions };
}
// Rate limiting with exponential backoff
const keyAttempts = new Map();
function checkRateLimit(key) {
const now = Date.now();
const attempts = keyAttempts.get(key) || [];
// Remove attempts older than 15 minutes
const recentAttempts = attempts.filter(t => now - t < 15 * 60 * 1000);
if (recentAttempts.length >= 5) {
const firstAttempt = recentAttempts[0];
const timeSinceFirst = now - firstAttempt;
if (timeSinceFirst < 15 * 60 * 1000) {
return false; // Rate limited
}
}
keyAttempts.set(key, [...recentAttempts, now]);
return true;
}
// Secure endpoint implementation
app.post('/api/v1/data', [
checkRateLimit,
detectDictionaryAttack,
(req, res) => {
const apiKey = req.headers['x-api-key'];
const validation = validateApiKey(apiKey);
if (!validation.valid) {
return res.status(401).json({
error: 'Invalid API key',
code: 'INVALID_API_KEY'
});
}
// Process request
res.json({ data: fetchSensitiveData(validation.permissions) });
}
]);
Additional remediation strategies:
- Implement key rotation policies (90-180 day expiration)
- Use HMAC-based authentication instead of static keys
- Add IP whitelisting for API key usage
- Log all API key usage with metadata for anomaly detection
- Use different keys for different environments (staging vs production)
middleBrick's GitHub Action can automatically scan your APIs in CI/CD pipelines, failing builds when dictionary attack vulnerabilities are detected. This ensures dictionary attack protections are validated before deployment.