Average response payload size reduced

firetail:average-response-payload-size-reduced

Type:

Detection

Rule Severity:

Info

The average response payload size during a given period was <= the mean average - one standard deviation of the preceding period.

Although payloads for individual request may change and vary between endpoints, the overall average size of payloads for an application should be fairly stable. Fluctuations in the  payload size may be an indicator of higher than normal usage, changed usage patterns, changed data content, etc. Any of these can be indicators for malicious behaviour.

Remediation

Investigate what has caused the response payloads sent to this API to decrease significantly in size.

Example Attack Scenario

An attacker may have completely abnormal usage pattern, such as only using a single list endpoint to exfiltrate data and hitting that endpoint much more frequently than a normal user would. The proportionally higher number of these requests will affect the average payload size for the whole service.

How to Identify with Example Scenario

How to Resolve with Example Scenario

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
AWS ALB has a WAF that is set to fail open
API key in query string
Use after free
AWS ALB should redirect HTTP to HTTPS
Slack secrets found in logs
Plaintext API key