Skill

analyzing-api-gateway-access-logs

Parses AWS API Gateway, Kong, and Nginx access logs using pandas to detect BOLA/IDOR attacks, rate limit bypasses, credential scanning, and injection attempts. Useful for investigating API abuse and building threat detection rules.

Python

npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/cybersec-toolkit:analyzing-api-gateway-access-logs

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- When investigating security incidents that require analyzing api gateway access logs

SKILL.md

82 lines · ~581 tokens

Similar Skills

analyzing-api-gateway-access-logs

asi

analyzing-api-gateway-access-logs

Parses API Gateway access logs (AWS, Kong, Nginx) to detect BOLA/IDOR, rate limit bypass, credential scanning, and injection attempts using pandas.

3 files

cybersecurity-skills

analyzing-api-gateway-access-logs

Parses AWS API Gateway, Kong, and Nginx access logs using pandas to detect BOLA/IDOR attacks, rate limit bypasses, credential scanning, and injection attempts. Useful for investigating API abuse.

3 files

cybersecurity-skills-zh

Stats

LanguagePython

Stars11

Forks2

MaintenanceExcellent

Last CommitJun 10, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Analyzing API Gateway Access Logs

When to Use

When investigating security incidents that require analyzing api gateway access logs

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Parse API gateway access logs to identify attack patterns including broken object level authorization (BOLA), excessive data exposure, and injection attempts.

import pandas as pd df = pd.read_json("api_gateway_logs.json", lines=True) # Detect BOLA: same user accessing many different resource IDs bola = df.groupby(["user_id", "endpoint"]).agg( unique_ids=("resource_id", "nunique")).reset_index() suspicious = bola[bola["unique_ids"] > 50]

Key detection patterns:

BOLA/IDOR: sequential resource ID enumeration

Rate limit bypass via header manipulation

Credential scanning (401 surges from single source)

SQL/NoSQL injection in query parameters

Unusual HTTP methods (DELETE, PATCH) on read-only endpoints

Examples

# Detect 401 surges indicating credential scanning auth_failures = df[df["status_code"] == 401] scanner_ips = auth_failures.groupby("source_ip").size() scanners = scanner_ips[scanner_ips > 100]