Avoid Bot Attacks and Online Scams on APIs | impervious (2023)

The rapid spread of application programming interfaces (APIs) is at the forefront of digital transformation and has led to explosive growth in API adoption in recent years. In fact, it's hard to imagine software that doesn't use an API or that isn't an API in itself. By supporting rapid development and deployment, APIs help developers assemble apps quickly and efficiently while providing a better user experience for mobile and web apps. However, if APIs are not properly secured, they can be harmful to an organization.

APIs not only expand the attack surface by providing attackers with more entry points, but they are also more exposed to fraud and business logic abuse, making them an ideal target for automated attacks. These attacks are increasing at an alarming rate. As we reported in our Bad Bot Report 2023, 17% of all API attacks in 2022 came from bots trying to abuse business logic, and 21% were other types of automated threats. It should not be surprising that a lack of protection against automated threats is a candidate for the new 2023 version of the OWASP API Security Top 10. But why are APIs increasingly under attack?

APIs are everywhere

APIs are an essential part of modern software development. According to MuleSoft, 98% of companies now use public and/or private APIs. A Forrester Research survey commissioned by Imperva found that the average minimum number of APIs managed by a company today is 300. A recent report found that 70% of developers expect API usage to increase this year. As the number of APIs increases, the attack surface also increases. Therefore, APIs are expected to become the main target for criminals in the coming years.

Organizations lack visibility

The lack of visibility can be attributed to the following causes:

  1. Lack of visibility of all existing APIs and their functionality
  2. Lack of visibility into the proportion of API traffic coming from bots

Organizations must identify and document all of their APIs. Many APIs exist and are publicly reachable, but the organization has not inventoried them or is not actively aware of them. They are commonly known as shadow APIs. Examples include: old API endpoints that were deprecated but never removed, new API endpoints that were not inventoried or documented, or a developer accidentally making a change that exposes non-public API endpoints to the internet. Imperva Threat Research found that 14% of all API traffic goes to shadow APIs. This begs the question: how can you protect something you don't know exists?
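A practical first step towards the inventory described above is to compare the paths an API specification declares against the paths actually being requested. The following is an added example, not code from the original post or from Imperva; it assumes a small constructed OpenAPI path list and constructed access-log lines, and it reports every observed endpoint that no documented path template matches, grouping numeric path segments as `{id}` so that repeated calls to one undocumented route are counted together.

```python
import re
from collections import Counter

# Constructed sample: the path templates an OpenAPI document declares for this service.
DOCUMENTED_PATHS = [
    "/api/v2/users/{id}",
    "/api/v2/users/{id}/orders",
    "/api/v2/products",
]

# Constructed sample access-log lines: method, request target, status.
ACCESS_LOG = """\
GET /api/v2/users/1042 200
GET /api/v2/users/1042/orders 200
GET /api/v2/products?page=3 200
GET /api/v1/users/1042 200
POST /api/v2/internal/export 200
GET /api/v2/users/77 200
GET /api/v1/users/88 200
"""


def template_to_regex(template: str) -> re.Pattern:
    """Compile an OpenAPI path template; each {param} matches exactly one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def normalize_path(raw: str) -> str:
    """Drop the query string and a trailing slash so equivalent requests compare equal."""
    path = raw.split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path


def generalize(path: str) -> str:
    """Replace purely numeric segments with {id} so one undocumented route is counted once."""
    segments = ("{id}" if seg.isdigit() else seg for seg in path.strip("/").split("/"))
    return "/" + "/".join(segments)


def find_shadow_apis(log_text: str, documented: list) -> Counter:
    """Return a Counter of (method, generalized path) for requests that match no documented template."""
    patterns = [template_to_regex(t) for t in documented]
    shadow = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; skip rather than crash the inventory run
        method, path = fields[0], normalize_path(fields[1])
        if not any(p.match(path) for p in patterns):
            shadow[(method, generalize(path))] += 1
    return shadow


if __name__ == "__main__":
    for (method, path), hits in find_shadow_apis(ACCESS_LOG, DOCUMENTED_PATHS).most_common():
        print(f"undocumented endpoint: {method} {path} ({hits} requests)")
```

On the constructed log this flags the deprecated `/api/v1/users/{id}` route (two requests) and an undocumented `POST /api/v2/internal/export`; in practice the specification side would be loaded from the real OpenAPI document and the log side from the gateway or load balancer, and the output feeds the inventory rather than replacing it.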

There's also the challenge of distinguishing between human and bot traffic, not to mention good bots and bad bots. The problem is that everything looks like a bot to an API, because APIs are designed for automated clients. This makes it difficult for companies to protect their APIs from bot attacks. These APIs handle high volumes of requests but lack built-in defense mechanisms. This makes it difficult to detect and block traffic from malicious bots, allowing attackers to take advantage of automation without the risk of raising an alarm.

However, there are more effective ways to identify the intended consumer of an API and prevent bots from accessing it. Many APIs are specifically designed to provide data to single-page web apps and mobile apps. By identifying the target consumer of the API, the security team can prevent unauthorized clients from abusing the API.

APIs allow direct access to sensitive data

APIs serve as a direct route to sensitive data, business functions, resources, and other sensitive information. A recent Imperva analysis of API endpoints revealed that 13% of the APIs handle highly sensitive information such as credit card numbers, social security numbers, home addresses and more. If an attacker gains access to an API that handles sensitive data, they could gain access to all the data the API was designed to serve, resulting in a data breach.

APIs are inherently easier to communicate with

APIs are inherently machine-readable, making them easier for developers to parse and easier for attackers to exploit. Simply put, the way APIs handle requests makes it easy for attackers to use automated tools (like bots) without the need to emulate browsers. APIs are similar to SQL interfaces: they make it easy to query data, but they expose their logic publicly.

Another peculiarity of APIs is that they are generally stateless, unlike most traditional web applications, which are stateful. In general, stateless apps are considered more vulnerable than stateful apps because they don't track user session information. In a stateless application, each request is treated as a separate transaction, and the application does not store information about previous requests made by the same user.

Combining the relative ease of targeting APIs with the ease of orchestrating a bot-for-hire/bot-as-a-service attack results in a dangerous combination of a single target and a low-cost, low-effort attack.

Business logic is often overlooked

According to Postman, 44% of API developers have less than 2 years of API development experience. Additionally, 48% of API developers design, implement, test, and ship an API to production within a week. When it comes to securing their APIs, developers often apply a standard set of rules, often neglecting the business logic side and exposing APIs to business logic vulnerabilities. Even when an API has proper authentication and authorization mechanisms in place, implementation flaws can still provide opportunities for attackers to exploit the API. These are vulnerabilities that can be exploited using bots to wreak havoc.

For example, malicious bots can crawl a search API to collect data, or a login API can be abused to illegally gain access to user accounts. In the specific case of the login function, APIs rely on a token as the form of authentication, so no parsing is required. Instead, these tokens and other forms of authentication can be intercepted or stolen by attackers and used to gain unauthorized access to the API and the associated account or data.

Even when developers try to contain bot traffic, they often use traditional security tools and techniques. This includes rate limiting, signature-based detection, blocking protocols, etc. These techniques are generally ineffective against today's sophisticated bot attacks targeting APIs.

It's not just about business logic

Scraping and account takeover are two examples of bot attacks that can exploit an API's business logic. There are a variety of other ways that bots can attack APIs. One example is distributed denial of service (DDoS) attacks. Bots can be used to launch DDoS attacks on APIs, overwhelming them with traffic and making them inaccessible to legitimate users. DDoS attacks pose a particular challenge for GraphQL-based APIs because the user has much more flexibility over what data to query and how complex those queries are, which can often result in unoptimized queries against the backend database.
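The flexibility the paragraph above describes is exactly why GraphQL servers usually enforce a maximum query depth before resolving anything. The following is an added example, not code from the original post or from Imperva; it is a simplified depth estimator that walks the raw query text counting nested selection sets (skipping string literals and `#` comments) rather than a full GraphQL parser, and the `MAX_DEPTH` value is an assumed policy setting. Production servers would do this on the parsed AST, and usually add a cost estimate per field as well.

```python
MAX_DEPTH = 5  # assumed policy: reject any operation nested deeper than this


def query_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a GraphQL query string.

    The operation's outer selection set counts as depth 1, so
    '{ product { name } }' has depth 2. Braces inside string
    literals and '#' comments are ignored so they cannot skew the count.
    """
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            while i < len(query) and query[i] != "\n":
                i += 1          # comment runs to end of line
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_query(query: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Gate a query before execution: (accepted, reason)."""
    depth = query_depth(query)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, f"query depth {depth} within limit"


# Constructed sample queries: an ordinary product lookup and a self-referential
# friends-of-friends query of the kind that fans out into many database reads.
SHALLOW_QUERY = "{ product(id: 7) { name price } }"
DEEP_QUERY = "{ user(id: 1) { friends { friends { friends { friends { name } } } } } }"
STRING_QUERY = '{ search(text: "{not a selection}") { id } }  # braces in data'

if __name__ == "__main__":
    for q in (SHALLOW_QUERY, DEEP_QUERY, STRING_QUERY):
        accepted, reason = check_query(q)
        print("ACCEPT" if accepted else "REJECT", reason)
```

Depth limiting alone does not bound the width of a query (many aliases of one expensive field at depth 2), so it is normally paired with a per-field cost budget and the usual rate limiting at the gateway.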

Bots can also be used to probe APIs for vulnerabilities such as SQL injection or cross-site scripting. This is not a direct attack, but a reconnaissance phase that helps attackers identify potential vulnerabilities they can exploit. These are just a few examples of how bots can attack APIs.

Many business logic layer vulnerabilities are specific to an API implementation flaw. For example, a typical excessive data exposure vulnerability (listed in the OWASP API Security Top 10) allows malicious bots to exfiltrate data by calling APIs that return far more data than was intended. Malicious actors have been observed using reconnaissance bots to discover this type of business logic vulnerability.
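Excessive data exposure usually comes from serializing the internal record as the API response and trusting the client to display only what it needs. The following is an added example, not code from the original post or from Imperva; it uses a constructed in-memory user record, shows the vulnerable handler next to a hardened one that applies an explicit per-endpoint response schema, and includes a small check that a test suite or API security scanner could run over responses to flag sensitive fields. The field names and the `SENSITIVE_FIELDS` set are assumptions for the example.

```python
from dataclasses import dataclass, asdict

# Constructed internal model: what the database row looks like.
@dataclass
class UserRecord:
    id: int
    username: str
    email: str
    password_hash: str
    ssn: str
    is_admin: bool


# Constructed sample data; the hash value is a placeholder, not a real hash.
DB = {
    42: UserRecord(42, "alice", "alice@example.com", "<bcrypt hash placeholder>", "123-45-6789", False),
}

# Fields that must never appear in a response from the public profile endpoint.
SENSITIVE_FIELDS = {"email", "password_hash", "ssn", "is_admin"}

# Explicit response schema for the public profile endpoint: allow-list, not deny-list.
PUBLIC_USER_FIELDS = ("id", "username")


def get_user_vulnerable(user_id: int) -> dict:
    """Vulnerable pattern: return the whole internal object and let the client pick."""
    return asdict(DB[user_id])


def get_user_hardened(user_id: int, allowed: tuple = PUBLIC_USER_FIELDS) -> dict:
    """Hardened pattern: project the record onto the endpoint's declared response schema."""
    record = asdict(DB[user_id])
    return {field: record[field] for field in allowed}


def leaked_fields(response: dict, sensitive: set = SENSITIVE_FIELDS) -> set:
    """Detection helper: which sensitive keys does a response body contain?"""
    return set(response) & sensitive


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_user_vulnerable), ("hardened", get_user_hardened)):
        body = handler(42)
        print(name, body, "leaks:", sorted(leaked_fields(body)) or "none")
```

The allow-list is the important design choice: a deny-list that strips `password_hash` today silently exposes whatever column is added to the model tomorrow, whereas a declared schema only ever grows when someone deliberately extends it.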

In short, organizations increasingly rely on APIs, leading to rapid growth in adoption and usage. In turn, the attack surface that these organizations need to protect today has grown significantly. As bots become more sophisticated and more capable of API business logic attacks every day, they pose a significant risk that we believe will only increase.

Imperva protects APIs from bot attacks and online fraud

Imperva's cloud application security platform is built from the ground up with our industry-leading solutions such as Advanced Bot Protection and API Security. They work together to provide the ideal platform to protect your online business. This defense-in-depth solution is a one-stop shop for protecting your organization's most valuable assets against today's sophisticated and ever-evolving threats.

Imperva Advanced Bot Protection protects websites, mobile apps and APIs from today's most sophisticated bot attacks without affecting legitimate users. It prevents bot operators, attackers, unscrupulous competitors and fraudsters from misusing, abusing and attacking your applications. It takes a holistic approach that combines vigilant service, superior technology and industry knowledge to give customers complete visibility and control over traffic from humans, good bots and bad bots.

Imperva API Security provides continuous protection of all APIs through comprehensive discovery and classification of sensitive data, uncovering all public, private and shadow APIs and empowering security teams to implement a positive security model. Through machine learning and automation, Imperva API Security continuously detects and classifies changes to determine threats and risks so security teams can keep pace with DevOps.


Author: Clemencia Bogisich Ret

Last Updated: 04/13/2023
