API Abuse
Prioritized automation of API ecosystem
Just about every application uses an application programming interface (API). APIs add a lot of value to an organization, but they also bring significant security problems. Gartner predicted that by 2022, API abuses would become the most frequent attack vector leading to data breaches for enterprise web applications, overtaking all other attack vectors.
So, what problems exactly do APIs face? And what can security defenders do about it?
What is an API Abuse?
API abuse is the misuse of an application's APIs for malicious purposes. With the requisite skills, attackers reverse engineer the client to learn how it talks to the API, then call the API directly with modified requests, altering the application's flow and gaining access the application never intended to grant.
Through APIs, attackers can reach parts of an application they were never meant to see, read data belonging to other users, take over accounts, scrape business-critical data, mount distributed denial of service (DDoS) attacks, and more.
Understanding API attacks is key to preventing, detecting, and neutralizing them, and this article intends to help with that.
Types of API Abuse
Unwanted Application Business logic
Tampered API calls can change an application's intended behavior. Such a call resembles a normal API call in every respect, but its parameters are altered so that the application's business logic performs an action the user never authorized. Examples include changing the PIN on a debit card or transferring money between accounts without the account owner's consent.
The Coinbase incident reported in February 2022 is a well-documented example of such an attack. You can read more about it here: https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060
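The following is an added example for the business-logic abuse described above; it is not code from the original article, from Coinbase, or from AppSentinels. It shows a toy money-transfer handler in two forms: one that trusts the caller-supplied source account (so a request that looks structurally normal moves money the caller does not own) and a hardened one that binds the source account to the authenticated user and enforces the business rules server-side. The accounts, sessions and request bodies are constructed in memory so the example runs offline.

```python
"""Added example: business-logic abuse of a transfer API and its hardened form.
Not code from the original article, Coinbase or AppSentinels; all data is constructed."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Account:
    owner: str
    balance: Decimal


# Constructed sample data (assumption: session tokens were validated upstream).
ACCOUNTS = {
    "acct-alice": Account(owner="alice", balance=Decimal("100.00")),
    "acct-bob": Account(owner="bob", balance=Decimal("50.00")),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user


class TransferError(Exception):
    pass


def reset_accounts() -> None:
    ACCOUNTS["acct-alice"].balance = Decimal("100.00")
    ACCOUNTS["acct-bob"].balance = Decimal("50.00")


def transfer_vulnerable(session_token: str, body: dict) -> dict:
    """Authenticates the caller but never checks who owns from_account."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise TransferError("unauthenticated")
    src = ACCOUNTS[body["from_account"]]  # caller picks any account at all
    dst = ACCOUNTS[body["to_account"]]
    amount = Decimal(str(body["amount"]))  # no sign or balance check either
    src.balance -= amount
    dst.balance += amount
    return {"from": body["from_account"], "to": body["to_account"], "amount": str(amount)}


def transfer_hardened(session_token: str, body: dict) -> dict:
    """Same API shape; authorization and business rules are enforced server-side."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise TransferError("unauthenticated")
    src_id, dst_id = body.get("from_account"), body.get("to_account")
    if src_id not in ACCOUNTS or dst_id not in ACCOUNTS or src_id == dst_id:
        raise TransferError("invalid account")
    src, dst = ACCOUNTS[src_id], ACCOUNTS[dst_id]
    if src.owner != user:  # object-level authorization: source must belong to the caller
        raise TransferError("forbidden")
    try:
        amount = Decimal(str(body.get("amount")))
    except (InvalidOperation, ValueError, TypeError):
        raise TransferError("invalid amount")
    # Business rules the client cannot be trusted to enforce.
    if not amount.is_finite() or amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise TransferError("invalid amount")
    if src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return {"from": src_id, "to": dst_id, "amount": str(amount)}


def demo() -> dict:
    """Send the same hostile request (bob moving alice's money) through both handlers."""
    hostile = {"from_account": "acct-alice", "to_account": "acct-bob", "amount": "100"}
    results = {}
    reset_accounts()
    transfer_vulnerable("tok-bob", hostile)  # succeeds: alice is drained
    results["vulnerable_alice_balance"] = str(ACCOUNTS["acct-alice"].balance)
    reset_accounts()
    cases = {
        "hostile": hostile,
        "negative": {"from_account": "acct-bob", "to_account": "acct-alice", "amount": "-5"},
        "overdraft": {"from_account": "acct-bob", "to_account": "acct-alice", "amount": "60"},
        "legit": {"from_account": "acct-bob", "to_account": "acct-alice", "amount": "20"},
    }
    for name, body in cases.items():
        try:
            transfer_hardened("tok-bob", body)
            results[name] = "ok"
        except TransferError as exc:
            results[name] = str(exc)
    results["hardened_alice_balance"] = str(ACCOUNTS["acct-alice"].balance)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that nothing about the hostile request is malformed: a schema validator or a WAF looking for injection payloads would pass it. Only a check that ties the object being acted on to the authenticated principal stops it, which is why this class of abuse needs application-context-aware detection rather than signature matching.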
Taking over Accounts
Botnets are used to drive account takeovers. To test stolen username and password pairs, a botnet calls the login API with each combination (credential stuffing). API management systems reject invalid login attempts, but they are not very effective against the sheer volume of bots. Bots spread across many IP addresses keep trying credential combinations until they brute-force their way to a valid login.
Skilled attackers also pace the bots so that API requests arrive at realistic, human-like intervals, which gives them a better chance of slipping past conventional rate-based controls.
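The following is an added example of detection logic for the pattern above; it is not code from the original article or from AppSentinels. The log lines are constructed to resemble a simplified login-audit feed, and the line format and thresholds are assumptions. The detector keeps a sliding window of failed logins keyed both by source IP and by target username, so it catches a single IP slowly walking a stolen credential list (many usernames from one IP), a botnet spreading attempts on one account across many IPs (many IPs against one username), and a success that follows a cluster of failures on an account. Because it counts distinct usernames and IPs rather than requests per second, pacing the requests at human-like intervals does not help the attacker inside the window.

```python
"""Added example: credential-stuffing / account-takeover detection over login logs.
Not code from the original article or AppSentinels; log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line format.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"]


def detect(lines, window=timedelta(minutes=10), max_users_per_ip=5,
           max_ips_per_user=3, fails_before_success=3):
    """Return sorted (alert_kind, key) pairs. Lines must be in chronological order."""
    ip_fails = defaultdict(deque)    # ip   -> deque[(ts, user)] inside the window
    user_fails = defaultdict(deque)  # user -> deque[(ts, ip)] inside the window
    alerts = set()

    def expire(dq, now):
        while dq and dq[0][0] < now - window:
            dq.popleft()

    for line in lines:
        ts, ip, user, result = parse(line)
        expire(ip_fails[ip], ts)
        expire(user_fails[user], ts)
        if result == "OK":
            # A success right after a cluster of failures on this account is the
            # moment a stuffing run pays off: flag it for review / step-up auth.
            if len(user_fails[user]) >= fails_before_success:
                alerts.add(("possible_takeover", user))
            continue
        ip_fails[ip].append((ts, user))
        user_fails[user].append((ts, ip))
        # Distinct-count thresholds are independent of request rate.
        if len({u for _, u in ip_fails[ip]}) > max_users_per_ip:
            alerts.add(("stuffing_ip", ip))
        if len({i for _, i in user_fails[user]}) > max_ips_per_user:
            alerts.add(("distributed_user", user))
    return sorted(alerts)


def sample_log():
    """Constructed sample: one legitimate user, one slow single-IP bot, one botnet."""
    base = datetime(2022, 3, 1, 10, 0, 0)

    def stamp(delta):
        return (base + delta).strftime(TS_FMT)

    # Legitimate user: two typos, then success, from one IP.
    lines = [
        f"{stamp(timedelta(0))} ip=192.0.2.10 user=alice result=FAIL",
        f"{stamp(timedelta(seconds=20))} ip=192.0.2.10 user=alice result=FAIL",
        f"{stamp(timedelta(seconds=45))} ip=192.0.2.10 user=alice result=OK",
    ]
    # One IP tries eight stolen usernames 30 s apart: low rate, high breadth.
    lines += [f"{stamp(timedelta(seconds=30 * i))} ip=203.0.113.5 user=u{i:02d} result=FAIL"
              for i in range(8)]
    # Five IPs make one attempt each on "victim" two minutes apart, then a sixth IP succeeds.
    lines += [f"{stamp(timedelta(minutes=2 * i))} ip=198.51.100.{i + 1} user=victim result=FAIL"
              for i in range(5)]
    lines.append(f"{stamp(timedelta(minutes=11))} ip=198.51.100.9 user=victim result=OK")
    return sorted(lines)  # ISO-8601 timestamps sort chronologically as strings


if __name__ == "__main__":
    for kind, key in detect(sample_log()):
        print(f"{kind}: {key}")
```

Per-IP rate limiting alone would pass both attack streams here: the single bot never exceeds two requests a minute, and each botnet IP makes exactly one attempt. Aggregating by target account is what exposes the distributed run, and the real-world version of this keys on device or session fingerprints as well as IPs so that a bot rotating through proxies still correlates to one actor.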
Content Scraping
Attackers can call an application's APIs to scrape its content. Competitors and other cybercriminals commonly do this to gain a commercial advantage, especially during major sales periods. For example, by scraping the business-critical price of a popular item, a competitor can undercut it and damage the business's prospects.
Distributed Denial of Service (DDoS) Attacks
Attackers can target compute-intensive APIs to deliberately overload application servers. Combined with traffic from numerous IPs and devices, this ties up system resources and prolongs response times for legitimate users.
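The following is an added example of one mitigation for the pattern above; it is not code from the original article or from AppSentinels, and the endpoint costs, bucket size and refill rate are assumed values. A flat requests-per-second limit treats a cheap list call and an expensive report export the same, so an attacker can stay under the limit and still exhaust the server by choosing the heavy endpoint. This limiter charges each call a number of tokens proportional to how expensive it is to serve, so a client can make many cheap calls but only a few heavy ones before it has to wait for the bucket to refill.

```python
"""Added example: cost-weighted token bucket for compute-intensive endpoints.
Not code from the original article or AppSentinels; costs and limits are assumed."""
import time

# Assumed relative cost of serving each endpoint (e.g. measured CPU-seconds x 100).
ENDPOINT_COST = {"/api/items": 1, "/api/search": 10, "/api/report/export": 25}


class CostAwareLimiter:
    def __init__(self, capacity=100.0, refill_per_sec=10.0, costs=ENDPOINT_COST, default_cost=5):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.costs = costs
        self.default_cost = default_cost  # charged for endpoints with no measured cost
        self._buckets = {}  # client key -> (tokens, last_seen)

    def allow(self, client: str, path: str, now: float = None) -> bool:
        """Debit the endpoint's cost from the client's bucket; False means reject (HTTP 429)."""
        if now is None:
            now = time.monotonic()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)  # lazy refill
        cost = self.costs.get(path, self.default_cost)
        if tokens >= cost:
            self._buckets[client] = (tokens - cost, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def demo() -> dict:
    """Uses a simulated clock so the outcome is deterministic."""
    lim = CostAwareLimiter()
    cheap = sum(lim.allow("key-a", "/api/items", now=0.0) for _ in range(100))   # 100 allowed
    cheap_next = lim.allow("key-a", "/api/items", now=0.0)                         # bucket empty
    heavy = sum(lim.allow("key-b", "/api/report/export", now=0.0) for _ in range(5))  # 4 allowed
    heavy_after_wait = lim.allow("key-b", "/api/report/export", now=2.5)          # 25 tokens refilled
    return {"cheap_allowed": cheap, "cheap_101st": cheap_next,
            "heavy_allowed": heavy, "heavy_after_2_5s": heavy_after_wait}


if __name__ == "__main__":
    print(demo())
```

Key the bucket on the authenticated principal or API key rather than the source IP alone, since the traffic described above arrives from many IPs; for unauthenticated endpoints fall back to IP plus device fingerprint, and keep the heaviest endpoints behind authentication so that each budget is attributable to an account.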
How to Detect API Abuse
Consider a platform that adds value across the entire API lifecycle, from development and testing through deployment and retirement.
API visibility in real time: If you can't see it, you can't protect it. API visibility is an essential pillar of detecting API abuse. Consider a security platform that provides real-time, continuous discovery of all APIs in your tech stack. It should provide details on parameters, such as whether a parameter is mandatory or optional and whether it carries PII or other sensitive data. Additionally, the platform should discover API attributes and not just API endpoints. The visibility should also include baselining of API usage so that anomalous behavior on an API can be detected.
Risk Assessment: The platform should evaluate the risk associated with each API relative to its exposure, likelihood of an attack, and consequent impact. This helps security and engineering teams prioritize response and improves efficiency in addressing security breaches.
Deep Learning of API behavior: Look for a platform that performs deep learning of application behavior to understand the application's baseline and context. As many API abuses are business logic exploits, a platform that has not built a strong understanding of the application's workflows and context will not be able to detect them.
Shift-Left API Testing: The platform should shift left, integrating into the organization's CI/CD pipeline so that weaknesses in the application are found earlier in the cycle. As individual API calls are stateless but the workflows built on them are stateful, the testing platform should be able to replay the application's happy-path workflows, not just probe isolated endpoints, to provide extensive coverage. AppSentinels does exactly this via the industry's first Intelligent Stateful API DAST.
Comprehensive view of attacks: Can your API security solution connect security-related events and map them to the source of the attack (users or groups)? AppSentinels accomplishes this through the application, user, device, and traffic fingerprinting.
By connecting activities from the same user across multiple IPs, AppSentinels seeks to give SecOps teams a clear picture of an attack, its current stage, and the methods used for the intrusion. The correlation also allows it to distinguish attacks from legitimate user behavior, which is necessary to avoid false positives.
Prevent API Abuse with AppSentinels
AppSentinels is a comprehensive next-generation full-lifecycle API security platform that leverages AI/ML to prevent advanced business logic API attacks. Our deep learning models detect and block attackers early in the attack cycle, guarding apps against data theft, breaches, and fraud. The platform discovers all APIs in real time, provides a catalog of APIs and of the PII/sensitive data flowing through them, and assigns a risk score to each API.
You can schedule a demo for the product walkthrough, and eligible customers will receive a free trial on the platform.