What is API abuse?
API abuse can be defined as the execution of an automated attack (e.g., account takeover, credential stuffing, content scraping) directly against the public-facing APIs that were built to support the application's business logic, rather than against the web form or mobile screen that normally sits in front of them.
How does API abuse work?
Mobile device ubiquity and the move towards modular applications, where APIs are foundational elements of the application business logic, have made APIs an increasingly common attack vector. By targeting the API directly instead of scripting a form fill, a bad actor gets the same ease of use, efficiency and flexibility that APIs give the development community: a documented request format, a machine-readable response, and no browser, JavaScript or rendering to emulate.
- APIs are the language of the web: According to Gartner, by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs than in the UI, up from 40% in 2019 [1]. Mobile and smart devices use API calls to deliver acceptable performance and user experience. At the same time, a mobile application can be decompiled or its traffic intercepted to recover the exact API calls it makes, which makes programming an attack easier, as highlighted in the Aite Group Analysis of Mobile Applications. As the SmartBear State of the API 2019 Report shows, organizations use APIs for many purposes, including interoperation with other systems, reducing development time and extending functionality. In most cases the APIs are exposed and well documented, which makes the bad actors' job easier.
- Stateless nature of APIs means better performance: REST-style APIs are designed to be stateless: each request is self-contained and carries everything needed to complete the transaction, typically an API key or bearer token plus the request parameters. Using an API directly, or from a mobile or web application, improves user experience and overall performance. It also means an attacker needs no browser session, cookies, CSRF tokens or multi-step page flow to keep in sync; every malicious request is a single, independently replayable HTTP call, which makes the attack very easy to script and automate.
The ubiquity and stateless nature of APIs allow bad actors to launch nearly all common automated attacks more easily and efficiently than by recording and replaying a web form fill. A few examples include:
- Enumeration: This highly automated attack is commonly executed against application APIs, as shown in the Prying-Eye vulnerability, where a bot cycles through (enumerates) the numeric meeting ID space and discovers valid meeting IDs. Numeric identifiers drawn from a small, predictable range are the enabling weakness: each guess costs the attacker one API call, and the response distinguishes a valid ID from an invalid one. If the meeting host has followed the common practice of not setting a password or disabling other protections, the bad actor can then view or listen to an active meeting. Other examples are using automation to discover valid gift card numbers or shipping confirmation numbers.
- Account Takeover, Credential Stuffing and Fake Account Creation: Bad actors analyze the public-facing mobile and web application infrastructure, looking for the APIs that back account login and new account registration. Once found, they automate the attack with a simple script that replays stolen username/password pairs or submits registration requests, as opposed to the more difficult task of automating a form fill.
- Denial of Inventory/Denial of Wallet: In both of these attacks the APIs, rather than the web forms, are the bad actors' target. Denial of inventory locks out legitimate buyers by loading items into shopping carts without ever completing the purchase; the attacker automates the add-to-cart call for the desired item(s) against the cart API endpoint, then moves to the next phase of the attack. For a denial of wallet attack or an application-layer DDoS, bad actors use the APIs exclusively because it is easier to achieve a high volume of transactions that way. The end goal of denial of wallet is to use automation to drive up the target's resource consumption and the associated costs.
- Content Scraping: Many ecommerce web sites are generated dynamically from user input. When a shopper searches for a product, numerous API calls are made behind the scenes and the web page is assembled on the fly. These same API calls can be used to automate scraping of the content. Where the desired content requires an authenticated user, the bad actor first creates a fake account through the registration API, then moves on to the next phase of the scraping campaign.
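Because each abusive request is a single self-contained API call, the defender's side of the problem is mostly a counting problem over API access logs: one client touching far more distinct resource IDs than a real user would (enumeration, as in the meeting ID case above), or one client submitting login attempts for many different usernames with almost all of them failing (credential stuffing). The following is an added example of that detection logic, written for this page rather than taken from Cequence's product or any real log format; the log line layout, the `/api/v1/meetings/<id>` and `/api/v1/login` paths, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Flag enumeration and credential-stuffing clients in constructed API access logs.

Added example, not Cequence code. Constructed log line format (hypothetical):
    <iso-timestamp> <client_ip> <method> <path> <status> <extra>
where <extra> is "user=<name>" for login attempts and "-" otherwise.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<extra>\S+)$"
)
MEETING_RE = re.compile(r"^/api/v1/meetings/(?P<id>\d+)$")   # assumed endpoint
LOGIN_PATH = "/api/v1/login"                                  # assumed endpoint


def build_sample_log():
    """Constructed traffic: one enumerating client, one stuffing client, one real user."""
    t0 = datetime(2019, 10, 1, 12, 0, 0)
    lines = []
    # Enumerating client walks 30 consecutive numeric meeting IDs; only two exist.
    for i in range(30):
        status = 200 if i in (7, 19) else 404
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.10 GET "
                     f"/api/v1/meetings/{100000000 + i} {status} -")
    # Stuffing client replays 25 stolen credential pairs; one of them still works.
    for i in range(25):
        status = 200 if i == 13 else 401
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.77 POST "
                     f"{LOGIN_PATH} {status} user=user{i:02d}@example.com")
    # Real user: one typo on login, then opens the single meeting she was invited to.
    lines.append(f"{t0.isoformat()} 198.51.100.5 POST {LOGIN_PATH} 401 user=alice@example.com")
    lines.append(f"{(t0 + timedelta(seconds=3)).isoformat()} 198.51.100.5 POST "
                 f"{LOGIN_PATH} 200 user=alice@example.com")
    lines.append(f"{(t0 + timedelta(seconds=9)).isoformat()} 198.51.100.5 GET "
                 f"/api/v1/meetings/100000007 200 -")
    return lines


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def enumeration_suspects(records, min_distinct_ids=20, min_miss_rate=0.8):
    """Clients that probe many distinct meeting IDs and mostly get 404.

    A real user references the handful of IDs they were given; an enumerating
    bot sweeps the ID space and misses most of the time. Both signals are
    required so that a busy but legitimate client is not flagged.
    """
    ids, misses, hits = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        m = MEETING_RE.match(r["path"])
        if not m:
            continue
        ids[r["ip"]].add(m["id"])
        if r["status"] == 404:
            misses[r["ip"]] += 1
        else:
            hits[r["ip"]] += 1
    flagged = {}
    for ip, idset in ids.items():
        miss_rate = misses[ip] / (misses[ip] + hits[ip])
        if len(idset) >= min_distinct_ids and miss_rate >= min_miss_rate:
            flagged[ip] = {"distinct_ids": len(idset),
                           "miss_rate": round(miss_rate, 2),
                           "valid_ids_found": hits[ip]}
    return flagged


def stuffing_suspects(records, min_attempts=10, min_distinct_users=10, min_fail_rate=0.8):
    """Clients that try many different usernames against the login API with
    mostly failures: the shape of credential stuffing. A user who mistypes a
    password once stays well under every threshold."""
    attempts, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for r in records:
        if r["path"] != LOGIN_PATH or r["method"] != "POST":
            continue
        attempts[r["ip"]] += 1
        if r["status"] == 401:
            failures[r["ip"]] += 1
        if r["extra"].startswith("user="):
            users[r["ip"]].add(r["extra"][len("user="):])
    flagged = {}
    for ip, n in attempts.items():
        fail_rate = failures[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                           "fail_rate": round(fail_rate, 2)}
    return flagged


if __name__ == "__main__":
    recs = list(parse(build_sample_log()))
    print("enumeration:", enumeration_suspects(recs))
    print("stuffing:   ", stuffing_suspects(recs))
```

The same per-client counting extends naturally to the other attacks in the list: add-to-cart calls with no checkout from one client (denial of inventory), or search/catalog calls at a rate no human shopper produces (scraping). Thresholds are deliberately simple here; in production they would be tuned per endpoint and combined with the mitigations named later on this page (blocking, rate limiting, geo fencing).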
API abuse goals and organizational impact
Using APIs instead of a scripted web form fill lets an attacker execute almost any of the automated attacks above with the end goal of theft, fraud or both. The outcome of an account takeover or fake account creation executed against a set of APIs is no different from the outcome had the bad actor used the web form or the mobile application; only the path to it is easier.
Organizationally, the impact of using an API to execute an attack is no different than if the attack was executed on a web form. Lost sales, degradation of customer satisfaction, theft of intellectual property, and resources consumed to address the attack are a few examples.
Preventing API abuse with Cequence Security
The Cequence Application Security Platform prevents API abuse using CQAI, a patented machine-learning analytics engine that discovers all of the application endpoints, including web, mobile and API-based ones. CQAI then analyzes the application requests to determine their intent and, if deemed malicious, lets you mitigate the attack through blocking, rate limiting, geo fencing or deception.
[1] Gartner, API Security: What You Need to Do to Protect Your APIs, August 2019