API Security: API10+ Defined as Bots Abusing Well-Formed APIs

API business logic abuse, informally defined as as OWASP API10+, an extension to the OWASP API Top 10, is the practice of attacking perfectly coded APIs to achieve a malicious end-goal. Coding errors like weak authentication, excessive data exposure or the inadvertent publication of internal APIs are all known to be root causes of recent API security incidents. What’s rarely covered are attacks on well-formed APIs, yet with 3.6 billion malicious requests blocked by the CQ Prime Threat Research team, these API10+ attacks were the second largest API security threat mitigated during the first half of 2022.

API10+ Business Logic Abuse: An Informal Extension of the OWASP API Top 10

Any API, or web application for that matter, can be attacked. The Cequence Security API Protection Report highlights how well-formed APIs are attacked daily across all customers. Categorized by the CQ Prime Threat Research Team as API10+, an unofficial extension to the Open Web Application Security Project (OWASP) API Security Top 10 list, this set of attacks target APIs that are coded correctly, properly inventoried and are not susceptible to any of the OWASP API Security Top 10 threats. Yet malicious requests targeting well-formed APIs continue to occur and include these attacks that were blocked by the CQ Prime Threat Research Team during the first half 2022:

• 3 billion+ shopping bots: Shopping bots targeted well-formed APIs with a dense network of highly volumetric and geographically distributed fuzzing payloads. These attacks often have an extremely low success rate, however, economies of scale lead to a compounded return when the target item (e.g., sneakers, luxury goods, game consoles) is successfully bought and then resold for highly inflated prices.
• 290 million+ malicious gift card checks: Gift card enumeration is based on fuzzing numeric patterns on APIs that support payment and checkout microservices. Attackers employ cheap cloud computing resources, distributed across many proxies to execute credential stuffing attacks looking to gain access to free money. The lack of request failure analysis on such APIs leads to a huge gap in application security hardening. Cequence utilizes multiple out of the box capabilities to track threat vectors and attack payloads dealing with payment fraud.
• 37 million comment spam requests: This set of payloads abuse APIs that serve customer relationship management workflows. Spamming and DoS activities on these flows lead to significant customer friction and hampers an organization’s ability to serve its customers.

The rapid growth in API attacks caused by coding errors has led to the notion that an increased focus on application security and testing will solve the problem. The reality is that a shift left mentality will help, but it will not stop a highly automated attack. Attacks on well-formed APIs are a common occurrence because the attackers exploit the same nonfunctional requirements that developers love about APIs – flexibility, speed and ease of use.

API10+ Example: Methodical API Business Logic Abuse

The CQ Prime Threat Research Team successfully mitigated a financially motivated threat actor targeting an e-commerce platform abusing the OWASP API5 (Broken Function Level Authorization) vulnerability. The attackers automated the purchase of consumer items with stolen credit cards and Payment Card Industry Data Security Standard (PCI-DSS) data. The API abuse attack lifecycle depicted the following behavior:

• Vulnerability scanning: The attackers began by mapping the entire site using commonly known vulnerability scanning tools from a single IP address. This included OWASP API 8 attack behaviors such as SQL injection, command injection, directory traversal, and fuzzing of sensitive data. When basic recon did not yield low-hanging fruit, the attacker moved to mapping the API ecosystem.
• Attack probes: The attackers then began using existing attack configurations from well-known bot automation tools like OpenBullet to perform basic credential stuffing and fake account creation attacks. During a 24-hour period, attackers initiated more than 1.5 million requests from 130,000 IP addresses, all of which were mitigated by more than 1,000 different behavioral fingerprints.
• Continued reconnaissance: The attack continued even as it was mitigated, leading to the discovery that this was a head-fake from the attackers and was not the goal. During the following attacks, the reconnaissance behavior returned, this time focusing on account creation and checkout APIs.
• Vulnerability discovered: Attackers discovered that upon creation of a brand-new account, and before email verification had taken place, that the checkout APIs (particularly those to add a payment method) could be invoked by the user. This is an example of broken function level authorization, where an API functionality is intended to be used only by users who have both authenticated and are authorized.
• Theft: The focus of the attack shifted to account creation, and attackers immediately began stuffing new (fake) accounts with stolen payment info, targeting retail products for purchase. They did not care their credential stuffing campaign was failing, they were simply watching which of the new accounts they created would be able to successfully access payment APIs, iterating through stolen credit cards until they found one eligible to continue with the purchase.

API Security Means Full API Lifecycle Protection

The Cequence Unified API Protection (UAP) solution helps protect well-formed APIs from bot-generated abuse by addressing all phases of the API security lifecycle to eliminate unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption. Cequence UAP features include:

• Discover Public Facing API Attack Surface: API development and deployment is often distributed across many groups, introducing the risk of APIs deployed outside of a CDN purview. The Cequence UAP solution solves that challenge by continuously assessing your public facing APIs and resources to provide an attackers view of your organization’s attack surface, including cloud hosting services, any associated API endpoints, and servers that may be vulnerable to Log4j and LoNg4j exploits.
• Centralized Inventory Tracking of Known and Unknown APIs: The Cequence UAP solution integrates with CDNs and a range of API gateways to provide centralized API visibility and inventory tracking of all the APIs deployed and managed by the respective API gateways. Unregistered or unknown APIs are also discovered, allowing security and development to migrate those shadow APIs to the respective API gateway to ensure security and governance policy consistency.
• Strengthen Compliance and Data Governance Controls: Cequence helps organizations enforce compliance and governance controls with proactive API risk analysis and remediation. Predefined and custom risk assessment rules help organizations teams find and remediate coding errors that introduce sensitive data handling and authentication vulnerabilities that can lead to data governance and compliance violations.
• Detect Sophisticated API Attacks: Going beyond basic protections that CDNs can provide, Cequence UAP analyzes your APIs using ML-based analysis based on a threat database with millions of records and behavioral fingerprinting to detect and continually track sophisticated API attacks as they retool to evade detection.
• Flexible, Real time Mitigation Responses: Real time responses to API attacks range from basic block and rate limiting to HTTP header insertion and deception, all executed in real time, per policy or per app, without reliance on integration with third-party WAFs.

Unified API Protection is different from fragmented or incomplete API security offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.