New API Threat Research Shows Shadow APIs as the Top Threat Vector

January 15, 2023 | by CQ Prime Threat Research Team


API threat research by the Cequence CQ Prime Threat Research team confirms that shadow APIs are the top threat facing the industry: 31%, or roughly 5 billion, of the malicious transactions observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.

The data, drawn from the CQ Prime Threat Research team's review of roughly 20 billion customer API transactions from the first half of 2022, focuses heavily on active API exploit attempts, most of them delivered by bots and mitigated natively. Some of these findings may appear new to the API security industry, yet attackers have been using these patterns consistently for years.

  • Shadow APIs are the #1 Attack Vector: Roughly 31%, or 5 billion, of the 16.7 billion malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs and categorized as OWASP API9 (Improper Assets Management). Shadow APIs are relatively easy for attackers to discover: starting from an organization's exposed APIs, they fuzz or modify parameter values and enumerate other API endpoints across different versions and hostnames to find variants the organization is not protecting.
  • API10+: Perfectly Coded APIs Abused by Bots: An unofficial extension to the OWASP list, API10+ was the second largest API security threat, with 3.6 billion malicious requests mitigated during the first half of 2022. API10+ covers attacks on perfectly coded APIs that either do not cleanly fall into any of the OWASP API Security Top 10 categories or combine several of them to achieve their goal. The 3.6 billion malicious requests consisted of shopping bots, gift card fraud, fake account creation and comment spam.
  • The Unholy Trinity: Credential Stuffing, Sensitive Data Exposure and Shadow APIs: The first half of 2022 showed roughly 100 million malicious requests that chained several OWASP categorized threats to execute a single attack.
    • API2 (Broken User Authentication): Attackers ran a credential stuffing attack against the authentication mechanism. The tooling also probed the user confirmation API to determine what sensitive data was returned during the login process.
    • API3 (Excessive Data Exposure): When the user confirmation APIs returned more data than necessary, the attackers harvested that data or looked for variations of the same API to target.
    • API9 (Improper Assets Management): Attackers enumerated the victim's infrastructure using known API patterns, finding variants that were susceptible to the same API2 and API3 risks but invisible to the security team.
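The enumeration the first bullet describes, and the inventory check that catches it, can be expressed in a few lines. The following is an added example written for this page, not code from the report or from Cequence: the hostnames, path templates and observed URLs are constructed, and the list of hostname prefixes an attacker substitutes is an assumption, not a finding of the research. It generates the version and hostname variants an attacker would try from one documented endpoint, then labels observed traffic as known, a shadow variant of a documented endpoint, or a shadow endpoint with no documented counterpart.

```python
"""Shadow API variant enumeration and inventory reconciliation.

Added example; not code from the original report. Hosts, paths and the
request sample below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical documented inventory: (hostname, path template) pairs that
# the security team knows about and protects.
INVENTORY = {
    ("api.example.com", "/v2/users/{id}"),
    ("api.example.com", "/v2/orders/{id}"),
}

# Hostname prefixes an attacker typically substitutes for the public one
# (assumed list for this example).
HOST_PREFIXES = ("api", "api-dev", "api-staging", "api-test", "api-internal", "beta-api")
VERSION_RE = re.compile(r"^/v(\d+)(?=/|$)")
NUMERIC_SEGMENT_RE = re.compile(r"/\d+(?=/|$)")


def normalize_path(path):
    """Collapse numeric path segments to {id} so /v1/users/42 matches /v1/users/{id}."""
    return NUMERIC_SEGMENT_RE.sub("/{id}", path)


def candidate_variants(host, path, max_version=5):
    """Return the (host, path) pairs an attacker would enumerate from one
    known endpoint: every version prefix v1..vN plus the unversioned path,
    on every hostname variant."""
    m = VERSION_RE.match(path)
    rest = path[m.end():] if m else path
    paths = {rest or "/"} | {f"/v{n}{rest}" for n in range(1, max_version + 1)}
    domain = host.split(".", 1)[1]
    hosts = {host} | {f"{p}.{domain}" for p in HOST_PREFIXES}
    return {(h, p) for h in hosts for p in paths}


def variant_index(inventory):
    """Map every enumerable variant back to the documented endpoint it derives from."""
    index = {}
    for host, path in inventory:
        for variant in candidate_variants(host, path):
            index.setdefault(variant, (host, path))
    return index


def classify_requests(urls, inventory=INVENTORY):
    """Label each observed request URL as 'known', 'shadow-variant' (with the
    documented endpoint it is a variant of) or 'shadow-unknown'."""
    index = variant_index(inventory)
    results = []
    for url in urls:
        parts = urlsplit(url)
        key = (parts.hostname, normalize_path(parts.path))
        if key in inventory:
            results.append((url, "known", None))
        elif key in index:
            results.append((url, "shadow-variant", index[key]))
        else:
            results.append((url, "shadow-unknown", None))
    return results


# Constructed sample of observed requests: one legitimate call, an old
# version, a staging host, an unversioned path and an undocumented sub-resource.
OBSERVED = [
    "https://api.example.com/v2/users/42",
    "https://api.example.com/v1/users/42",
    "https://api-staging.example.com/v2/users/42",
    "https://api.example.com/users/42",
    "https://api.example.com/v2/users/42/export",
]

if __name__ == "__main__":
    for url, label, origin in classify_requests(OBSERVED):
        print(f"{label:15} {url}" + (f"  (variant of {origin[0]}{origin[1]})" if origin else ""))
```

The same `candidate_variants` function serves both sides: pointed at a target it is the attacker's enumeration list, pointed at your own inventory it tells you which observed traffic is hitting versions and hosts nobody documented. In practice the inventory would come from OpenAPI specs or the gateway configuration and the observed URLs from gateway or load balancer logs.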

In a case of research mirroring real life, this combined use of multiple OWASP categorized threats is nearly identical to what was found in the recent Optus Telecom API security incident. Chaining these threats shows the depth of analysis attackers are now performing to understand how each API works, how the APIs interact with each other, and what the expected outcome is.
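Because the three stages of the "unholy trinity" leave a recognizable trail in API access logs, they can be correlated per source rather than alerted on individually. The following detection logic is an added example written for this page, not code from the report: the log format, the IP addresses, the documented inventory and the assumed normal size of a confirmation response are all constructed. It flags a source that (API2) sprays many usernames at the login endpoint with a high failure rate, (API3) then receives oversized responses from the user confirmation API, and (API9) then reaches the same confirmation API on versions or hosts that are not in the inventory.

```python
"""Correlating credential stuffing, excessive data exposure and shadow API
access per source IP. Added example; the log lines below are constructed.
"""
from collections import defaultdict

# Documented endpoints (constructed inventory for this example).
INVENTORY = {("api.example.com", "/v2/login"), ("api.example.com", "/v2/users/confirm")}

# Assumed normal size of a confirmation response; anything well above it
# suggests the endpoint returns more fields than the client needs.
CONFIRM_BYTES_BASELINE = 1024

# Constructed log sample: time src_ip method host path status bytes username
LOG = """\
10:00:01 203.0.113.7 POST api.example.com /v2/login 401 118 alice
10:00:01 203.0.113.7 POST api.example.com /v2/login 401 118 bob
10:00:02 203.0.113.7 POST api.example.com /v2/login 401 118 carol
10:00:02 203.0.113.7 POST api.example.com /v2/login 200 1840 dave
10:00:03 203.0.113.7 GET api.example.com /v2/users/confirm 200 2260 dave
10:00:04 203.0.113.7 GET api.example.com /v1/users/confirm 200 2310 dave
10:00:05 203.0.113.7 GET api-staging.example.com /v2/users/confirm 200 2310 dave
10:00:06 198.51.100.9 POST api.example.com /v2/login 200 1840 erin
10:00:07 198.51.100.9 GET api.example.com /v2/users/confirm 200 410 erin
"""


def parse(log_text):
    """Split the constructed log into one dict per request."""
    records = []
    for line in log_text.splitlines():
        ts, ip, method, host, path, status, size, user = line.split()
        records.append({"ts": ts, "ip": ip, "method": method, "host": host,
                        "path": path, "status": int(status), "bytes": int(size),
                        "user": user})
    return records


def analyze(records, min_users=4, min_fail_ratio=0.5):
    """Return, per source IP, which of the three stages were observed and
    whether the full chain (all three) was seen from that source."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        # API2: many distinct usernames against login with mostly failures.
        logins = [r for r in recs if r["path"].endswith("/login")]
        users = {r["user"] for r in logins}
        failures = sum(1 for r in logins if r["status"] == 401)
        stuffing = len(users) >= min_users and failures / max(len(logins), 1) >= min_fail_ratio

        # API3: confirmation responses far larger than the expected baseline.
        confirms = [r for r in recs if r["path"].endswith("/users/confirm")]
        excess = any(r["bytes"] > CONFIRM_BYTES_BASELINE for r in confirms)

        # API9: the same confirmation API reached on undocumented hosts/versions.
        shadow = sorted({(r["host"], r["path"]) for r in confirms
                         if (r["host"], r["path"]) not in INVENTORY})

        stages = [name for name, hit in (("API2 credential stuffing", stuffing),
                                         ("API3 excessive data", excess),
                                         ("API9 shadow API", bool(shadow))) if hit]
        findings[ip] = {"stages": stages, "shadow_endpoints": shadow,
                        "chained": len(stages) == 3}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(parse(LOG)).items():
        print(ip, "CHAINED" if f["chained"] else "", f["stages"], f["shadow_endpoints"])
```

The thresholds are deliberately low so the constructed sample trips them; on real gateway logs the distinct-username count and failure ratio would be tuned per endpoint, and the confirmation-size baseline would be learned from legitimate traffic rather than hard-coded. The point of the correlation is the third stage: a single source that moves from a credential spray to an undocumented host or version of the same API is the pattern the report describes, and neither the login nor the shadow endpoint alone would show it.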

These attacks are perfect examples of why APIs have become attackers' target of choice and why APIs and bots are inextricably connected. The same characteristics that developers love about APIs – flexibility, speed, ease of use – are also loved by attackers, who either find coding errors to exploit, use bots to attack perfectly coded APIs, or combine both. The uptick in API usage and in bots attacking perfectly coded APIs is likely one reason Forrester included API Security and Bot Management as two technologies CISOs must have on their investment list in its recently published Security Risk Planning Guide.

Steps to Take Now to Protect Your Organization and End Users

APIs have been in use for many years; only recently, however, have their use cases moved from deep within IT to being the cornerstone of all things digital. This shift makes API protection a key initiative for the business as a whole, not just for a business unit or for the security and development teams. As shown in this report:

  • APIs are under attack from many different vectors, directly impacting a company's bottom line through lost customers, brand damage, IT infrastructure cost overruns, compliance violations and more.
  • The view that API protection can be addressed by a shift-left, development-focused effort built on the OWASP API Security Top 10 list is a start, but threat actors do not adhere to a top 10 list, and perfectly coded APIs are still susceptible to attack, as shown in the category we define as API10+.
  • Equally, protecting APIs is not solely the responsibility of the security team. Here too, the high volume of attacks on shadow APIs highlights the obvious: you cannot protect what you cannot see. API protection needs to be treated holistically, with a uniform approach that begins with discovering, identifying and inventorying your API footprint.

Get your copy of the report

To learn more, download the full report, API Protection Report: Shadow APIs and Automated Abuse Explode, view the infographic and watch the video. Lastly, if you're interested in seeing how our Unified API Protection solution can assist you, request a free API Protection assessment.
