APIs are growing at roughly twice the rate of traditional web traffic, and their popularity, combined with how easily they can be probed, makes them a prime target for attackers. A recent report by CQI API Protection found that of more than 20 billion transactions observed in the first half of 2022, 16.6 billion, around 83 percent, were malicious.
The report mapped the primary ways in which APIs are attacked or abused to the categories of the OWASP API Security Top 10. The two leading categories were Improper Assets Management and Insufficient Logging and Monitoring: shopping bots favored the former, while content scraping was carried out through the latter. The report also uncovered a newer pattern in which attackers combine tactics, techniques, and procedures from several Top 10 categories to abuse APIs that are, by any code-level measure, perfectly written.
Contrary to popular belief, an API that is well coded, conforms to its specification, and has been properly inventoried and tested can still be probed and compromised. Clean code rules out implementation bugs, not misuse: if the assets behind the API are valuable enough, a persistent automated attacker will keep probing, and no single control will stop it. The usual technique turns the API's own functionality against it, which is known as business logic abuse.
Well-coded and inventoried APIs are harder to compromise, but the attacker's extra work is reconnaissance rather than exploitation: studying how the API works, how it interacts with other APIs, and what a normal call returns, so that the abusive calls look like expected use and do not trigger an alert. Business logic abuse is rising precisely because API development and security practices are improving, leaving fewer implementation flaws to exploit.
One form of abuse that is growing in number is the trinity attack, which combines three OWASP API Security Top 10 categories: Broken User Authentication, Excessive Data Exposure, and Improper Assets Management. Trinity attacks are still relatively small in number, with about 100 million recorded during the first half of 2022, but the rate at which they occur is increasing.
Trinity attacks can be devastating and can manifest in different ways. Each leg is well understood on its own: Broken User Authentication lets attackers replay stolen credentials at scale (credential stuffing); Excessive Data Exposure occurs when an API returns more data than the client needs and relies on the client to filter it, so anyone who can call the endpoint sees everything the server sends; and Improper Assets Management covers shadow and deprecated APIs that fly under the radar of the security team and therefore go unmonitored. A trinity attack chains the three, using each weakness to make the next one easier to exploit.
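As an added example, not code from the report or the original article, here is the Excessive Data Exposure leg of the trinity written two ways in Python: a handler that serialises the whole stored record and trusts the client to hide what it should not show, beside a hardened handler that returns only an explicit per-audience allowlist of fields. The user record, the field names and the allowlists are constructed for illustration.

```python
from typing import Optional

# Constructed sample record standing in for a database row (not real data).
USERS = {
    42: {
        "id": 42,
        "email": "alice@example.com",
        "display_name": "Alice",
        "password_hash": "$2b$12$constructed.hash.value.for.illustration",
        "card_number": "4111111111111111",
        "card_last4": "1111",
        "internal_risk_score": 0.87,
        "is_admin": False,
    }
}


def get_profile_vulnerable(user_id: int) -> dict:
    """Excessive Data Exposure: returns the full record and relies on the
    front end to pick the fields it displays. A scraper, a stolen session
    or a stuffed credential sees everything the server sends, including
    the password hash and the full card number."""
    return dict(USERS[user_id])


# Field allowlists per audience. Anything not listed never leaves the server.
PUBLIC_FIELDS = ("id", "display_name")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "card_last4")


def get_profile_hardened(user_id: int, requester_id: Optional[int]) -> dict:
    """Return only the fields the caller is entitled to see.
    requester_id is the authenticated caller's id (None = anonymous).
    Filtering happens server-side, keyed on the caller, not on the client."""
    record = USERS[user_id]
    fields = OWNER_FIELDS if requester_id == user_id else PUBLIC_FIELDS
    return {name: record[name] for name in fields}


def leaked_fields(user_id: int, requester_id: Optional[int]) -> set:
    """Fields the vulnerable handler exposes that the hardened one withholds
    for the given caller; useful as a quick audit of an existing endpoint."""
    exposed = set(get_profile_vulnerable(user_id))
    allowed = set(get_profile_hardened(user_id, requester_id))
    return exposed - allowed


if __name__ == "__main__":
    print("leaked to anonymous caller:", sorted(leaked_fields(42, None)))
    print("leaked to the owner:", sorted(leaked_fields(42, 42)))
```

The point of the allowlist is that adding a new column to the store (a risk score, an admin flag) cannot silently widen the response; a denylist would have to be updated every time.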
An example of a trinity attack was seen in an eCommerce platform that was targeted last year. The attackers conducted reconnaissance with vulnerability scanning tools, then mapped the API ecosystem. Using attack configurations from bot automation tools, they ran credential stuffing and account creation attacks against the account creation and checkout APIs, exploiting Broken Function Level Authorization along the way. They loaded the new accounts with stolen payment information and iterated through stolen card details until they found one that was accepted for purchase, the pattern known as card testing.
Spotting trinity attacks is difficult without behavior-based monitoring and analysis. Many organizations rely on controls built for web applications, such as Web Application Firewalls (WAFs), which inspect individual requests for known attack patterns and cannot see an attack in which every request is well-formed and individually legitimate. Bot defenses that rely on JavaScript challenges are likewise ineffective against RESTful APIs: the client is a script exchanging JSON or XML, not a browser that renders a page and executes the challenge.
Protecting against trinity attacks starts with understanding the relationship between bots and APIs. API protection should include bot detection and mitigation alongside the discovery, detection, and defense of the APIs themselves. That requires a comprehensive understanding of your APIs: how many you have, what each one does, and a runtime inventory that continuously records changes, so that shadow and deprecated endpoints are found by you rather than by an attacker.
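As an added example that is not from the report or this article, here is the kind of runtime-inventory and behavior-based check the two preceding paragraphs call for, in Python. A constructed access log (one JSON object per line; the field names are assumptions) is compared against a documented-endpoint inventory to surface shadow endpoints, then aggregated per source IP and per account to flag the credential stuffing and card testing pattern from the eCommerce example above. Every request in the log is individually well-formed, which is why a per-request signature check would pass all of them. The thresholds and the use of HTTP 402 for a declined card are assumptions.

```python
import json
from collections import defaultdict

# Documented (method, path) pairs from the runtime inventory. Constructed.
DOCUMENTED = {
    ("POST", "/api/v2/login"),
    ("POST", "/api/v2/accounts"),
    ("POST", "/api/v2/checkout"),
    ("GET", "/api/v2/products"),
}

# Constructed access log. 203.0.113.7 cycles usernames at login, then cycles
# cards at checkout from the one account that worked; 198.51.100.2 is a normal
# shopper who fat-fingered a password once. Status 402 = card declined (assumed).
LOG_LINES = """
{"ts":1,"ip":"203.0.113.7","method":"POST","path":"/api/v2/login","status":401,"user":"u1"}
{"ts":2,"ip":"203.0.113.7","method":"POST","path":"/api/v2/login","status":401,"user":"u2"}
{"ts":3,"ip":"203.0.113.7","method":"POST","path":"/api/v2/login","status":401,"user":"u3"}
{"ts":4,"ip":"203.0.113.7","method":"POST","path":"/api/v2/login","status":200,"user":"u4"}
{"ts":5,"ip":"203.0.113.7","method":"POST","path":"/api/v2/login","status":401,"user":"u5"}
{"ts":6,"ip":"198.51.100.2","method":"POST","path":"/api/v2/login","status":401,"user":"bob"}
{"ts":7,"ip":"198.51.100.2","method":"POST","path":"/api/v2/login","status":200,"user":"bob"}
{"ts":8,"ip":"203.0.113.7","method":"POST","path":"/api/v2/checkout","status":402,"user":"u4","card":"fp_a"}
{"ts":9,"ip":"203.0.113.7","method":"POST","path":"/api/v2/checkout","status":402,"user":"u4","card":"fp_b"}
{"ts":10,"ip":"203.0.113.7","method":"POST","path":"/api/v2/checkout","status":402,"user":"u4","card":"fp_c"}
{"ts":11,"ip":"203.0.113.7","method":"POST","path":"/api/v2/checkout","status":200,"user":"u4","card":"fp_d"}
{"ts":12,"ip":"198.51.100.2","method":"POST","path":"/api/v2/checkout","status":200,"user":"bob","card":"fp_e"}
{"ts":13,"ip":"203.0.113.7","method":"GET","path":"/api/v1/users/export","status":200,"user":"u4"}
{"ts":14,"ip":"198.51.100.2","method":"GET","path":"/api/v2/products","status":200,"user":"bob"}
"""


def parse(lines: str) -> list:
    """One JSON object per non-empty line; returns a list of dicts."""
    return [json.loads(line) for line in lines.strip().splitlines() if line.strip()]


def shadow_endpoints(events: list, documented: set = DOCUMENTED) -> set:
    """Endpoints seen in traffic that the inventory does not know about
    (Improper Assets Management). Anything here is unmonitored by definition."""
    return {(e["method"], e["path"]) for e in events} - documented


def _ratio_flags(events, method, path, group_key, variety_key, failure_status,
                 min_variety, min_failure_ratio):
    """Generic behavioral aggregate: per group, count distinct values of
    variety_key and the share of responses with failure_status."""
    variety, failures, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["method"] != method or e["path"] != path:
            continue
        key = e[group_key]
        variety[key].add(e[variety_key])
        total[key] += 1
        if e["status"] == failure_status:
            failures[key] += 1
    return {
        key for key in total
        if len(variety[key]) >= min_variety
        and failures[key] / total[key] >= min_failure_ratio
    }


def credential_stuffing(events: list, min_users: int = 5, min_fail_ratio: float = 0.6) -> set:
    """Source IPs trying many distinct usernames with mostly failed logins
    (Broken User Authentication exploited at scale)."""
    return _ratio_flags(events, "POST", "/api/v2/login", "ip", "user", 401,
                        min_users, min_fail_ratio)


def card_testing(events: list, min_cards: int = 3, min_decline_ratio: float = 0.5) -> set:
    """Accounts cycling through many distinct cards with mostly declines at
    checkout, the iteration described in the eCommerce example."""
    return _ratio_flags(events, "POST", "/api/v2/checkout", "user", "card", 402,
                        min_cards, min_decline_ratio)


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("shadow endpoints:", sorted(shadow_endpoints(events)))
    print("credential stuffing sources:", sorted(credential_stuffing(events)))
    print("card-testing accounts:", sorted(card_testing(events)))
```

The two behavioral checks share one aggregate (distinct values of something per actor, plus a failure ratio) because that is the shape of most business logic abuse: each call is valid, and only the variety and the failure rate across calls give it away. In production the same aggregation would run over a sliding time window and key on a device or session fingerprint as well as the IP, since automation tools rotate addresses.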
In conclusion, APIs are increasingly being targeted with trinity attacks that chain multiple weaknesses against endpoints whose code may be flawless. Businesses need to understand the evolving ways in which APIs are abused and act on them: gain visibility into the API ecosystem, detect and mitigate bot attacks, and continuously monitor and update API security measures as the inventory changes.
