APIs (Application Programming Interfaces) have in recent years become a crucial component of the modern Web ecosystem, helping seamlessly interconnect a wide array of systems, networks, and architectures. They allow information to flow in real time to facilitate exchange of data between virtually every conceivable type of website and application used for virtually any purpose. When we use a modern website or mobile application, much of the dynamic content we interact with has probably been provided through an API.
A vast range of APIs provide the information that lets websites and apps carry out identity or address verification, determine users’ locations and IP addresses, perform credit checks, interact with banking and payment processing services, and much more. While much of the content we see on a website or app is static, on the back end the site or app queries databases through APIs to produce the dynamic information displayed to the user, such as pricing and availability. On an e-commerce site, for example, several APIs are queried during a customer’s visit to find out whether a product is in stock and when it will ship, and notification-service APIs then track the product’s journey from warehouse to consumer.
Figure 1: A single API call can be exploited to systematically scrape data
API vulnerabilities can be exploited by attackers in several ways
Apart from the usual price-scraping bots, peak shopping periods are especially attractive to cybercriminals carrying out ATO (Account Takeover) attacks. Armed with lists of breached or stolen credentials (username and password pairs that many Internet users reuse across several websites), bots submit large numbers of log-in attempts against the login API in the hope of finding credentials that still work: credential stuffing replays known username/password pairs from a breach, while credential cracking tries many password guesses against a known username. The accounts that succeed are taken over by botmasters looking to steal gift vouchers, discount codes, wallet balances, and similar forms of stored value that can be quickly cashed out or used to make purchases. Other attackers use bots for scalping, snapping up popular products the moment they go on sale for resale at inflated prices.
Recently it was revealed that the credit bureau Experian had discovered and fixed an API vulnerability at one of its partner websites that could have permitted scraping of the credit score and certain PII details of every US citizen. The unsecured API let financial institutions automatically query a person’s FICO credit score from Experian, but according to security researcher Brian Krebs it also let anyone look up this confidential data simply by entering the person’s name and mailing address.
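To make the two attack patterns above concrete, here is an added detection example; it is not Radware’s code and not from the Krebs report. It runs over constructed API access-log lines and flags the credential stuffing and credential cracking described in the ATO paragraph, plus the record-by-record scraping that an unsecured lookup API like the one in the Experian case permits. The log format, the endpoint names, the thresholds, the IP addresses and all of the traffic are assumptions made for the example.

```python
"""Flag credential stuffing, credential cracking and record enumeration
in API access logs by looking at each source's behaviour per endpoint.
Added example: log format, endpoints, thresholds and traffic are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed endpoint names standing in for a site's login API and for an
# unauthenticated lookup API like the one described in the Experian case.
LOGIN_PATH = "/api/v1/login"
LOOKUP_PATH = "/api/v1/credit-score"


def _lines(ip, method, path, statuses, subjects):
    """Build constructed log lines in the assumed format
    '<ip> <method> <path> <status> subject=<account-or-record>'."""
    return [f"{ip} {method} {path} {st} subject={sub}"
            for st, sub in zip(statuses, subjects)]


# Constructed sample traffic (documentation IP ranges, no real systems).
SAMPLE_LOG = "\n".join(
    # one source replays breached username/password pairs: 12 accounts, 1 hit
    _lines("203.0.113.10", "POST", LOGIN_PATH,
           [401] * 11 + [200], [f"user{i}" for i in range(12)])
    # one source guesses many passwords for a single account
    + _lines("198.51.100.7", "POST", LOGIN_PATH, [401] * 10, ["carol"] * 10)
    # one source walks a lookup API through many different people; every call succeeds
    + _lines("192.0.2.55", "GET", LOOKUP_PATH,
             [200] * 10, [f"person{i}" for i in range(10)])
    # an ordinary user: one typo, then success
    + _lines("203.0.113.99", "POST", LOGIN_PATH, [401, 200], ["dave", "dave"])
)


@dataclass
class Stats:
    total: int = 0
    failures: int = 0
    subjects: set = field(default_factory=set)  # distinct accounts/records touched
    hits: set = field(default_factory=set)      # subjects that returned success


def parse_line(line):
    ip, method, path, status, subject = line.split()
    return ip, method, path, int(status), subject.split("=", 1)[1]


def aggregate(log_text):
    """Per (source IP, endpoint) counters over the whole log."""
    stats = defaultdict(Stats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, status, subject = parse_line(line)
        s = stats[(ip, path)]
        s.total += 1
        s.subjects.add(subject)
        if status >= 400:
            s.failures += 1
        else:
            s.hits.add(subject)
    return stats


def classify(log_text, min_attempts=8, fail_ratio=0.8, min_subjects=8):
    """Return one finding per (source, endpoint) whose pattern matches an
    automated-abuse signature. Thresholds are illustrative, not tuned."""
    findings = []
    for (ip, path), s in aggregate(log_text).items():
        if s.total < min_attempts:
            continue
        ratio = s.failures / s.total
        distinct = len(s.subjects)
        if path == LOGIN_PATH and distinct >= min_subjects and ratio >= fail_ratio:
            kind = "credential_stuffing"   # many accounts, mostly wrong guesses
        elif path == LOGIN_PATH and distinct == 1 and ratio >= fail_ratio:
            kind = "credential_cracking"   # one account, many wrong guesses
        elif path != LOGIN_PATH and distinct >= min_subjects:
            kind = "enumeration"           # one caller reading many records; 200s do not make it benign
        else:
            continue
        findings.append({
            "ip": ip, "path": path, "kind": kind, "attempts": s.total,
            "distinct_subjects": distinct, "fail_ratio": round(ratio, 2),
            # for stuffing, the accounts that succeeded are the ones now taken over
            "succeeded": sorted(s.hits),
        })
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

The thresholds are per endpoint and would be tuned from baseline traffic, and a production version would key on a sliding time window rather than the whole log. Keying on source IP alone is the weak point: stuffing campaigns spread attempts across proxy pools so that each address stays under any per-IP threshold, which is why identifying the true client (device- or SDK-level signals rather than the address) matters in machine-to-machine traffic.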
Radware’s 2019 State of Web Application Security Survey found that a substantial share of respondents experienced attacks on their APIs every single day: API access violations and denial of service attacks (19% each), code injections (16%), data leakage and element attribute manipulation (15% each), irregular JSON/XML expressions and protocol attacks (14% each), and brute force attacks (13%). Daily attack volumes like these are alarming for enterprises that rely on APIs around the clock to run their Web operations, and the API-related attack surface continues to grow in both size and exposure.
How Radware Bot Manager protects APIs
Bot Manager secures critical APIs from malicious attacks through:
- A dedicated API-Client SDK that closes gaps in unique source identification in machine-to-machine communications
- Prevention of out-of-context API invocation for Web and mobile APIs
- Establishment of authentication flows to validate legitimate access to assets
- Detection of anomalous navigation flows or access patterns
To learn more about Radware Bot Manager for APIs, please contact us at email@example.com.