ShieldSquare is now Radware Bot Manager


Why Bot Mitigation for APIs is Crucial for Enterprises

May 24, 2021 | General Automated Threats Bot Prevention Technologies


APIs (Application Programming Interfaces) have in recent years become a crucial component of the modern Web ecosystem, helping seamlessly interconnect a wide array of systems, networks, and architectures. They allow information to flow in real time to facilitate exchange of data between virtually every conceivable type of website and application used for virtually any purpose. When we use a modern website or mobile application, much of the dynamic content we interact with has probably been provided through an API.

A vast range of APIs provide information that allow websites and apps to carry out identity or address verification, determine users’ locations and IP addresses, perform credit checks, interact with banking and payment processing services, and much more. While much of the content we see on a website or app is static, on the back end the website or app needs to query databases through APIs to provide dynamic information that’s displayed to the user, such as pricing or availability, and so on. On an e-commerce site, for example, various APIs are queried during a customer’s visit to find out whether a product is in stock, when it will ship, along with notification services APIs that track the product’s journey from warehouse to consumer.

Figure 1: A single API call can be exploited to systematically scrape data

API vulnerabilities can be exploited by attackers in several ways

Modern Web application architecture trends like public cloud deployments and containerized microservices are exposing APIs to far greater risk of compromise. Cybercriminals, competitors, intelligence services and other nefarious entities are increasingly leveraging sophisticated bot technologies to attack APIs through potential vulnerabilities such as authentication flaws, weak encryption, and poor endpoint security. In addition, commonly used Web technologies such as JavaScript and AJAX (Asynchronous JavaScript and XML) are known to have vulnerabilities that can expose APIs to attacks. In fact, a single API call can be exploited to systematically scrape data, as well as to carry out other harmful attacks such as account takeover, application DDoS, payment fraud, and exfiltration of confidential business and user data. With advanced 4th-generation bot technology that can emulate human behavior on websites and apps in a surprisingly realistic way, conventional security tools like WAFs (Web Application Firewalls) and ACLs (Access Control Lists) are incapable of differentiating between humans and sophisticated bots.

Apart from the usual price scraping bots, peak shopping periods are especially attractive to cybercriminals carrying out ATO (Account Takeover) attacks. Using lists of breached or stolen credentials including usernames and passwords (which many Internet users tend to reuse across several websites), bots use credential stuffing and credential cracking techniques to enter large numbers of log-in credentials in the hope of identifying those that work. These accounts are then taken over by botmasters looking to steal gift vouchers, discount codes, wallet balances, and similar forms of stored value that can be easily and quickly cashed out or used to make purchases. Others use bots for scalping, with resellers snapping up popular products for resale at inflated prices.

Figure 2: Bots can exploit JavaScript and AJAX vulnerabilities to programmatically access confidential data

Recently, it was revealed that the giant credit bureau Experian had just discovered and fixed an API vulnerability at one of their partner websites that could permit scraping of every US citizen’s credit score and certain PII details. This unsecured API allowed financial institutions to automatically query a person’s FICO credit scores from Experian. This would allow anyone to look up this confidential data by simply entering their name and mailing address, according to security researcher Brian Krebs.

Radware’s 2019 State of Web Application Security Survey found that 19% of respondents experienced access violation and denial of service attacks on their APIs every single day. Daily attacks reported included API access violations and denial of service attacks (19% each), code injections (16%), data leakage and element attribute manipulations (15% each), irregular JSON/XML expressions and protocol attacks (14% each), and brute force attacks (13%). Clearly, these daily attack volumes are alarming to enterprises that rely on APIs around the clock to facilitate their Web operations, and API-related exposed threat surfaces continue to increase in number and vulnerability.

How Radware Bot Manager protects APIs

Bot Manager secures critical APIs from malicious attacks through:

  • A dedicated API-Client SDK that addresses gaps in unique source identification in machine-to-machine communications
  • Prevention of out-of-context API invocation for Web and mobile APIs
  • Establishment of authentication flows to validate legitimate access to assets
  • Detection of anomalous navigation flows or access patterns
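As an added illustration (not Radware's code or Bot Manager's detection logic), the following Python runs three of the checks named above over a constructed API access log: out-of-context invocation, credential stuffing against a login endpoint, and sequential ID sweeps that turn a single API call into systematic scraping. The client field stands in for the unique source identity the SDK point refers to; the endpoints, thresholds and log records are assumptions.

```python
from collections import defaultdict

# Constructed sample API log as (client, session, path, user, status); client is the
# unique source identity an API-client SDK would attach to machine-to-machine calls.
SAMPLE_LOG = [
    ("c1", "s1", "/api/products/101", None, 200),
    ("c1", "s1", "/api/cart", None, 200),
    ("c1", "s1", "/api/checkout", None, 200),
    ("c2", "s2", "/api/checkout", None, 200),  # checkout with no cart step in the session
]
SAMPLE_LOG += [("c3", "s3", f"/api/products/{i}", None, 200) for i in range(200, 240)]
SAMPLE_LOG += [("c4", f"s4-{i}", "/api/login", f"user{i}", 401) for i in range(24)]
SAMPLE_LOG += [("c4", "s4-x", "/api/login", "user24", 200)]

# Assumed business flow: an endpoint is in context only after its required prior call.
REQUIRED_PRIOR = {"/api/checkout": "/api/cart"}

def out_of_context(log):
    """Flag calls whose required predecessor never occurred in the same session."""
    seen, flagged = defaultdict(set), []
    for client, session, path, _, _ in log:
        prior = REQUIRED_PRIOR.get(path)
        if prior and prior not in seen[session]:
            flagged.append((client, session, path))
        seen[session].add(path)
    return flagged

def credential_stuffing(log, min_users=10, max_success_ratio=0.2):
    """Flag clients cycling many distinct usernames through login with mostly failures."""
    stats = defaultdict(lambda: [set(), 0, 0])  # client -> [usernames, failures, total]
    for client, _, path, user, status in log:
        if path == "/api/login":
            s = stats[client]
            s[0].add(user); s[2] += 1; s[1] += status == 401
    return sorted(c for c, (users, fails, total) in stats.items()
                  if len(users) >= min_users and (total - fails) / total <= max_success_ratio)

def sequential_sweep(log, min_run=20):
    """Flag clients walking consecutive numeric IDs on one resource (systematic scraping)."""
    ids = defaultdict(set)  # (client, resource) -> numeric ids requested
    for client, _, path, _, _ in log:
        resource, _, last = path.rpartition("/")
        if last.isdigit():
            ids[(client, resource)].add(int(last))
    flagged = []
    for (client, resource), seen in ids.items():
        s, run, best = sorted(seen), 1, 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if b == a + 1 else 1; best = max(best, run)
        if best >= min_run: flagged.append((client, resource, best))
    return flagged
```

In a real deployment the same checks would be keyed on the SDK-supplied source identity rather than an IP address, since the thresholds are only meaningful when the source cannot be trivially rotated.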

To learn more about Radware Bot Manager for APIs, please contact us at info@radwarebotmanager.com.
