Many factors make API attacks even more dangerous than traditional attacks on user interfaces such as websites or mobile apps.

Elad Amit

Elad Amit, director of product management, PerimeterX

You may be worried about attackers breaking down the front door of your digital storefront, but increasingly their focus is on the side door—your application programming interfaces (APIs).

According to research consultancy and analyst firm Gartner, by 2021, 90% of web applications will expose more attack surface through their APIs than through direct user interfaces on a website or in a mobile app. Unfortunately, many web application operators have not yet caught up to this thinking. Recent API vulnerabilities and attacks have been reported on applications run by exercise company Peloton, credit report provider Experian and the red-hot audio chat startup Clubhouse.

The API attackers are following the trends of online shopping. Modern ecommerce relies on APIs to expose essential functionalities, such as shopping carts, on multiple platforms. Cybercriminals have recognized that bot-driven API attacks are easier than account takeovers (ATOs) or other forms of attacks.

Criminals can mount API attacks with less infrastructure than other kinds of attacks. Because APIs are machine-to-machine connections, it is easier for an attacker to mask their identity because API communications contain much less information for identifying patterns of attacks. For retailers that want to protect their customers, reputations, and brands, properly protecting their APIs is crucial to doing business in the connected age.


What are API attacks?

An API is a way to allow direct connections, communications and data sharing between applications in a platform and technology-agnostic manner. APIs enable all types of devices or partner and affiliate services to ask a question or send information to an application safely and securely. APIs have become a crucial glue that enables the maze of internal and external services making up modern applications to talk to each other in an automated fashion. An API attack is hostile usage or attempted hostile usage of an API.

Because APIs are programmatic in nature, criminals like to use automated attacks against them. There are many types of API attacks, including Distributed Denial of Service (DDoS), injection attacks, authentication hijacking and application abuse. Among these attack types, application abuse is the primary concern for ecommerce operators.

For context, account takeover (ATO) attacks are a form of application abuse. Most ATOs do not try to break the application logic in any way; they merely try to plug in many combinations of username or email and password to validate an account in complete conformance with the application’s logic. Another form of application abuse regularly targeting APIs is inventory denial and hoarding. In these attacks, bad actors use API calls to continually fill shopping carts with items they never intend to purchase to stop legitimate shoppers from buying the items.


Why are API attacks so dangerous?

Many factors make API attacks even more dangerous than traditional attacks on user interfaces such as websites or mobile apps. API calls have less identifying information about the user or device requesting the information. This gives automated attack blocking technology fewer clues to identify bad API calls sent by malicious bots.

For example, an API call carries no information about how a user moves around a page or how long it takes them to move from one page to another. These data points help detect bots that use JavaScript to automate human-like navigation. APIs query directly into an application, bypassing the need to navigate an app or webpage.

In addition, APIs are often not as tightly secured as web applications. Well-disguised API calls can elude legacy security controls such as web application firewalls or API gateways when attackers design these calls to be nearly identical to legitimate API calls from genuine shoppers. Even more troubling, exposed APIs allow attackers to bypass the client side of applications entirely and directly reach databases and application tiers. This creates far more exposure and risk because these assets may have steady access to sensitive information or the ability to alter application behavior in malicious ways.

Many ecommerce retailers are not optimizing security

Even as API risks rise, many ecommerce application development teams are still not correctly optimizing their code and architecture for enhanced API security.

For example, many ecommerce applications use the same API for receiving and responding to queries routed from their website, mobile apps, affiliates, or partners. Using a single API makes it easier for attackers to hide their identity and avoid detection. Standard detection measures are easier to tune if the API has a single use rather than multiple uses. This problem is multiplied with the newer generation of unified APIs powered by a query language called GraphQL. GraphQL can use APIs more efficiently, but GraphQL APIs are harder to lock down due to how they structure their calls and communications with external parties.

Another frequent oversight is not treating internal and external APIs with the same security measures. In theory, internal APIs are not supposed to receive external traffic. In practice, clever criminals are becoming better versed in how to find and compromise internal APIs. For example, a growing number of attacks target the Amazon Web Services S3 storage service. Ecommerce applications often access S3 as an internal API, meant to be insulated from the outside world.

Application development teams often do not deploy standard security practices such as Transport Layer Security (TLS), which encrypts data to protect payment and personal information, on internal APIs. More broadly, application development teams do not spend as much time and effort auditing and securing their APIs because they still view direct attacks on their web applications as the biggest threat they face. Also, they tend to be less well-versed in the gritty details of API attacks. For these reasons, they are less likely to examine API query behaviors and are less aware of patterns of anomalies.


How to shore up API security to prevent automated attacks

Ecommerce application development teams that want to shore up their API defenses can start by adopting established best practices. To begin with, application development teams with unified APIs should consider separating them into individual APIs for external traffic to address web apps, mobile apps, third-party partners, suppliers and affiliates. Because retailers may inadvertently expose internal APIs to the public Internet, all API traffic, including internal traffic, should be encrypted with TLS.

Another smart security practice is to rate-limit API calls. This practice can reduce the impact of automated brute force attacks by armies of bots. It can also help identify attacks more definitively. The rate limits can also be variable, depending on the trust level in the external party accessing the API and any identifiers attached to those calls. A third smart step is to create a bucket for API calls in log files and build API dashboards or regular reports to help security teams spot anomalies and outliers. Specifically, security teams should regularly monitor the percentage of fraud attempts via the API versus other channels.
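The rate-limiting and monitoring practices above, as an added example that is not from the original article or PerimeterX: a sliding-window limiter whose per-identity budget depends on the caller's trust tier, plus a helper that computes the share of failed logins arriving via the API versus the web channel from constructed, key=value log lines. The tier names, budgets and log format are assumptions for this illustration.

```python
import time
from collections import defaultdict, deque

# Per-minute request budgets by trust tier (constructed values; tune per API).
TIER_LIMITS = {"anonymous": 20, "mobile_app": 60, "partner": 300}


class TrustTieredLimiter:
    """Sliding-window rate limiter keyed by caller identity (API key, token
    subject, or client IP), with a budget chosen by the caller's trust tier."""

    def __init__(self, window_seconds=60, limits=TIER_LIMITS):
        self.window = window_seconds
        self.limits = limits
        self.history = defaultdict(deque)  # identity -> timestamps of recent calls

    def allow(self, identity, tier, now=None):
        """Return True if the call fits the budget and record it; False otherwise."""
        now = time.monotonic() if now is None else now
        calls = self.history[identity]
        while calls and now - calls[0] >= self.window:  # evict expired calls
            calls.popleft()
        # An unknown or missing tier falls back to the most restrictive budget.
        limit = self.limits.get(tier, min(self.limits.values()))
        if len(calls) >= limit:
            return False
        calls.append(now)
        return True


def count_allowed(limiter, identity, tier, n, now=0.0):
    """Simulate n calls at the same instant and return how many were admitted."""
    return sum(limiter.allow(identity, tier, now) for _ in range(n))


def channel_failure_share(log_lines):
    """Fraction of failed login events per channel (api vs web), for dashboards."""
    failed = defaultdict(int)
    for line in log_lines:
        fields = dict(token.split("=", 1) for token in line.split())
        if fields.get("event") == "login" and fields.get("result") == "fail":
            failed[fields.get("channel", "unknown")] += 1
    total = sum(failed.values()) or 1
    return {channel: round(n / total, 2) for channel, n in failed.items()}


# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = [
    "ts=1 channel=api event=login result=fail user=u1",
    "ts=2 channel=api event=login result=fail user=u2",
    "ts=3 channel=web event=login result=fail user=u3",
    "ts=4 channel=api event=login result=ok user=u4",
    "ts=5 channel=api event=login result=fail user=u5",
]
```

Running `channel_failure_share(SAMPLE_LOG)` on the constructed lines shows three of four failures arriving via the API channel, the kind of skew the article suggests security teams watch for.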

The most advanced and powerful practice that security or application development teams can adopt is to leverage machine learning to identify patterns and behaviors of malicious API calls. Because machine learning can analyze far more data points than humans and far more quickly, this technology can determine which API calls are likely to be coming from attacking bots. It does so by analyzing hundreds of different data points, including the network or cloud host of origin, the structure and type of call, and the targeted page or item on a retailer's site. There are third-party services that can do this, or the security team can use existing machine learning tools to staff, build and maintain the capability in-house.

The urgency of building out an API strategy and improved API defenses is hard to overstate. As API attacks continue to increase in frequency and severity, they will likely become the preferred attack vector for criminals seeking to defraud your customers. Fortunately, there is a well-worn path to better API security that will protect your digital storefront now and in the future.


PerimeterX provides security services for websites and mobile applications.
