The Cequence threat research team released its API security report for the first half of 2022, showing that nearly a third of malicious requests targeted shadow APIs.
The team analyzed over 16.7 billion API transactions and found that 31%, or roughly 5 billion, of the malicious requests targeted unknown, unmanaged, or unprotected APIs, collectively called shadow APIs. According to Cequence, shadow APIs were the leading source of API security risk, followed by API abuse (OWASP API10+) and the "Unholy Trinity" of credential stuffing, shadow APIs, and sensitive data exposure.
Cequence noted that the wide adoption of APIs drew corresponding attention from threat actors, expanding the threat landscape. The researchers observed that APIs are popular with developers because of their flexibility, speed, and ease of use compared with traditional web services; part of that flexibility comes from the fact that they do not require web application firewall configurations or third-party API gateways, which also means many are deployed without either. Their popularity has led many modern applications, such as shopping and financial apps, to rely on APIs for transactions and seamless integration.
APIs are popular with attackers for the same reasons: coding errors are easy to find and exploit, and bots can be deployed to probe and attack endpoints at scale. Attackers can also quickly stand up ephemeral rogue APIs in compromised public cloud environments to support sensitive data exposure and credential-stuffing attacks.
API security risk #1: Shadow API abuse (OWASP API9)
Cequence's API protection report found that shadow API abuse surged in 2022 and kept increasing over the reporting period. The firm identified a range of scenarios in which attackers exploited shadow APIs:
“From the highly volumetric sneaker bots attempting to cop the latest Dunks or Air Jordans, to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards, to pure brute force credential stuffing campaigns.”
Shadow APIs are particularly problematic in organizations that lack proper inventory management, quality assurance, or versioning systems.
Attackers can then discover shadow APIs quickly when endpoints are coded to accept parameters or wildcard input from the URI. By modifying the inputs of well-protected APIs, they can uncover other endpoints or different versions of the same API under different hostnames, such as an older version that was never retired. The process is easy to automate and monetize in shopping bots and credential-stuffing campaigns.
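The same discovery pattern can be turned around by defenders: compare what actually gets requested against the documented API inventory and flag anything that looks like a version swap, a hostname variant, or an entirely unknown route. The following is an added example written for this page, not Cequence's code or tooling; the inventory, hostnames, and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of an edge/WAF access log ("host method path status").
# Hypothetical data for this example, not data from the Cequence report.
SAMPLE_LOG = """\
api.example.com GET /api/v2/users/1042 200
api.example.com GET /api/v2/users/1042/orders 200
api.example.com POST /api/v2/login 401
api.example.com GET /api/v1/users/1042 200
api.example.com GET /api/v1/users/1043 200
api-staging.example.com GET /api/v2/users/1042 200
api.example.com GET /api/v2/internal/export 200
api.example.com GET /api/v2/users/1042 200
"""

# Documented (inventoried) routes: host plus a path template. Anything else is a candidate shadow API.
INVENTORY = [
    ("api.example.com", "/api/v2/users/{id}"),
    ("api.example.com", "/api/v2/users/{id}/orders"),
    ("api.example.com", "/api/v2/login"),
]

VERSION_RE = re.compile(r"/v\d+(?=/)")


def template_to_regex(template):
    """Turn '/api/v2/users/{id}' into a regex that matches one path segment per {param}."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


COMPILED = [(host, tmpl, template_to_regex(tmpl)) for host, tmpl in INVENTORY]


def classify(host, path):
    """Return 'known' for an inventoried (host, path), otherwise why it looks like a shadow API."""
    for inv_host, _tmpl, rx in COMPILED:
        if inv_host == host and rx.match(path):
            return "known"
    # Same route shape with the version segment removed: attackers swap /v2/ for /v1/
    # or hit the same path on a staging/partner hostname, exactly the discovery the report describes.
    versionless = VERSION_RE.sub("", path, count=1)
    for inv_host, tmpl, _rx in COMPILED:
        if template_to_regex(VERSION_RE.sub("", tmpl, count=1)).match(versionless):
            return "shadow:host-variant" if inv_host != host else "shadow:version-variant"
    return "shadow:unknown-route"


def parse_line(line):
    host, method, path, status = line.split()
    return host, method, path, int(status)


def find_shadow_apis(log_text):
    """Count non-inventoried requests per (verdict, host, method, path) over a log."""
    findings = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, method, path, _status = parse_line(line)
        verdict = classify(host, path)
        if verdict != "known":
            findings[(verdict, host, method, path)] += 1
    return findings


if __name__ == "__main__":
    for key, count in sorted(find_shadow_apis(SAMPLE_LOG).items()):
        print(count, *key)
```

The version-variant and host-variant verdicts are the ones worth triaging first: a route that exists under /v1/ but not in the inventory is usually an unretired endpoint that never got the current authentication and rate-limit controls, and a documented path answering on a staging hostname is an unmanaged copy of production.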
API security risk #2: API abuse of properly coded endpoints (OWASP API10+)
Attackers also targeted perfectly coded API endpoints, a pattern Cequence calls "API abuse" and maps to OWASP API10+ (abuse that falls outside the numbered OWASP API Security Top 10 categories).
According to Cequence's API protection report, this threat ranked second, with 3.6 billion malicious requests blocked, including:
- Malicious shopping API requests targeting sneakers or luxury goods (3 billion)
- Malicious gift card checking (290 million)
- Fake account creation for romance scams, shopping bots, and similar schemes (237 million)
- Spam comment requests on business-critical customer engagement platforms (37 million)
Cequence noted that this API10+ abuse threat is the reason API security and bot prevention have to be handled together.
The firm pointed out that content-scraping bots typically preceded API abuse scenarios such as shopping bots and gift card attacks.
Tactics attackers used against properly coded APIs included abusing Broken Function Level Authorization (OWASP API5) to automate purchases with stolen credit card data.
API security risk #3: The “Unholy Trinity” of credential stuffing, shadow APIs & sensitive data exposure
While this risk paled in volume (100 million requests) next to shadow API abuse and API abuse, it still posed a significant threat.
The exploit chain combined several API security flaws: Broken User Authentication (API2), Excessive Data Exposure (API3), and Improper Assets Management (API9).
According to the researchers, the combination proved that “attackers are performing detailed analysis of how each API works, how they interact with each other, and the expected outcome.”
The key outcomes are credential stuffing, shadow API discovery, and sensitive data exposure. Credential stuffing exploits broken user authentication: a "checker" API that validates stolen username/password pairs at scale and, for every pair that authenticates, returns data the attacker can harvest. Shadow API discovery follows from improper assets management. Sensitive data exposure comes from checker APIs that return more data than the client needs, or from developers growing complacent about the authentication step.
Although shadow APIs were invisible to security teams, attackers could use known discovery patterns to find them and then move on to credential stuffing or data exposure.
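The checker-endpoint problem in the "Unholy Trinity" is easiest to see side by side: a login handler that confirms which usernames exist, never throttles, and returns the whole account record (API2 plus API3), next to a hardened handler that returns a generic error, throttles per account and per source, and returns only the identity. This is an added example written for this page, not code from Cequence; the user store, salt, field names, thresholds, and IP addresses are constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample user store (hypothetical data). One static salt for brevity;
# a real store uses a per-user salt.
_SALT = b"example-static-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "email": "alice@example.com",
              "phone": "+1-555-0100", "card_last4": "4242", "loyalty_points": 1200},
    "bob": {"pw": _pw_hash("hunter2"), "email": "bob@example.com",
            "phone": "+1-555-0101", "card_last4": "1111", "loyalty_points": 40},
}
_DUMMY_HASH = _pw_hash("dummy")  # compared against when the user does not exist


def login_vulnerable(username, password):
    """API2 + API3 as the report describes: no throttling, distinct errors that confirm
    which usernames exist, and the whole record (checkable, sellable data) on success."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "no such user"}
    if not hmac.compare_digest(user["pw"], _pw_hash(password)):
        return {"ok": False, "error": "wrong password"}
    record = dict(user)
    record.pop("pw")
    return {"ok": True, "user": record}


# Hardened version: failed-attempt tracking keyed by account and by source.
MAX_ATTEMPTS = 5          # failures allowed per key inside the window (assumed threshold)
WINDOW_SECONDS = 300
_attempts = defaultdict(list)


def _too_many(key, now):
    recent = [t for t in _attempts[key] if now - t < WINDOW_SECONDS]
    _attempts[key] = recent
    return len(recent) >= MAX_ATTEMPTS


def _record_failure(key, now):
    _attempts[key].append(now)


def login_hardened(username, password, source_ip, now=None):
    """Generic error, throttling on both the account and the source IP, minimal response."""
    now = time.time() if now is None else now
    # Per-account throttling stops high-volume guessing against one user; per-source
    # throttling stops one proxy from stuffing many different stolen pairs.
    if _too_many(("user", username), now) or _too_many(("ip", source_ip), now):
        return {"ok": False, "error": "too many attempts, try later"}
    user = USERS.get(username)
    candidate = _pw_hash(password)
    stored = user["pw"] if user is not None else _DUMMY_HASH  # same work either way
    if user is None or not hmac.compare_digest(stored, candidate):
        _record_failure(("user", username), now)
        _record_failure(("ip", source_ip), now)
        return {"ok": False, "error": "invalid credentials"}
    # Return only what the caller needs; contact and card data are fetched by separate,
    # authorized calls rather than handed out by the checker.
    return {"ok": True, "user": {"username": username}}


if __name__ == "__main__":
    print(login_vulnerable("alice", "correct horse"))
    print(login_hardened("alice", "correct horse", "203.0.113.9"))
```

The hardened handler still reveals success or failure, which it must, but each success yields nothing an attacker can monetize on its own, and the two throttles together raise the cost of both the "slow trickle" and the brute-force campaigns the report describes. Distributed stuffing through a large proxy pool (the 250,000-address example later on this page) defeats the per-IP counter, so the per-account counter and upstream bot detection still matter.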
Partner ecosystems and shadow API risk
The report stated that third-party (partner) APIs also introduce risk because they are usually added without the security team's knowledge. Together they form a single digital supply chain that attackers can target to reach many victims at once.
Attackers also understand the one-to-many relationship between a central institution and its partners: rather than attacking the central institution directly, they target the partner ecosystem and, by extension, the partners themselves.
And while a third-party API may itself be correctly coded, its implementation can still have flaws that leave it exposed to attackers hiding in plain sight.
Cequence identified and blocked at least 50 million malicious requests in a single week targeting partner ecosystems. The attacks came from 250,000 IP addresses on bulletproof proxy networks in the Middle East, North Africa, Korea, Russia, the Philippines, and Indonesia, sometimes from regions where the target had little or no legitimate traffic.
Discovering and protecting APIs is a priority
The research noted that APIs had become the cornerstone of business, making API protection a priority.
“API protection needs to be treated holistically, with a uniform approach that begins with discovering, identifying, and inventorying your API footprint,” they wrote.
They recommended API discovery, continuous risk assessment to find and correct data exposure, broken authentication, and coding errors, applying countermeasures, and ongoing testing to eliminate risky APIs.