Trouble with interfaces: API tricks move into the security focus
Intercepting API traffic, identifying backend servers and business logic, and then working out potential gaps to attack: hackers are increasingly working with bots, and a report by Barracuda points to a professionalization of cybercriminals.
Around APIs, savvy hackers have some tricks in store.
(Picture: ra2 studio – stock.adobe.com)
Most apps are developed “API-first” these days. Putting the interfaces first usually means the app can be released faster, as practice shows. Another app trend is single page applications, i.e. apps that consist of a single HTML document whose content is loaded dynamically. They are designed for mobile browsers and only simulate native mobile apps, so there is nothing to install.
Where is the business logic?
Tushar Richabadas, Product Marketing Manager, Application Security at Barracuda Networks, highlights the differences: “In a web application, the browser is an intermediary. It talks to the application, which performs certain actions based on the user’s request and responds to the user through the browser. All the business logic is hidden in the application, and most of the attacks are known.” By contrast: “In the API-based application, data is queried via the API and the business logic is then executed on the end client device based on it,” says Richabadas.
Someone who intercepts the API traffic can identify the backend server, work out the logic and run various checks to find vulnerabilities and attack the system.
APIs thus allow direct access to a lot of sensitive information. “Your bank API can provide access to sensitive private data, and an insufficiently protected API allows attackers to retrieve this information en masse,” says the security specialist. Cybercriminals actively search for exposed APIs. Very often companies expose test APIs with access to production data on the Internet. Once cybercriminals have discovered them, this can cause great damage, warns the manager.
Another problem is APIs that are insufficiently protected. It is relatively easy to test APIs, for example to see whether they enforce a rate limit, explains Richabadas. He advises IT security teams to start with the OWASP (Open Web Application Security Project) API Security Top 10, the list of the ten most frequently exploited API vulnerability classes, to strengthen their defenses. In this context, he recalls massive data leaks such as the vulnerability discovered at T-Mobile in 2019.
A multi-layered defense with protection against bot, API and supply chain attacks is the best way to respond to these mounting attacks.
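To give the rate-limit point above a concrete shape, the following is an added example (not code from the article or from Barracuda): a minimal per-client token-bucket limiter of the kind an API gateway enforces in front of a backend, plus a self-check that counts how many rapid calls an endpoint admits. All names (TokenBucket, RateLimiter, handle_request, probe_rate_limit) and the client ids are this example's own; the clock is a constructed fake so the run is deterministic.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: up to `capacity` requests may burst, after which
    requests are admitted at `refill_per_sec` on average."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_consume(self):
        now = self.clock()
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One bucket per client. Key on an authenticated identity (API key, user
    id), not on a client-controlled header alone, or the limit is trivially
    sidestepped by rotating the header value."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self._buckets = defaultdict(
            lambda: TokenBucket(capacity, refill_per_sec, clock))

    def allow(self, client_id):
        return self._buckets[client_id].try_consume()


def lookup_account(client_id, account_id):
    # Placeholder backend (constructed). A real handler must also verify that
    # client_id is authorised for account_id; rate limiting does not replace
    # that object-level authorisation check.
    return {"account": account_id, "balance": 0}


def handle_request(limiter, client_id, account_id):
    """Returns (status, body) the way an HTTP handler would."""
    if not limiter.allow(client_id):
        return 429, {"error": "rate limit exceeded"}
    return 200, lookup_account(client_id, account_id)


def probe_rate_limit(handler, client_id, attempts):
    """Defensive self-check: fire `attempts` rapid calls and count the 200s.
    A result equal to `attempts` means the endpoint enforces no limit."""
    admitted = 0
    for i in range(attempts):
        status, _ = handler(client_id, str(i))
        if status == 200:
            admitted += 1
    return admitted


class FakeClock:
    """Constructed clock so the example is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0, clock=clock)

    def limited(c, a):
        return handle_request(limiter, c, a)

    def unlimited(c, a):
        return 200, lookup_account(c, a)

    results = {
        "unlimited_admitted": probe_rate_limit(unlimited, "key-A", 50),
        "limited_admitted": probe_rate_limit(limited, "key-A", 50),
    }
    clock.t += 3.0  # three seconds later three tokens have refilled
    results["after_refill_admitted"] = probe_rate_limit(limited, "key-A", 50)
    results["other_client_admitted"] = probe_rate_limit(limited, "key-B", 50)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference the article describes: the unlimited handler admits all 50 calls, the limited one admits the 5-call burst and then only what has refilled, and a second client id gets its own independent budget. In production the buckets would live in shared storage (for example a gateway's store) rather than in process memory, and the limit would be one layer alongside authentication and authorisation checks.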
Report by Barracuda
In its report “The state of application security in 2021”, Barracuda took a closer look at application security. On average, more than two-thirds (72 percent) of respondents were attacked at least once in the last twelve months. At 44 percent, bot attacks have overtaken traditional attacks via zero-day vulnerabilities and the Open Web Application Security Project Top 10 and have become the most common attack vector.
The report shows that organizations are often attacked through their web applications. Almost half of the respondents, 46 percent, suffered a security breach several times, and another 26 percent at least once. Beyond the frequency of attacks, Richabadas was surprised by the finding that bot attacks seem to be increasingly difficult to repel in practice.