Business Logic Abuse Dominates as API Attacks Surge
APIs now comprise nearly three-quarters (71%) of web traffic, posing a significant threat to corporate cybersecurity by expanding the cyber-attack surface, according to Imperva.
The security company revealed the findings in its Imperva State of API Security Report, which was compiled from intelligence gathered by its products.
It found that attacks on the business logic of APIs accounted for the largest share (27%), followed by automation (19%).
Imperva said business logic attacks – which grew as a share of the total by 10% annually – could include credential stuffing, fake account creation and data scraping.
“API Business Logic abuse occurs when bad actors use automated attack agents to exploit the intended functionality of an API for malicious purposes, such as the exfiltration of sensitive data or disrupting a mission-critical application,” the report noted.
“Attacks targeting APIs’ business logic pose a significant threat to data security, and the repercussions extend to other areas of the business as well. Fraud costs escalate as malicious actors exploit vulnerabilities in APIs to gain unauthorized access. This leads to financial losses and compromises the integrity of transactions.”
The financial impact of such attacks can be significant, leading to extensive spending on incident response, customer support, compliance challenges and reputational damage, Imperva warned.
“Detecting API business logic abuse is challenging because these attacks often mimic legitimate API usage, making them difficult to differentiate from normal traffic,” it added.
The report also revealed a surge in account takeover (ATO) API attacks. Imperva said that 46% of all ATO attacks recorded last year targeted API endpoints. These typically occur when threat actors exploit vulnerabilities in API authentication to gain unauthorized access to user accounts.
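The report's point that business logic abuse "mimics legitimate API usage" means each request passes validation on its own; the signal only appears when traffic is aggregated per client. The following is an added example, not code from the report or from Imperva, showing two such aggregate heuristics over constructed API access log lines: one client cycling through many distinct usernames at a login endpoint with a high failure rate (credential stuffing, the common route to account takeover), and one client creating accounts in a rapid burst (fake account creation). The log format, the `/v1/login` and `/v1/accounts` paths, and every threshold are assumptions chosen for the example, not values from the report.

```python
"""Per-client heuristics for API business-logic abuse (added example).

Each request below is individually valid; the abuse is only visible once
requests are grouped by source IP and examined over a time window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: <unix_ts> <client_ip> <method> <path> <status> <user>
SAMPLE_LOG = """\
1700000000 203.0.113.7 POST /v1/login 401 alice
1700000001 203.0.113.7 POST /v1/login 401 bob
1700000002 203.0.113.7 POST /v1/login 401 carol
1700000003 203.0.113.7 POST /v1/login 200 dave
1700000004 203.0.113.7 POST /v1/login 401 erin
1700000005 203.0.113.7 POST /v1/login 401 frank
1700000010 198.51.100.9 POST /v1/login 401 alice
1700000040 198.51.100.9 POST /v1/login 200 alice
1700000050 192.0.2.5 POST /v1/accounts 201 u1
1700000051 192.0.2.5 POST /v1/accounts 201 u2
1700000052 192.0.2.5 POST /v1/accounts 201 u3
1700000053 192.0.2.5 POST /v1/accounts 201 u4
1700000054 192.0.2.5 POST /v1/accounts 201 u5
"""


@dataclass
class Event:
    ts: int
    ip: str
    method: str
    path: str
    status: int
    user: str


@dataclass
class Finding:
    client_ip: str
    rule: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, user = line.split()
        events.append(Event(int(ts), ip, method, path, int(status), user))
    return events


def max_in_window(timestamps: list[int], window: int) -> int:
    """Largest number of events that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events: list[Event], window: int = 60, min_users: int = 5,
           fail_ratio: float = 0.6, min_signups: int = 5) -> list[Finding]:
    """Apply the two per-client heuristics; thresholds are illustrative."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        # Rule 1: many distinct usernames, mostly failing, in a short window.
        logins = [e for e in evs if e.method == "POST" and e.path == "/v1/login"]
        if logins:
            users = {e.user for e in logins}
            ratio = sum(e.status == 401 for e in logins) / len(logins)
            if (len(users) >= min_users and ratio >= fail_ratio
                    and max_in_window([e.ts for e in logins], window) >= min_users):
                findings.append(Finding(ip, "credential_stuffing",
                                        f"{len(users)} users, {ratio:.0%} failed in {window}s"))
        # Rule 2: burst of successful account creations from one client.
        signups = [e for e in evs
                   if e.method == "POST" and e.path == "/v1/accounts" and e.status == 201]
        if signups and max_in_window([e.ts for e in signups], window) >= min_signups:
            findings.append(Finding(ip, "fake_account_burst",
                                    f"{len(signups)} accounts created in {window}s"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.client_ip:14} {f.rule:20} {f.detail}")
```

In the sample, 203.0.113.7 is flagged for credential stuffing (six usernames, five failures, all within six seconds) and 192.0.2.5 for an account-creation burst; 198.51.100.9, a user who mistyped a password once and then logged in, is not flagged. Real deployments would key on more than source IP (session, device fingerprint, ASN) because automated agents rotate addresses, and would tune the thresholds against baseline traffic.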
The challenges associated with securing APIs are compounded by the fact that many organizations have incomplete visibility of their APIs.
Imperva estimated that each enterprise account has an average of 29 shadow APIs that are undocumented and/or undiscovered.
“Discovering every API in your ecosystem, including those previously unidentified, including unauthenticated and shadow APIs, is a critical step in the path to securing APIs,” it claimed.
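One practical way to surface shadow APIs is to compare the endpoints the organization has documented against the paths that actually appear in gateway or access logs. The following is an added example, not code from the report or from Imperva: it matches observed paths against documented OpenAPI-style templates (with `{param}` segments), collapses numeric IDs in unmatched paths so each undocumented endpoint is reported once, and counts how often each was reached without authentication. The documented paths, the observed requests and the "authenticated" flag are all constructed for the example.

```python
"""Shadow API discovery by diffing documented paths against observed traffic (added example)."""
import re

# Constructed inventory: paths the organization has documented, OpenAPI style.
DOCUMENTED = [
    "/v1/login",
    "/v1/users/{id}",
    "/v1/orders/{order_id}/items",
]

# Constructed observed requests: (method, path, request_carried_valid_auth)
OBSERVED = [
    ("POST", "/v1/login", False),
    ("GET", "/v1/users/42", True),
    ("GET", "/v1/users/7/export", True),        # undocumented sub-resource
    ("GET", "/v1/orders/9/items", True),
    ("GET", "/internal/debug/config", False),   # undocumented and unauthenticated
    ("GET", "/internal/debug/config", False),
    ("GET", "/v2/users/42", True),              # undocumented API version
]


def path_to_regex(template: str) -> re.Pattern:
    """Turn '/v1/users/{id}' into a regex matching one concrete path segment per parameter."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def normalize(path: str) -> str:
    """Collapse numeric segments so '/v1/users/7/export' and '/v1/users/8/export' group together."""
    return re.sub(r"/\d+(?=/|$)", "/{n}", path)


def find_shadow_endpoints(documented, observed):
    """Return {(method, normalized_path): {"hits": n, "unauthenticated": m}} for undocumented paths."""
    matchers = [path_to_regex(t) for t in documented]
    shadow: dict[tuple[str, str], dict[str, int]] = {}
    for method, path, authenticated in observed:
        if any(m.match(path) for m in matchers):
            continue  # documented, not a shadow endpoint
        entry = shadow.setdefault((method, normalize(path)), {"hits": 0, "unauthenticated": 0})
        entry["hits"] += 1
        if not authenticated:
            entry["unauthenticated"] += 1
    return shadow


if __name__ == "__main__":
    for (method, path), stats in sorted(find_shadow_endpoints(DOCUMENTED, OBSERVED).items()):
        flag = " (reachable without auth)" if stats["unauthenticated"] else ""
        print(f"{method} {path}: {stats['hits']} hits{flag}")
```

The unauthenticated count is what turns a list of unknown paths into a prioritized one: an undocumented endpoint that answers requests with no credentials is the first to inventory and review. In practice the documented list would be loaded from the OpenAPI specs and the observed list streamed from gateway logs, but the matching logic is the same.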