How to keep APIs secure from bot attacks
Article by Radware vice president of technologies Yaniv Hoffman.
The widespread adoption of mobile and IoT devices, emerging ‘serverless’ architectures hosted in public clouds, and the growing dependency on machine-to-machine communication, are all reasons to make changes to modern application architectures.
Application programming interfaces (APIs) have emerged as the bridge to facilitate communication between different application architectures. APIs allow for quicker integration and faster deployment of new services.
In addition, DevOps requires end-to-end process automation that leverages APIs for service provisioning, platform management and continuous deployment.
Despite rapid and widespread deployment, APIs remain poorly protected, and automated threats are mounting. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks.
Symptoms of bot attacks on APIs are:
- Single HTTP request (from a unique browser, session or a device)
- An increase in the rate of errors (e.g., HTTP status code 404, data validation failures, authorisation failures, etc.)
- Extremely high application usage from a single IP address or API token
- A sudden uptick in API usage from large, distributed IP addresses
- A high ratio of GET/POST to HEAD requests for a user/session/IP address/API token compared to legitimate users.
The key API vulnerabilities and automated attacks:
Authentication flaws and account takeover
Many APIs do not check authentication status when the request comes from a genuine user. Attackers exploit such flaws in different ways, such as session hijacking and account aggregation, to imitate legitimate API calls.
Attackers also reverse engineer mobile applications to discover how APIs are invoked. If API keys are embedded into the application, an API breach may occur.
API keys should not be used for user authentication. Cyber-criminals also perform credential stuffing attacks to take over user accounts.
Lack of robust encryption
Many APIs lack robust encryption between the API client and server. Attackers exploit vulnerabilities through man-in-the-middle attacks.
Attackers intercept unencrypted or poorly protected API transactions to steal sensitive information or alter transaction data.
Also, the ubiquitous use of mobile devices, cloud systems and microservice patterns further complicate API security because multiple gateways are now involved in facilitating interoperability among diverse web applications. The encryption of data flowing through all these channels is paramount.
Business logic vulnerability
APIs are vulnerable to business logic abuse. This is precisely why a dedicated bot management solution is required and why applying detection heuristics that are good for both web, and mobile apps can generate many errors — false positives and false negatives.
Poor endpoint security
Most IoT devices and microservice tools are programmed to communicate with the server via API channels. These devices authenticate themselves on API servers using client certificates.
Hackers attempt to gain control over an API from the IoT endpoint, and if they succeed, they can easily re-sequence the API order, thereby resulting in a data breach.
An API security checklist
The following top 9 best practices are a must for protecting API infrastructures against hacking and abuses:
- Monitor and manage API calls coming from automated scripts (bots)
- Drop primitive authentication
- Implement measures to prevent API access by sophisticated human-like bots
- Robust encryption is critical
- Deploy token-based rate-limiting equipped with features to limit API access based on the number of IPs, sessions and tokens
- Comprehensive logging of requests and responses
- Scan the incoming requests for malicious intent
- Supporting clustered API implementation to handle fault tolerance
- Track usage and journey of API calls to find anomalies.