To produce the report, the Cequence research team analyzed 20 billion API transactions in the first half of 2022. Of the 16.7 billion malicious requests made, around 5 billion, or 31 per cent, targeted unknown, unmanaged, and unprotected APIs, also known as shadow APIs.
These requests came from a variety of bots, ranging from sneaker bots to credential stuffing campaigns and operations that test whether stolen credit cards are still valid. Cequence Security noted that these attacks have continued to increase throughout the year.
But even well-coded APIs are not immune to threats. The report also warned that attackers are increasingly exploiting the ten API vulnerability classes catalogued by the Open Web Application Security Project (OWASP), a non-profit organization that maintains the API Security Top 10. The vulnerabilities in the list could lurk in any API, not just shadow APIs. Published in 2019, the list consists of the following:
- API1: Broken object-level authentication
- API2: Broken authentication
- API3: Excessive data exposure
- API4: Lack of resources and rate limiting
- API5: Broken function-level authentication
- API6: Mass assignment
- API7: Security misconfiguration
- API8: Injection
- API9: Improper asset management
- API10: Insufficient logging and monitoring
The second largest API security threat was API abuse, where attackers target improperly coded and inventoried APIs. There were 3.6 billion such attacks detected and blocked in 2022. The most frequently blocked were the 3 billion shopping bot requests targeting sneakers and luxury goods, followed by 290 million gift card checking attacks and 237 million fake account creations on dating and shopping applications.
The third most pervasive threat to API security was the combination of API2, API3 and API9. According to the report, the combination of these attack vectors indicates that attackers are analyzing how the target APIs work, and how they communicate.
Cequence also pointed out that partner ecosystem APIs posed a threat, describing them as a “target-rich environment.” While they enable useful functions for consumers, their interconnectivity and one-to-many connections also make them a prime target for attackers. In one case, attackers targeted a financial services partner ecosystem API to execute a series of coordinated credential stuffing attacks against multiple financial institutions simultaneously. In one of the weeks observed, Cequence blocked over 50 million malicious requests abusing these APIs.
These attacks often trace back to countries where genuine user interaction is non-existent, or to known malicious infrastructure. Hallmarks of malicious requests include high session rotation and a high login failure rate. They are also characterized by high proxy IP address rotation and requests made at fixed time intervals.
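The four hallmarks just listed can be turned into a simple scoring pass over login traffic. The following is an added example written for this page, not code from Cequence or from the report; the log format, the two sample traces and the thresholds are all constructed assumptions, and in practice the "window" would be one endpoint's traffic for a short time bucket.

```python
"""Score one window of login traffic for the bot hallmarks named in the article:
high session rotation, high login failure rate, proxy IP rotation and requests
arriving at fixed intervals. Added example; log format and thresholds are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample traces (not taken from the report). Fields per line:
# epoch_seconds,client_ip,session_id,account,result
BENIGN_LOG = """\
1000,203.0.113.10,s1,alice,ok
1015,203.0.113.10,s1,alice,ok
1180,203.0.113.10,s1,alice,fail
1230,203.0.113.10,s1,alice,ok
"""

STUFFING_LOG = """\
1000,198.51.100.1,s100,bob,fail
1002,198.51.100.2,s101,bob,fail
1004,198.51.100.3,s102,carol,fail
1006,198.51.100.4,s103,carol,fail
1008,198.51.100.5,s104,dave,fail
1010,198.51.100.6,s105,dave,ok
"""

# Assumed thresholds: a metric at or above the value counts as a hit.
THRESHOLDS = {
    "failure_rate": 0.5,      # share of login attempts that failed
    "session_rotation": 0.8,  # distinct sessions per request (1.0 = new session every time)
    "ip_rotation": 1.5,       # mean distinct source IPs per targeted account
}
FIXED_INTERVAL_CV = 0.2       # inter-arrival coefficient of variation below this = scripted


@dataclass(frozen=True)
class Record:
    ts: int
    ip: str
    session: str
    account: str
    ok: bool


def parse_log(text: str) -> list[Record]:
    """Parse the constructed CSV-style log into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, account, result = line.split(",")
        records.append(Record(int(ts), ip, session, account, result == "ok"))
    return records


def window_metrics(records: list[Record]) -> dict[str, float]:
    """Compute the four hallmark metrics over one traffic window."""
    n = len(records)
    if n < 2:
        raise ValueError("need at least two requests to measure intervals")
    failures = sum(1 for r in records if not r.ok)
    sessions = {r.session for r in records}
    ips_by_account: dict[str, set[str]] = defaultdict(set)
    for r in records:
        ips_by_account[r.account].add(r.ip)
    # Coefficient of variation of inter-arrival gaps: ~0 means a fixed cadence.
    ts = sorted(r.ts for r in records)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg_gap = mean(gaps)
    interval_cv = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
    return {
        "failure_rate": failures / n,
        "session_rotation": len(sessions) / n,
        "ip_rotation": mean(len(ips) for ips in ips_by_account.values()),
        "interval_cv": interval_cv,
    }


def flags(metrics: dict[str, float]) -> list[str]:
    """Return the names of the hallmarks that fired for this window."""
    hits = [name for name, limit in THRESHOLDS.items() if metrics[name] >= limit]
    if metrics["interval_cv"] < FIXED_INTERVAL_CV:
        hits.append("fixed_interval")
    return hits


if __name__ == "__main__":
    for label, log in (("benign", BENIGN_LOG), ("stuffing", STUFFING_LOG)):
        m = window_metrics(parse_log(log))
        print(label, {k: round(v, 3) for k, v in m.items()}, "->", flags(m))
```

The benign trace raises no flags; the credential stuffing trace raises all four, since every request opens a new session, each account is hit from two proxies, five of six logins fail, and the requests arrive exactly two seconds apart. Any single metric can be noisy (a user who mistypes a password twice has a high failure rate), which is why the window is scored on the combination rather than on one indicator.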
“Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked,” said William Glazier, director of threat research at Cequence Security, in the press release. “The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”
In conclusion, the report urged organizations to check their APIs against the OWASP list, but also API10+, a category that describes even more ways well-coded APIs can be attacked.