Attacks on Web applications continue to grow, with the majority of malicious activity focused on Web application programming interfaces, or Web APIs, researchers report.
The findings, released Oct. 27 by Internet security firm Akamai, call out the growing attack surface posed by Web APIs. Akamai's telemetry does not separate attacks on Web applications from attacks that specifically go through Web APIs, so the API share is the researchers' assessment rather than a measured split; they maintain, however, that the growth in Web application attacks is mainly arriving through the APIs exposed by application servers. The top three Web attack vectors — SQL injection, local file inclusion, and cross-site scripting — account for nearly 95% of all Web attacks and often are carried out through APIs, according to Akamai’s report.
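The point about injection arriving through APIs is easy to see in code: a JSON endpoint that splices a request field into SQL is exactly as injectable as an HTML form, it just has no form. The following is an added example, not code from the report or from Akamai; the `/api/v1/products/search` handler, the product table and the request bodies are constructed for illustration. The vulnerable handler is shown beside the parameterized version so the same payload can be run against both.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory catalogue: two public products and one row
    that should never be returned by the public search endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased-prototype", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, body):
    """Hypothetical handler for POST /api/v1/products/search.
    The 'q' field of the JSON body is spliced into the SQL text, so a
    direct API call can inject just as a browser form could."""
    q = json.loads(body)["q"]
    sql = f"SELECT name FROM products WHERE internal = 0 AND name LIKE '%{q}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, body):
    """Same endpoint with the search term bound as a parameter and a
    basic shape check on the input. The term can no longer change the
    structure of the statement, only the value it is compared against."""
    q = json.loads(body)["q"]
    if not isinstance(q, str) or not (0 < len(q) <= 64):
        raise ValueError("invalid search term")
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


# Constructed request bodies: a normal search and a classic injection that
# closes the quoted string, ORs in a true condition and comments out the rest.
NORMAL_BODY = json.dumps({"q": "wid"})
INJECTED_BODY = json.dumps({"q": "' OR 1=1 --"})


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": search_vulnerable(conn, NORMAL_BODY),
        "vulnerable_injected": search_vulnerable(conn, INJECTED_BODY),
        "hardened_normal": search_hardened(conn, NORMAL_BODY),
        "hardened_injected": search_hardened(conn, INJECTED_BODY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Against the vulnerable handler the injected body returns every row, including the one the `internal = 0` filter was supposed to hide; against the hardened handler the same body is just a search term that matches nothing. Parameter binding is the fix for the injection itself; the length and type check is there because a JSON API will happily deliver an array, an object or a multi-kilobyte string where the developer expected a short word, and that input reaches the database layer with no browser in between to normalise it.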
While developers are quickly adopting APIs as a way of architecting mobile, Web, and cloud applications, they don’t always consider security, says Akamai security researcher Steve Ragan.
“The lessons that Web application security [professionals] learned a decade ago, we are now seeing them in API security,” he says. “APIs are meant to increase the availability and access at scale. They are easy to deploy, so developers really love to tack on APIs when they can, [but] because APIs are dominating our lives, it is important to pay attention to their security.”
The growing attack surface area of Web APIs is not going unnoticed. Market research firm Gartner has predicted that 90% of Web-enabled applications will expose more attack surface through their APIs than through the user interface, according to Akamai’s report. Another report, published by API security firm Salt Labs, says overall API traffic increased by more than 140% in the first half of the year, but malicious API traffic grew much faster, by nearly 350%.
The growing use of Web APIs by attackers led the Open Web Application Security Project (OWASP) to release the OWASP API Security Top 10 in 2019. In many ways, the issues on this list mirror those on the better-known OWASP Top 10 Web Application Security Risks list.
“The [Top 10 API Security list] purports to address the ‘unique vulnerabilities and security risks’ of APIs, but look closely and you’ll see all of the same web vulnerabilities, in a slightly different order, described with slightly different words,” Chris Eng, chief research officer for software security firm Veracode, said in an essay in the report. “We’re making all the same mistakes with API security that we made with web security 20 years ago.”
The Akamai report documents a slow increase in daily Web application attacks over the last 18 months, with the month of June 2021 showing a more significant peak, exceeding 113 million attacks in a single day. In addition, the average number of credential-abuse attacks, in which the attacker attempts to log in using stolen or guessable credentials, has also tripled over the past 18 months. Many of those attacks could be conducted through an application’s API.
“Going forward, you are going to see APIs as the first scans, when they are looking for entry into corporate networks,” Ragan says. “When they do credential stuffing attacks, they are using the APIs, and a lot of that stuff is not rate-limited, so you are seeing unlimited guesses.”
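The unlimited-guesses problem Ragan describes has two practical answers on the defender's side: detect the pattern in the logs after the fact, and rate-limit the login endpoint so the pattern cannot complete. The following is an added example, not code from the report or from Akamai. The log format, the `/api/v1/login` path and the sample entries are constructed: one source address cycles through many usernames in a few seconds (the credential-stuffing shape, where the attacker has a list of leaked username/password pairs and tries each once), while a legitimate user mistypes a password and then succeeds.

```python
import json
from collections import defaultdict, deque

# Constructed JSON access-log lines for a hypothetical login API.
# 203.0.113.7 tries eight different accounts in 14 seconds, all rejected.
# 198.51.100.4 is a real user who fails once and then logs in.
SAMPLE_LOG = """\
{"ts": 1625097590, "src_ip": "203.0.113.7",  "path": "/api/v1/products", "user": null,    "status": 200}
{"ts": 1625097600, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "alice", "status": 401}
{"ts": 1625097602, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "bob",   "status": 401}
{"ts": 1625097604, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "carol", "status": 401}
{"ts": 1625097605, "src_ip": "198.51.100.4", "path": "/api/v1/login",    "user": "pat",   "status": 401}
{"ts": 1625097606, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "dave",  "status": 401}
{"ts": 1625097608, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "erin",  "status": 401}
{"ts": 1625097610, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "frank", "status": 401}
{"ts": 1625097612, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "grace", "status": 401}
{"ts": 1625097614, "src_ip": "203.0.113.7",  "path": "/api/v1/login",    "user": "heidi", "status": 401}
{"ts": 1625097640, "src_ip": "198.51.100.4", "path": "/api/v1/login",    "user": "pat",   "status": 200}
"""

LOGIN_PATH = "/api/v1/login"


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(entries, window=60, min_users=5):
    """Detection: a source IP that fails logins for at least `min_users`
    distinct usernames inside any `window`-second span. Brute force against
    one account looks different (one user, many attempts) and is not
    what this rule is for."""
    failures = defaultdict(list)
    for e in entries:
        if e["path"] == LOGIN_PATH and e["status"] == 401:
            failures[e["src_ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 < window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


class SlidingWindowLimiter:
    """Prevention: at most `limit` events per `window` seconds per key.
    Old timestamps are evicted on each call, so memory is bounded by limit."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay_with_limit(entries, limit=5, window=60):
    """Replay the login traffic through a per-source limiter and return the
    (src_ip, user) attempts that would have been rejected with HTTP 429."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["path"] != LOGIN_PATH:
            continue
        if not limiter.allow(e["src_ip"], e["ts"]):
            rejected.append((e["src_ip"], e["user"]))
    return rejected


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(log))
    print("would be rate-limited:", replay_with_limit(log))
```

On the sample, detection flags only 203.0.113.7, and a limit of five login attempts per source per minute would have rejected that source's sixth, seventh and eighth guesses while the real user's retry goes through. Keying the limiter on source address alone is the minimum, not the finish: stuffing campaigns spread attempts across proxy pools so that each address stays under the threshold, which is why production deployments also limit per target account and per device or session fingerprint, and why the log-side rule above counts distinct usernames rather than raw request volume.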
Surveys have shown developers are more focused on getting APIs working than on making sure the interfaces are secure, according to Akamai’s report. About half of software development teams regularly push out code known to have vulnerabilities, and half of those cite the need to meet a critical deadline along with an expectation that they would patch the feature later, according to a report by the Enterprise Strategy Group sponsored by Veracode.
“Don’t ignore the vulnerabilities, don’t ignore the testing, don’t hardcode passwords and tokens,” Ragan says. “All of those basics, you are still seeing those problems. We are seeing a lot of the problems now that we saw years ago, and it is completely avoidable.”
In addition to attacks targeting APIs and Web applications, Akamai also saw credential stuffing attacks rise to an average of about 800 million fraudulent login attempts per day in the first half of 2021, with a handful of days seeing 1 billion login attempts.
Distributed denial-of-service (DDoS) attacks grew as well: Akamai recorded 190 DDoS events in a single day in January, but attacks dropped off in June.
Attackers targeted networks and systems in the United States about six times as often as those in the second most targeted nation, the United Kingdom. However, the US is also the largest source of attacks, accounting for four times the volume of the second most common source, Russia.