API Security Landscape: Protecting APIs from Automated Attacks and Abuse
APIs are emerging as a bridge to facilitate interoperability between different systems, networks, and applications. They also help drive a growing variety of devices and systems on the Internet of Things (IoT) to enable innovative functions that consumers, enterprises, and governments demand and expect.
Most IT ecosystems and architectures, from websites to mobile applications, rely on databases that are queried for user authentication, inventory checks, location services, payment card verification, and so on, and those queries are made through APIs. The growing use of micro-service and cloud architectures, and the increasing reliance on specialized third-party services, including providers that expose Open APIs for calls between applications, make APIs more crucial than ever in providing convenient and seamless access to IT-enabled services.
Despite their rapid and widespread deployment, however, APIs remain poorly protected. That leaves them exposed to endpoint enumeration, decompiling of client apps, abuse of insecure pagination, and even accidental API key exposure, all of which put business-critical data and services at risk, including Personally Identifiable Information, payment card data, and other confidential information.
According to Radware Bot Manager research, bad bot hits on APIs rose steadily in each quarter of 2019.
Sophisticated bots take advantage of API weaknesses such as authentication flaws, weak or missing encryption, and poor endpoint security to carry out account takeover, application DDoS, carding, and various other forms of API abuse. Most API gateways and WAFs fail to detect sophisticated, human-like bots, leaving the APIs behind them exposed to bot attacks by fraudsters, competitors, and intelligence-gathering agencies.
Symptoms of a bot attack on APIs
- Single, isolated HTTP requests
- An increase in the rate of errors
- Extremely high application usage from a single IP address or API token
- A high ratio of GET/POST to HEAD requests for a user, session, IP address, or API token compared to legitimate users
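The symptoms above are per-client statistics that can be computed from ordinary API access logs. The script below is an added example, not Radware's code or any part of Bot Manager: it parses a constructed log (an assumed one-line-per-request layout of timestamp, API token, method, path and status), aggregates requests, error rate and the GET/POST-to-HEAD ratio per token, and flags tokens that exceed assumed thresholds. Grouping by client IP instead of token is a one-line change to the key. The `min_requests` gate matters: with only a handful of requests, a single 404 or the absence of any HEAD request says nothing, so rate-based rules are only evaluated once a client has enough traffic to compare against.

```python
"""Per-token API abuse heuristics over a constructed access log (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). tok-A is a normal shopper,
# tok-C is a low-volume client with one stray 404.
_LEGIT = [
    "2020-12-15T10:00:01Z token=tok-A HEAD /v1/inventory 200",
    "2020-12-15T10:00:02Z token=tok-A GET /v1/inventory 200",
    "2020-12-15T10:00:05Z token=tok-A GET /v1/inventory/sku-42 200",
    "2020-12-15T10:00:09Z token=tok-A POST /v1/cart 201",
    "2020-12-15T10:00:12Z token=tok-A HEAD /v1/cart 200",
    "2020-12-15T10:00:14Z token=tok-A GET /v1/cart 200",
    "2020-12-15T10:00:20Z token=tok-A POST /v1/checkout 200",
    "2020-12-15T10:01:00Z token=tok-C GET /v1/inventory 200",
    "2020-12-15T10:01:03Z token=tok-C GET /v1/inventory/sku-7 404",
    "2020-12-15T10:01:05Z token=tok-C GET /v1/inventory/sku-8 200",
]
# tok-B walks sequential user IDs, most of which do not exist: the enumeration
# pattern from the article, producing a burst of 404s and never a HEAD request.
_BOT = [
    f"2020-12-15T10:02:{i:02d}Z token=tok-B GET /v1/users/{1000 + i} "
    f"{'200' if i % 5 == 0 else '404'}"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(_LEGIT + _BOT)

# Assumed log layout; adjust the pattern for a real gateway's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def per_token_stats(records):
    """Aggregate request count, error count and method mix per API token."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "get_post": 0, "head": 0})
    for r in records:
        s = stats[r["token"]]
        s["requests"] += 1
        if int(r["status"]) >= 400:
            s["errors"] += 1
        if r["method"] in ("GET", "POST"):
            s["get_post"] += 1
        elif r["method"] == "HEAD":
            s["head"] += 1
    return dict(stats)


def flag_suspicious(stats, max_requests=20, max_error_rate=0.5,
                    max_get_post_per_head=10.0, min_requests=5):
    """Map token -> list of triggered rules. Thresholds are assumed values."""
    flagged = {}
    for token, s in stats.items():
        reasons = []
        if s["requests"] > max_requests:
            reasons.append("volume")
        # Ratios are meaningless on a few requests; only judge clients with
        # enough traffic to compare against a legitimate session.
        if s["requests"] >= min_requests:
            if s["errors"] / s["requests"] > max_error_rate:
                reasons.append("error_rate")
            # A client that never sends HEAD would give a division by zero;
            # max(head, 1) keeps the ratio finite while still scoring it high.
            if s["get_post"] / max(s["head"], 1) > max_get_post_per_head:
                reasons.append("get_post_head_ratio")
        if reasons:
            flagged[token] = reasons
    return flagged


if __name__ == "__main__":
    for token, reasons in flag_suspicious(per_token_stats(parse_log(SAMPLE_LOG))).items():
        print(token, "->", ", ".join(reasons))
```

Run as written it reports only tok-B, with all three rules triggered; tok-A and tok-C pass. In production these counters would be kept per sliding window so that "an increase in the rate of errors" is measured against the client's own recent baseline rather than a single global threshold.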
How can Radware protect your APIs from bad bot attacks?
Radware Bot Manager defends Web, mobile applications, and APIs against automated attacks. It ensures that only legitimate users and devices can access your Internet properties by leveraging proprietary Intent-based Deep Behavior Analysis (IDBA) and machine learning technologies to understand the intent behind every visitor, and to block malicious automated activities.
For APIs, Radware Bot Manager provides dedicated enterprise-grade protection from automated threats by:
- Addressing gaps in unique source identification in M2M communications through our API-Client SDK
- Preventing out of context API invocation (for Web and mobile APIs)
- Establishing authentication flows to validate legitimate access to assets
- Detecting anomalous navigation flows or access patterns
Originally published at www.radwarebotmanager.com on December 15, 2020