Enterprise cybersecurity teams have turned their focus to API security, and rightly so. In the digital economy, APIs are the front door to the business: the entry point for IoT devices, web and mobile apps, and business partner processes. Unfortunately, APIs are also the front door for criminals, many of whom use bots to carry out their attacks. It is therefore critical for security teams to protect APIs and to mitigate the bots used to attack them.
A look at the OWASP API Security Top 10 (2023 edition) makes the centrality of bots to attacks on APIs clear. Three of the ten categories are related to bots in a direct and obvious way.
- Broken Authentication (API2:2023): Bots break authentication through brute force, dictionary, and credential stuffing attacks that result in account takeovers, fraud, financial losses, and angry customers.
- Unrestricted Resource Consumption (API4:2023): It is bots that take advantage of unrestricted resource consumption, exhausting the memory, CPU, and bandwidth behind an API (and running up the bill where those resources are metered). When bots target APIs designed for consumption by interactive applications, that is web and mobile applications used by humans, the impact on performance can be catastrophic.
- Unrestricted Access to Sensitive Business Flows (API6:2023): Excessive access to certain business flows harms the business even when every individual request is valid. Unauthorized resellers can buy out the stock of an item for resale at a higher price. Spammers can exploit a comment or post flow. Attackers can use a reservation system to reserve every available time slot. In each case, it is bots that cause the damage. Remember how quickly the Taylor Swift Eras Tour presale sold out in November 2022, crashing Ticketmaster and frustrating fans? Ticketmaster attributed much of that disruption to bot traffic.
The other seven items on the list, such as security misconfiguration, improper inventory management, and the broken authorization categories (object level, object property level, and function level), are not so obviously related to bots, yet attackers rely on automation to discover and exploit them rapidly. In his book Hacking APIs, Corey J. Ball describes several automated tools for API discovery (OWASP ZAP, Gobuster, Kiterunner) and fuzzing (Postman, Wfuzz, and Burp Suite). With these tools, attackers send thousands of requests to an API to ferret out weaknesses. Gaining visibility into this reconnaissance, and reducing its chance of success, requires an effective system for mitigating bots.
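The two bot behaviours described above, credential stuffing against a login endpoint and wordlist-driven endpoint discovery, leave characteristic traces in API access logs. The following is an added example, not code from the original post or from Hacking APIs, showing detection logic run over a constructed, simplified log format (`<client> <method> <path> <status> <username-or-dash>`); the sample lines, thresholds, and the `/api/login` path are all assumptions for illustration. The `client` field stands for whatever identity the gateway can attach to a request: a session or device token from a client-side SDK, a certificate fingerprint, or, as a weak last resort, the source IP.

```python
"""Flag bot behaviour in API access logs: credential stuffing and endpoint enumeration.

Added example; not code from the original post or from Hacking APIs.
Log format (constructed): <client> <method> <path> <status> <username-or-dash>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: c1 is stuffing credentials, c3 is enumerating paths,
# c2 (one mistyped password, then success) and c4 (ordinary browsing) are benign.
SAMPLE_LOG = """\
c1 POST /api/login 401 alice
c1 POST /api/login 401 bob
c1 POST /api/login 401 carol
c1 POST /api/login 200 dave
c1 POST /api/login 401 erin
c1 POST /api/login 401 frank
c2 POST /api/login 401 alice
c2 POST /api/login 200 alice
c3 GET /api/v1/users 404 -
c3 GET /api/v2/users 404 -
c3 GET /api/admin 404 -
c3 GET /api/internal 404 -
c3 GET /api/debug 404 -
c3 GET /api/users 200 -
c4 GET /api/users 200 -
c4 GET /api/users/42 200 -
"""

LOGIN_PATH = "/api/login"  # assumed login endpoint


@dataclass
class ClientStats:
    requests: int = 0
    not_found: int = 0
    paths: set = field(default_factory=set)
    login_attempts: int = 0
    login_failures: int = 0
    usernames: set = field(default_factory=set)


def parse_log(text):
    """Aggregate per-client counters from the space-separated log lines."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, path, status, user = line.split()
        s = stats[client]
        s.requests += 1
        s.paths.add(path)
        if status == "404":
            s.not_found += 1
        if method == "POST" and path == LOGIN_PATH:
            s.login_attempts += 1
            s.usernames.add(user)
            if not status.startswith("2"):
                s.login_failures += 1
    return stats


def detect_credential_stuffing(stats, min_attempts=5, min_users=3, min_fail_ratio=0.6):
    """Many distinct usernames with a high failure rate from one client.

    A single user retrying their own password fails the min_users test; a shared
    NAT usually fails the ratio test, which is why the client key should be finer
    than an IP address wherever possible.
    """
    flagged = []
    for client, s in stats.items():
        if s.login_attempts < min_attempts:
            continue
        fail_ratio = s.login_failures / s.login_attempts
        if len(s.usernames) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.append(client)
    return sorted(flagged)


def detect_enumeration(stats, min_requests=5, min_paths=4, min_404_ratio=0.6):
    """Many distinct paths, mostly 404s: the signature of a wordlist-driven discovery tool."""
    flagged = []
    for client, s in stats.items():
        if s.requests < min_requests:
            continue
        nf_ratio = s.not_found / s.requests
        if len(s.paths) >= min_paths and nf_ratio >= min_404_ratio:
            flagged.append(client)
    return sorted(flagged)


def analyze(text):
    """Run both detectors and return the flagged client identities."""
    stats = parse_log(text)
    return {
        "credential_stuffing": detect_credential_stuffing(stats),
        "enumeration": detect_enumeration(stats),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log this flags `c1` for credential stuffing and `c3` for enumeration while leaving the two benign clients alone. The thresholds are deliberately simple; a production detector would window the counters in time and weight the client key by how hard it is for an attacker to rotate, which is the point of the client-side signals discussed further down.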
Bots do not affect all APIs in the same way. Machine-to-machine APIs accessed by automated processes (usually internal systems or those of partners) are typically protected by mutual TLS; each caller presents a client certificate, so the risk of broken authentication is low and rate limits can be enforced per authenticated client. Mutual TLS does not fix authorization or business-logic flaws, so those APIs still need the remaining controls, but bots are a smaller part of their threat model. It is the APIs that expect traffic only from interactive apps, that is web and mobile apps in the hands of humans, that are most exposed to bots.
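The per-authenticated-client rate limiting mentioned above, as an added example that is not code from the original post: a token-bucket limiter keyed on the identity the gateway has already established. It assumes the gateway terminated mutual TLS and passes the handler the SHA-256 fingerprint of the client certificate (a hypothetical `cert_fingerprint` argument); interactive callers without a certificate are keyed by a session identifier and get a smaller budget, and callers with neither are refused. The budgets, the fingerprint value, and the manual clock are constructed for illustration.

```python
"""Per-client token-bucket rate limiting keyed on the authenticated identity.

Added example, not code from the original post. Assumes the gateway has already
terminated mutual TLS and supplies `cert_fingerprint` (hypothetical argument).
Budgets and the clock below are constructed for illustration.
"""
import time


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now, cost=1.0):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerClientRateLimiter:
    # Illustrative budgets: (burst capacity, sustained requests per second).
    MTLS_BUDGET = (100, 10.0)     # identified partner or internal client
    SESSION_BUDGET = (20, 1.0)    # anonymous interactive session

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def _key_and_budget(self, cert_fingerprint, session_id):
        # Strongest available identity wins; the key namespace keeps them apart.
        if cert_fingerprint:
            return ("mtls", cert_fingerprint), self.MTLS_BUDGET
        if session_id:
            return ("session", session_id), self.SESSION_BUDGET
        return None, None

    def allow(self, cert_fingerprint=None, session_id=None):
        """True if the request fits the caller's budget, False to reject (e.g. HTTP 429)."""
        key, budget = self._key_and_budget(cert_fingerprint, session_id)
        if key is None:
            return False  # unidentifiable caller: refuse rather than share a global bucket
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(*budget, now)
        return bucket.try_consume(now)


class ManualClock:
    """Deterministic clock so the demonstration is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = ManualClock()
    limiter = PerClientRateLimiter(clock=clock)
    partner = "sha256:" + "ab" * 32  # constructed certificate fingerprint
    results = {}
    # An anonymous session burns its 20-request burst, is refused, then
    # recovers one request per second.
    session_burst = [limiter.allow(session_id="sess-1") for _ in range(21)]
    results["session_burst_allowed"] = session_burst.count(True)
    results["session_21st_allowed"] = session_burst[-1]
    clock.advance(1.0)
    results["session_after_1s"] = limiter.allow(session_id="sess-1")
    results["session_after_1s_again"] = limiter.allow(session_id="sess-1")
    # The mTLS client has its own, larger bucket, unaffected by the session above.
    mtls_burst = [limiter.allow(cert_fingerprint=partner) for _ in range(101)]
    results["mtls_burst_allowed"] = mtls_burst.count(True)
    # No identity at all is refused outright.
    results["anonymous_allowed"] = limiter.allow()
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the budget follows the strength of the identity: a certificate fingerprint is expensive for an attacker to multiply, so it earns a large bucket, while a session token is cheap to mint and earns a small one. Keying anonymous traffic by IP instead would give the residential-proxy operators described below tens of millions of fresh buckets.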
For APIs expecting human-initiated traffic, defending against bots has become increasingly difficult. Open source libraries make it trivial to evade header fingerprinting, and bot operators can buy services that solve CAPTCHAs and proxy requests through networks of tens of millions of residential IP addresses. With the old techniques of header analysis, IP deny lists, and CAPTCHA no longer effective on their own, application security teams that want to mitigate bots must rely on rich client-side signal collection through JavaScript and mobile SDKs, combined with machine learning, to distinguish attack tools and bot behavior from genuine users.
Which of your organization's APIs are exposed to bots, what are the likelihood and cost of an attack, and how should security controls be designed to provide the necessary protection? These are good questions to address in threat modeling.