How to Keep APIs Secure From Bot Attacks
This post is also available in: Japanese
The widespread adoption of mobile & IoT devices, emerging ‘serverless’ architectures hosted in public clouds and the growing dependency on machine-to-machine communication are reasons for changes to modern application architectures.
Application programming interfaces (APIs) have emerged as the bridge to facilitate communication between different application architectures. APIs allow for quicker integration and faster deployment of new services. In addition, DevOps requires end-to-end process automation that leverages APIs for service provisioning, platform management and continuous deployment.
Despite rapid and widespread deployment, APIs remain poorly protected and automated threats are mounting. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks.
Symptoms of Bot Attacks on APIs
• Single HTTP request (from a unique browser, session or a device)
• An increase in the rate of errors (e.g., HTTP status code 404, data validation failures, authorization failures, etc.)
• Extremely high application usage from a single IP address or API token
• A sudden uptick in API usage from large, distributed IP addresses
• A high ratio of GET/POST to HEAD requests for a user/session/IP address/API token compared to legitimate users
Key API Vulnerabilities & Automated Attacks
Authentication Flaws and Account Takeover. Many APIs do not check authentication status when the request comes from a genuine user. Attackers exploit such flaws in different ways, such as session hijacking and account aggregation, to imitate genuine API calls. Attackers also reverse engineer mobile applications to discover how APIs are invoked. If API keys are embedded into the application, an API breach may occur. API keys should not be used for user authentication. Cybercriminals also perform credential stuffing attacks to takeover user accounts.
Lack of Robust Encryption. Many APIs lack robust encryption between the API client and server. Attackers exploit vulnerabilities through man-in-the-middle attacks. Attackers intercept unencrypted or poorly protected API transactions to steal sensitive information or alter transaction data. Also, the ubiquitous use of mobile devices, cloud systems and microservice patterns further complicate API security because multiple gateways are now involved in facilitating interoperability among diverse web applications. The encryption of data flowing through all these channels is paramount.
Business Logic Vulnerability. APIs are vulnerable to business logic abuse. This is exactly why a dedicated bot management solution is required and why applying detection heuristics that are good for both web and mobile apps can generate many errors — false positives and false negatives.
Poor Endpoint Security. Most IoT devices and microservice tools are programmed to communicate with the server via API channels. These devices authenticate themselves on API servers using client certificates. Hackers attempt to gain control over an API from the IoT endpoint, and if they succeed, they can easily re-sequence the API order, thereby resulting in a data breach.
An API Security Checklist
These top 9 best practices are a must for protecting your API infrastructures against hacking and abuses.
• Monitor and manage API calls coming from automated scripts (bots)
• Drop primitive authentication
• Implement measures to prevent API access by sophisticated human-like bots
• Robust encryption is critical
• Deploy token-based rate limiting equipped with features to limit API access based on the number of IPs, sessions and tokens
• Comprehensive logging of requests and responses
• Scan the incoming requests for malicious intent
• Supporting clustered API implementation to handle fault tolerance
• Track usage and journey of API calls to find anomalies