What Is API Abuse?


What is an API?

An API (application programming interface) defines how applications or software systems, often running on different devices, interact: the kinds of calls or requests each can make, how those calls are made, the data formats to use, and the conventions to follow. APIs have become the essential connective tissue between different application architectures, allowing new services to be integrated and deployed faster.

Development teams also rely on APIs for service provisioning, platform management, and continuous deployment. Modern application architectures built on mobile devices, cloud data systems, and microservice design patterns use many APIs as gateways that let otherwise separate web applications interoperate.

What is API Abuse?

Attackers reverse engineer mobile and web applications to discover the API calls they make, hijack those calls, and program bots to drive your business APIs directly. They target APIs to take over accounts, scrape business-critical data, and mount application-layer distributed denial of service (DDoS) attacks in which bots flood the API server with unwanted requests. Because bot traffic arrives at the same endpoints as legitimate clients, an online business must distinguish accurately between good and bad API calls rather than simply block the endpoint.

Types of API Attacks

Cybercriminals and other malicious parties abuse weaknesses in APIs to steal personally identifiable information (PII) and business-critical data, carry out account takeover attacks, and run systematic website content scraping campaigns. The following are the key API attacks carried out by bots:

  1. Application Distributed Denial of Service (DDoS)

    Attackers deliberately overload APIs with large volumes of bot traffic from many devices and IP addresses. For enterprises this puts business-critical services at risk, such as log-in, session management, and the other services that keep the application up and available to users.

    DDoS campaigns often rely on asymmetric requests: the attacker sends a small request that forces the server to do expensive work or return a much larger response, so each call costs the attacker far less bandwidth and CPU than it costs the server. Such attacks tie up system resources and drive up response times for every user of the system.

  2. Account Takeover

    Attackers use botnets for account takeover by programmatically sending log-in API calls that try lists of stolen username and password pairs (credential stuffing). An API management system rejects each invalid log-in, but rejection alone does not stop a large bot population spread across many IP addresses, each trying different credential pairs in the hope that some are reused on your service. Sophisticated attackers also throttle their bots so that each source stays below the request rate that conventional per-IP security controls detect.

  3. Web Scraping

    Competitors, fraudsters and ‘fly-by-night’ operators who set up websites to defraud consumers copy an entire website’s content by running systematic scraping campaigns, using bots to pull data straight from its APIs. Attackers also reverse-engineer web and mobile applications to find and hijack the API calls behind them, then scrape through those calls.
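    The account takeover and web scraping cases above share a detection problem: a per-IP rate limit never fires when every bot stays slow, so the signal has to come from aggregating across sources. The following is an added example (not Radware's code) that runs two such detectors over a constructed JSON-lines access log; the log format (fields ts, ip, session, path, user, status), the endpoint paths and the thresholds are all assumptions for illustration. The first detector looks at log-in traffic per time window and flags windows where many attempts from many IPs almost all fail; the second flags sessions that walk product IDs in sequence, which a human shopper does not do.

```python
"""Detection logic for distributed credential stuffing and API scraping.

Added example, not Radware's code. It runs over a constructed JSON-lines
access log (assumed fields: ts, ip, session, path, user, status) and
aggregates per time window and per session, which is what a per-IP rate
limit alone cannot see.
"""
import json
import re
from collections import defaultdict

PRODUCT_RE = re.compile(r"^/api/products/(\d+)$")


def constructed_log():
    """Constructed sample traffic (not captured data), as JSON lines."""
    rows = []
    # Window 0-599: normal logins, a mistyped password then success.
    for i, user in enumerate(["alice", "bob", "carol", "dave"]):
        ip = f"198.51.100.{i + 1}"
        rows.append({"ts": 10 * i, "ip": ip, "session": f"u{i}",
                     "path": "/api/login", "user": user, "status": 401})
        rows.append({"ts": 10 * i + 5, "ip": ip, "session": f"u{i}",
                     "path": "/api/login", "user": user, "status": 200})
    # Window 3600-4199: low-and-slow stuffing, one attempt per bot every
    # 20 s from 30 different IPs; no single IP exceeds any per-IP limit.
    for i in range(30):
        rows.append({"ts": 3600 + 20 * i, "ip": f"203.0.113.{i}",
                     "session": f"b{i}", "path": "/api/login",
                     "user": f"victim{i % 25}",
                     "status": 200 if i == 7 else 401})
    # One session walking product IDs in order every 2 s: a scraper.
    for i in range(40):
        rows.append({"ts": 7200 + 2 * i, "ip": "192.0.2.9",
                     "session": "scrape", "path": f"/api/products/{1000 + i}",
                     "user": None, "status": 200})
    # A shopper looking at a few unrelated products.
    for i, pid in enumerate([1042, 3, 777, 1043]):
        rows.append({"ts": 7200 + 30 * i, "ip": "198.51.100.7",
                     "session": "shop", "path": f"/api/products/{pid}",
                     "user": None, "status": 200})
    return "\n".join(json.dumps(r) for r in rows)


def parse(log_text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def stuffing_windows(records, window=600, min_attempts=10,
                     min_fail_ratio=0.8, min_ips=10):
    """Start times of windows whose login traffic looks like credential stuffing.

    The signal is population-level: many attempts, nearly all failing,
    spread over many source IPs. Thresholds are assumed and should be
    tuned against the site's own baseline.
    """
    by_window = defaultdict(list)
    for r in records:
        if r["path"] == "/api/login":
            by_window[r["ts"] // window * window].append(r)
    flagged = []
    for start, rs in sorted(by_window.items()):
        fails = sum(1 for r in rs if r["status"] == 401)
        ips = {r["ip"] for r in rs}
        if (len(rs) >= min_attempts and fails / len(rs) >= min_fail_ratio
                and len(ips) >= min_ips):
            flagged.append(start)
    return flagged


def scraping_sessions(records, min_ids=20, min_sequential=0.9):
    """Sessions that enumerate product IDs in order, the scraping signature."""
    ids = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        m = PRODUCT_RE.match(r["path"])
        if m:
            ids[r["session"]].append(int(m.group(1)))
    flagged = []
    for session, seen in ids.items():
        if len(set(seen)) < min_ids:
            continue
        steps = [b - a for a, b in zip(seen, seen[1:])]
        if sum(1 for s in steps if s == 1) / len(steps) >= min_sequential:
            flagged.append(session)
    return flagged


if __name__ == "__main__":
    recs = parse(constructed_log())
    print("stuffing windows:", stuffing_windows(recs))   # [3600]
    print("scraping sessions:", scraping_sessions(recs))  # ['scrape']
```

    Note what the stuffing detector does not need: it never counts requests per IP, which is exactly the dimension the attacker controls. The scraping detector keys on the session rather than the IP for the same reason, and would need a per-IP variant as well if the scraper rotates sessions.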

How to Prevent API Abuse

The best practices to protect APIs against abuse are:

  • Monitor and manage API calls coming from bots

  • Stop using obsolete and insecure authentication methods

  • Implement measures to prevent API access by sophisticated human-like bots

  • Use robust encryption to safeguard log-in processes

  • Deploy token-based rate limiting that can limit API access by IP address, session, and API token, not by a single dimension

  • Comprehensively log all system requests and responses

  • Scan incoming requests for malicious intent

  • Deploy the API as a cluster so that it tolerates the failure of individual nodes

  • Track the usage and paths taken by API calls to find anomalies
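The rate-limiting practice in the list above, and the asymmetric DDoS pattern described under Types of API Attacks, can be addressed together: charge each request against a bucket for every identity it carries (client IP, session, API token) and make expensive endpoints cost more tokens than cheap ones. The following is an added example (not Radware's code) of such a limiter; the endpoint costs, per-dimension limits and endpoint paths are assumed values chosen for illustration, and the manual clock exists only so the behaviour can be exercised without sleeping.

```python
"""Multi-key, cost-weighted token-bucket rate limiting for an API gateway.

Added example, not Radware's code. Every request is charged against one
bucket per key dimension it carries (client IP, session, API token) and
is served only if all of them can pay. Expensive endpoints cost more
tokens, so an asymmetric attack (tiny request, large response) exhausts
the caller's budget fastest. Endpoint costs and limits are assumed values.
"""
import time

# Assumed cost in tokens per endpoint; unlisted paths cost 1.
ENDPOINT_COST = {
    "/api/search": 5,   # returns large result sets
    "/api/export": 20,  # small request, very large response
    "/api/login": 3,    # password hashing burns CPU
}


class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def refill(self, now):
        """Add tokens for the time elapsed, never above capacity."""
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.updated) * self.refill_per_sec)
        self.updated = now


class ApiRateLimiter:
    # Assumed per-dimension (capacity, refill per second). The session and
    # token buckets bound one client across many IPs; the IP bucket bounds
    # one source across many sessions.
    LIMITS = {"ip": (60, 1.0), "session": (30, 0.5), "token": (120, 2.0)}

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}  # (dimension, key) -> TokenBucket

    def _bucket(self, dim, key, now):
        if (dim, key) not in self.buckets:
            cap, rate = self.LIMITS[dim]
            self.buckets[(dim, key)] = TokenBucket(cap, rate, now)
        return self.buckets[(dim, key)]

    def allow(self, path, ip, session=None, token=None):
        """Return True and charge all buckets, or False and charge none."""
        now = self.clock()
        cost = ENDPOINT_COST.get(path, 1)
        keys = [("ip", ip)]
        if session:
            keys.append(("session", session))
        if token:
            keys.append(("token", token))
        buckets = [self._bucket(d, k, now) for d, k in keys]
        for b in buckets:
            b.refill(now)
        # Check every bucket before charging any, so a denied request does
        # not partially drain the others.
        if any(b.tokens < cost for b in buckets):
            return False
        for b in buckets:
            b.tokens -= cost
        return True


class ManualClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = ManualClock()
    limiter = ApiRateLimiter(clock=clock)
    # Three exports (cost 20 each) drain the 60-token IP bucket; the fourth
    # is refused until 20 s of refill has accrued.
    print([limiter.allow("/api/export", "203.0.113.5") for _ in range(4)])
    clock.advance(20)
    print(limiter.allow("/api/export", "203.0.113.5"))
    # One stolen API token driven from ten IPs: the token bucket binds.
    shared = ApiRateLimiter(clock=ManualClock())
    hits = [shared.allow("/api/items", f"198.51.100.{i % 10}", token="tok")
            for i in range(125)]
    print(hits.count(True), "of", len(hits), "allowed")
```

Two design points matter in production. The check-then-charge order keeps a refused request from draining the other buckets, which would otherwise let an attacker use denied requests to starve a legitimate session sharing an IP. And the per-endpoint cost is where the asymmetric DDoS defence lives: an export that costs the server a hundred times more than a product lookup should cost the caller proportionally more of its budget.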

Leading analyst organizations recommend that enterprises implement effective API security measures. Radware Bot Manager’s Bot Mitigation Solution for APIs ensures that your critical business and customer data are protected from automated attacks.
