According to a recent report from Imperva (a Thales company), organizations lose $94- $186 billion every year to vulnerable or insecure APIs abused by bots. The report highlights that this security threat accounts for up to 11.8% of global cybersecurity events and losses, highlighting a new trend in cyberattacks.
In this article, we want to provide an overview of these attacks and how to prevent them by implementing best practices for API protection.
What are API's?
APIs (Application Programming Interfaces) enable software systems to communicate and share data, particularly in web applications and cloud services. Their versatility and usability have made them a prominent feature in modern app development, especially for web and mobile applications, making them a prime target for attackers.
Common API vulnerabilities
Hackers can abuse APIs in various ways without any particular tool. With a simple browser, they can carry out the following common types of attacks:
BROKEN OBJECT-LEVEL AUTHORIZATION (BOLA)
In BOLA attacks, users can manipulate API endpoints to access data they should not have access to. This occurs when API requests don’t properly check whether the user is authorized to access a specific object (e.g., retrieving another user’s data by guessing object IDs).
Example:
GET /api/user/1234
If the API doesn’t verify the user’s object ownership (e.g., user ID 1234), attackers can change the ID to access other users’ data.
BROKEN USER AUTHENTICATION
Weak or improperly implemented authentication allows attackers to compromise user identities. This can happen through poorly stored credentials, weak password requirements, or lack of multi-factor authentication (MFA).
EXCESSIVE DATA EXPOSURE
APIs sometimes return more data than necessary, relying on the client to filter it. Attackers can exploit this and access sensitive information in responses. For example, an API might return a user’s full profile, including sensitive information, when only the username is needed.
MASS ASSIGNMENT
Mass assignment occurs when APIs automatically bind user input to internal objects, allowing attackers to modify sensitive fields that developers never intended to expose.
Example: A signup API may inadvertently allow users to assign themselves administrative privileges by submitting extra fields in a POST request.
{
"username": "user1",
"password": "password123",
"isAdmin": true
}
LACK OF RATE LIMITING
APIs without rate limiting allow attackers to send unlimited requests, enabling brute-force attacks, Denial of Service (DoS) attacks, or account enumeration attempts.
http {
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/m;
server {
location /api/ {
limit_req zone=api_limit burst=10 nodelay;
}
}
}
SQL INJECTION AND NoSQL INJECTION
Insecure user input handling allows attackers to inject malicious SQL/NoSQL queries through API endpoints.
Example of an SQL Injection:
GET /api/users?username=admin' OR 1=1 --
The query retrieves all users because 1=1 always evaluates to true.
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
How to prevent common API vulnerabilities
Besides attack-specific best practices, we strongly recommend to implement the following best practices to harden the working environment of your APIs:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com
In addition to these basic practices, we also suggest some advanced security practices that will go a long way in strengthening your app security and users’ data:
Bot exploitation of APIs
Hackers can find exploiting APIs tedious because it’s a trial-and-error process. However, using bots makes this process much faster and more effective. This new trend primarily targets large organizations and can exploit APIs with the following techniques:
CREDENTIAL STUFFING
Operating at a massive scale, bots utilize stolen or leaked credentials to attempt authentication into APIs. This high-volume tactic preys on users who practice password reuse across multiple platforms.
How It Works: Attackers use automated bots to try combinations of username/email and password against login APIs to find valid credentials. Once they are successful, they can take over accounts, steal data, or commit fraud.
Impact:
- Account takeover (ATO)
- Fraudulent transactions
- Data theft
SCRAPING AND DATA HARVESTING
Malicious bots target APIs to extract large amounts of publicly or privately accessible data. This includes scraping for product prices, personal user information, intellectual property, or any valuable data.
How It Works: Bots make numerous API requests, usually at a fast rate, to systematically extract data from a platform. These bots often disguise themselves as legitimate users to avoid detection.
Impact:
- Intellectual property theft
- Loss of competitive edge
- Violation of privacy regulations (e.g., GDPR)
DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS)
Botnets can flood APIs with large requests, overwhelming servers and making them unavailable to legitimate users. In a DDoS attack, a distributed network of compromised machines (botnets) floods the API with traffic from many sources simultaneously.
How It Works: Attackers use networks of bots (botnets) to generate huge volumes of API requests, exhausting server resources like CPU, memory, or bandwidth and causing service outages.
Impact:
- Service disruptions
- Financial losses
- Reputational damage
geo $remote_addr $allowed_country {
default no;
123.456.789.000 yes; # Whitelist IP ranges
}
server {
if ($allowed_country = no) {
return 403;
}
}
INVENTORY HOARDING AND CARDING ATTACKS
Some bots are programmed to abuse eCommerce APIs by hoarding items in carts to create artificial scarcity or complete fraudulent purchases using stolen credit card information. These “inventory hoarding” bots reserve items without completing purchases, while “carding” bots test stolen credit cards by making small transactions through the API.
Impact:
- Reduced availability of products for legitimate users
- Fraudulent transactions
- Increased operational costs due to inventory mismanagement
ABUSING RATE LIMITS
Malicious actors may intentionally exploit misconfigured or absent rate limits to send an excessive number of requests, overwhelming the API backend and degrading other users’ performance.
Impact:
- Resource exhaustion (memory, CPU, bandwidth)
- Degraded API performance
FAKE ACCOUNT CREATION OR ACCOUNT ABUSE
Bots are often used to create fake accounts at scale, which are later used for spamming, phishing, or other malicious activities. This can also involve abusing the sign-up API by creating thousands of accounts in a short period of time.
Impact:
- Flooding systems with fake accounts
- Spam and malicious activities
- Skewing metrics and analytics
Costs vs benefits: the ROI of implementing API security best practices
Implementing best practices for APIs in the development phase can be costly and skew your budget or customer quote. So, is it all worth it?
Yes, it is. The benefits of implementing API security best practices, including defences against bot abuse, far outweigh the costs. These practices protect against immediate threats and enhance long-term operational efficiency, reduce financial risks, and improve customer trust.
Just consider that the average cost of a data breach for large corporations has reached an all-time high of $4.45 million globally, according to IBM’s 2023 Cost of a Data Breach report.
For SMBs, the average data breach cost is significantly higher when factoring in indirect costs such as customer turnover and reputation damage. A good planning number for a medium-sized business facing a modest breach of under 250,000 records is $8 million to $10 million, with about one-third of this cost attributed to lost business due to a damaged reputation.
