AppSec predictions 2021: Attackers increasingly pivot to APIs

This is the second in a three-part series of AppSec predictions for 2021.  You can read the complete series here.

Every year(ish), I publish our AppSec predictions about three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks. This year our predictions are informed by our augmented Threat Intelligence Service, which is a part of Barracuda Advanced Bot Protection. In short, we have significantly more data informing our conclusions.

Attackers increasingly pivot to APIs from web applications

Most apps are built API-first these days. Building them in this manner helps speed up development, and releases happen much faster. You also get newer forms of applications like Single Page Applications that are built to work with mobile browsers and simulate mobile apps without the need for installing an app.

“By 2021, at least one-third of enterprises will have deployed a multi-experience development platform to support mobile, web, conversational and augmented reality development.”​

Gartner’s API Strategy Maturity Model, Oct 2019​

The one major thing that happens with this type of app is that the actual application is directly exposed to the user. Let’s take a step back and look at how web applications versus API-based applications work. With a web application, you had the browser that was an intermediary. The browser would talk to the application, and the application would perform certain actions based on your request and respond to you via the browser. All the business logic is hidden in the application, and most attacks are well known. With the API-based application, the business logic is directly in the application. It asks for data using the API, and then performs the business logic on the end-client device. When someone intercepts the API traffic, they can then identify the backend server, figure out the logic, and perform various checks to identify holes and attack the system.

What makes APIs even more dangerous is the fact that they provide access to a lot of sensitive information directly. Your banking API may provide access to your social security number or national identification number or date of birth, and an improperly protected API will allow attackers to pull these numbers out in bulk.

“APIs Are The New Storefront, But Security Hasn’t Kept Pace.”

Forrester’s API Insecurity: The Lurking Threat In Your Software, Oct. 2020

As Forrester rightly puts it, APIs are here — but security has not kept pace. This is true of most emerging technologies. With APIs, we see some repeating patterns — lack of rate-limiting, lack of access control and authorization, lack of role-based controls — and most important of all, the public exposure of APIs that are being tested on the internet. This has led to a number of high-profile data breaches in the recent past, like with Airtel, Just Dial, etc.

Rise of the OWASP API Top 10

API attacks are now seen as dangerous enough that there is an OWASP Top 10 for APIs. The new OWASP API Top 10 has some familiar attacks from the web app lists over the years! Old attacks are new again, and in some cases, we don’t seem to have learned from the past. Some of the biggest threats are marked out here, and, for instance, rate limiting is a big one. You see this being a problem across the board. For example, there was a TMobile-Apple API for onboarding new phones two years ago that was not rate-limited. You could have any number of tries to figure out the PIN for a given user.

You also have injection attacks like SQL injection that have been at the top of the web lists for a very long time — and continue to plague API-based applications. The first one, BOLA, caused a big problem when Shopify exposed an API a few years ago without proper authorization controls. They didn’t check for permissions to access revenue data for shops hosted on their platform and ended up exposing the data from a lot of shops publicly.

That said, it is a very good thing that we now have the OWASP API Top 10 because it provides developers with a frame of reference against which to secure their APIs.

"APIs may get blamed when really it’s the app, infrastructure, or user at fault."

Forrester’s API Insecurity: The Lurking Threat In Your Software, Oct. 2020

This is particularly true with APIs. Developers end up exposing things like API keys on public GitHub repositories and then have a surprised Pikachu face when the API gets hacked.

Expect to see many high-profile API breaches (like the recent Parler iOS app breach before the shutdown) this year.

Come back next week for part three in this series. For more on application security, join our experts for an informative panel discussion about current cybersecurity trends, web application security, 2021 technology predictions, and a lot more. This webinar is free and available on-demand:

2021 applications security predictions: Bot, API, and supply chain attacks
Watch the webinar here