
Attacks on APIs are exposing vulnerabilities in enterprise security

Many companies today rely on APIs, designed as simple, fast communication channels between different platforms. Cybercriminals have identified them as an attack vector and use them frequently to carry out their misdeeds online. This is reflected in Akamai's report API: The Attack Surface That Connects Us All, which points out that the priority given to APIs for their ease of use, which has made them essential to many companies, has also made them a target for attackers, and that it is a mistake to assume they are secure. In fact, according to the consultancy Gartner, APIs will be the most frequent attack vector by 2022.

Spring Boot is a popular, API-dependent framework for web application development. Akamai tested 5,000 Spring Boot web apps and found that every one of them had at least one vulnerability. Around 86% of the detected vulnerabilities allowed attackers to inject malicious code into data or falsify connection details; 68% released resources before they were available for reuse; and 47% contained passwords that could not be changed (hard-coded credentials).

Akamai also found that API calls account for 83% of web traffic, and that most API traffic comes from custom applications, a result of digital transformation and cloud-based application deployment. API security, however, is relegated to a secondary position when applications are brought to market, and many organizations rely on conventional network security solutions to protect them, even though those solutions were not designed to cover the broader attack surface that APIs expose.

For the report, Akamai reviewed 18 months of attack traffic, from January 2020 to June 2021, and found more than 11 billion attack attempts. SQL injection remained the most frequent attack, with 6.2 billion recorded attempts, followed by Local File Inclusion with 3.3 billion, and Cross-Site Scripting (XSS) in third place with 1.019 billion attempts. SQLi and LFI together account for 88.7% of the web attacks observed.
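The two attack classes the report ranks first and second, SQL injection and Local File Inclusion, as an added example that is not from the article or the Akamai report: each is shown as a vulnerable handler beside its hardened form. The in-memory users table, the document directory and the payloads are all constructed for the demo.

```python
"""Added example (not from the Akamai report or the article): SQL injection
and Local File Inclusion, vulnerable handler beside hardened handler.
All data (users table, document directory, payloads) is constructed here."""
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, one of them an admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String-built query: attacker-controlled `name` becomes SQL syntax.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: `name` is bound as data and never parsed as SQL.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- LFI / path traversal -------------------------------------------------

def read_doc_vulnerable(docroot: str, requested: str) -> str:
    # os.path.join happily follows '../' (or an absolute path) out of docroot.
    with open(os.path.join(docroot, requested), encoding="utf-8") as fh:
        return fh.read()


def read_doc_safe(docroot: str, requested: str) -> str:
    # Resolve symlinks and '..' first, then require the result to stay inside docroot.
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Run both attacks against both handlers; returns a summary dict."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology injection
    results = {
        "sqli_vulnerable_rows": len(lookup_user_vulnerable(conn, payload)),
        "sqli_safe_rows": len(lookup_user_safe(conn, payload)),
    }

    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("public document")
        # Constructed "secret" that lives outside the document root.
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("SECRET")
        traversal = "../secret.txt"
        results["lfi_vulnerable_read"] = read_doc_vulnerable(docroot, traversal)
        try:
            read_doc_safe(docroot, traversal)
            results["lfi_safe_blocked"] = False
        except PermissionError:
            results["lfi_safe_blocked"] = True
        results["lfi_safe_normal_read"] = read_doc_safe(docroot, "readme.txt")
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tautology payload while the parameterised one returns none; the vulnerable file read hands back the secret outside the document root while the hardened one rejects the traversal and still serves the legitimate file.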

Credential stuffing attacks tracked between January 2020 and June 2021 remained stable, with one-day peaks of 1 billion attacks recorded in January 2021 and May 2021. The United States was the most targeted country during the period, with six times more attack traffic than the United Kingdom, which came second. The United States also topped the list of attack sources, with four times more traffic than Russia, in second place.

The report also states that DDoS attack traffic has remained steady so far in 2021, with peaks in the first quarter. In January, Akamai logged 190 DDoS events in a single day, followed by 183 on another day in March.

Steve Ragan, Akamai Security Researcher, notes that “From broken authentication and injection failures to simple configuration failures, there are numerous API security concerns for anyone developing an Internet-connected application. API attacks, on the one hand, go unnoticed in terms of detection, and when they are detected, they are not communicated enough. While DDoS and ransomware attacks get a lot of prominence, those targeting APIs don’t get the same level of attention, largely because criminals find using APIs less cumbersome than a well-executed ransomware attack, but that doesn’t mean you have to ignore them.”

Part of the problem is that APIs are often hidden inside mobile apps, which leads to the belief that they are safe from tampering: developers assume that users will only interact with the API through the mobile app's user interface. According to the report, that is not the case.
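The failure mode described above, as an added example that is not from the article or the Akamai report: a mobile backend endpoint that trusts the account id the app sends because "only our app calls it", beside a version that derives the account from the bearer token and refuses a body naming someone else's object. The tokens, accounts and request shape are constructed for the demo.

```python
"""Added example (not from the article or the Akamai report): an API behind
a mobile app that trusts client-supplied identifiers, beside the hardened
form. Sessions, accounts and the request format are constructed here."""
from dataclasses import dataclass

# Constructed data: an opaque session token per user, and each user's account.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}
ACCOUNTS = {
    1: {"owner": "alice", "balance": 100},
    2: {"owner": "bob", "balance": 5},
}


@dataclass
class Request:
    """What the server actually sees: headers plus JSON body, regardless of
    whether the app's UI or curl with a hand-crafted body produced it."""
    headers: dict
    body: dict


def authenticate(req: Request) -> int:
    """Map the bearer token to a user id, or reject."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ")
    if token not in SESSIONS:
        raise PermissionError("invalid token")
    return SESSIONS[token]


def get_account_vulnerable(req: Request) -> dict:
    # Authenticated, but authorises nothing: the app always sends its own
    # account_id, so the developer assumed the body could be trusted.
    authenticate(req)
    return ACCOUNTS[req.body["account_id"]]


def get_account_safe(req: Request) -> dict:
    # Identity comes from the token; a body that names another account is refused.
    uid = authenticate(req)
    requested = req.body.get("account_id", uid)
    if requested != uid:
        raise PermissionError("not your account")
    return ACCOUNTS[uid]


def bob_reads_alice(handler) -> str:
    """Simulate Bob bypassing the mobile UI and posting Alice's id directly.
    Returns the owner of the account he got back, or 'denied'."""
    forged = Request(
        headers={"Authorization": "Bearer tok-bob"},
        body={"account_id": 1},
    )
    try:
        return handler(forged)["owner"]
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print("vulnerable:", bob_reads_alice(get_account_vulnerable))  # alice
    print("safe:", bob_reads_alice(get_account_safe))              # denied
```

The point is that the mobile UI is not a security boundary: anything the app can send, an attacker with the same token can send with different values, so object-level authorization has to be enforced on the server from the authenticated identity, never from fields in the request body.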
