General

Attacks on Shadow APIs Loom Large

Shadow APIs (Application Programming Interfaces) are now the biggest threat facing API security today. Analysis of more than 20 billion transactions from the first half of 2022 found 16.7 billion of these were malicious in nature and the majority (5 billion) were against unknown, unmanaged and unprotected APIs, more commonly referred to as Shadow APIs.

Many organisations have Shadow APIs because they’ve been spun-up without the IT team’s knowledge, effectively rendering them invisible to the security team. They’re a common problem if there is no proper inventory in place to monitor quality assurance and development API endpoints or the versioning system. They can also appear when endpoints are coded to accept variables, or wildcard inputs either within the uniform resource identifier (URI) path or at the end. 

Attackers can easily discover API endpoints that will interact with production data. They do this by analysing a production API which they then use to discover Shadow APIs. Even if the production API is well protected, it can still be used to betray its fellow APIs. By fuzzing or modifying the values of the known/protected API, the attacker enumerates through other API endpoints.

Enumerating APIs

Enumeration attacks are easily carried out using automation tools which can speedily run through different sequences. They’ll use a range of criteria, enumerating through different versions, the possibility that they may be listed under different host names, or that they will accept random characters at the end of the URI path, and the information this then yields is akin to giving the tacker the user manual to the API.

Shadow APIs can expose excessive amounts of sensitive data which can be used to carry out a variety of attacks. These range from the relatively slow-paced card testing fraud of stolen credit cards, to brute force credential stuffing campaigns that use compromised usernames/emails and passwords to gain unauthorised access to protected accounts, and high-volume bot attacks against retail websites that allow scalpers to snap up the latest must-have item where demand outstrips supply.

For example, during a recent promotion for a high demand item, a large footwear and apparel retailer detected and mitigated a bot attack that was 50 times higher than normal, with 200 million API requests coming from roughly 6 million unique IP addresses. The assault did not end there, however, because the attackers had done their homework and knew of the existence of a Shadow API.

This shadow API invoked the Apple Pay functionality on the retailers’ platform. To avoid detection for as long as possible, the attackers waited to attack the Shadow API until the last minute, and then as soon as the product launch began, the (Shadow) Apple Pay API was hit with more than 100 million malicious API requests, all from high-quality residential proxies. 

Rise in activity

While Shadow API abuse consistently topped the charts of attacks in the first half of the year, the report reveals that there was a significant surge in April and attacks have continued to rise ever since. The focus has been on high volume content scraping from these APIs which has then be used predominantly for both shopping bot assaults and gift card attacks.

What the rise in assaults against Shadow APIs tells us is that attackers are performing detailed analysis of how each API works, how they interact with each other, and can use that information to harness Shadow APIs, enabling them to rapidly pivot during an attack. At the same time, security teams are walking blind because they’re working with an unknown, unquantified risk. They simply don’t know the size or scale of the problem.

On speaking to a CISO recently, he estimated that the business had 25 APIs on its network when in fact the figure was more than three times that at 109. Without visibility into the API estate, it becomes impossible to assess and protect the these from attack. They slip under the radar which means the risk is then under represented on the risk register and the API infrastructure is then deprived investment, which is why the Forrester Group recently highlighted API security as a priority in its Planning guide 2023: Security and Risk report for 2023.

What can be done?

Research indicates that there’s little doubt that this is a growing problem. The number of Shadow APIs is growing, attackers are probing for them and utilising their functionality in a variety of ways. It’s a problem further fuelled by the fact that automated technology is enabling APIs to be analysed and sensitive data scraped at unprecedented rates.

The high volume of attacks on shadow APIs highlights the obvious – you cannot protect what you cannot see, so maintaining an accurate runtime inventory is key. But part of the problem also comes down to fact that API security has been seen as an extension of web application security. There’s been an emphasis on detecting attacks rather than a unified end-to-end approach.

API security needs to be treated holistically, with a uniform approach that begins with discovering, identifying, and inventorying your API footprint. Once the API estate is known, continuous risk analysis can be performed to uncover and remediate sensitive data, authentication or specification non-conformance related coding errors for production and non- production APIs. This middle phase of the API security journey also incorporates runtime attack detection using behavioural finger printing and countermeasures such as real-time blocking or deception, combined with ongoing testing to ensure risky APIs do not go live.

Therefore, it’s not just a matter of reducing the shadow API footprint but of adopting a much broader approach that seeks to secure these mechanisms throughout their lifecycle.

Print Friendly, PDF & Email
Andy Mills
VP of EMEA at Cequence Security | + posts

Andy Mills is VP of EMEA for Cequence Security and assists organisations with their API protection strategies, from discovery to detection and mitigation. He’s a passionate advocate of the need to secure the entire API lifecycle using a unified approach.

Prior to joining Cequence, he held roles as CRO for a major tax technology provider and was part of the original worldwide team of pioneers that brought Palo Alto Networks, the industry’s leading Next-Generation Firewall, to market.

Andy holds a Bachelor of Science Degree in Electrical and Electronic Engineering from Leeds Beckett University.

 

Andy Mills

Andy Mills is VP of EMEA for Cequence Security and assists organisations with their API protection strategies, from discovery to detection and mitigation. He’s a passionate advocate of the need to secure the entire API lifecycle using a unified approach. Prior to joining Cequence, he held roles as CRO for a major tax technology provider and was part of the original worldwide team of pioneers that brought Palo Alto Networks, the industry’s leading Next-Generation Firewall, to market. Andy holds a Bachelor of Science Degree in Electrical and Electronic Engineering from Leeds Beckett University.  

Leave a Reply

Your email address will not be published. Required fields are marked *