API6:2023 Unrestricted Access to Sensitive Business Flows
This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list. It occurs when an API exposes a business flow without compensating for how the functionality could cause harm if used excessively through automation. In this new and prevalent type of API attack, business logic flaws are abused to allow malicious behavior.
To exploit this vulnerability, a bad actor will need to understand the business logic behind the API in question, find sensitive business flows and automate access to these flows in a way that can harm the business.
This issue usually stems from a lack of holistic view of an API. Understanding which business flow an API endpoint exposes and how sensitive that business flow is is essential in preventing this vulnerability. An API endpoint is vulnerable to this risk if it exposes a sensitive business flow, without appropriately restricting access to it.
Common examples of sensitive business flows and risk of excessive access associated with them include:
- An attacker can buy all the stock of a high-demand item at once and resell for a higher price.
- A bad actor can create a comment/post flow, spamming a company’s system.
- An attacker can reserve all the available slots for a given service and prevent other users from using the system.
This type of attack is notoriously hard to detect and protect against. Attacks in this category derive from a series of requests, in which each individual request is entirely legitimate. The attack can only be detected when looking at the sum of API requests in relation to the specific business logic context behind it.
API attacks that stem from Unrestricted Access to Sensitive Business Flows exploit business logic gaps across all business sectors, and each attack will be completely unique for each individual environment and each business logic.
Learn what it takes to secure APIs, how to evaluate API security offerings, and the capabilities needed to protect your business.
Download NowPotential Impact of Unrestricted Access to Sensitive Business Flows
This type of attack is typically carried out by automated scripts or bots that exploit vulnerabilities or weaknesses in APIs. Some potential impacts of this category of API attack include:
- Service disruption by overloading the API infrastructure with a high volume of requests, leading to denial-of-service (DoS) or distributed denial-of-service (DDoS).
- Exhausting server resources like CPU, memory, or network bandwidth, negatively impacting the performance and availability of the API and the underlying systems.
- Unauthorized access and data breaches if attackers gain unauthorized access to sensitive data or user accounts.
- Account takeover (ATO), if attackers target authentication and authorization APIs and are able to gain control of user accounts.
Real-life Examples:
Abusing an Airline’s Ticket System
A good example of how an attacker could exploit an Unrestricted Access to Sensitive Business Flows vulnerability would be by booking 90% of the seats on a flight online, taking advantage of the fact that the airline would charge no cancellation fee.
The attacker could then cancel all tickets simultaneously at no expense just a few days before the flight date, forcing the airline to put the tickets back on sale at a discounted price in order to fill the flight. The malicious user would then be able to buy a ticket at a much cheaper price, benefitting from the discounted price and causing financial damage to the airline.
While this scenario didn’t make the news, sources close to us verify that it did indeed happen!
Why Existing Tools Fail to Protect You Against Unrestricted Access to Sensitive Business Flows
While WAFs and API gateways often include bot detection capabilities, automated API attacks targeting business logic flaws can employ evasion techniques to mimic human-like behavior, making it difficult to differentiate between legitimate users and malicious users. Additionally, these security controls rely on rules and signatures that won’t give them enough context to detect and block automated threats where attackers often employ sophisticated techniques to evade detection, rendering traditional security solutions ineffective.
How to Protect Your APIs Unrestricted Access to Sensitive Business Flows Attacks
In order to detect and stop this type of attack, an API security solution must be able to detect business logic flaws by analyzing all API traffic and establishing a baseline of typical API behavior over time. Only through this continuous analysis and using AI algorithms that are tested over a significant period of time, can the API security solution look at the sum of API requests and identify automated attacks that are unique to each API’s business logic and each individual environment.
To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.
