This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list. It occurs when an API exposes a business flow without compensating for the harm that functionality could cause if it were used excessively through automation. In this new and prevalent type of API attack, business logic flaws are abused to enable malicious behavior.
To exploit this vulnerability, a bad actor will need to understand the business logic behind the API in question, find sensitive business flows and automate access to these flows in a way that can harm the business.
This issue usually stems from a lack of a holistic view of the API. Understanding which business flow an API endpoint exposes, and how sensitive that flow is, is essential to preventing this vulnerability. An API endpoint is vulnerable to this risk if it exposes a sensitive business flow without appropriately restricting access to it.
Common examples of sensitive business flows, and the risks of excessive access associated with them, include:
This type of attack is notoriously hard to detect and protect against. Attacks in this category derive from a series of requests, in which each individual request is entirely legitimate. The attack can only be detected when looking at the sum of API requests in relation to the specific business logic context behind it.
API attacks that stem from Unrestricted Access to Sensitive Business Flows exploit business logic gaps across all business sectors, and each attack is unique to the environment and business logic it targets.
This type of attack is typically carried out by automated scripts or bots that exploit vulnerabilities or weaknesses in APIs. Some potential impacts of this category of API attack include:
A good example of how an attacker could exploit an Unrestricted Access to Sensitive Business Flows vulnerability would be by booking 90% of the seats on a flight online, taking advantage of the fact that the airline would charge no cancellation fee.
The attacker could then cancel all tickets simultaneously at no expense just a few days before the flight date, forcing the airline to put the tickets back on sale at a discounted price in order to fill the flight. The malicious user would then be able to buy a ticket at a much cheaper price, benefiting from the discount and causing financial damage to the airline.
While this scenario didn’t make the news, sources close to us verify that it did indeed happen!
While WAFs and API gateways often include bot detection capabilities, automated API attacks targeting business logic flaws can employ evasion techniques that mimic human-like behavior, making it difficult to distinguish legitimate users from malicious ones. In addition, these security controls rely on rules and signatures, which lack the business context needed to detect and block automated threats; attackers who employ sophisticated evasion techniques therefore render traditional security solutions ineffective.
To detect and stop this type of attack, an API security solution must be able to detect business logic flaws by analyzing all API traffic and establishing a baseline of typical API behavior over time. Only through this continuous analysis, using AI algorithms tested over a significant period of time, can the API security solution look at the sum of API requests and identify automated attacks that are unique to each API's business logic and each individual environment.
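The point made above, that each request is legitimate on its own and only the aggregate reveals the abuse, can be shown with the flight booking scenario. The following is an added example, not code from the original article or any product it describes; the event format, thresholds and sample log are constructed assumptions.

```python
"""Aggregate-level detection of sensitive-business-flow abuse.
Requests are grouped by actor and business flow (booking and cancelling
seats on one flight); thresholds and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API log: (iso_timestamp, actor, action, flight, seat).
# acct-9 books 9 of 100 seats, then cancels them all three days later
# within a few seconds; acct-2 books a single seat.
SAMPLE_EVENTS = (
    [(f"2024-03-01T10:00:{n:02d}", "acct-9", "book", "FL100", f"{n}A") for n in range(1, 10)]
    + [("2024-03-01T10:01:00", "acct-2", "book", "FL100", "12B")]
    + [(f"2024-03-04T09:00:{n:02d}", "acct-9", "cancel", "FL100", f"{n}A") for n in range(1, 10)]
)


def detect_flow_abuse(events, capacity, max_share=0.05,
                      cancel_window=timedelta(minutes=10), max_cancels=3):
    """Return findings as (actor, flight, reason, count) tuples.

    excessive_booking: one actor held more than max_share of a flight's seats.
    bulk_cancel: one actor cancelled more than max_cancels seats of one flight
    inside cancel_window (the 'cancel everything a few days later' step).
    """
    held = defaultdict(set)      # (actor, flight) -> seats currently held
    peak = defaultdict(int)      # (actor, flight) -> most seats held at once
    cancels = defaultdict(list)  # (actor, flight) -> cancel timestamps
    for ts, actor, action, flight, seat in sorted(events):  # ISO strings sort by time
        key = (actor, flight)
        if action == "book":
            held[key].add(seat)
            peak[key] = max(peak[key], len(held[key]))
        elif action == "cancel" and seat in held[key]:
            held[key].discard(seat)
            cancels[key].append(datetime.fromisoformat(ts))

    findings = []
    for key, n in peak.items():
        if n > max_share * capacity:
            findings.append((*key, "excessive_booking", n))
    for key, times in cancels.items():
        # Sliding window: flag the first window holding too many cancellations.
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start < cancel_window]
            if len(burst) > max_cancels:
                findings.append((*key, "bulk_cancel", len(burst)))
                break
    return findings
```

Run against SAMPLE_EVENTS with capacity=100, acct-9 is flagged for both the 9% seat share and the nine cancellations in one window, while acct-2's single booking produces no finding.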