What is API Abuse?

Harold Bell

Key Takeaway

API abuse, a consequence of the openness of APIs, encompasses various malicious activities such as injection attacks, denial-of-service attacks, and data scraping. It poses significant risks to businesses, such as data breaches, reputational damage, and system outages. API abuse can be prevented through security solutions and API management, including checking configurations, enforcing usage policies, implementing authentication solutions, and monitoring for anomalies.

Modern application programming interfaces (APIs) offer a great example of the law of unintended consequences. With their openness and ability to offer nearly universal connectivity between applications and data sources, they have transformed IT and the businesses that deploy them. However, that same openness also makes APIs ripe targets for abuse. This article explores the nature of API abuse and offers some solutions to address this most serious security problem.

What is API abuse?

API abuse, like most forms of hacking, involves making APIs do things they were not intended to do. When a developer creates an API, it will have a legitimate purpose, such as enabling API clients with proper permission to invoke the API to receive the data it represents. Pretty much any other use of that API could be considered abuse.

API abuse takes many forms, but it mostly involves either disrupting the API, gaining improper access to it, or changing the API or its clients for malicious purposes. Some API abuse exploits API security vulnerabilities, such as those caused by misconfiguration or poor version control. It is also possible, however, to abuse an API through otherwise legitimate means.

Types of API abuse

An attacker can abuse an API through a wide variety of techniques. The most common, though, are injection attacks, data scraping, Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), exploiting vulnerabilities, and denial of service (DoS) attacks.

  • Injection Attacks—A method of extracting unauthorized information from an API by submitting a query designed to “trick” the API. SQL injections are a common variant of this threat. They use malicious code in a SQL request to the API to get improper access to a SQL database. In addition to stealing data, a SQL injection can also damage or delete data.
  • Data Scraping—The process of requesting data from an API using legitimate API requests but repeating the process so often that the attacker can amass a large amount of data. In some cases, like the notorious abuse of the Facebook API by the Cambridge Analytica firm, the attacker was able to get millions of user profiles without breaking any of Facebook’s security policies.
  • Denial-of-Service Attacks—The overloading of an API with traffic to the point where it can no longer function. In a DoS attack, the attacker almost always achieves this outcome by creating bots and distributing them to different geographic regions. From there, they can send an overwhelming volume of traffic to the target. In an API DoS attack, the bots are API clients that hit the target API with more requests than it can handle.
  • Exploitation of API Vulnerabilities—A mode of attack that takes advantage of any number of security weaknesses present in an API. For example, it could be misconfigured, which makes it vulnerable to injection or DoS attacks. Or, an API could have a broken user authentication process, so an attacker can easily access it. An API might even become vulnerable through abandonment, which sometimes happens by accident. Unwatched, the abandoned “zombie” API provides attackers with an unknown and unmonitored backdoor into data.
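To make the SQL injection entry above concrete, here is an added example (not code from the article or from Noname Security) showing a lookup that builds its SQL by string concatenation beside the parameterized form that defends against it. The table, rows, and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; sample data, not from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the client-supplied value is pasted into the SQL text.

    A quote character in `name` ends the literal and the rest of the input
    is parsed as SQL, so the WHERE clause no longer means what the developer
    intended.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Hardened: a parameterized query sends the value separately from the SQL.

    The driver binds `name` as data only, so quotes inside it are compared
    literally and never change the structure of the statement.
    """
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```

Feeding the same crafted string to both functions shows the difference: the concatenated query returns every row, while the parameterized query returns none because no user is literally named that.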

In some cases, API abuse is entirely unintentional. The API is functioning securely, but it becomes so popular that it slows down or suffers from frequent outages. This can lead to operational and reputational problems for the business that created the API.

Consequences of API abuse

The consequences of API abuse are comparable to the negative impacts one suffers from cyber attacks in general. An abused API can result in a data breach or malicious destruction of data. It can lead to compliance problems, such as when an API attack causes a violation of consumer privacy laws. DoS attacks can cause system outages that affect other areas of IT and the business as a whole.

API abuse also has consequences for the APIs themselves and the people who are responsible for them. Abuse incidents are embarrassing and stressful to handle. They are a distraction, and could easily affect the careers of the people who were responsible for preventing them. Remediation requires money, which can starve other projects of resources.

More broadly, API abuse can negatively affect an entire business. Given that APIs are often the core of a digital transformation initiative, problems with availability and security will diminish the transformation’s potential. And, once a transformation project’s reputation is tarnished, it can be difficult to reestablish its good name.

How to prevent API abuse

It is possible to mitigate the risk of API abuse to a great extent, and it’s not even that difficult if one has the right tools. Most API management and security solutions provide countermeasures that prevent the types of attacks described above. For example, API owners can block many forms of DoS attacks by enforcing a rate limiting policy, which restricts the number of API calls an API will handle from a single IP address.

Best practices to prevent API abuse include:

  • Managing and inventorying APIs — to avoid abuse of zombie APIs
  • Checking API configurations — with the goal of reducing abuse of misconfigured APIs
  • Establishing and enforcing API usage policies — to reduce data scraping and other damaging, though technically permitted, uses of APIs
  • Using a modern authentication solution that integrates with identity and access management (IAM) systems — with the goal of preventing unauthorized users from abusing APIs
  • Implementing technologies that can detect bots, e.g., rate limiting and similar policies that block DoS attacks
  • Monitoring APIs for performance issues and anomalies, e.g., tracking the usage and paths taken by API calls to find anomalies
  • Encrypting API traffic — with the goal of protecting the API from malicious login attempts and reverse engineering
  • Scanning API requests for malicious code — to prevent injection attacks
  • Validating inputs in an API call against a specification — which defends against injection attacks
  • Creating failover instances and clusters — to improve reliability and reduce the impact of a DoS attack or “friendly” API overload
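Two of the countermeasures above, the per-client rate limit described for DoS attacks and validation of inputs against a specification, can be combined in a single request gate. The following is an added example, not code from the article or from Noname Security; the endpoint specification, field names, client addresses, and status codes are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

# Constructed specification for one endpoint (an assumption, not from the
# article): field name -> (required Python type, max length for strings).
ORDER_SPEC = {"order_id": (int, None), "note": (str, 200)}


def validate_against_spec(payload, spec=ORDER_SPEC):
    """Return a list of violations; an empty list means the payload conforms."""
    problems = []
    for key in payload:                      # reject fields the spec does not know
        if key not in spec:
            problems.append(f"unexpected field: {key}")
    for key, (typ, max_len) in spec.items():
        if key not in payload:
            problems.append(f"missing field: {key}")
        elif type(payload[key]) is not typ:  # 'is not' so a bool is not accepted as int
            problems.append(f"wrong type for {key}")
        elif max_len is not None and len(payload[key]) > max_len:
            problems.append(f"{key} exceeds {max_len} chars")
    return problems


class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds per client key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)      # client key -> timestamps of recent calls

    def allow(self, client_key):
        now = self.clock()
        recent = self.calls[client_key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop calls that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def handle_request(limiter, client_ip, payload):
    """Apply the rate limit first, then the schema check; return (status, message)."""
    if not limiter.allow(client_ip):
        return 429, "rate limit exceeded"
    problems = validate_against_spec(payload)
    if problems:
        return 400, "; ".join(problems)
    return 200, "ok"
```

The limiter takes an injectable clock so the window behaviour can be exercised deterministically; in production the default monotonic clock is used, and the client key would normally be an authenticated identity rather than only a source IP.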

Conclusion

APIs are vulnerable to abuse. Their openness and ability to interoperate almost universally make them a great target. Abuse can take the form of DoS attacks, injection attacks, and data scraping. Countermeasures are readily available, however. They include implementing controls over API access, rate limiting, and input validation. API abuse is a serious problem, but it is one that can be solved.

Harold Bell

Harold Bell was the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.
