Akamai Report Surfaces Spike in Attacks Against Web Apps and APIs

A report published by Akamai Technologies finds that, in addition to attacking web applications, more cybercriminals are now specifically targeting application programming interfaces (APIs).

Overall, attacks against web applications and APIs grew 137% in 2022, the report found; not surprisingly, local file inclusion (LFI) attacks, which are most widely used for reconnaissance, grew 193% year over year.

However, the report also noted that broken object-level authorization (BOLA) attacks are the top method being employed to compromise APIs. In a BOLA attack the API authenticates the caller but never checks that the caller is entitled to the specific object being requested, so cybercriminals gain access to sensitive data simply by changing the object ID in an otherwise valid request. In effect, they are exploiting a flaw in the application's authorization logic rather than a bug in any one component.
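The pattern described above, as an added example that is not part of Akamai's report or this article: a vulnerable lookup that trusts the ID in the request beside a hardened one that scopes the lookup to the caller, plus a small routine that plays the attacker walking the ID space. The `Invoice`, `Principal` and handler names and the invoice records are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Invoice is the object an API exposes by ID. Sequential IDs are guessable, which is
// what makes a missing ownership check exploitable. The sample data below is constructed.
type Invoice struct {
	ID     int
	Owner  string
	Amount int
}

var invoices = map[int]Invoice{
	1001: {ID: 1001, Owner: "alice", Amount: 120},
	1002: {ID: 1002, Owner: "bob", Amount: 9800},
}

var ErrNotFound = errors.New("not found")

// Principal is the caller as established by the authentication layer (hypothetical type).
type Principal struct{ Account string }

// getInvoiceVulnerable requires a logged-in caller but never asks whether that caller
// owns the object requested: any authenticated user can walk the ID space.
func getInvoiceVulnerable(caller Principal, id int) (Invoice, error) {
	inv, ok := invoices[id]
	if !ok {
		return Invoice{}, ErrNotFound
	}
	return inv, nil
}

// getInvoiceHardened binds the lookup to the caller. An invoice the caller does not own
// is reported exactly like one that does not exist, so the response leaks nothing.
func getInvoiceHardened(caller Principal, id int) (Invoice, error) {
	inv, ok := invoices[id]
	if !ok || inv.Owner != caller.Account {
		return Invoice{}, ErrNotFound
	}
	return inv, nil
}

// enumerate plays the attacker: authenticated as caller, it walks an ID range and
// reports every invoice belonging to someone else that the handler handed back.
func enumerate(handler func(Principal, int) (Invoice, error), caller Principal, from, to int) []string {
	var leaked []string
	for id := from; id <= to; id++ {
		if inv, err := handler(caller, id); err == nil && inv.Owner != caller.Account {
			leaked = append(leaked, fmt.Sprintf("%d:%s", inv.ID, inv.Owner))
		}
	}
	return leaked
}

func main() {
	alice := Principal{Account: "alice"}
	fmt.Println("vulnerable handler leaked:", enumerate(getInvoiceVulnerable, alice, 1000, 1010))
	fmt.Println("hardened handler leaked:  ", enumerate(getInvoiceHardened, alice, 1000, 1010))
}
```

Returning the same "not found" result for a foreign object and for a missing one is a deliberate choice: a distinct "forbidden" answer would confirm to the attacker which IDs exist. The check belongs in the data access path itself, not in a wrapper that is easy to forget on the next endpoint.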

Steve Winterfeld, advisory CISO for Akamai, said that while most cybersecurity teams are familiar with how to protect web applications, it's now apparent that cybercriminals are shifting their focus to APIs, through which they can gain access to sensitive data.

Unfortunately, a general lack of API security expertise is making it simple for cybercriminals to exploit poorly defended APIs, he noted. Too many organizations don’t have an appreciation for the fundamental building blocks of API security, even though they already have guardrails in place for securing web applications, he added.

Akamai's specific recommendations for protecting APIs, which center on how JSON Web Tokens (JWTs) are issued and validated, include:

  • Validate the token's signature with a pre-defined algorithm, rather than the algorithm named in the token's own header, before using any of its claims
  • Use a separate private key for each authentication environment (for example, development, staging and production)
  • Use asymmetric algorithms with long, high-entropy private keys when possible
  • Generate a unique identifier for the kid (key ID) parameter, if it is in use
  • Avoid putting sensitive data in the payload, which is only encoded, not encrypted; save it in a database and reference it by identifier
  • Record and monitor JWT violations (failed validations) so that probing can be detected
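The recommendations above, carried through in one verifier as an added example that is not Akamai's code or part of the original article. It uses only Go's standard library: the algorithm is pinned to ES256 (P-256 ECDSA, an asymmetric scheme) rather than read from the token's header, each environment gets its own key pair and `KeyRing`, the `kid` is derived from a hash of the public key, the claims struct carries identifiers only, and every rejection is recorded on a `Monitor` for alerting. The `KeyRing`, `Monitor`, `generateKey`, `mint` and `verify` names are assumptions made for this example; the `sub` and `exp` claims are standard JWT claim names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var ErrInvalidToken = errors.New("invalid token")
const pinnedAlg = "ES256" // the verifier fixes the algorithm; the token's alg header never selects it

type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}
// Claims holds identifiers only: a JWS payload is base64url-encoded, not encrypted.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
// KeyRing is one environment's trust store (kid -> public key); dev and prod each get their own.
type KeyRing map[string]*ecdsa.PublicKey
// Monitor records every rejected token so that probing can be alerted on.
type Monitor struct{ Violations []string }
func (m *Monitor) reject(reason string) (*Claims, error) {
	m.Violations = append(m.Violations, reason)
	return nil, ErrInvalidToken
}

// generateKey creates a P-256 key pair and derives a unique kid from a hash of its public point.
func generateKey() (*ecdsa.PrivateKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(append(priv.PublicKey.X.Bytes(), priv.PublicKey.Y.Bytes()...))
	return priv, b64.EncodeToString(sum[:8]), nil
}

// mint signs claims as a compact JWS; an ES256 signature is r || s, each left-padded to 32 bytes.
func mint(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: pinnedAlg, Kid: kid})
	p, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verify checks a token against this environment's ring; every rejection is recorded on m.
func verify(ring KeyRing, m *Monitor, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return m.reject("malformed: expected 3 segments")
	}
	var h Header
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return m.reject("malformed header")
	}
	if h.Alg != pinnedAlg { // compare against the pinned value; never dispatch on the header
		return m.reject("alg mismatch: " + h.Alg)
	}
	pub, ok := ring[h.Kid]
	if !ok { // also catches tokens minted with another environment's keys
		return m.reject("unknown kid: " + h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return m.reject("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return m.reject("bad signature for kid " + h.Kid)
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return m.reject("malformed payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return m.reject("expired token for " + c.Sub)
	}
	return &c, nil
}
```

Two points are worth noting. The classic `alg: none` forgery and a token signed with the development key both fail here without any special casing: the first trips the pinned-algorithm comparison, the second is rejected because its `kid` is not in the production ring. And because every rejection goes through `Monitor.reject`, the reasons accumulate as a log that a SIEM rule can count per client, which is what "record and monitor JWT violations" means in practice.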

In general, the overall state of API security should improve as cybersecurity teams collaborate more closely with application development teams that adopt DevSecOps best practices to build and deploy applications and their associated APIs. However, most organizations are still in the early stages of adopting those DevSecOps processes, so the level of security applied to APIs remains inconsistent. In the meantime, cybersecurity professionals, as always, can expect to be held accountable for any breach that does occur.

The primary issue many cybersecurity teams are encountering, of course, is that so many APIs have already been deployed. Even before those APIs can be secured, a significant amount of effort is required just to discover them all. It's not uncommon for developers to have deployed a so-called zombie API: one that is no longer maintained but nevertheless remains reachable and can be manipulated by external threat actors.

Regardless of how an API came into being, however, one thing is certain: cybercriminals are now spending a lot more time and effort finding ways to exploit any and all vulnerabilities, and those vulnerabilities are becoming a lot easier for them to find.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
