The Role of Bots in API Attacks

Written by venkateshsundar | Published 2023/05/09

TL;DR: APIs are the building blocks for modern-day applications and drive composable enterprise models and digital platforms. Currently, the total number of public and private APIs in use globally is estimated to be around 200 million. By design, they offer quick, easy access to data, resources, and functionalities; there is no way that attackers would miss them.

APIs are the building blocks for modern-day applications and drive composable enterprise models and digital platforms. As more organizations realize the importance of API integration, the use of APIs is skyrocketing.

Currently, the total number of public and private APIs in use globally is estimated to be around 200 million. Since APIs are so important and, by design, offer quick, easy access to data, resources, and functionalities, there is no way that attackers would miss them. And since bots are key tools in the attackers’ arsenal, attackers leverage bots to orchestrate API bot attacks.

What exactly are API bot attacks? How do threat actors use bots to attack APIs? How do you protect your APIs from bots? Keep reading to find out.

API Bot Attacks

Let us first understand the basics of bots before delving into what API bot attacks are.

Bots are autonomous programs used for machine-to-machine communication. They can be programmed to perform functions and carry out web requests without human intervention; a bot sends HTTP traffic from an IP address to a target system. Botnets are collections of bots that work together and can leverage several IP addresses. The size of a botnet varies from a few hundred to several thousand IP addresses.

In a bot attack, malicious actors leverage bots to manipulate, defraud, or disrupt a target website, app, end-user, or API. Bot attacks were initially used for spamming targets. But today, they have become much more sophisticated and can carry out complex attacks that closely mimic human behavior.

When these automated programs are leveraged to attack APIs specifically or when attackers leverage bots to increase API attacks' scale, impact, and sophistication, it is an API bot attack.

Why are Bots Used Against APIs?

Programmatic exposure of data, resources, and business logic:

Bots have been used in cyberattacks for ages. But why is it a cause for concern when they are used against APIs? It is because APIs are designed to connect diverse apps, provide programmatic access to data, resources, etc., and enable easy integration and sharing by multiple clients. By their very nature, they expose high-value functionalities and business logic and make resources discoverable. Thus, they increase the risk of exposure to sensitive information.

Lack of visibility:

APIs are attractive targets for bot attacks because organizations lack visibility into their APIs across the lifecycle, and the fact that APIs work behind the scenes doesn’t help either. When you don’t know which APIs exist in your architecture, how will you scrutinize, manage, and protect them? This leaves you with vulnerable, shadow, zombie, rogue, and misconfigured APIs. As a result, they are often less secure than traditional endpoints and increase your risk exponentially.

You have a recipe for disaster when you add bots to this mix. Organizations may not know what APIs exist, who is using them, what resources they have access to, and what business logic they expose. But threat actors leverage bots to map the organization’s IT architecture and snoop around for weak spots in the APIs. Bots actually make the process quick, easy, and agile for attackers.

Bots of today are stealthy:

Bots are used for API attacks also because they can be extremely stealthy and avoid detection by traditional security tools. In fact, the more sophisticated bots of today can also avoid detection by more advanced security tools.

For instance, you may have temporarily tuned your API authentication rules to freeze an account after three failed login attempts. Bots will simply switch to another IP address after two failed attempts in a credential-stuffing attack. Using intelligent automation, they do all this without human intervention, making decisions on the go based on the rules they are programmed with and their learning over time.
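The rotation described above only works against a lockout rule that counts failures per source IP. The following is an added example, not code from the article or from Indusface, that runs the same failed-login counter keyed once per IP and once per account over a constructed authentication log (the log format, the account names and the documentation-range addresses 203.0.113.x and 198.51.100.x are all assumptions for this example). Three attempts against one account spread across three addresses never trip the per-IP counter but do trip the per-account one, and the count of distinct failing addresses per account is itself a usable signal.

```python
# Added example, not code from the article: a failed-login counter keyed per
# source IP beside the same counter keyed per account. The log format and the
# sample lines are constructed for this example; 203.0.113.x and 198.51.100.x
# are documentation address ranges.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-05-09T10:00:01Z 203.0.113.10 alice FAIL
2023-05-09T10:00:02Z 203.0.113.10 alice FAIL
2023-05-09T10:00:03Z 203.0.113.11 alice FAIL
2023-05-09T10:00:04Z 203.0.113.11 alice FAIL
2023-05-09T10:00:05Z 203.0.113.12 alice FAIL
2023-05-09T10:00:06Z 203.0.113.12 alice OK
2023-05-09T10:00:07Z 198.51.100.5 bob FAIL
2023-05-09T10:00:09Z 198.51.100.5 bob OK
"""


def parse_log(text):
    """Parse 'timestamp ip account result' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account,
            "failed": result == "FAIL",
        })
    return events


def lockouts(events, key, threshold=3, window=timedelta(minutes=5)):
    """Return the set of keys (IPs when key='ip', accounts when key='account')
    that accumulate `threshold` failures inside `window`. A successful login
    clears that key's counter, as most lockout rules do."""
    recent = defaultdict(list)  # key -> timestamps of recent failures
    tripped = set()
    for ev in events:
        k = ev[key]
        if not ev["failed"]:
            recent[k].clear()
            continue
        # drop failures that fell out of the sliding window
        recent[k] = [t for t in recent[k] if ev["ts"] - t <= window]
        recent[k].append(ev["ts"])
        if len(recent[k]) >= threshold:
            tripped.add(k)
    return tripped


def failing_ips_per_account(events):
    """Count distinct source IPs that failed against each account: one account
    failing from many addresses is the IP-rotation signature itself."""
    ips = defaultdict(set)
    for ev in events:
        if ev["failed"]:
            ips[ev["account"]].add(ev["ip"])
    return {account: len(s) for account, s in ips.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:     ", lockouts(events, "ip"))       # set()
    print("per-account lockouts:", lockouts(events, "account"))  # {'alice'}
    print("failing IPs/account: ", failing_ips_per_account(events))
```

In practice the per-account counter is the one that should drive the freeze, and the distinct-IP count is the one that should drive an alert: a legitimate user who mistypes a password does so from one address, not three in five seconds.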

Bots are used as smokescreens for other attacks:

API bot attacks are often used as distractions or smokescreens by attackers looking to orchestrate other kinds of API abuse. For instance, attackers may leverage botnets to trigger thousands of security alerts for security teams to follow up. But their intention is to enumerate IDs while security teams investigate the security alerts.

Threat actors leverage bots to attack APIs because they offer unmatched speed, flexibility, and agility. For instance, credential stuffing or brute force attacks cannot be mounted manually without tripping the security defenses. But bots make brute forcing and credential stuffing quick, easy, and scalable.

Here is another example of how bots help attackers target APIs. Attackers could send large volumes of API requests to an endpoint without authentication and gather large volumes of data within a short time.

Traditional tools are ineffective against modern-day bots:

Traditional security tools are found wanting even against regular bot attacks, and they are even less effective at stopping API bot attacks because they aren’t designed specifically for APIs. Firstly, traditional tools cannot effectively distinguish between bot and human activity, or between good and bad bot activity. This severely limits their ability to protect APIs against bot-based attacks.

Secondly, because bots leave fewer clues and APIs collect fewer details, traditional tools can’t effectively decide whether an API call is malicious or legitimate. Essentially, bots request the same data through the API as they would in browser-based attacks.

The difference is that API bot attacks give no information about browser version, cookies, device type, etc., which traditional tools rely on to detect bot activity. Since API attacks involve no browser or physical device, bots can rotate their attack infrastructure, move between different clouds, rotate IP addresses, use proxy networks, and do much more to throw off traditional defenses.

Business Logic Flaws:

Developers tend to use generic rulesets and leave APIs with default configurations without considering the business logic. This creates business logic flaws bots can leverage to wreak havoc while evading detection through seemingly legitimate API requests.

Bot attacks on APIs are easier to mount:

Bot attacks on APIs are much easier and more cost-effective to orchestrate than bot attacks on mobile and web applications. While different apps need different approaches and bot capabilities, attackers can use the same infrastructure and attack mechanism for direct and web APIs. Plus, APIs enable attackers to get closer access to the core IT infrastructure and critical assets.

Further, bots, botnets, and attack toolkits are readily available for hire and often at low prices. So, attackers don’t need too many resources or deep technical knowledge to mount API bot attacks.

In What Ways Are Bots Used in API Attacks?

  1. Reconnaissance: Attackers leverage bots and botnets to unearth vulnerable API endpoints, test detection thresholds, map the attack surface, etc.

  2. Attacks: Bots and botnets are used to attack APIs. Some common API bot attacks are credential stuffing, brute force attacks, content scraping attacks, injections, etc.

  3. Evasion: In API-based attacks, bots and botnets are also leveraged by attackers to evade security defenses through their stealthy behavior or by creating distractions.

API Bot Mitigation: 5 Effective Ways

  • Collect intelligence and build a baseline for the normal behavior of bots with respect to your APIs.
  • Monitor all incoming API requests to unearth and stop anomalous behavior right at the reconnaissance stage.
  • The security tool deployed should be able to allow, block, flag or challenge incoming traffic intelligently on a case-by-case basis without much human intervention.
  • Leverage behavioral and pattern analysis, workflow validation, and fingerprinting to differentiate between human, good, and bad bot activity effectively.
  • Keep scanning, testing, and monitoring your APIs for misconfigurations, vulnerabilities, and business logic flaws.
  • Strengthen access controls and authentication mechanisms with zero-trust policies.
  • Always customize API rulesets.
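The first four items above (build a baseline, monitor every request, decide per request, use behavioral and pattern analysis) come together in a small detector. The following is an added example, not code from the article or from Indusface: it learns a per-client, per-minute request-rate baseline from constructed "normal" API access logs, then scores a later window for three behaviors the article attributes to bots: volume far above the client's baseline, sequential object-ID enumeration, and unauthenticated bulk reads. The log format, client names (app-a, app-b, app-c), paths and thresholds are all assumptions for this example.

```python
# Added example, not code from the article: learn a per-client request-rate
# baseline from constructed "normal" access logs, then score a later window
# for bot-like behaviour (excess volume, sequential-ID enumeration and
# unauthenticated bulk reads). Log format, clients and paths are constructed.
import math
import re
from collections import defaultdict

BASELINE_LOG = """\
m1 app-a auth GET /v1/orders/1042
m1 app-a auth GET /v1/orders/1042/items
m1 app-b auth GET /v1/orders/2210
m2 app-a auth GET /v1/orders/1078
m2 app-a auth POST /v1/orders
m2 app-b auth GET /v1/orders/2210
m3 app-a auth GET /v1/orders/1099
m3 app-b auth GET /v1/orders/2231
m3 app-b auth GET /v1/orders/2231/items
"""

ID_SEGMENT = re.compile(r"/(\d+)(?:/|$)")  # first all-digit path segment


def parse_log(text):
    """Parse 'minute client auth|anon METHOD path' lines into event dicts."""
    events = []
    for line in text.splitlines():
        minute, client, auth, method, path = line.split()
        m = ID_SEGMENT.search(path)
        events.append({"minute": minute, "client": client,
                       "authed": auth == "auth", "method": method,
                       "path": path, "obj_id": int(m.group(1)) if m else None})
    return events


def build_suspect_log():
    """Constructed later window: app-c walks order IDs 1..40 with no
    credentials while app-a keeps to its usual couple of requests."""
    lines = [f"m9 app-c anon GET /v1/orders/{i}" for i in range(1, 41)]
    lines += ["m9 app-a auth GET /v1/orders/1103",
              "m9 app-a auth GET /v1/orders/1104"]
    return "\n".join(lines)


def group_by_client_minute(events):
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["client"], ev["minute"])].append(ev)
    return groups


def learn_baseline(events):
    """Mean and standard deviation of requests per client per minute."""
    values = [len(g) for g in group_by_client_minute(events).values()]
    mean = sum(values) / len(values)
    std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
    return mean, std


def longest_sequential_run(events):
    """Longest run of object IDs where each ID is the previous one plus one."""
    best = run = 0
    prev = None
    for ev in events:
        if ev["obj_id"] is None:
            continue
        run = run + 1 if prev is not None and ev["obj_id"] == prev + 1 else 1
        prev = ev["obj_id"]
        best = max(best, run)
    return best


def score_window(window_events, baseline, z_threshold=3.0, min_run=10, bulk=20):
    """Per (client, minute): count, z-score against the baseline, longest
    sequential-ID run, unauthenticated fraction and the flags raised."""
    mean, std = baseline
    std = std or 1.0  # guard against a perfectly flat baseline
    findings = {}
    for key, evs in group_by_client_minute(window_events).items():
        count = len(evs)
        z = (count - mean) / std
        run = longest_sequential_run(evs)
        anon = sum(not ev["authed"] for ev in evs) / count
        flags = set()
        if z > z_threshold:
            flags.add("volume")
        if run >= min_run:
            flags.add("enumeration")
        if anon > 0.5 and count >= bulk:
            flags.add("unauthenticated_bulk")
        findings[key] = {"count": count, "z": round(z, 1), "run": run,
                         "anon_fraction": anon, "flags": flags}
    return findings


def analyze(baseline_text=BASELINE_LOG, window_text=None):
    window_text = build_suspect_log() if window_text is None else window_text
    return score_window(parse_log(window_text),
                        learn_baseline(parse_log(parse_log and baseline_text)))


if __name__ == "__main__":
    for key, finding in analyze().items():
        print(key, finding)
```

The three flags map onto three of the list items: "volume" is the baseline comparison, "enumeration" is pattern analysis over request sequences, and "unauthenticated_bulk" is the access-control check. Each flag is independent, so a client that walks IDs slowly enough to stay inside its volume baseline is still caught by the run length, and the decision (allow, flag, challenge or block) can be taken per request rather than per alert.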


Written by venkateshsundar | Founder and CTO at Indusface, who built the new-age Web application Scanner and Cloud WAF.
Published by HackerNoon on 2023/05/09