Rise in API attacks in 2023

The State of API Security in 2024 Report highlights how APIs and their increased usage are significantly changing the threat landscape. In 2023, the number of API-targeted attacks rose significantly.

  • 1 month ago Posted in

Attacks targeting the business logic of APIs constituted 27% of attacks in 2023, a growth of 10% since the previous year. Account Takeover (ATO) attacks targeting APIs also increased from 35% in 2022 to 46% in 2023. 

Based on data from Imperva Research Labs and Imperva API Security expertise, the report also provides insights into common API security challenges and offers practical API security recommendations for the year ahead.

API traffic is outgrowing web traffic

Application Programming Interfaces (APIs) play such a pivotal role in application modernization that API-related traffic is outgrowing normal web traffic. According to the report, API traffic constituted over 71% of web traffic last year. There are many benefits of APIs—facilitating seamless connectivity, enhancing online experiences, and driving innovation—but their widespread adoption is presenting organizations with a whole new range of security challenges that they’re not always equipped to deal with.

API Calls and Automation – A Recipe for Abuse

The report reveals that the average number of API calls to enterprise sites is 1.5 Billion.  High volumes of non-human automated traffic are undeniably linked to a rise in automated attacks on APIs and calls for robust security measures to defend against attacks by bad bots and other automated attacks, such as Distributed Denial of Services (DDoS) attacks and Account Takeover (ATO). 46% of all Account Takeover attacks targeted API endpoints. Attackers are becoming more savvy in their strategies too, with 28% of all DDoS attacks on APIs targeting financial services organizations, the top targeted industry for this type of attack.

As organizations grow more dependent on APIs, it has never been more critical to fully understand the risks that APIs can introduce to your application infrastructure. The State of API Security in 2024 Report unravels the top challenges, spotlighting key issues like Shadow APIs, Business Logic Abuse, Data Leakage, and a concerning API Security skill shortage.

Discovery, A Crucial First Step

The report recognizes an urgent need for organizations to have visibility into their API ecosystems to enable meticulous identification of every API. API Discovery emerges as a crucial initial step in establishing a robust API security posture. Leveraging advanced techniques and machine learning, our analysis has uncovered an average of 613 APIs per organization, highlighting potential risks such as deprecated endpoints and Broken Object Level Authorization (BOLA), recognized as one of the OWASP Top 10 API Security Risks in 2023.

Automated Attacks and Business Logic Abuse

Automated attacks constitute a significant threat to APIs due to their fundamental makeup which is, by design, oriented towards automation and agnostic to human intervention. Attackers are increasingly leveraging automated attacks, or bad bots, to target API business logic or the core functionality of the API. By mimicking regular automated API traffic, attacks go undetected, enabling threat actors to carry out their malicious activities uninterrupted. In 2023 a staggering 27% of all API attacks targeted business logic.

Traditional Security Measures Alone Cannot Detect API Abuse

Traditional security tools, like a Web Application Firewall (WAF), struggle to detect and mitigate this form of abuse, as API attacks adeptly masquerade as regular traffic. So while APIs bring welcome enhancements to digital services and online experiences, they have also introduced a new type of security challenge that isn’t as easy to detect and block as the type of attacks we have been used to.

Protection Against Bad Bots: A Critical Step

The Imperva Threat Research team uncovered a growing correlation between API abuse and malicious bots, emphasizing an urgent need for heightened visibility into API infrastructures. This visibility is vital to enable a comprehensive assessment and the implementation of the necessary security solutions, such as Imperva Advanced Bot Protection and API risk assessment tools.

A Comprehensive Approach to API Security

The Report examines the myriad challenges and vulnerabilities organizations face in securing their API infrastructure, reinforcing the paramount importance of a comprehensive API Security strategy, combining Web Application Firewall (WAF) and API Discovery with Advanced Bot Protection and advanced API Security measures, including risk assessment, anomaly detection, and mitigation. advocating for an integrated approach crucial for ensuring the robust protection of APIs.

By Ciaran Luttrell, Head of Security Operations Centre EMEA, eSentire.
By Jon Lucas, co-founder and director of Hyve Managed Hosting.
By Emmanuel Routier, VP Smart Industries, Orange Business.
By Niall McConachie, regional director (UK & Ireland) at Yubico.
By Karl Mattson, Field CISO at Noname Security.
By Frank Catucci, CTO and Head of Security Research, Invicti Security.
By Jim Downey, Senior Product Marketing Manager, F5.