OWASP classification (API6:2023)

According to the OWASP page: API Specific. Exploitability: Easy. Prevalence: Widespread. Detectability: Average. Technical Impact: Moderate. Business Impact: Business Specific. (Note from the OWASP page: a technical impact is generally not expected - the damage is business-specific.)

How the attack works

The attacker first understands the business model behind the API and identifies sensitive business flows. They manually determine which resources (e.g. endpoints) are involved in the target workflow and how they interact.

They then automate access to this flow. Each individual request is legitimate and authenticated, but the volume or speed of execution would be unrealistic for an actual human.

If protection mechanisms are already in place, the attacker looks for ways to bypass them (e.g. distributing requests across many IP addresses and locations). APIs used directly by machines (developer and B2B APIs) are particularly at risk, since they often don't implement all the necessary protection mechanisms.

1. Starting pointSensitive flow without throttling (purchase, booking)
2. AttackExecute automated and at scale (bots)
3. ResultBusiness damage: scalping, sellouts, spam

A permitted flow gets abused through automation.

Example

Scenario (scalping, OWASP Scenario #1): A technology company announces that it will release a new game console with high demand and limited stock for Thanksgiving.

  1. The attacker writes code that automatically carries out the entire purchase process and completes the transaction.
  2. On the day of sale, they run the code distributed across different IP addresses and locations.
  3. The API implements no suitable protection and allows the attacker to buy up most of the stock before legitimate users get a chance.
  4. The attacker then resells the product on another platform at a significantly higher price.

Each individual HTTP purchase request is valid and authorized - what is abused is the business flow, through automated mass use.

Impact

A technical impact is generally not to be expected; the damage hits the business. Examples according to OWASP: legitimate users are prevented from purchasing a product, or there is inflation of a game's internal economy.

Concrete business consequences from the scenarios:

  • Scalping (Scenario #1): buying up the entire stock and reselling it at inflated prices.
  • Price manipulation (Scenario #2): manipulating ticket prices through mass booking followed by simultaneous cancellation.
  • Referral program fraud (Scenario #3): automated mass registration to collect credit - free rides or selling the accounts.

How to protect against it

  • Business level: identify business flows that could harm the business if used excessively.
  • Engineering level: choose suitable protection mechanisms to mitigate the identified business risk.
  • Device fingerprinting: deny service to unexpected client devices (e.g. headless browsers) to make attacks more effortful and expensive.
  • Human detection: use CAPTCHA or more advanced biometric solutions (e.g. typing patterns).
  • Non-human patterns: analyze the user flow for non-human patterns (e.g. 'add to cart' and 'complete purchase' in under a second).
  • Consider blocking IP addresses of Tor exit nodes and known proxies.
  • Secure APIs consumed directly by machines (developer and B2B APIs) and limit their access, since they often don't implement all the necessary protection mechanisms.

Sources

Keep reading