Most of us already know that the attack surface is widening across today's interconnected software landscape. With so many applications depending on the internet, analyzing incoming web traffic is a productive way to discover and prevent potential risks. Monitoring these requests is becoming more of a priority as attackers probe newer technologies, like API endpoints, which often lack the protection that traditional web front ends have.
Cloudflare recently released interesting data on application security trends. Cloudflare, the company behind the popular reverse proxy, says that 32 million HTTP requests pass through its network every second, and w3tech estimates that its service sits in front of 19.3% of all websites. With such a broad view of web traffic, the metrics produced by Cloudflare's internal systems can be read as a rough benchmark for the web as a whole, with the caveat that they only reflect sites that use Cloudflare and requests its own systems classified.
Below, I'll review data from the latest Cloudflare application security report, which compiles web application security data collected from December 1, 2021 to March 1, 2022. As we'll see, a large share of the traffic hitting web applications comes from non-human actors, including bots and structured data requests to API endpoints, and it can be hard to tell when that traffic is malicious and when it is not. At the same time, HTTP anomalies and SQL injection attacks are becoming increasingly common against API endpoints.
API Attacks Become More Commonplace
First off, Cloudflare noticed a significant uptick in API requests. APIs, or application programming interfaces, have become the standard glue that holds applications together on the web. These backend interfaces are fundamental for linking data and functionality across applications: they sync databases, connect partners, integrate third-party SaaS, and power public-facing open data initiatives. APIs will arguably play an essential role in upcoming metaverse projects as well.
API traffic is now the fastest-growing type of web traffic, accounting for 55% of total requests; Cloudflare reports a 20% rise in API traffic in 2021. API endpoints are also an increasingly popular target, often because of missing or broken authorization controls, among other common vulnerabilities. Web APIs frequently front sensitive information and payment details, which makes them a valuable target for data exfiltration. Accordingly, Cloudflare observes that API endpoints receive a higher share of malicious requests than typical web applications.
Breaking down the types of API attacks, SQL injection (SQLi) is the most common, making up 34.5% of all API attacks. The report surmises that this reflects attackers probing for, and exploiting, vulnerabilities in the backend databases that sit behind API endpoints. Other common API attack types include HTTP anomalies (18.2%), vendor-specific CVE exploitation (14.5%), command injection (14.3%), and XSS (7.3%).
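To make the top category concrete, here is an added example (not code from the Cloudflare report or the article) of the kind of flaw behind those SQLi statistics: an API lookup that splices a request parameter into SQL, shown beside the parameterized version. The in-memory SQLite table, the user rows and the probe payloads are constructed for the demo; the same two probes (a lone quote to trigger an error, then a tautology to dump rows) are what automated scanners send first.

```python
import sqlite3


def setup_db():
    """Constructed demo data: a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # VULNERABLE (deliberately): the request parameter becomes part of the SQL text,
    # so quotes and operators in it are interpreted by the database.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Parameterized: the value travels separately from the statement and can
    # never be parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def leaks_syntax_error(lookup, conn, probe="'"):
    """Scanner's first check: does a lone quote break the query? (True = injectable)."""
    try:
        lookup(conn, probe)
        return False
    except sqlite3.Error:
        return True


# Constructed attacker payloads.
TAUTOLOGY = "' OR '1'='1"      # turns the WHERE clause into "username = '' OR '1'='1'"
COMMENT_OUT = "alice' --"      # closes the literal and comments out the rest of the query

if __name__ == "__main__":
    conn = setup_db()
    for name, lookup in (("vulnerable", lookup_user_vulnerable), ("safe", lookup_user_safe)):
        print(name, "quote probe errors:", leaks_syntax_error(lookup, conn))
        print(name, "tautology returns", len(lookup(conn, TAUTOLOGY)), "rows")
        print(name, "comment probe returns", lookup(conn, COMMENT_OUT))
```

Against the vulnerable function the tautology returns every row and the comment payload returns alice's row; the parameterized function returns nothing for either, because the whole string is compared as a literal username.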
Bot Traffic is Considerable
Much of the traffic on the internet isn't initiated by humans at all; it consists of machine-to-machine connections and automated workflows. Bot traffic now accounts for 38% of all HTTP requests, and 10% of that bot traffic is hitting API endpoints. Some bots, like search engine crawlers, are verified and identify themselves honestly, but much automation is unverified. This includes custom-built scanners, crawlers, and bots built by attackers, which tend to get blocked by web application proxies.
Looking at the more general attack types, HTTP anomalies, such as malformed method names, made up over 50% of blocked requests. This reflects a constant effort by attackers to discover exploitable behaviour by sending unusual HTTP requests: probing undocumented identifiers or paths in the URI to see whether they expose specific fields, or sending undocumented methods to see how the server reacts.
HTTP anomaly detection is therefore essential for a web application. When blocking malformed HTTP requests, such a proxy typically looks for things like:
- A missing User-Agent header
- HTTP requests that don't use the HTTP verb expected for the endpoint, such as GET, POST, or PUT
- Attempts to access a non-standard port
- Invalid UTF-8 encoding
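The four checks above, as an added example written for this page (it is not Cloudflare's code and does not reproduce how their proxy works): a small anomaly checker run over a batch of constructed sample requests. The per-endpoint method allowlist, the route names and the request records are assumptions for the demo. One detail worth noting is the UTF-8 check: percent-decode the request target to raw bytes before validating it, because an escape sequence like %C3%28 looks like harmless ASCII until it is decoded.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Hypothetical per-endpoint allowlist for the demo: route template -> permitted methods.
ALLOWED_METHODS = {
    "/api/v1/users": {"GET", "POST"},
    "/api/v1/users/{id}": {"GET", "PUT", "DELETE"},
}
STANDARD_PORTS = {"http": 80, "https": 443}
_ID_ROUTE = re.compile(r"^/api/v1/users/\d+$")


def route_template(path):
    """Collapse a concrete path onto its route template (demo-only routing)."""
    if _ID_ROUTE.match(path):
        return "/api/v1/users/{id}"
    return path


def http_anomalies(req):
    """Return the list of anomaly labels raised by one request (empty list = clean).

    req: {"method": str, "url": str, "headers": {name: value}, "body": bytes}
    """
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if not headers.get("user-agent", "").strip():
        findings.append("missing_user_agent")

    url = urlsplit(req["url"])
    allowed = ALLOWED_METHODS.get(route_template(url.path))
    if allowed is None:
        findings.append("unknown_endpoint")
    elif req["method"] not in allowed:
        # Covers both "wrong verb for this endpoint" and made-up method names.
        findings.append("unexpected_method")

    # An explicit port must be the scheme's default; anything else is suspicious.
    port = url.port if url.port is not None else STANDARD_PORTS.get(url.scheme)
    if port != STANDARD_PORTS.get(url.scheme):
        findings.append("non_standard_port")

    # Decode percent-escapes to bytes first, then validate strictly as UTF-8.
    target = unquote_to_bytes(url.path + ("?" + url.query if url.query else ""))
    for label, raw in (("invalid_utf8_target", target), ("invalid_utf8_body", req.get("body", b""))):
        try:
            raw.decode("utf-8")
        except UnicodeDecodeError:
            findings.append(label)
    return findings


def scan(requests):
    """Run the checks over a batch; returns [(request_id, findings)]."""
    return [(r["id"], http_anomalies(r)) for r in requests]


# Constructed sample requests (not real traffic).
UA = {"User-Agent": "Mozilla/5.0 (demo)"}
SAMPLE_REQUESTS = [
    {"id": 1, "method": "GET", "url": "https://api.example.com/api/v1/users", "headers": UA, "body": b""},
    {"id": 2, "method": "TRACE", "url": "https://api.example.com/api/v1/users", "headers": {}, "body": b""},
    {"id": 3, "method": "PUT", "url": "https://api.example.com:8443/api/v1/users/42", "headers": UA, "body": b"{}"},
    {"id": 4, "method": "POST", "url": "https://api.example.com/api/v1/users", "headers": UA, "body": b"\xff\xfe{}"},
    {"id": 5, "method": "GET", "url": "https://api.example.com/api/v1/users?q=%C3%28", "headers": UA, "body": b""},
]

if __name__ == "__main__":
    for rid, findings in scan(SAMPLE_REQUESTS):
        print(rid, "clean" if not findings else ", ".join(findings))
```

Request 1 passes every check; the others each trip exactly the anomaly they were built to show (no User-Agent plus an unexpected TRACE, a non-default port, invalid UTF-8 in the body, and invalid UTF-8 hidden behind percent-encoding in the query).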
More than a third of unverified bot HTTP traffic is blocked outright. Beyond HTTP anomalies, the other blocked attack types include software-specific CVE-based attacks (11.8%), information disclosure (10.4%), SQLi (7.0%), and XSS (6.1%).
IP-Based Protection is Outdated
Interestingly, many of the "users" online aren't human at all. Bots and attack automation are routinely used for large-scale reconnaissance against web endpoints. The data above shows the top risks to watch for when exposing services online. To stop malicious HTTP traffic in its tracks, Cloudflare encourages organizations to move away from IP address-based protection, since attackers can easily rotate or mask the addresses they use, and instead adopt a zero-trust posture.
The Cloudflare report is not the only study noticing a rise in API attacks in recent months. Another study, by Salt Labs, found an even sharper increase: the group traced a 681% increase in API attacks over the past 12 months, against a 321% increase in overall API call volume. This traffic can be challenging to spot, since web application firewalls tend to generate many false positives on API requests. Furthermore, large enterprises likely have many shadow APIs, or undocumented integrations, lurking across their portfolios, which makes auditing the potential attack surface murky.
The fact that API endpoints receive a higher share of malicious requests than ordinary web applications confirms that improving your API security posture should be a top priority. To blunt this rise, follow established API security best practices: put an API gateway in front of your services, adopt OAuth 2.0 with a centralized authorization server, handle tokens carefully (validate them on every request and keep them short-lived), and use scopes for access control.
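As an added example (not code from the article, Cloudflare, or any particular gateway product), here is what those last three practices look like at the resource-server or gateway side: every request must carry a bearer token, the token is verified (signature, issuer, audience, expiry) before its claims are trusted, and each route demands a specific OAuth scope. For a self-contained demo the token is a compact JWT signed with HS256 under a secret assumed to be shared with the authorization server; a real deployment would verify with the authorization server's public key (for example RS256 via its JWKS endpoint). The issuer, audience, routes and scopes are assumptions for the demo, and `issue_token` stands in for the (hypothetical) authorization server.

```python
import base64
import hashlib
import hmac
import json
import time

# Demo assumptions: a secret shared with the authorization server, and the
# issuer/audience this resource server is willing to accept.
SHARED_SECRET = b"demo-secret-do-not-use"
EXPECTED_ISSUER = "https://auth.example.com"
EXPECTED_AUDIENCE = "orders-api"

# (method, path) -> scope required. One scope per operation keeps least privilege explicit.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(scopes, ttl=300, now=None, secret=SHARED_SECRET):
    """What the hypothetical authorization server would mint for a client."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123",
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Return the claims if the token is genuine and current; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))  # only parsed after the signature checks out
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authorize(method, path, auth_header, now=None):
    """Gateway-side decision for one request: returns (http_status, reason)."""
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 404, "unknown route"
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth_header[len("Bearer "):], now=now)
    except ValueError as exc:      # covers malformed base64/JSON as well as our own checks
        return 401, str(exc)
    if required not in claims.get("scope", "").split():
        return 403, f"scope {required} required"
    return 200, claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(["orders:read"], now=now)
    print(authorize("GET", "/orders", "Bearer " + token, now=now))    # (200, 'user-123')
    print(authorize("POST", "/orders", "Bearer " + token, now=now))   # (403, ...)
    print(authorize("GET", "/orders", "Bearer " + token, now=now + 600))  # (401, 'expired')
```

The order of checks matters: signature before claims, so nothing in an unsigned or tampered token influences a decision, and a read-only token is refused on the write route with 403 rather than silently granted.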