Business logic attacks escalating

A new warning from Imperva says organisations must address a growing risk domain: attacks targeting an application’s business logic.

The security firm found that in 2022, 17% of attacks on application programming interfaces (APIs) — the underpinning of digital modernisation -— came from ‘bad bots’ or automated traffic abusing business logic vulnerabilities.

Business logic is the backbone of any application, dictating how it operates and interacts with users and other systems. Business logic attacks (BLA) are a type of cyber attack where cybercriminals exploit an application’s intended functionality and processes rather than its technical vulnerabilities.

Business logic vulnerabilities are highly specific to individual applications and APIs. Using a traditional WAF to apply generic security rules based on common signatures to broadly stop these attacks is largely ineffective, as there isn’t a common attack pattern to monitor.

Complicating matters, an application without a business logic vulnerability today may become vulnerable in subsequent software releases. This is typically due to the application’s capabilities and functionality extending beyond what developers and designers originally scoped, adding unforeseen complexity.

As more organisations in Asia–Pacific automate and connect their services with other firms to enhance their usefulness and user experience, attacks that target the inherent business logic behind these digital connections are an insidious hazard that can no longer be ignored.

There are three common ways business logic is exploited:

1. ​​Function misuse: Within an application, legitimate functions are leveraged to perform malicious actions, such as issuing escalated privileges or granting access to unauthorised data.
2. Security controls bypass: Alters the flow of an application to bypass security controls or engage in unauthorised actions.
3. Cross-user data leakage: Exploits the input to an API to access data belonging to other users. This is difficult to prevent and can be highly lucrative for attackers who are looking to exfiltrate sensitive information.

Businesses must implement proactive safeguards to combat BLAs because such attacks cause financial loss, damage reputation and erode customer trust. Bad actors can identify and exploit poorly validated application business logic, gain unauthorised access to critical data and tamper with application functions to cause disruptions to operations without triggering security alerts. In some instances, the damage caused by these attacks cannot be mitigated.

“Today, most reconnaissance by attackers is automated. This allows them to swiftly cover extensive ground and sweep application environments for the markers they are looking for,” said Reinhart Hansen, Director of Technology, Office of the CTO, Imperva.

“Most attacks are automated, and many of them target the business logic exposed by an API endpoint. APIs and API-driven applications are critical business enablers for all online enterprises.

“Traditional signature-based defences aren’t enough to stop these targeted attacks. What’s required is a fundamental shift in both mindset and security strategy to protect businesses more effectively. Organisations need a multi-layered approach that scans for vulnerabilities, monitors behaviours and protects websites, applications and APIs from BLA activities. Adding bot management and API security to existing WAF deployments is imperative for effectively identifying automated attack activity, even when it does not conform to known attack signatures,” Hansen said.

Here are a few steps organisations can take to tackle BLAs:

• Understand their business logic. Firms must understand their applications’ workflows, processes and expected user behaviour to identify potential weaknesses and vulnerabilities. Even after application code is put into production, tools like runtime application self-protection (RASP) and interactive application security testing (IAST) can help identify potential business logic weaknesses and vulnerabilities.
• Apply access restrictions tailored to user roles. Organisations should limit the scope of their APIs and implement access controls based on user roles to minimise potential damage in the event of a successful attack. One effective strategy for this is the principle of least privilege (POLP). This principle advocates for a user to be given the minimum access or privileges required to perform their tasks. API gateways can be used to enforce authentication and authorisation in line with POLP.
• Implement anomaly detection. Monitor for anomalies, such as flagging when a user adds many high-value items to their cart or the same user logs in from different geos within a short timeframe. By establishing baselines for normal user behaviour and analysing anomalies, businesses can identify suspicious activities that may indicate an exploitation of business logic.
• Employ behaviour-based analysis techniques. This can identify abnormal patterns or sequences of actions within an application’s workflows. By understanding the expected behaviour of an application and employing anomaly detection algorithms, organisations can detect and flag suspicious interactions that indicate potential BLAs.
• Implement strong access controls and authentication mechanisms. This helps prevent unauthorised access to critical application functionalities. Continuously monitor user activity, flagging sudden changes in behaviour patterns, unusual access attempts or unauthorised actions.
   

Image credit: iStock.com/onurdongel