In an earlier blog post, we looked at the OWASP API Security Top 10 and explored how you can use Citrix solutions to mitigate each threat.

We reviewed how Citrix ADC can help to mitigate SQL injection, mass assignment, security misconfiguration, and more. We also explored best practices for authenticating your APIs using strong authentication and authorization controls and how to throttle unwanted API requests by using rate-limiting controls.

In addition to the OWASP-defined threats, API abuse can play a significant role in undermining API security. For example, according to a recent Akamai report, up to 75 percent of all credential abuse attacks against the financial services industry targeted APIs directly. And the largest credential stuffing attack, a form of API abuse, recorded 55 million malicious login attempts.

Reports suggest that the average cost of a data breach is now $3.92 million, with implications that can disrupt the business and have an impact that goes beyond the balance sheet, leading to indirect costs to the organization’s brand and reputation.

OWASP-defined threats typically result from underlying vulnerabilities. But API abuse often relies on legitimate access to an API resource and occurs under the threshold of what traditional signatures and rules can detect.

For example, in some instances of API abuse, authenticated, legitimate users download more data than is typical but stay under predefined rate-limiting rules. Such users are difficult to detect using traditional means.

Let’s take a closer look at how attackers can take advantage of excessive data exposure. Below is an illustration of how an attacker can abuse an API by obtaining an excessive amount of data.

In a normal scenario, an application retrieves information about a user by sending an API request to the user service API and includes the username as a parameter that is passed to the API.

In response to this API request, the user service API returns information about the user identified in the username field. Such a response falls within a specific response band size.

But if a motivated malicious attacker sends a request to a vulnerable API by replacing the username field with “all,” the vulnerable API will send information about all the users. This results in a very large response that falls outside of the normal response band size.
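The scenario above, as an added example that is not Citrix code: a user-lookup handler that treats `all` as a wildcard, a hardened version of the same handler, and a small response-size monitor that learns a baseline from normal traffic and flags responses far above it. The user directory, the handler names, the `ResponseSizeMonitor` class and its mean-plus-three-standard-deviations rule are all assumptions made for this example; the rule stands in for the learned limit the dashboard draws, it is not Citrix ADC's algorithm.

```python
import json
import statistics
from collections import deque

# Constructed sample user directory standing in for the user service backend.
# Every record has the same shape, so single-user responses have the same size.
USERS = {
    f"user{i:03d}": {
        "username": f"user{i:03d}",
        "email": f"user{i:03d}@example.test",
        "ssn": f"000-00-{i:04d}",  # constructed, sensitive field the client never needs
        "role": "user",
    }
    for i in range(200)
}

# Fields a client actually needs from a user lookup (assumption for this example).
PUBLIC_FIELDS = ("username", "role")


def vulnerable_lookup(username: str, caller: str) -> str:
    """Vulnerable handler: 'all' acts as a wildcard and dumps every record,
    including sensitive fields. The caller is ignored entirely."""
    if username == "all":
        records = list(USERS.values())
    else:
        records = [USERS[username]] if username in USERS else []
    return json.dumps(records)


def hardened_lookup(username: str, caller: str) -> str:
    """Hardened handler: no wildcard, exact match on one known username,
    the (already authenticated) caller may only read its own record, and
    only the fields the client needs are returned."""
    if username != caller or username not in USERS:
        return json.dumps([])
    record = {field: USERS[username][field] for field in PUBLIC_FIELDS}
    return json.dumps([record])


class ResponseSizeMonitor:
    """Flags a response whose size exceeds a limit learned from recent normal
    traffic (rolling mean + k standard deviations). Anomalous responses are
    not fed back into the baseline, so a burst of large downloads does not
    widen the band that would detect it."""

    def __init__(self, window: int = 100, min_samples: int = 10, k: float = 3.0):
        self.sizes = deque(maxlen=window)
        self.min_samples = min_samples
        self.k = k

    def predicted_limit(self):
        # No limit until enough normal traffic has been seen.
        if len(self.sizes) < self.min_samples:
            return None
        mean = statistics.fmean(self.sizes)
        stdev = statistics.pstdev(self.sizes)
        # Floor the spread so perfectly uniform traffic still gets a band.
        return mean + self.k * max(stdev, 1.0)

    def observe(self, size: int) -> bool:
        limit = self.predicted_limit()
        anomalous = limit is not None and size > limit
        if not anomalous:
            self.sizes.append(size)
        return anomalous


def simulate(handler):
    """Replay constructed traffic: 30 users fetch their own record, then
    user000 requests 'all', then normal traffic resumes. Returns one log
    entry per request with the response size and whether it was flagged."""
    monitor = ResponseSizeMonitor()
    requests = [(f"user{i:03d}", f"user{i:03d}") for i in range(30)]
    requests.append(("all", "user000"))
    requests.append(("user031", "user031"))
    log = []
    for username, caller in requests:
        body = handler(username, caller)
        size = len(body.encode())
        log.append({"username": username, "size": size,
                    "anomalous": monitor.observe(size)})
    return log


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        flagged = [e for e in simulate(handler) if e["anomalous"]]
        print(f"{name}: {len(flagged)} flagged", [(e['username'], e['size']) for e in flagged])
```

Against the vulnerable handler the `all` request is the only flagged entry, because its response is roughly 200 times the size of a normal one; against the hardened handler the same request returns an empty list, nothing is flagged, and even a legitimate lookup no longer carries the sensitive field. Note that the monitor only helps once a baseline exists, which is why a fixed rate limit alone does not catch a single oversized download that stays under the request-count threshold.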

Now, with the help of Citrix ADC, a SecOps admin can view all such security violations that include attempts to download excessive amounts of data by navigating to Analytics → Security → Security Violations in the Citrix Application Delivery Management (ADM) service.

The image above provides a visualization of the security violation being detected in Citrix ADC. Admins have access to details such as affected APIs and total occurrences. The blue line indicates a machine learning-based predicted limit on the downloaded data, while the red dots show the anomalies, or excessive download attempts. You can also access details such as the time of each violation along with a link to the anomalous download.

If you would like to learn more about how Citrix ADC can help manage and protect your APIs against API abuse and other forms of attacks, please reach out to your account team to schedule a demo.