LAST UPDATED April 11, 2024
No. 6 on the 2023 OWASP API Top 10 Vulnerabilities list — Unrestricted Access to Sensitive Business Flows is both a common and easily exploitable API security vulnerability.
OWASP says of this vulnerability,
“When creating an API Endpoint, it is important to understand which business flow it exposes. Some business flows are more sensitive than others, in the sense that excessive access to them may harm the business. Common examples of sensitive business flows and risk of excessive access associated with them:
- Purchasing a product flow – an attacker can buy all the stock of a high-demand item at once and resell for a higher price (scalping)
- Creating a comment/post flow – an attacker can spam the system
- Making a reservation – an attacker can reserve all the available time slots and prevent other users from using the system
The risk of excessive access might change between industries and businesses. For example – creation of posts by a script might be considered as a risk of spam by one social network but encouraged by another social network.
An API Endpoint is vulnerable if it exposes a sensitive business flow, without appropriately restricting the access to it.”
Understanding Unrestricted Access to Sensitive Business Flows
This vulnerability is not a specific implementation bug, but rather an exposure of business flow that can be abused in an automated fashion. Unrestricted access to sensitive business flow has a few common examples explained by OWASP such as: purchasing a plane ticket, creating new users to abuse a referral program, or automatically buying a new gaming console impacting the availability to consumers to be resold for higher prices online. Sensitive, in this context, means that excessive access to the flow might harm the business.
Exploiting this vulnerability is most commonly associated with malicious bot traffic, attackers’ pervasive use of bots has increased risk to APIs and there are many recent examples that have caused financial and brand damage for some high-profile organizations. For example, the lawsuit against Live Nation and Ticketmaster. With Taylor Swift’s New Eras tour, the president and chief financial officer of Live Nation testified that the biggest problem it faced when selling the new Eras tour tickets to concert goers was the on slaughter of bots that attacked the Ticketmaster servers impacted concert goers ability to actually obtain tickets because they were getting bought out by bots.
Prevention for Unrestricted Access to Sensitive Business Flows
While WAFs and API gateways often include bot detection capabilities, automated API attacks targeting business logic flaws can employ evasion techniques to mimic human-like behavior, making it difficult to differentiate between legitimate users and malicious users. Additionally, these security controls rely on rules and signatures that won’t give them enough context to detect and block automated threats where attackers often employ sophisticated techniques to evade detection, rendering traditional security solutions ineffective.
To prevent exploitation of this vulnerability, OWASP explains that organizations should be thinking about this in two layers;
- identifying which APIs that can harm the business if used excessively
- and choosing the right protection mechanisms.
Identifying, securing, and limiting access to APIs that are facilitating sensitive business operations directly from machine to machine is crucial because those APIs are easy targets for attacker’s to interrupt operations, reduce product availability, and endanger organization’s application performance.
How ThreatX Can Help
ThreatX can help provide effective protection to identify and block exploitation attempts targeting APIs that manage sensitive business flows without interrupting operations. Due to our platform’s real-time, risk-based blocking, ThreatX can detect legitimate traffic from automated abuse based on behavior and block calls based on risk.
How Our Approach is Unique
Business logic enforcement
ThreatX can detect threats using a variety of techniques, including flow-based analysis that can ensure API users hit endpoints in a specific workflow that you define, while protecting against attackers attempting to abuse business flows. For example, the ThreatX platform can block threats targeting a specific API endpoint, like ticketmaster.com/purchase/ticket whereas a legitimate user would first, visit ticketmaster.com, then select a concert and seat, then lastly; attempt to purchase a ticket.
Rate limiting based on time
Not only can ThreatX block attacks based on risk, but the ThreatX platform can rate limit or restrict the number of requests an API can process, regulating legitimate users while protecting API that are responsible for sensitive business operations while stopping abuse. This capability is especially effective for APIs that manage operations during specific times of date, for example if a technology provider limits third-party integrations based on number of requests within a specific amount of time, ensuring that their systems aren’t flooded.
Automated vs. real traffic
ThreatX uses a combination of techniques to detect a wide range of automated threats without introducing additional friction like CAPTCHAs and other bot mechanisms that negatively impact customers’ experiences. ThreatX challenges suspicious actors with active interrogation to see how they react when tar pitting traffic or returning web cookies. Additionally, ThreatX automatically profiles API’s and application’s “normal” behavior by monitoring usage and underlying services, enabling early identifiers of usage deviation.
Risk-based blocking
The ThreatX platform is always monitoring, assessing, and blocking attacks – automatically. ThreatX uses attacker fingerprinting to track threat behavior over time no matter if they attempt to evade detection by cycling IP or user agents. Based on the detected threat and their tracked behaviors, the ThreatX platform will apply and continuously adjust that threat actor’s risk score. When an attacker’s behavior increases in volume or risk, ThreatX will instantly block traffic, based on risk.
