At this year’s RSA conference, Akamai Senior Vice President Rupesh Chokshi shared a topic entitled Spotlight on latest web application and API attack data, highlighting the latest web application vulnerabilities and API attack trends. This article will explore this topic, starting from the data trends of application vulnerabilities and API attacks in recent years, describing the main reasons leading to data leakage, and then introducing the statistics of attacks on various industries. Finally, updates to some existing risks, as well as new additions to the API security risks, have been presented in the recent OWASP API Security Top 10 2023 Release Candidate (RC).
Application Vulnerability Development Trend Analysis
Rupesh Chokshi first introduced the number of attacks received each year in recent years through statistics. Relevant data shows that since October 2022, there have been 161 million attacks from application vulnerabilities and API vulnerabilities. The average enterprise uses 1061 applications, which shows that the attack surface continues to grow. From 2021 to 2022, the attack volume has increased by 2.5 times, mainly due to the faster application development efficiency of enterprises and the frequent exposure of a higher number of vulnerabilities. These vulnerabilities can eventually lead to massive data breaches. Rupesh Chokshi explained the main reasons leading to data leakage from four aspects.
1. Server-Side Request Forgery(SSRF)
SSRF (Server-Side Request Forgery) is a malicious attack technique that mainly exploits communication vulnerabilities between the client (usually a user of a web application) and the server to perform unauthorized operations on the server. In terms of attack principle, attackers often send legitimate requests to the server by constructing malicious client requests, so that the server can perform the operations the attacker wants. These actions can be opening malicious websites, downloading malware, stealing confidential information, etc.
In March 2021, Microsoft announced multiple high-risk vulnerabilities (CVE-2021-26855 and CVE-2021-27065) in Microsoft Exchange. Attackers can remotely obtain server permissions without authentication by exploiting these vulnerabilities in combination. Security researcher Orange Tsai discovered this series of vulnerabilities at the end of 2020 and named them “ProxyLogon”. ProxyLogon is one of the most influential vulnerabilities in the history of Exchange. Thousands of Exchange servers have been implanted with Webshell backdoors. According to Akamai statistics, customers using its AAP (App & API Protector) product suffer an average of 14 million SSRF attacks per day.
2. Supply Chain Security
Supply chain attacks have been increasingly prevalent in recent years. Due to the inherent nature of the supply chain, malicious software can be installed at any point, making it susceptible to attacks. These attacks have the potential to impact designated targets, and when suppliers with a large customer base are attacked, the number of affected individuals or organizations can significantly and rapidly increase. Furthermore, detecting supply chain attacks poses a challenge due to the reliance on trusted and widely distributed software within the supply chain.
In December 2020, the US security company FireEye reported that an attacker had infiltrated their network by implanting a Trojan horse program in the SolarWinds software. This Trojan horse program was equipped with a legitimate digital signature and was distributed alongside a software update. Taking advantage of the characteristics of the software supply chain, the APT attacker organization gained unauthorized access to the target organization, establishing long-term control and continuously exfiltrating critical data. Within a mere week of the incident, over 200 significant institutions worldwide were affected, including sensitive organizations in technologically advanced regions. The United States accounted for more than 60% of the impacted institutions, with government agencies such as the US Department of State, Homeland Security, Defense, and Treasury being compromised. This incident also had a substantial impact on several government agencies in China, magnifying the overall consequences of the attack.
In November 2021, a remote command execution vulnerability was discovered in the Log4j2 function, which allowed attackers to trigger remote code execution by constructing malicious requests. This vulnerability was named Log4Shell. On December 9, 2021, the official verification method for the Log4Shell vulnerability was announced, leading to a rapid spread of cyber attacks exploiting this vulnerability worldwide. The impact of the vulnerability was significant, and it caused a “nuclear explosion” in the network security industry. The triggering condition for the vulnerability was remarkably simple, requiring no special configuration, which elevated the risk level. Numerous major manufacturers fell victim to this vulnerability. What is even more alarming is that the impact extended beyond Earth, as even the “Smart” unmanned helicopter used by NASA for Mars exploration contained software with this vulnerability. Therefore, Log4Shell can rightfully be referred to as a “cosmic-level” vulnerability.
According to statistics from Akamai, Log4j vulnerabilities accounted for two-thirds of the affected Java servers. It is predicted that supply chain attacks will continue to increase in the coming years. Therefore, enterprises are strongly advised to prepare and implement preventive measures to mitigate the risks associated with Log4j vulnerabilities.
3. Attacks Against the Manufacturing Industry
Relevant statistics from Akamai reveal that attacks against the manufacturing industry have become increasingly common in recent years. Attackers are actively deploying malware through supply chain attacks to disrupt the entire manufacturing sector. With the advancement of the Internet of Things and the proliferation of large-scale data collection, attacks targeting the manufacturing industry are on the rise, reaching a staggering rate of 76%.
4. Attacks Against Healthcare IoT Devices
Rupesh Chokshi has mentioned that attacks on IoT healthcare will become a new attack surface. According to relevant statistics from Akamai, there are an average of 15-20 connected devices in each ward of the US medical system. The convenience of using IoT technology lies in reducing costs and unified management to improve efficiency and reliability. However, there are also certain risks associated with third-party vulnerabilities in the equipment that can be exploited by hackers. Currently, there are many healthcare regulations in the United States, including the proposed Healthcare Security Act of 2022, which provides guidance, guidelines, and strategies that can be used as a reference for enterprises.
Statistical Analysis of Attacks Against Various Industries
From the perspective of the development trend of application security vulnerabilities, various industries have been affected to varying degrees. In this topic, Rupesh Chokshi also proposed the main affected industries, as shown in the following figure:
Figure 1: Industries affected by web application attacks
Industries affected by web attacks from 2021 to 2022 include business, high-tech, finance, manufacturing, healthcare, gaming, media, and more. Among them, business, high-tech, finance, and manufacturing are the most impacted, with a 5% increase compared to the previous year.
In the commercial industry, attackers are accustomed to shortening the attack path to adapt their strategies promptly when facing resistance. Akamai data shows that from the third quarter of 2021 to the third quarter of 2022, there was a 300% increase in local file inclusion (LFI) attacks.
Regarding attacks on the financial industry, Rupesh Chokshi mentioned that attacks on applications and APIs have increased by 3.5 times in the past year. It is predicted that by 2027, the financial industry will reach a scale of $182 billion and will face larger-scale cyber-attacks by then.
New API Risks From OWASP
Finally, Rupesh Chokshi mentioned the OWASP API Security Top 10 risks newly released by OWASP in 2023 and compared them with the version released in 2019. It can be seen that some new risks with API characteristics have been proposed, and the original categories have been updated on a basic basis, as shown in the following figure.
Figure 2: Comparison of Old and New Versions of OWASP API Security Top 10
We summarized the changes in the new and old versions as proposed by Rupesh Chokshi. The summary can be divided into three aspects. First, there are some added risks, which include new types of vulnerabilities, new attack vectors, and new features of the API. Secondly, the original risks have been updated, with some risks being strengthened or new detection methods for these risks being added. Finally, certain risks have been removed either because they are no longer important or because they have been largely fixed.
1. New Risks
1)Top6: The risk of request forgery on the server side. As can be seen from the impact of the CVE-2021-26855 vulnerability mentioned above, SSRF attacks have now become a major risk in the Top 10.
2)Top8: Lack of automated threat protection. We have learned that business risk control, crawler, and bot protection have become more and more common in recent years. It seems that the need for automated threat protection is also imminent.
3)Top10:Insecure third-party APIs. In the application development process, developers often use third-party APIs, which leads to supply chain risks due to a lack of verification.
2. Risk Definition Updated
1)Top 2: Changed from “user identity authentication invalidation” to “identity authentication invalidation”, the new version removes the concept of user, and the risk scope extends to identity authentication at multiple levels of human and machine.
2)Top 3: The object attribute identification authorization is invalidated, and the original Top3 excessive data exposure and Top6 batch allocation are merged.
3)Top4: Changed from “unlimited resource access” to “unlimited resource consumption”, with more emphasis on denial-of-service attacks at the application layer.
4)Top9: Changed from “improperly managed assets” to “improperly managed stock assets”, emphasizing stock assets, i.e. zombie APIs, etc.
3. Risks removal
1)Top8: Remove injection risk
2)Top10: Deleting Logs with Insufficient Monitoring
Conclusion
This article analyzes the overall trend of web application and API attacks from three aspects: the development trend of application vulnerabilities, the statistics of attack data in various industries, and the OWASP Top 10 API security risks. It can be observed that the trend of attacks is constantly changing, so enterprises must remain vigilant at all times and take effective security measures to protect their applications and APIs.
References
[1] Spotlight on Latest Web Application and API Attack Data
[2] OWASP API Security Top 10 2023RC
