How Bots Use APIs to Infiltrate the Online World


The online world is as vast as it is complex, but when you boil it down, bots use three primary channels to infiltrate it: APIs, mobile apps and websites.

These channels are highly interconnected — with APIs playing a major role and fueling major risks when it comes to bot management.

API Growth

APIs are software intermediaries that make it possible for systems to communicate with each other. Use of web APIs has grown exponentially since 2005. In fact, it’s safe to say that APIs are — and will continue to be — everywhere. They are critical enablers of countless systems and services. APIs power organizations’ back-end systems, mobile apps and increasingly even websites — and will become even more critical as the IoT continues to connect everything from toasters to cars.


API growth has been significant to date, and several industry trends will further fuel use of APIs:

  • IoT: The industry is poised for an IoT explosion through 5G. IoT and industrial IoT solutions will connect to clouds directly. Cloud APIs supporting telemetry registration (sensors) and rich functionality (example: If This Then That (IFTTT), Alexa and Google Assistant) will be exposed directly.
  • Mobile apps: IoT and 5G networking will also fuel the growth in mobile applications and their reliance on APIs.
  • Cloud migrations: As these migrations continue accelerating, multicloud environments are a fact of life. Applications can mix and match best-in-class services from Amazon Web Services (AWS), Azure and Google Cloud. All these interconnecting cloud applications require APIs.
  • API economy: As organizations create APIs to power their businesses, they sometimes decide to make the API available for sale and use by other enterprises. This practice is fueling a fast-growing “API economy” alongside the trends in IoT, 5G and the cloud.

The Trouble with APIs

The trouble is, APIs can be highly vulnerable, making them frequent attack targets. And because APIs are powered by machine-to-machine communication, it can be far more difficult to determine if an API call is originating from a good source for a helpful purpose — or from a bad actor with ill intentions for your business and your customers.


That’s because APIs are built for machines to talk to, which makes it easier for bots to interact with an API than with a website. Bots don’t have to mimic users or scrape and decode PDFs or HTML tables; they can simply “speak” the API’s own language and obtain all the information they need.

Mobile apps, websites and even desktop applications regularly rely on third-party data or functionalities that they consume through web APIs. Web APIs provide applications with otherwise inaccessible resources, such as access to global social networks (examples: web APIs provided by Twitter, Facebook or LinkedIn), advanced machine learning capabilities (examples: web APIs provided by IBM Watson or Google Cloud’s AI) or complex transaction processing (examples: web APIs by Stripe or PayPal for payment processing or the Flight Booking API).

Although most companies are well-versed as to where their web applications reside, they may have little to no visibility into the full complement of APIs on which their businesses depend.


In other words, application developers now rely heavily on third parties — entities outside their sphere of control — for core functionality of their applications. User experience and, by extension, application reputation are directly affected by the actions and inaction of the API provider(s). Service-level agreements (SLAs) might come into play for commercial API offerings, but by and large, developers are no longer in full control of their apps. And APIs make it much more difficult to distinguish good bots from bad bots.
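Because an API call carries none of the browser signals a website can check, telling automated clients apart comes down to behaviour in the API logs. As an added example that is not part of the original post, the following Python applies two defender-side heuristics, request rate and sequential resource enumeration, to constructed API gateway log lines; the log format, client names and thresholds are assumptions.

```python
"""Flag bot-like API clients from gateway access logs (added example).

The log format "<epoch> <client> <method> <path> <status>", the client
keys and the thresholds are constructed assumptions, not a real product.
"""
import re
from collections import defaultdict

# Constructed sample log: key-A walks order ids one after another at
# several requests per second; key-B behaves like an ordinary integration.
SAMPLE_LOG = """\
1700000000 key-A GET /v1/orders/1001 200
1700000001 key-A GET /v1/orders/1002 200
1700000001 key-A GET /v1/orders/1003 200
1700000002 key-A GET /v1/orders/1004 404
1700000002 key-A GET /v1/orders/1005 200
1700000003 key-A GET /v1/orders/1006 200
1700000000 key-B GET /v1/orders/2231 200
1700000045 key-B POST /v1/orders 201
1700000090 key-B GET /v1/orders/2231 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log):
    """Return (epoch, client, method, path, status) tuples, skipping bad lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            rows.append((int(ts), client, method, path, int(status)))
    return rows

def numeric_id(path):
    """Trailing numeric path segment (the resource id), or None."""
    tail = path.rsplit("/", 1)[-1]
    return int(tail) if tail.isdigit() else None

def score_clients(rows, max_rps=1.5, seq_ratio=0.8):
    """Map each client to a list of reasons; an empty list means nothing flagged."""
    per_client = defaultdict(list)
    for row in rows:
        per_client[row[1]].append(row)
    verdict = {}
    for client, reqs in per_client.items():
        reqs.sort()
        reasons = []
        span = max(1, reqs[-1][0] - reqs[0][0])   # seconds covered, at least 1
        if len(reqs) / span > max_rps:
            reasons.append("high request rate")
        ids = [i for i in (numeric_id(r[3]) for r in reqs) if i is not None]
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if len(ids) > 2 and steps / (len(ids) - 1) >= seq_ratio:
            reasons.append("sequential id enumeration")
        verdict[client] = reasons
    return verdict
```

Thresholds like these belong per endpoint rather than per API, since a legitimate batch integration can look very different from an interactive client.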

APIs Under Siege

Scammers exploit API vulnerabilities to steal sensitive data, including user information and business-critical content. Modern application architecture trends — such as mobile devices, use of cloud systems and microservice design patterns — complicate security of APIs because they involve multiple gateways to facilitate interoperability among diverse web applications.


What’s more, extensive deployment of internal APIs, combined with mobile access and increased dependence on cloud-based APIs, means that web application security defense systems that defend only the external perimeter are ineffective. Also, as businesses continually add and consume new APIs, API security cannot be a one-time exercise.

Read “The Ultimate Guide to Bot Management” to learn more.
