The push to move from self run infrastructure and applications to cloud services along with developing and bringing online new applications that fully digitize and streamline the consumer experience are just a few examples.
As these accelerated programs progress, they often leave behind a wave of application business logic flaws. Attackers, looking to target and exploit the intended business logic and flow of an application, do so with the intent of getting the application to do something that is unintended by the developer. Often this leads to data exfiltration, the ability to access information that should otherwise be kept private, as well unauthorised data modification affecting the integrity of data and the overall service the application is supposed to deliver.
Business logic attacks themselves are not new; however, the rise of business logic attacks is a result of expanding API ecosystems, which rely on business logic.
In this article we will look at the types of business logic attacks faced by Australian organisations, and how IT leaders can mitigate their risks with multiple defence options.
The dangers of business logic attacks (BLAs)
Cyber threats are always evolving and attackers are always on the hunt for new ways to gain access to valuable information.
A business logic attack (BLA) seeks to exploit an application’s (or API) intended functionality and processes, rather than technical vulnerabilities. In retail for example, attackers exploit business logic to manipulate pricing, or access restricted products. For example, if a customer orders more than five items, then they get a 15% discount. When programmed into software applications, this conditional logic automates business decisions.
“The paradigm shift towards automated attacks targeting business logic mandates a departure from traditional, signature-based defences,” says Kane Fraser, Area Vice President at Imperva. “In today's complex environment, relying solely on Web Application Firewalls (WAFs) is no longer adequate to protect applications.”
How big is the problem? A lot bigger than most people realise. Data curated from Imperva’s global Application Security Network over the past year, shows BLAs accounted for most attacks on Australian retail sites, including a significant surge with a 118 percent increase in volume compared to the same period in the prior year.
Adding to the challenge is automation. Most attacks on business logic are automated and often focused on abusing API connections. If you can detect and eliminate unwanted and undesirable BOT based automation from interacting with your application, it can drastically reduce the risk of falling victim to a BLA.
The 2023 Imperva Bad Bot Report found 17 per cent of all attacks on APIs came from “bad bots” abusing business logic.
Three common ways business logic can be exploited are:
- Function misuse: Within an application, this exploits legitimate functions to perform malicious actions, such as issuing escalated privileges or granting access to unauthorized data.
- Security controls bypass: Alters the flow of an application to bypass security controls or engage in unauthorized actions.
- Cross-user data leakage: Exploits the input to an API in order to access data belonging to other users. This is difficult to prevent and can be extremely lucrative for attackers who are looking for sensitive information.
BLAs are dangerous because traditional security monitoring and defence tools were not designed to combat them and often fall short of any real protection. Attack patterns don’t exist to monitor for these types of exploits, and it’s impossible to apply a generic rule and assume all application and API deployments are secure.
IT leaders need to have the right internal and external controls to ensure end-to-end security and a single type of defence, such as a firewall, is not enough to prevent a compromise of a business process.
Start with a multi-layered approach
With business logic attacks becoming increasingly prevalent, especially during peak trading seasons, IT leaders must adopt a multi-layered security approach to keep them at bay.
Start by going through your business logic, including your application’s workflows, processes, and expected user behaviour to identify potential weak points and areas of possible exploitation.
Implementing advanced application security options will help identify risks like broken authorisation. In addition, monitor and analyse end-user behaviour, including application usage patterns, to detect suspicious activities that might indicate a potential BLA.
Other defences include access control to limit the scope of your APIs (and which roles can access them) to minimize the damage in the event of an attack; and advanced bot protection and API security, is crucial.
“To counter these evolving threats effectively, businesses must embrace a proactive and multi-layered security approach. For example, organisations should adopt a robust combination of Web Application Firewalls, Bot Protection, and API Security. By proactively implementing these layers of defence, organisations can significantly enhance their resilience against the evolving threat landscape posed by Business Logic Attacks,” Fraser says.
This multi-layered approach was adopted by SA Power Networks in South Australia. With a WAF already in place to protect its web applications, the team at SA Power Networks reviewed how exposed APIs were the cause of a breach at another large Australian company.
To avoid being susceptible to such an attack, SA Power Networks evaluated its current technologies and deployed Imperva API Security for Cloud WAF, which enables API visibility for security teams without requiring development to publish APIs via OpenAPI or by adding a resource-intensive workflow.
“One of the good things about Imperva is that if an API was unauthenticated, it told you what it was missing and how you could fix it. We got the POC running, it returned a list of a few endpoints that were unauthenticated, and then that allowed us to take it back to the relevant teams, application teams, support teams, and get that sorted,” said Nikil Kathiravan, Cybersecurity Specialist at SA Power Networks.
Like the team at SA Power Networks, IT leaders can stay a step ahead of BLAs by taking the time analyse business processes and invest in comprehensive application security, including APIs.
A multi-layered approach capable of scanning for vulnerabilities, monitoring behaviour, and protecting websites, applications, and APIs from BLA activity is essential. Augmenting WAF platforms with bot management and API security solutions is imperative to be able to effectively identify attack activity, even when it does not conform to known attack signatures.
Learn more at imperva.com
