How To Avoid API Business Logic Abuse

Posted in

The 2023 OWASP Security Top 10 introduced some new security risks and vulnerabilities threatening APIs. These new additions are common threats and security risks that have arisen since OWASP published its first list of top API security risks in 2019. One of the new additions, API6:2023 Unrestricted Access to Sensitive Business Flows, reveals an alarming new trend of abusing an API's business functions.

Business logic abuse has the potential to put a company at risk for some very expensive mistakes. To make matters even worse, OWASP lists Business Logic Abuse as very easy to exploit. It's also extremely prevalent and moderately difficult to detect.

To help ensure that your API is safe and secure from this API security risk, we've put together some tips on how to avoid API Business Logic Abuse. Let's start by learning about business logic itself.

What Is Business Logic?

Business logic means something specific when it comes to APIs. Generally speaking, business logic is all interactions between a user, a business, and its infrastructure. Dataflow is an example of business logic. So are database interactions.

Regarding APIs, business logic can sometimes be referred to as business flows or process flows. These alternate titles reveal some risks a vulnerable business process poses. It also offers a hint about some preventive measures that can be taken. A ticket reservation endpoint is an example of a business process flow, for example. Each interaction might modify the database, request payment from the user's wallet of choice, and serve up a captcha for human verification.

API endpoints that conduct business transactions often perform a number of processes, which is why they're called flows. To help ensure API security, it's vital that you understand each component of a business flow and how they work together.

The Risks of Vulnerable Business Logic

According to OWASP, attackers often begin by determining which API handles business processes. They use this information to create automations that can exploit these vulnerabilities. This puts your organization at risk in several different ways, depending on which business process is being targeted.

Say that you have an item in high demand in your inventory, for example. This could be anything from concert tickets to an especially trendy item of clothing. If there are no limitations in place, an attacker could exploit a business logic endpoint to automatically purchase all available stock and then immediately turn around and re-sell it. A reservation system is another example of a business logic flow that's particularly susceptible to exploitation. An attacker could simply book all available slots through the Reservations endpoint, leaving nothing for actual paying customers.

Both of these scenarios reveal another risk caused by business logic flaws. Sensitive business flows can also cause serious damage to a company's reputation. It wouldn't take long for people looking for a hotel to look elsewhere if someplace is always listed as booked.

Examples of API Business Logic Abuse

OWASP offers some other theoretical examples of API business logic abuse that help make the concept much more concrete. The first is the concert ticket scalping scenario we mentioned previously. That's just one potential scenario that cybercriminals could take advantage of, though.

OWASP also mentions another hypothetical example involving a business logic flow for making purchases. In another rhetorical example, they bring up a scenario where someone uses an endpoint to purchase all of the available tickets for a flight when there are no cancellation fees. In this scenario, the attacker then returns the ticket much closer to the flight. The airline is then forced to sell all the tickets at a deep discount to try and fill the vacancies. The attacker could then get a ticket much cheaper than the standard fare.

Finally, OWASP mentions a situation where a ride-sharing app might offer a user credits for referring new users. In this scenario, an attacker might write a script crediting every new registered user to their account. They could then use these credits for indefinite free rides or even sell their account for cash.

How To Avoid API Business Logic Abuse

OWASP recommends breaking API business logic into two sections and addressing each to help prevent API business logic vulnerabilities. They recommend dividing a business logic flow into a business side and an engineering side.

For the business side, OWASP recommends identifying every component that can perform a business function. To ensure API security against business logic abuse from the business side, start by taking a thorough inventory of each business process as well as each component. Then, identify which ones could put your business at risk. Once you have these insights, protecting your business from malicious actors is much easier. In the ticket scenario we mentioned earlier, for example, you might put a simple restriction in place that would return an error if a user tries to conduct more than five transactions.

The engineering side of the equation deals with the logistics of how to prevent API Business Logic Abuse. You'll spend a lot more time on this side of the equation, naturally, but the business component is still a vital part of preventing vulnerabilities due to faulty business flows.

OWASP recommends several ways developers can help prevent business logic abuse on the engineering side of things. Inserting a captcha solution into the dataflow is one way to help prevent automated attacks, for instance. If you want an even more robust security solution, you might even implement advanced biometric analysis, such as detecting human typing patterns.

You can monitor the inhuman, as well. Taking less than one second to go from adding an item to a shopping cart to completing a purchase is a dead giveaway an automated script is attacking a purchase endpoint. Simply blocking the IP addresses of TOR exit nodes and well-known proxies is an easy way to deter cybercriminals looking to exploit vulnerable business flows, as well.

When setting up API testing scenarios, pay special attention to your business logic endpoints. Put plenty of preventive measures in place, as well, like validating all user input, no matter where it comes from. Monitoring and logging user input and data is also a good touch, as it will give you records of attempted attacks on your business logic flows.

Many business logic flaws are caused by faulty design and messy coding. Simply documenting the processes and data flows of business logic processes is an easy way to prevent improper access and vulnerabilities. Restricting user access and following the principle of least privilege (PLOP) is an example of how solid design can help prevent business logic flaws. Good, clear documentation is another simple way to avoid business logic errors. Taking regular inventory of your network is yet another way to ensure system security, as it limits the risk of shadow and zombie APIs that might provide access to sensitive assets.

Final Thoughts on Preventing API Business Logic Flaws

API security can be the weak point in an organization's cybersecurity network. Even careful and canny developers can sometimes overlook vulnerabilities they'd never miss in a monolithic scenario. It's vitally important to ensure every API endpoint is as safe and secure as possible, even if it's only available for internal use.

It only takes one business logic vulnerability to do severe damage to an organization. Luckily, it's not hard to secure your business flows when you know what you're looking for and what to do about potential problems when you find them.