Cybercriminals are identifying and attacking poor business logic in applications, APIs and websites: is this trend a ticking cyber time bomb?

In 2022, one cybersecurity firm noted that 17% of attacks on application programming interfaces (APIs) came from ‘bad bots’, automated traffic aimed at exploiting vulnerabilities in business logic.

Business logic is a software application’s backbone that dictates how it operates and interacts with users and other systems. Business logic attacks (BLA) are a type of cyberattack where cybercriminals exploit an application’s intended functionality and processes rather than its technical vulnerabilities.

Business logic vulnerabilities are highly specific to individual applications and APIs. Traditional web application firewalls based on detecting common code signatures are largely ineffective against BLA because there are no common attack patterns involved. Complicating matters, an application without a business logic vulnerability today may become vulnerable in subsequent software releases. This is typically due to the application’s capabilities and functionality extending beyond what developers and designers originally scoped, adding unforeseen complexity.

How BLA works

Bad actors can identify and exploit poorly validated application business logic, gain unauthorized access to critical data, and tamper with application functions to cause disruptions to operations without triggering security alerts.

In some instances, the damage caused by these attacks cannot be mitigated. The attacks can come in three forms:

    • Function misuse: Legitimate functions within an application are leveraged to perform malicious actions, such as issuing escalated privileges or granting access to unauthorized data.
    • Security controls bypass: The flow of an application is altered to bypass security controls or perform unauthorized actions.
    • Cross-user data leakage: The input to an API is manipulated to access data belonging to other users. This is difficult to prevent, and it can be highly lucrative for attackers looking to exfiltrate sensitive information.
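
As an added illustration of the third form, cross-user data leakage (example code written for this page, not from the research or the firm cited): a minimal order-lookup handler that trusts the client-supplied id, beside a hardened version that enforces ownership server-side, plus a small audit-log check for the enumeration pattern that a signature-based WAF has no rule for. All names and data below are constructed.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample data: three orders, each owned by one account.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "1111"},
    1002: {"owner": "bob", "total": 99.50, "card_last4": "2222"},
    1003: {"owner": "bob", "total": 10.00, "card_last4": "2222"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested order."""

def get_order_vulnerable(caller: str, order_id: int) -> dict:
    # Business-logic flaw: the handler trusts the client-supplied id and never
    # asks whether `caller` owns it, so any authenticated user reads any order.
    return ORDERS[order_id]

def get_order_hardened(caller: str, order_id: int) -> dict:
    # Server-side ownership check against the authenticated principal.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        # Same outcome for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden(f"order {order_id} not accessible to {caller}")
    return order

def serve(handler, requests: list[tuple[str, int]]) -> list[tuple[str, int, str]]:
    """Run (caller, order_id) requests through `handler`; return an audit log."""
    log = []
    for caller, order_id in requests:
        try:
            handler(caller, order_id)
            log.append((caller, order_id, "ok"))
        except (Forbidden, KeyError):
            log.append((caller, order_id, "denied"))
    return log

def denied_ids_per_caller(log: list[tuple[str, int, str]]) -> dict[str, int]:
    """Detection: count distinct ids each caller was denied. One caller touching
    many ids that are not theirs is the enumeration a signature WAF misses."""
    denied = defaultdict(set)
    for caller, order_id, outcome in log:
        if outcome == "denied":
            denied[caller].add(order_id)
    return {caller: len(ids) for caller, ids in denied.items()}
```

Running the same request batch through both handlers shows the difference: the vulnerable handler hands alice every order she asks for, while the hardened one denies the three that are not hers and the audit count flags her as the outlier.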

According to Reinhart Hansen, Director of Technology, Office of the CTO, Imperva, which publicized this piece of BLA research: “Today, most attacks are automated, and many of them target the business logic exposed by an API endpoint. APIs and API-driven applications are critical business enablers for all online enterprises. To stop these targeted attacks, what is required is a fundamental shift in both mindset and security strategy to protect businesses more effectively.”

According to the firm, organizations need a multi-layered approach that scans for vulnerabilities, exhaustively monitors system behavior, and protects websites, applications and APIs from BLA activity. Because automated attacks often do not conform to known attack signatures, existing legacy web application firewalls can be supplemented with bot management and API security controls.