
OWASP Top 10 API security risks: Unrestricted access to sensitive business flows
Unrestricted access to sensitive business flows came in at number six on the Open Worldwide Application Security Project® (OWASP) Top 10 API Security Risks for 2023.
Unrestricted access to sensitive business flows occurs when API endpoints expose a business flow without restricting how often that functionality can be used, allowing attackers to exploit gaps in business logic through excessive, automated use.
Attack vectors
Typical attack vectors arise when threat actors learn how an API handles a business flow and then use automation to exploit that weakness and harm the business. Unfortunately, unrestricted access to sensitive business flows is fairly easy to exploit.
Security weaknesses
Security weaknesses are widespread, especially when developers have not anticipated the impact of excessive use. APIs whose developers lack a holistic view of how the API supports business requirements, and who have not analyzed the potential attack vectors, are particularly vulnerable.
Attackers identify which endpoints are involved in workflows and how they work together (or fail to work together) to find security gaps.
Business impacts
Businesses can be impacted in several ways, such as preventing legitimate users from using the system or completing a purchase. For example, an attacker might reserve every available time slot, preventing any other user from accessing the system, or they might buy up all the tickets for a performance and resell them at a higher price.
OWASP rates the business impact as moderate, but for some businesses, it can be significant.
How unrestricted access to sensitive business flows works
Attackers probe the business logic behind APIs to find sensitive flows, then automate calls to exploit the weakness. Without placing limits on the number of calls allowed to sensitive business flows or authorization rules to stop users from using too many resources within a short period, attacks are difficult to detect. Each individual request may be a legitimate request, allowed by the system. It’s only when requests are placed at volume that the trouble begins. As such, it can be difficult to detect without looking at API requests as a whole.
Unrestricted access to sensitive business flows can lead to:
- Automation exhausting system resources, impacting performance
- Overload of API infrastructure with requests leading to denial of service (DoS)
- System exploitation, allowing unintended actions
- Unauthorized access to sensitive data or user accounts
Real-world examples
OWASP offers several examples of how attackers might exploit business logic, including:
- A ride-sharing app that offers referral credits. An attacker writes a script to automate the registration process and creates fictitious users, each of which adds referral credits to the attacker’s account.
- An attacker books 90% of the seats on an airline that offers no cancellation fees and then cancels them all right before the flight.
- A company offers a limited number of items for sale amid high demand. Using automation, attackers buy up the majority of the items, denying other customers the chance to buy them, and then resell them at a profit.
The Federal Trade Commission (FTC) fined three people $3.7 million for using automated bots to buy thousands of concert and event tickets and then resell them. Though “digital scalping” is illegal under the BOTS Act in the U.S., the practice is still fairly common. Many fans trying to buy tickets to Taylor Swift’s most recent concert tour were forced to buy tickets on the resale market at inflated prices due to what Ticketmaster said was a bot attack that crashed its site and bought up a large volume of tickets.
Even the cybersecurity company Symantec has been the victim of an unrestricted access to sensitive business flows breach. Attackers exploited access-control weaknesses in the business logic of a reseller to expose private keys, leading to more than 20,000 SSL certificates being revoked.
Detecting unrestricted access to sensitive business flows vulnerabilities
Logic flaws are often invisible if you aren’t specifically looking for them. Legitimate traffic must be allowed, but attackers find ways to use APIs that were not intended.
Constant monitoring of API access, with flags for suspicious use, can help detect excessive API calls. Examples include flagging non-human patterns such as repeat purchases, successive actions within seconds, or consumption of a large number of resources within a short period.
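The following is an added example, not code from the original post or from OWASP: it runs the three checks just listed (repeat purchases, actions within seconds, too many resources in a short window) over a constructed sample of API access logs, treating the requests for one account as a whole rather than one at a time. The log format, endpoint path, account names and thresholds are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (JSON lines), not real traffic.
SAMPLE_LOG = """
{"ts": "2024-03-01T10:00:00Z", "account": "u1001", "path": "/api/tickets/purchase", "qty": 2}
{"ts": "2024-03-01T10:00:01Z", "account": "bot42", "path": "/api/tickets/purchase", "qty": 4}
{"ts": "2024-03-01T10:00:02Z", "account": "bot42", "path": "/api/tickets/purchase", "qty": 4}
{"ts": "2024-03-01T10:00:03Z", "account": "bot42", "path": "/api/tickets/purchase", "qty": 4}
{"ts": "2024-03-01T10:00:04Z", "account": "bot42", "path": "/api/tickets/purchase", "qty": 4}
{"ts": "2024-03-01T10:05:00Z", "account": "u1001", "path": "/api/tickets/purchase", "qty": 1}
{"ts": "2024-03-01T10:06:00Z", "account": "u1002", "path": "/api/events", "qty": 0}
"""

SENSITIVE_PATHS = {"/api/tickets/purchase"}   # the business flows worth watching
WINDOW = timedelta(minutes=10)                # look-back window per account
MAX_CALLS = 3                                 # repeat purchases allowed per window
MAX_QTY = 10                                  # seats one account may buy per window
MIN_GAP = timedelta(seconds=2)                # faster than this is not a person clicking

def parse_log(text):
    """Parse JSON-lines records and sort them by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for rec in events:
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda r: r["ts"])

def flag_abusive_accounts(events):
    """Return {account: [reasons]} for accounts whose use of a sensitive flow
    looks automated when the requests are viewed together, not one at a time."""
    by_account = defaultdict(list)
    for e in events:
        if e["path"] in SENSITIVE_PATHS:
            by_account[e["account"]].append(e)
    flagged = {}
    for account, calls in by_account.items():
        reasons = set()
        for i, cur in enumerate(calls):
            window = [c for c in calls[: i + 1] if cur["ts"] - c["ts"] <= WINDOW]
            if len(window) > MAX_CALLS:
                reasons.add("repeat purchases")
            if sum(c["qty"] for c in window) > MAX_QTY:
                reasons.add("excessive quantity")
            if i > 0 and cur["ts"] - calls[i - 1]["ts"] < MIN_GAP:
                reasons.add("non-human timing")
        if reasons:
            flagged[account] = sorted(reasons)
    return flagged
```

Every single request in the sample would pass a per-request check; only the account-level view flags the automated buyer.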
Preventing unrestricted access to sensitive business flows vulnerabilities
Logic flaws in business flows typically occur because developers think about how authorized users will interact with an application, but they fail to account for threat actors. When someone deviates from expected behavior, the application fails to prevent it. Such flaws are common in complex systems and are often only discovered after the fact.
Adding to the challenge, some code components may be the domain of specialists, or the code may have been developed over time by different engineering teams. Someone working in one area of an application might inadvertently make an assumption about how another area works.
As such, there needs to be a holistic approach to preventing unrestricted access to sensitive business flows. Prevention requires regular code reviews focusing on API access controls and limits for excessive use. Developers need to think like an attacker and consider the ways someone might exploit the system by creating too many resources within a particular period.
Protecting sensitive business flows means testing across scenarios. Other strategies include:
- Requiring reauthentication for each API call
- Employing multifactor authentication (MFA), captcha, or biometric identification
- Blocking of IP addresses associated with Tor exit nodes and proxies
- Denying access to unexpected client devices using device fingerprinting
- Limiting or capping repeat activities for sensitive business flows
Finally, secure and limit API access by machines, such as B2B APIs, which often do not implement effective protection.
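As an added example (not code from the original post or from OWASP), here is the last list item above, limiting or capping repeat activities, implemented as an in-line guard: each account gets a per-flow cap on both the number of actions and the total units (seats, credits) within a sliding window, so a request that is valid on its own is still refused once the sequence exceeds the cap. The flow names, limits and account ids are assumed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowPolicy:
    max_calls: int   # repeat activities allowed per window
    window_s: int    # window length in seconds
    max_units: int   # total units (seats, credits) allowed per window

# Constructed policies for two of the sensitive flows described above.
POLICIES = {
    "purchase_tickets": FlowPolicy(max_calls=4, window_s=3600, max_units=8),
    "referral_credit":  FlowPolicy(max_calls=3, window_s=86400, max_units=3),
}

class SensitiveFlowGuard:
    """Caps how often one account may use a sensitive business flow.
    Each request may be valid on its own; the cap applies to the sequence."""
    def __init__(self, policies):
        self.policies = policies
        self.history = defaultdict(deque)  # (account, flow) -> deque of (ts, units)

    def check(self, account, flow, units, now):
        """Return (allowed, reason). The action is recorded only when allowed."""
        policy = self.policies[flow]
        hist = self.history[(account, flow)]
        # forget actions that have fallen out of the sliding window
        while hist and now - hist[0][0] >= policy.window_s:
            hist.popleft()
        if len(hist) + 1 > policy.max_calls:
            return False, f"repeat limit for {flow} reached"
        if sum(u for _, u in hist) + units > policy.max_units:
            return False, f"unit cap for {flow} reached"
        hist.append((now, units))
        return True, "ok"

def simulate_scalper():
    """Constructed scenario: one account hammering the ticket purchase flow,
    then trying again once the first purchase has aged out of the window."""
    guard = SensitiveFlowGuard(POLICIES)
    burst = [guard.check("bot42", "purchase_tickets", 2, t)[0] for t in range(6)]
    later = guard.check("bot42", "purchase_tickets", 2, 3600)[0]
    return burst, later
```

The guard is deliberately keyed on the authenticated account rather than the client IP, so it still holds when automation is spread across proxies.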
