Saltar al contenido

Expect the unexpected: increased functional attacks

Expect the unexpected: increased functional attacks

When ships face bad weather and turbulence, they sail side by side because they are more likely to withstand the storm once tied. Together, they are less likely to tip over. People and companies are not so different. We are ready to open up to new collaborations when difficulties arise (pun).

As change around us accelerates, we need new and improved ways of working together. It is therefore understandable why API adoption is so strong in many industries. Use cases differ, but all lead to greater information exchange, collaborative work, and a shift to open ecosystems. What the shows a recent survey by Imvision , 4 out of 5 organizations already allow partners (B2B) or users (B2C) to access their data with external APIs.

The well: Image Enterprise API Security Survey

But this growing exchange of information is not without risks. Publishing and consuming multiple APIs also means more functionality. The business logic that was once hidden within an application can now be accessed and potentially manipulated directly. Not only is the attack area increasing, but also the increasing complexity of the relationships between functions and data objects creates new vulnerabilities.

Take a Domino’s Pizza incident to realize the vulnerabilities created by the relationships between functions. In this case, the attacker managed to bypass the application and go directly to the API, starting a false verification process and manually activating the order confirmation function.

The lack of validation from the server (order confirmation comes only after successful payment) made this fraud possible. Due to the process of approving the exposed payments, the «customers» with technical knowledge managed to manipulate the system to accept invalid payments, offering them free pizza.

New technology, new vulnerabilities

Attackers looking for API cracks can use a new attack style, which the application’s traditional security tools cannot detect: functional attacks. Understanding what these new functional attacks are is essential for security professionals who want to protect their organization’s data, assets, and customers.

APIs are considerably more vulnerable to functional attacks targeting the expected API call flow. These appear to be normal requirements for all purposes and are often not designated as such by standard safeguards. Unfortunately, this also means that security solutions for general purpose applications, such as Web Application Firewall (WAF), are not sufficient for absolute API security.

While security measures such as WAF excel at detecting and blocking malicious API calls that match known generic vulnerabilities, they do not detect functional attacks. This is mainly due to the fact that, on the surface, functional attacks are simply calls made by real users. Only when the behavior of the application is analyzed, suspicions begin to appear.

API attack landscape

A closer look at the landscape of API attacks provides a better understanding of the risks that APIs pose. We can divide them into four different categories:

  • OWASP Top 10 API : API Security has a dedicated list of OWASP top 10 , which provides a detailed and well-researched breakdown of the common vulnerabilities that have been exploited for API abuse. Many of the vulnerabilities are more technical and application-like, while others target the exploitation of poorly designed functionality, such as authentication and authorization defects.
  • Functional attacks – Directs the proprietary business logic that governs the functionality of the API, causing the APIs to perform actions that they should not do.
  • User behavior – Various subcategories, including data mining, execution of rare actions, failure to perform joint actions and other cases indicating that the user is acting maliciously.
  • Recognition – This is not an attack vector per se, but hackers leave the crumbs behind while learning how an API works and vulnerabilities can be identified so that the attack can be stopped before it happens.

The US Postal Service suffered a functional attack which showed abuse of use for data scraping purposes. In this case, attackers have realized that they can abuse a certain API transaction by slightly changing the call parameters with each request.

This made it extremely easy for hackers to automate and distribute the attack through various credentials and thus access the data they were trying to recover. They succeeded without being detected, because the calls seemed normal; high-volume, high-frequency requests did not appear to be abnormal behavior for the popular application of the postal service.


The move to Open everything accelerated the creation of open ecosystems and the implementation of transformative digital initiatives. APIs play an important role in this transformation.

While APIs have incredible benefits, they also present significant risks. Each API represents a specific function. This means that only one API can communicate with another API and each API is actually a single access point to the internal workings of an application.

API attacks are fast becoming a common attack vector. Hackers eager to wreak havoc create functional attacks that manipulate the business logic of the API to gain access to the private and confidential data of others. In addition, there is a lack of custom security measures developed to protect APIs. Functional attacks targeting API business logic are often overlooked because they appear as standard API calls.

It is imperative to have a security solution that learns the unique business logic of each API and detects abnormal behavior around functional attacks. The ability to automatically discover, test, and protect your APIs has become more important than ever.