
API6: Unrestricted Access to Sensitive Business Flows

>Control Description

When creating an API Endpoint, it is important to understand which business flow it exposes. Some business flows are more sensitive than others in the sense that excessive access to them may harm the business. Common examples of sensitive business flows and the risk of excessive access associated with them include purchasing a product flow that could allow an attacker to buy all limited-stock items and resell at a higher price (scalping), creating a comment/post flow that could enable spam, and making a reservation that could enable an attacker to reserve all available time slots. The risk of excessive access might change between industries and businesses. For example, creating posts by a script might be considered spam by one social network but encouraged by another.

>Prevention & Mitigation Strategies

  1. The mitigation planning should be done in two layers:
     - Business: identify the business flows that might harm the business if they are excessively used.
     - Engineering: choose the right protection mechanisms to mitigate the business risk.
  2. Device fingerprinting: denying service to unexpected client devices (e.g. headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them.
  3. Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns).
  4. Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the 'add to cart' and 'complete purchase' functions in less than one second).
  5. Consider blocking IP addresses of Tor exit nodes and well-known proxies.
  6. Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don't implement all the required protection mechanisms.
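The "non-human patterns" check above, worked through as an added example (not code from the OWASP page): it runs the sub-second add-to-cart/complete-purchase rule over a constructed event log, and adds a sliding-window cap on completed purchases per account, which is the engineering-layer control a business would pick for a scalping-prone purchase flow. Event names, thresholds and account identifiers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (account, action, ISO timestamp); not real traffic.
SAMPLE_EVENTS = [
    ("acct-1", "add_to_cart", "2024-01-01T10:00:00.000"),
    ("acct-1", "complete_purchase", "2024-01-01T10:00:00.400"),  # 400 ms: scripted
    ("acct-2", "add_to_cart", "2024-01-01T10:00:05.000"),
    ("acct-2", "complete_purchase", "2024-01-01T10:00:31.000"),  # 26 s: plausible human
]
# acct-3 paces each purchase like a human but completes five within five minutes.
for minute in range(5):
    SAMPLE_EVENTS.append(("acct-3", "add_to_cart", f"2024-01-01T10:0{minute}:00.000"))
    SAMPLE_EVENTS.append(("acct-3", "complete_purchase", f"2024-01-01T10:0{minute}:02.000"))

MIN_HUMAN_GAP = timedelta(seconds=1)   # threshold taken from the page's one-second example
PURCHASE_LIMIT = 3                      # hypothetical per-account cap per window
WINDOW = timedelta(minutes=10)          # hypothetical sliding window


def _parsed(events):
    """Return (account, action, datetime) rows in chronological order."""
    rows = [(a, e, datetime.fromisoformat(ts)) for a, e, ts in events]
    return sorted(rows, key=lambda r: r[2])


def flag_non_human_timing(events, min_gap=MIN_HUMAN_GAP):
    """Accounts whose add_to_cart -> complete_purchase gap is below min_gap."""
    last_cart, flagged = {}, set()
    for acct, action, ts in _parsed(events):
        if action == "add_to_cart":
            last_cart[acct] = ts
        elif action == "complete_purchase" and acct in last_cart:
            if ts - last_cart[acct] < min_gap:
                flagged.add(acct)
    return flagged


def flag_excessive_purchases(events, limit=PURCHASE_LIMIT, window=WINDOW):
    """Accounts exceeding `limit` completed purchases inside any sliding `window`."""
    recent, flagged = defaultdict(list), set()
    for acct, action, ts in _parsed(events):
        if action != "complete_purchase":
            continue
        # Keep only purchases still inside the window, then add this one.
        recent[acct] = [t for t in recent[acct] if ts - t < window] + [ts]
        if len(recent[acct]) > limit:
            flagged.add(acct)
    return flagged
```

Both rules are complementary: acct-1 trips the timing rule but not the cap, while acct-3 keeps human-like pacing and is only caught by the per-account purchase cap.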

>Attack Scenarios

#1: Gaming console scalping

A technology company announces they are going to release a new gaming console on Thanksgiving. The product has very limited stock. An attacker writes code to automatically buy the new product and complete the transaction using multiple IP addresses distributed across different locations. On release day, the attacker's script runs and buys all available stock before legitimate customers can purchase the product. Later, the attacker sells the entire stock on another platform for a much higher price.

#2: Airline ticket price manipulation

An airline offers online ticket purchasing with no cancellation fee. A user with malicious intent books 90% of the seats on a desired flight. A few days before the flight, the user cancels all tickets at once, which forces the airline to discount ticket prices in order to fill the flight. The user purchases a single ticket at a much lower price than the original.

#3: Ride-sharing referral fraud

A ride-sharing app provides a referral program offering credit for inviting new users. The credit can later be used for rides. An attacker exploits this flow by writing a script to automate the registration process, with each new account adding credit to the attacker's wallet. The attacker then either enjoys free rides or sells the accounts with excessive credits.

>References
