Ivan Novikov, CEO at Wallarm, is an API security expert, bug hunter, security researcher, and blackhat speaker with 24 years of experience in the cybersecurity field. He spent decades in this industry and witnessed exploits as well as growth.
Read ahead to understand Ivan’s API Security journey and how he sees the current progress of this field as a whole. You will get to know about how API Exploits are still a threat to those who are not alert or are unaware of the API-related cyber threats trends.
About the Research
His main aim was to gather the old and new insights in the API Security field during this research. The reasons behind doing so are:
- To figure out which threats still persist (1988-2022);
- To collect essential data for later reuse;
- To prepare a comprehensive set of information on API exploits & problems;
- To class the data and remove redundancies;
- To build visual statistical figures to illustrate it better;
- To make more accurate predictions for the industry.
This research is the reason why Ivan could come up with a report that has very precise OWASP Top 10 2021 predictions and Top 10 2022 statistical proposal.
His data sources are:
- Data from 1998-2022 (throughout his career)
- ~10’000 CVE, BugBounty reports and exploits
Now, let us see a few quick glimpses of the research.
If you have noticed, API vulnerabilities are not categorized appropriately through any official institution. For example:
- Hierarchy in CWE (Common Weakness Enumeration) is complex to understand.
- There are overlaps in OWASP 2017 & 2021 Top 10 with its 2019 list.
The “Classic” 2021 Top 10 list by OWASP is more like API Security OWASP if you see it from a different perspective. It’s because more than 90% of the issues - classified in the report for web solutions - are applicable to the API domain too. After all, there is no web without APIs today.
The First and Last API Exploit
You can say that Ivan has been operating in the cybersecurity industry since the era of the dinosaurs, and even in that period, his focus was API. Let’s know about the earliest and latest API Exploits with him:
Reported on: 04/03/1998
IRIX (if you remember it) was the first Directory traversal vulnerability in pfdispaly.cgi program (or “pfdisplay”). A Path traversal vulnerability in the SGI’s Performer API Search Tool (performer_tools) gave remote attackers the authority to read arbitrary files.
Reported on: April 18th, 2022
It is, again, a path traversal exploit, and its result is remote code execution too. Certain WSO2 products had a flaw that enabled threat actors to upload files via RCE. For this, a /fileupload endpoint with a content-disposition directory traversal sequence (to the root directory) is all that an attacker needs.
Let us give you 3 general findings of the research before detailing the analysis regarding them:
- 5 API Exploits Happen Everyday. The speed has been higher since 2015.
- Use of Non-Web APIs is Rising.
- CVSS Score is ~6.0 Since 1998; Denotes High Risk.
Keeping the above in mind, there are 2 crucial points to analyze for you:
- The Threat is Bigger than what CVSS Shows
From 1988 to 2022, the CVSS Score remained around 6.0, indicating a somewhat high risk. However, as it depends on impact as well as exploitability and as all exploitable points won’t be impacted, it belittles the actual threat level. You must see the exploitability (which has a score above 9.0) that confirms that APIs are at super high risk.
- API Protocol Trends
Upon glancing at the adoption of API protocols, you will realize that 46% of organizations still make do with legacy API/Web protocols in comparison to other options. And if we split the legacy vs. other API exploits, it is clear that legacy API/web solutions are at high risk.
To be honest, it’s the security and functional ability that should make you pick a protocol for the API. A more robust protocol will guard you against multiple vulnerabilities already.
Exploits related to APIs are increasing every day, and by APIs, we mean web as well as non-web APIs. Businesses that own or use APIs must not overlook this fact. You must understand that CVSS exploitability Score for APIs is 9.0, which is very high.
To avoid troubles, it is better to avoid more vulnerable APIs, such as the legacy ones that still contribute to 50+ percent of APIs, surprisingly. For a better understanding of APIs among its users and implementers, we will still need a better classification framework, helping us deal with exploits more speedily.
Want more details?
Take a quick look at this presentation and move ahead as a well-aware API owner. It will help you secure your APIs and gather interesting information alongside. Businesses that own or use APIs should definitely have this knowledge.
If you liked our presentation and are interested in receiving such updates more frequently, you can: