Akamai has reported a surge in attacks on poorly coded web applications that exploit the API revolution. The content delivery network giant reported that the volume of daily web application attacks it monitors can reach well over 100 million on bad days.
Local file inclusion (LFI) is the vector driving the most growth in web app and API attacks, with a 193% year-over-year growth rate.
According to Akamai, LFI vulnerabilities are most often found in PHP-based websites, and nearly 8 in 10 websites that use server-side programming use PHP. If the input is not filtered, an LFI attacker can manipulate the file path that a PHP script includes to read sensitive content stored on the web server, or even achieve remote code execution.
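The unfiltered include the article describes, shown beside a hardened version, as an added example that is not from the Akamai report. It uses Python to stand in for a PHP site doing `include($_GET['page'])`; the sandbox directory, page names and `config.php` contents are constructed for illustration.

```python
"""Added example: an unfiltered include path is an LFI; an allowlist plus a
containment check on the resolved path is one way to fix it."""
import os
import tempfile
from typing import Optional

# Constructed sandbox: a "web root" holding the only pages we intend to serve.
ROOT = tempfile.mkdtemp()
PAGES_DIR = os.path.join(ROOT, "pages")
os.makedirs(PAGES_DIR)
for name in ("home", "about"):
    with open(os.path.join(PAGES_DIR, f"{name}.php"), "w", encoding="utf-8") as f:
        f.write(f"<h1>{name}</h1>")
# A file outside the pages directory that must never be served (constructed).
with open(os.path.join(ROOT, "config.php"), "w", encoding="utf-8") as f:
    f.write("DB_PASSWORD=example-only")

ALLOWED_PAGES = {"home", "about"}  # allowlist of page identifiers


def vulnerable_include(page: str) -> str:
    """Unfiltered: the request parameter is joined straight into the path, so a
    value containing '..' escapes PAGES_DIR. This is the LFI pattern the
    article describes, kept here only to contrast with safe_include()."""
    with open(os.path.join(PAGES_DIR, page), encoding="utf-8") as f:
        return f.read()


def safe_include(page: str) -> Optional[str]:
    """Hardened: accept only known page identifiers, build the path from them,
    and verify the resolved path still lies inside PAGES_DIR after '..' and
    symlinks are resolved. Returns None (treat as HTTP 404) on rejection."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(PAGES_DIR, page + ".php"))
    base = os.path.realpath(PAGES_DIR) + os.sep
    if not candidate.startswith(base):  # defence in depth: containment check
        return None
    with open(candidate, encoding="utf-8") as f:
        return f.read()
```

The containment check is deliberately kept even though the allowlist alone blocks traversal: it protects against a later change that relaxes the allowlist.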
LFI attacks have now surpassed previous top vectors, including cross-site scripting and SQL injection.
This surge in attacks was predicted by Cloudflare in late 2021, which warned that the exponential growth of APIs over the previous half-decade was not being matched by security measures. Gartner predicted in early 2020 that API abuses would move from being infrequent to being the most frequent attack vector within the following two years.
The OWASP Foundation has proposed a list of the top 10 security vulnerabilities for 2023 that includes a number of API vulnerabilities, among them “unsafe consumption of APIs.”
Developers tend to trust data received from third-party APIs more than user input, especially for APIs offered by well-known companies. As OWASP warns, this tendency can lead to weaker security standards, particularly in input validation and sanitization.
With the rise of APIs and LFI attacks, it is essential that developers prioritize web application security measures and stay updated on the latest vulnerabilities and threats.