Bots are Exploiting Business Logic Vulnerabilities. Is Your Web App Secure?
Recent headline-making shopping bots may have CISOs asking “Is our business at risk of a targeted bot attack?” and “What can I do to prevent it from happening to us?” Nike and Sony are not the first, nor will they be the last, brands to experience reputational damages due to a successful shopping bot attack. CISOs, therefore, must begin to weigh the risks and rewards of making more substantial investments to secure their high criticality business applications.
The State of Application Security Today
When it comes to securing web applications, we’re all, at this point, familiar with the risks associated with vulnerabilities in the software code itself. These exploits have been well-documented by organizations like OWASP and are typically carried by automated bots hoping to strike gold with one of their thousands of targets. It’s ultimately a numbers game. If you have an application connected to the internet, you have likely encountered such an attack.
The good news is that, with the right culture of security, prevention and detection measures are fairly routine to implement. At minimum every app will need some type of protection like a web application firewall.
Use of bots, however, is no longer limited to exploiting vulnerabilities in software code. As applications become more critical to business operations, attackers are seeking out business logic vulnerabilities to gain access to high value digital properties. Such an attack requires a highly specialized bot that’s designed to carry out a very specific attack on a specific set of targets. The more valuable the target, the more time an attacker will spend looking for weaknesses. In fact, it’s now estimated that the majority of bot traffic on the internet have a moderate or advanced level of sophistication as opposed to more basic automations like BASH scripts that spray and pray requests to web applications.
Complicating matters, these advanced bots often mimic human behavior, which can make it difficult to distinguish bot traffic from real user traffic. If you’re in an industry like retail, finance or even grocery delivery who experienced a spike in online business over the last year, you may not think much when a flood of new user accounts are created. Or, in the case of Nike and Sony, when a hot product sells out almost immediately.
If you have a high criticality app that could be the target of fraud, abuse or business logic attacks, the fact of the matter is: a simple WAF isn’t going to cut it anymore. And prevention is going to take coordination across the organization.
Business Logic Attacks: Shared Risks, Shared Responsibility
A successful attack on business logic vulnerabilities has a ripple effect across the enterprise. The most far-reaching and visible is going to be the impact to the brand when an attacker abuses your service and devalues the customer experience. Attackers won’t care if your service is disrupted, as long as they’re turning a profit, but customers absolutely will, potentially resulting in long-term losses in revenue and retention. And that will certainly catch the attention of the C-suite.
Beyond threats to brand reputation, sophisticated bot attacks pose a number of very tangible threats to business, availability and security, and mitigation of those risks should be approached holistically across the line of business, IT and security owners within the organization.
Risks to the business – An attack on business logic pollutes data and site metrics, making it hard to understand who your actual customers are. Bots can also scrape intellectual property from the application for their own use and profit. Or, they may completely copy your web application to create their own malicious version with the goal of gathering user credentials or stealing business away from your site.
Risks to availability – Most commonly when we talk about bots and automated attacks in relation to availability of service, we’re talking about denial of service attacks, which come with obvious financial and reputational risks. Degradation of performance and denial of inventory pose similar threats to availability.
There is also a very real risk of incurring significant infrastructure costs. Say, for example, a bad bot targets an app hosted on AWS. The bot is going to flood that application with unwanted traffic, and you’re going to end up with a huge AWS bill for traffic you don’t even want.
Risks to security – A targeted, automated attack poses several new security risks that aren’t present in more common attack vectors and vulnerability exploits. Those risks include site footprinting and reconnaissance, site-specific vulnerability scanning and exploits and credential stuffing. Credential stuffing, which uses an automated web injection to take over user accounts, is an emerging threat that is particularly dangerous for both the enterprise and its customers.
Weighing the Risk vs. Reward of Anti-Bot, Anti-Fraud Investments
Taking these risks into consideration, CISOs, and ultimately the enterprise as a whole, need to understand the potential return on investment for anti-bot and anti-fraud technologies. It’s not something every application in your suite is going to need, especially if the application has little to no potential value to an attacker. For your high value, high criticality apps, however, such technologies could prevent significant enough financial losses to warrant investment.
It’s important to consider the likelihood of the attack in your assessment as well. A high cost, high risk attack with a high likelihood of occurrence would take top priority. Whereas a low cost, high frequency attack and a high cost, low frequency attack may share priority.
Finally, though web application security initiatives may be CISO-driven, buy-in from line of business owners and IT owners is essential and may even open up new P&Ls to make the necessary security investments.
This article summarizes key points from a recent Kudelski Security webcast “Application Security Protection. F5 provides application security services in conjunction with Kudelski Security.