What are malicious API calls, and how can you combat them?

Application programming interfaces (APIs) act as a bridge between different software programs and platforms with different architectures. They’re a core tool in seamless system integration.

Unfortunately, just like any other program or application, they’re not immune to cyberattacks.

That’s where the illicit practice of malicious API calls comes in. But what are malicious API calls, and how can you combat them?

What are API calls?

Before understanding what malicious API calls are, it’s worth clarifying what an API call itself is (malicious or otherwise).

An API call encompasses the process of:

  • A client application submitting a request to the API in question
  • The API retrieving the requested data
  • The data getting delivered back to the client

Essentially, it’s the name for each, individual time that the API is used.

What makes them malicious?

So, what makes an API call malicious? The answer is all about the behaviour — and the intent behind it.

Broadly speaking, malicious API calls are ones that target your system for nefarious purposes. They could include, for example:

  • Malicious injections

A perpetrator can inject a malicious script into a vulnerable API, or insert malicious commands into an API message. (I.e., a command that deletes tables from a database.)

An attack on a web API that attempts to overwhelm it. This may be via a sudden deluge of concurrent connections, or by sending/requesting high volumes of data in each request.

  • Data theft (MiTM)

A ‘man in the middle’ attack in which the perpetrator sits in the middle of a connection and intercepts communications

Unfortunately, though these activities may sound obviously malicious, it’s not always easy to tell which behaviours are malicious and which are legitimate. This is because some legitimate user behaviour can look malicious, and vice versa. (Particularly in the case of unskilled or confused users.)

Detecting malicious API calls

This all brings us to how you can combat malicious API calls. As with any cyber threat, the first challenge lies with detection.

Because it’s the behaviour and intent behind the API use that makes a call malicious or friendly, this is not a simple task. What may be considered malicious behaviour most of the time, could just be a confused user, and vice versa.

To detect malicious API calls, the typical advice is to create a sliding scale of behaviour. This would have user behaviour that you expect on one end, and the obviously malicious on the other. The middle grey area applies to the API calls that may or may not be malicious — working on a balance of probability.

What to look out for?

More specifically, though, what kind of behaviour should you be looking out for?

  • Privilege escalations

Keep an eye out for accounts or users of an API that get more access rights than you expect. Any attempts at excess access — successful or otherwise — should be monitored. This behaviour may be pointing toward malicious API calls.

  • High request rates

I.e., lots of API calls in a short amount of time (particularly from one source). Too much traffic or high-volume requests can cause an API to slow down or stop working. It could result in the API suffering buffer overrun and so on.

High request rates are highly suspicious behaviour when it comes to API calls. It can point to an ill-informed user, but typically it falls under unexpected behaviour, which requires more scrutiny.

  • Mapping attempts

There are reasons a developer might want to map an API. But, particularly when the API endpoints are internal or undocumented, it can suggest malicious intent. Namely, someone looking for weaknesses.

How to combat high traffic/high volume malicious API calls

Combatting malicious API calls isn’t just about knowing how to detect them. It’s also about putting preventative measures in place.

One of the most notable behaviours that suggest malicious API calls is sudden high traffic/high volume requests. Unchecked, these result in the slowing of your API, or even total denial of service.

One way to combat it is to limit the volume of requests that a user can trigger in a given time. Make high volume API calls attainable through your premium or higher priced packages and features. This way, it’s more likely that the high traffic is coming from legitimate, expectable need, rather than malicious intent.

Combat malicious API calls through vigilance

Another key aspect of combatting malicious API calls revolves around monitoring and vigilance.

That is, you need to track behaviours outside of expected parameters — accounts, location, etc. Be sure to check any unknown or non-developer accounts with unexpected privileges. Does the location data from the API call make sense? Keep an eye out for mapping attempts — this could be a sign of a bad actor looking for a weakness to exploit.

By remaining vigilant, you make malicious API calls much harder to happen. This acts as a deterrent for bad actors and can block some bot attacks. Plus, it provides an early warning to the IT security team if an attack does come through your API — allowing them to stop it before it becomes a huge problem.

Authenticate and authorise

Combatting malicious API calls also means verifying unexpected or suspect behaviour. As such, having good authentication and authorisation practices can help keep bad actors away.

Authentication helps make sure only intended users are accessing the API. It helps prevent account takeovers. It also helps to guard against privilege escalations — you know which users have any given privileges.

TL;DR: Malicious API calls

In short, malicious API calls are cyberattacks that happen on or through your API. They’re the uses of the API that are malicious in nature — and that can look obviously malicious, or more unclear.

Meanwhile, the core of the prevention tactics is to know what user behaviour is expected, reasonable, or explainable. And, from there, to monitor (or outright prevent) any deviations from that acceptable use.

Useful links