API Security Concerns Explode, Says Akamai
Hackers Target PHP Websites With Local File Inclusion Vulnerabilities
Hackers have seized on the API revolution to drive a surge in attacks that exploit poorly coded web applications, reported Akamai, in a warning echoed by other cybersecurity experts.
The content delivery network giant reports that the volume of web application attacks it monitors can exceed 100 million in a single day on peak days. Among the recent victims of an API attack was Australian telecom provider Optus (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).
The vector driving the most growth in web app and API attacks is local file inclusion, or LFI: an attack that succeeds when a web application, typically a PHP one, builds the path it passes to an include statement from a request parameter without validating it against the files it actually intends to load.
"PHP-based websites are generally found to have LFI vulnerabilities," wrote Akamai in a quarterly report assessing the state of the internet. W3Techs data shows that nearly 8 in 10 websites that use server-side programming use PHP. "It is no surprise that we see an influx of attacks year after year," Akamai said.
Without such validation, an attacker can supply a path of their own choosing, walking out of the intended directory with "../" sequences to read sensitive files the web server can access (configuration files, credentials, source code), or, where they can first get PHP code onto disk, including that file to achieve remote code execution. "LFI attacks are on a massive upswing with 193% year-over-year growth," Akamai wrote. That surge pushed LFI past the previous top vectors, including cross-site scripting and SQL injection.
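The pattern Akamai is describing, and one way to close it, as an added example that is not code from the Akamai report or any product it names. The pages/ directory, the page names and the query-string parameter are illustrative assumptions.

```php
<?php
// Added example (not from the Akamai report): the local file inclusion
// pattern behind the attacks described above, and a hardened version.
// Directory and page names are assumptions for illustration.

// VULNERABLE: the request parameter decides which file include() loads.
// ?page=../../../../etc/passwd walks out of pages/ and returns any file
// the web server user can read; if attacker-controlled PHP code is already
// on disk (an uploaded file, a log line), including it executes it, which
// is the remote code execution route mentioned above.
function render_vulnerable(array $query): void
{
    $page = $query['page'] ?? 'home';
    include 'pages/' . $page;           // no validation of $page at all
}

// HARDENED: never build an include path from user input. Map the
// parameter onto a fixed allowlist and include only allowlisted paths.
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): ?string
{
    // Anything not on the list, including "../" strings, null bytes and
    // absolute paths, is rejected outright rather than "cleaned".
    return PAGE_ALLOWLIST[$page] ?? null;
}

function render_safe(array $query): void
{
    $path = resolve_page((string) ($query['page'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth where an allowlist is impractical (a template directory
// that changes often): canonicalise the path, then require it to sit
// strictly inside the base directory. A plain str_replace('../', '', $page)
// is not a substitute, since "....//" collapses back to "../" after one pass.
function resolve_under(string $base, string $page): ?string
{
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $page);
    if ($baseReal === false || $candidate === false) {
        return null;                    // missing file or unresolvable path
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                    // resolved path escaped the directory
    }
    return $candidate;
}
```

Two caveats for the prefix check: realpath() follows symlinks, so a symlink inside the base directory that points outside it passes the test, and the check only runs on files that exist. Pair either approach with the interpreter-level limits PHP already offers, allow_url_include=Off (the default, which blocks remote inclusion) and an open_basedir restriction that confines what the process can open at all.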
Akamai's data is less of a surprise than a prediction fulfilled. In late 2021, Cloudflare warned about exponential API growth over the past half-decade not being matched by security measures. In early 2020, Gartner predicted that within the next two years, API abuses would move from being infrequent to being the most frequent attack vector. Akamai itself has more than once sounded alarms about growing API vulnerabilities.
The OWASP Foundation's proposed API Security Top 10 for 2023 adds several new API weakness categories, including "unsafe consumption of APIs," which covers applications that trust data returned by third-party APIs as if it were their own.
"Developers tend to trust data received from third-party APIs more than user input. This is especially true for APIs offered by well-known companies. Because of that, developers tend to adopt weaker security standards, for instance, in regards to input validation and sanitization," OWASP warned.
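What that weaker standard looks like in practice, and the fix, as an added example that is not OWASP's or Akamai's code. The partner endpoint, the JSON fields and the partner_users table are assumptions for illustration; the point is that a third-party response is handled exactly like untrusted user input.

```php
<?php
// Added example (not OWASP's code): the "unsafe consumption" anti-pattern
// OWASP describes, beside a hardened version. The partner API URL, JSON
// shape and database table are assumptions for illustration.

// VULNERABLE: the partner's response is trusted like internal data. TLS
// verification is off, redirects are followed anywhere, and the fields go
// straight into SQL, so a hostile or compromised partner (or anyone on the
// network path) gets SQL injection against this application.
function import_partner_vulnerable(PDO $db, string $partnerId): void
{
    $ctx  = stream_context_create(['ssl' => ['verify_peer' => false]]);
    $json = file_get_contents("https://partner.example/api/users/$partnerId", false, $ctx);
    $u    = json_decode($json, true);
    $db->exec("INSERT INTO partner_users (name, homepage) VALUES ('{$u['name']}', '{$u['homepage']}')");
}

// HARDENED: validate what we send, bound what we receive, validate its
// structure, and keep data out of SQL syntax.
function import_partner_safe(PDO $db, string $partnerId): bool
{
    // 1. Our own outgoing parameter must not be able to reshape the URL.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $partnerId)) {
        return false;
    }
    $ch = curl_init('https://partner.example/api/users/' . rawurlencode($partnerId));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,        // never follow a redirect elsewhere
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_MAXFILESIZE    => 65536,        // bound the body we will parse
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return false;
    }
    // 2. Validate structure, types and lengths before using anything.
    $u = validate_partner_user($body);
    if ($u === null) {
        return false;
    }
    // 3. Parameterised statement: the values never become SQL syntax.
    $stmt = $db->prepare('INSERT INTO partner_users (name, homepage) VALUES (:name, :homepage)');
    return $stmt->execute([':name' => $u['name'], ':homepage' => $u['homepage']]);
}

// Schema check for the response: expected keys only, bounded lengths,
// and only http(s) homepages so a javascript: URL never reaches a template.
function validate_partner_user(string $body): ?array
{
    $u = json_decode($body, true, 8);       // depth limit bounds nesting
    if (!is_array($u) || !is_string($u['name'] ?? null) || !is_string($u['homepage'] ?? null)) {
        return null;
    }
    if (strlen($u['name']) > 100 || !preg_match('/^[\p{L}\p{N} .\'-]+$/u', $u['name'])) {
        return null;
    }
    $scheme = parse_url($u['homepage'], PHP_URL_SCHEME);
    if (strlen($u['homepage']) > 2048 || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return ['name' => $u['name'], 'homepage' => $u['homepage']];
}
```

The hardened client does three things the vulnerable one skips: it refuses to be redirected to a host the developer never chose, it caps the response size and nesting before parsing, and it validates each field against what the application expects rather than what the partner happened to send. None of that depends on how well-known the partner is, which is exactly OWASP's point.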