An analysis of customer data collected by content delivery network and internet services giant Akamai found that attacks targeting web applications rose by 137% over the course of last year, as the healthcare and manufacturing sectors in particular were targeted with an array of API and application-based intrusions.
Local file intrusions — in which attackers spoof a web application in order to either execute code remotely on a web server or gain access to files that they shouldn’t — were the most common attacks seen against Akamai’s customers in 2022, and the company warns that its high level of popularity means that it’s a technique that likely remains common in 2023.
“The rise in LFI means the attackers are having success using it, so you should prioritise testing to see if you are vulnerable,” the report said.
Local file intrusions (LFIs) rise by 193%
LFI-based attacks grew by 193% between 2021 and 2022, in no small part because PHP-based websites are generally vulnerable to them. Eight out of 10 websites run the PHP scripting language, according to the report.
Overall levels of web application attacks were substantially higher in 2022 than in 2021, averaging less than 50 million per day in 2021 and closer to 100 million in 2022.
“[Attackers] are using LFI to gain access and they’re doing so with growing frequency,” said Steve Winterfeld, advisory CISO at Akamai.
On the API side, the top-ranked vulnerability cited by Open Web Application Security Project (OWASP) is now BOLA, or broken object-level authorisation. This flaw can allow attackers to manipulate the ID of an object in an API request, in effect letting unprivileged users read or delete another user’s data.
Akamai said that this is a particularly high-risk attack, given that it doesn’t require any particular degree of technical skill to execute, and intrusions resemble normal traffic to most security systems.
“The detection logic must differentiate between 1-to-1 connections and 1-to-many connections among resources and users,” the report said. “Postevent BOLA attacks are difficult to see because of its low volume and it does not show a strong indication of any behavioral anomalies, such as injection or denial of service.”
One vertical that might find itself particularly in the crosshairs of web application and API attackers in 2023 includes healthcare, which has seen an influx of new devices under the internet of medical things aegis, and an associated app and API ecosystem spring up around them, Akamai said. Another is manufacturing, which, similarly, has seen IoT devices and associated systems proliferate, leading to a 76% increase in median attacks in 2022.
Akamai urged all users to be cognizant of the growing threat posed by application- and API-based attacks and update organisational playbooks used for coping with them.