According to research from Akamai, the number of attacks against applications and APIs grew by 137 percent in the past year compared to 2021. The attacks increased in frequency, as well as complexity. Akamai argues that attackers are always looking for new ways to exploit the growing attack surface. In the past year, the attacks mainly focused on the trade sector, the technology sector, and the financial services sector. The healthcare sector is also facing more attacks.
The most common application and API attack type was Local File Inclusion. These attacks increased by 193 percent compared to a year earlier. Attacks exploiting vulnerabilities in open-source software also increased. Broken Object Level Authorization (BOLA) attacks are also on the rise. These types of attacks are easy to carry out because cybercriminals can scan for vulnerable API endpoints. Attackers can easily use them to steal (personal) information from other users, and the requests are often difficult to distinguish from legitimate network traffic.
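The missing check behind BOLA, as an added example that is not taken from Akamai's research or from this article: a handler that only verifies the caller is logged in, next to one that also verifies the requested object belongs to the caller. The invoice store, function names and audit-event format are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 12500),
    1002: Invoice(1002, "bob", 9900),
}


def get_invoice_vulnerable(session_user, invoice_id):
    """Authentication only: any logged-in user can read any invoice ID."""
    if session_user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice  # ownership is never compared to session_user


def get_invoice_hardened(session_user, invoice_id, audit_log):
    """Adds the object-level check: the record must belong to the caller."""
    if session_user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if invoice.owner != session_user:
        # The request is well-formed and authenticated, so the application
        # is the only layer that can tell it apart from a legitimate one.
        # Record the denial for detection and answer exactly as for a
        # missing ID, so the response does not confirm which IDs exist.
        audit_log.append({
            "event": "object_authz_denied",  # hypothetical event name
            "user": session_user,
            "object_id": invoice_id,
        })
        return 404, None
    return 200, invoice
```

A run of `object_authz_denied` events from one account across many object IDs is the signal that ordinary traffic inspection does not provide.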
Other emerging application and API attacks include Server-Side Template Injection (SSTI). Log4Shell, Spring4Shell, and the security vulnerabilities found in Atlassian Confluence are examples of this. Furthermore, Server-Side Request Forgery (SSRF) attacks are also increasing. Akamai identified approximately 14 million SSRF attacks per day against customers’ applications and APIs in 2022.