Is business logic abuse a growing problem for APIs? [Q&A]


Tricking applications into altering their processes or surrendering information is a highly efficient way for attackers to carry out theft or fraud while minimizing the risk of detection.
We asked Mohammad Ismail, VP of EMEA at Cequence Security, to explain how this business logic abuse is carried out and why it’s becoming a growing problem.
BN: What is business logic abuse fraud and why are APIs in particular at risk?
MI: Business logic abuse describes a technique that seeks to subvert the functionality of an application or API. Strictly speaking, it’s not an attack at all as it uses legitimate calls to achieve malicious ends such as Account Takeover fraud (ATO). Bots use stolen user credentials, infrastructure such as proxies and servers, and management toolkits from the Dark Web to execute such attacks. These then use the compromised API to complete account sign-up forms, account logins, or partially execute online purchases or make reservations.
APIs are a prime target because they are primarily designed to enable access and are privy to sensitive data and operational processes. As this is their prime aim, even APIs that meet the demands of recognized API protocols can be susceptible to abuse. This is because the way in which the API can be exploited doesn’t stem from a lack of security controls i.e. authorization but from flawed business logic and assumptions by the developer over how the API will be used.
BN: Can you give us some examples of business logic abuse in action?
MI: Examples of business logic abuse include manipulating access controls such as URLs, session tokens, cookies or hidden fields to escalate privileges and obtain access to sensitive data or access to other systems. Input validation can see bots repeatedly sign up, log in, or execute purchases in order to validate credentials, access unauthorized data, or commit fraud by changing a parameter such as price, while session tokens or the poor handling of session data can lead to hijacked sessions. The attacker may even try to bypass built-in constraints to business logic by reviewing points of entry such as form fields and coming up with inputs that the developers may not have planned for. For example, bypassing the purchasing workflow could allow an attacker to purchase a product without paying.
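The price-tampering and workflow-bypass cases above, as an added example that is not part of the interview or any Cequence code: a checkout that trusts client-supplied values beside a hardened version in which the server owns both the price and the order state transitions. The catalogue, order fields and request values are constructed for illustration.

```python
# Added example (not from the interview): a checkout handler that trusts
# client-supplied prices and lets the fulfil step run without a completed
# payment, beside a hardened version that derives the price server-side and
# enforces the order state machine. Catalogue and request values are constructed.
from dataclasses import dataclass

CATALOGUE = {"sku-100": 4999}  # price in minor units; the server-side source of truth

@dataclass
class Order:
    sku: str
    total: int
    state: str = "created"  # created -> paid -> fulfilled

# --- vulnerable: every decision is driven by what the client sends ----------
def create_order_vulnerable(req: dict) -> Order:
    # Flaw 1: the price is copied from the request body instead of the catalogue.
    return Order(sku=req["sku"], total=int(req["price"]))

def fulfil_vulnerable(order: Order, req: dict) -> str:
    # Flaw 2: a hidden field from the client decides whether payment happened,
    # so posting straight to the fulfil endpoint skips the payment step.
    if req.get("paid") == "true":
        order.state = "fulfilled"
    return order.state

# --- hardened: the server owns the price and the state transitions ----------
class WorkflowError(Exception):
    pass

def create_order(req: dict) -> Order:
    sku = req["sku"]
    if sku not in CATALOGUE:
        raise WorkflowError("unknown sku")
    # Price is looked up, never read from the client; extra fields are ignored.
    return Order(sku=sku, total=CATALOGUE[sku])

def record_payment(order: Order, amount_captured: int) -> Order:
    # Transition only from 'created', and only when the captured amount matches.
    if order.state != "created":
        raise WorkflowError(f"cannot pay order in state {order.state}")
    if amount_captured != order.total:
        raise WorkflowError("captured amount does not match order total")
    order.state = "paid"
    return order

def fulfil(order: Order) -> Order:
    # Fulfilment is gated on server-side state, not on any request parameter.
    if order.state != "paid":
        raise WorkflowError(f"cannot fulfil order in state {order.state}")
    order.state = "fulfilled"
    return order
```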
BN: Why is it a growing problem? Are attacks becoming more ambitious?
MI: Business logic abuse makes up the majority of attacks against APIs, with industry reports suggesting 27 percent fall into this category, and as API use continues to explode (API calls currently make up 71 percent of internet traffic and growing) it’s a problem that’s only going to get worse. It’s so broad an issue that it can be classed as a threat that permeates many of the attack types identified by the OWASP API Top 10 API Security Risks, although the most relevant is Broken Function Level Authorisation (API5: 2023).
Attacks are definitely becoming more ambitious with us recently detecting a massive case of business logic abuse against a Fortune 500 hospitality provider in the UK. The attack saw a botnet of over 11 million unique IP addresses used to make API calls to the company’s login systems. These sought to execute a credential stuffing attack to identify valid user accounts and associated payment details.
The attack was timed to coincide with Valentine’s Day because that was when the company would typically expect to see a surge in traffic. Moreover, residential proxy networks were used to imitate legitimate traffic so that although the attack generated over 28 million security events in total, this was only equivalent to three events per unique IP address which meant it would not be regarded as a volumetric attack by the company’s systems and trigger an alert.
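The evasion described above (a campaign spread so thinly that each source address generates only a few events) as an added example that is not part of the interview: a classic per-IP failure threshold fires on nothing, while two fleet-wide signals still expose the campaign. The login events, addresses and thresholds are constructed for illustration.

```python
# Added example (not from the interview): why a per-IP threshold misses a
# credential-stuffing campaign distributed across many sources, and the
# aggregate signals that still reveal it. All events are constructed inline.
from collections import Counter

def build_events(campaign: bool) -> list:
    """Constructed login events as (src_ip, account, outcome).
    The campaign makes 3 attempts per IP from 200 IPs, a different account
    each time; 20 legitimate users log in successfully, one with a typo first."""
    events = []
    if campaign:
        for i in range(200):
            ip = f"10.{i // 256}.{i % 256}.7"
            for j in range(3):
                events.append((ip, f"user{(3 * i + j) % 500}", "fail"))
    for i in range(20):
        events.append((f"192.0.2.{i}", f"user{i}", "ok"))
    events.append(("192.0.2.3", "user3", "fail"))
    return events

def per_ip_alerts(events, threshold: int = 10) -> list:
    """Volumetric rule: alert on any IP with at least `threshold` failures.
    With 3 failures per source, no IP ever reaches it."""
    fails = Counter(ip for ip, _, out in events if out == "fail")
    return [ip for ip, n in fails.items() if n >= threshold]

def events_per_source(events) -> float:
    """Average events per unique IP: the figure that looks harmless per source."""
    return len(events) / len({ip for ip, _, _ in events})

def fleet_failure_ratio(events) -> float:
    """Aggregate signal 1: share of all logins that fail, regardless of source."""
    fails = sum(1 for _, _, out in events if out == "fail")
    return fails / len(events)

def low_and_slow_alert(events, ratio_threshold: float = 0.5,
                       min_sources: int = 100) -> bool:
    """Aggregate signal 2: a high failure ratio produced by an unusually wide
    set of sources, each with few attempts, is the shape of a distributed
    campaign rather than a handful of users mistyping passwords."""
    failing_ips = {ip for ip, _, out in events if out == "fail"}
    return fleet_failure_ratio(events) >= ratio_threshold and len(failing_ips) >= min_sources
```

The thresholds are illustrative; in practice the baseline failure ratio and source-count distribution would be learned from the application's normal traffic.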
BN: If even perfectly coded APIs are susceptible, is it possible to protect against this abuse?
MI: Business logic abuse is extremely hard to detect and defend against. The attack referred to above was not detected and blocked using network security solutions which use IP-based detection such as Firewalls, IPS, WAFs and Security Gateway solutions. These will all struggle to spot business logic abuse because to all intents and purposes it appears legitimate and is syntactically correct.
Bot mitigation tools originally attempted to address the problem by using application instrumentation. They injected JavaScript code into the application or, in the case of a mobile app, compiled it with an SDK, but such approaches added to development and QA cycles, created friction for the end user, and did nothing to address the problem at the API level.
In contrast, using behavioral analysis requires no adaptation. A behavioral fingerprint is made by automatically applying global machine learning models to analyze API headers and payloads while local models determine behavior and intent. The fingerprint continually tracks the attack as the attacker takes action and pivots to avoid detection. In the case of the attack against the UK hospitality provider, just a single fingerprint was identified as malicious and a single policy was used to block the attack.
BN: Do you think business logic abuse has a high enough profile?
MI: Business logic abuse can be automated and massively scaled up using bots and can prove highly costly in terms of data loss, theft and fraud, not to mention loss of customers and reputational damage. It’s undoubtedly a major threat but there’s a lack of awareness out there over how these attacks manifest and how prevention and detection have moved on since the first generation of bot management solutions.
Thankfully, we are now starting to see the topic given more attention, most recently by the OWASP industry group which founded the OWASP Top 10 on Business Logic Abuse project in February 2025 and which was in incubator phase at the time of writing. The project promises to create a reproducible methodology and empower developers to design secure systems by, for example, producing a prioritized list of the most critical business logic abuses which should greatly help raise the profile of a systemic issue.