    Application protection crucial as attacks on web apps, APIs soar

    By Chris Anu, April 4, 2025


    John Green, System Engineer, Radware.


    According to Radware’s new Global Threat Analysis report, web applications and APIs have become prime targets for exploitation, with EMEA the second-most targeted region for these attacks.

    The report indicates that applications and APIs have become a significant attack surface, making advanced application protection crucial, says Uri Dorot, senior product marketing manager at Radware, a Gold sponsor of the upcoming ITWeb Security Summit in Johannesburg.

    Radware’s report finds that in 2024, web application and API attacks climbed 41% compared to 2023, with vulnerability exploitation accounting for more than one-third of all malicious requests. North America experienced 66% of these attacks, followed by EMEA (26%).

    There are a number of challenges associated with blocking these attacks, he says.

    Dorot says: “This is a growing concern and many customers approach us because most applications nowadays are based on APIs, and the API matrix is very intricate. You’ve got lots of internal APIs for internal servers and services. You’ve got third-party APIs. In addition, most applications today are not self-sufficient when it comes to content, and much of the content comes from third-party services embedded in the applications. There’s a lot of reliance on API connections for different services and content. Hackers are abusing that. They are using AI on their end to do reconnaissance, to figure out the business logic of your application, and find flaws in the business logic, like in the sequencing of API calls, for instance.”

    “Also, it has become harder to define the perimeter that you want to protect, and to understand what you’re trying to protect against. When it comes to APIs, for instance, there are two main types of attacks – embedded attacks, where hackers are trying to embed a malicious code in an API call and attack a specific API endpoint. The solution for that is what we call schema enforcement. You upload an OpenAPI schema file to your web application firewall and you basically tell your web application firewall what a healthy API call is supposed to look like, and then it blocks what doesn’t adhere to those characteristics. In case you don’t have proper documentation of your APIs, you apply API discovery,” he says.

    “But the problem with the other type of API attacks – business logic attacks – is that the API calls are completely legit. The hackers are using GenAI tools to expose your applications’ business logic and then basically use it against you. And it’s not just attacking a specific API endpoint. They are attacking a group of endpoints, trying to abuse a certain sequence to get hold of a token, or take over an account, manipulate pricing, scrape data and exploit workflows. That’s the main concern today for organisations.”
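
    The two cases Dorot describes can be shown side by side. This is an added example, not Radware's code and not part of the original article; the endpoints, field rules and workflow are constructed for illustration. A schema check rejects malformed calls, while a per-session sequence check is needed to catch calls that are each well-formed but arrive out of order.

```python
import re

# Constructed schema fragment in the spirit of an OpenAPI operation list (assumption).
CART_ID = {"type": str, "pattern": r"[a-f0-9]{8}"}
SCHEMA = {
    ("POST", "/cart/items"): {"sku": {"type": str, "pattern": r"[A-Z0-9-]{3,16}"},
                              "qty": {"type": int, "min": 1, "max": 20}},
    ("POST", "/checkout"): {"cart_id": CART_ID},
    ("POST", "/payment"): {"cart_id": CART_ID,
                           "amount_cents": {"type": int, "min": 1, "max": 10_000_000}},
}
# Constructed workflow: which path may follow which (None = start of session).
FLOW = {None: {"/cart/items"}, "/cart/items": {"/cart/items", "/checkout"},
        "/checkout": {"/payment"}, "/payment": set()}

def schema_ok(method, path, body):
    """Positive security model: anything not described by the schema is rejected."""
    spec = SCHEMA.get((method, path))
    if spec is None or set(body) != set(spec):  # unknown endpoint, missing or extra field
        return False
    for name, rule in spec.items():
        value = body[name]
        if type(value) is not rule["type"]:     # strict: a bool is not accepted as an int
            return False
        if rule["type"] is str and not re.fullmatch(rule["pattern"], value):
            return False
        if rule["type"] is int and not rule["min"] <= value <= rule["max"]:
            return False
    return True

def inspect(session_calls):
    """Verdict per call: 'allow', 'block:schema' or 'block:sequence'."""
    verdicts, prev = [], None
    for method, path, body in session_calls:
        if not schema_ok(method, path, body):
            verdicts.append("block:schema")
        elif path not in FLOW[prev]:
            verdicts.append("block:sequence")   # well-formed call, wrong place in the flow
        else:
            verdicts.append("allow")
            prev = path
    return verdicts

# Constructed sessions: a normal purchase, a malformed field, and a skipped checkout step.
ADD = ("POST", "/cart/items", {"sku": "ABC-123", "qty": 2})
PAY = ("POST", "/payment", {"cart_id": "deadbeef", "amount_cents": 4998})
NORMAL = [ADD, ("POST", "/checkout", {"cart_id": "deadbeef"}), PAY]
MALFORMED = [("POST", "/cart/items", {"sku": "X'; --", "qty": 1})]
SKIPPED_STEP = [ADD, PAY]

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("malformed", MALFORMED), ("skipped", SKIPPED_STEP)]:
        print(name, inspect(s))
```

    Every call in the skipped-step session passes the schema check on its own; only the sequence check flags it.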

    Dorot says: “Often, we also find that the security teams and the DevOps teams operate in silos, which is a challenge. So the security teams are in charge of protecting the applications, but they are not in control of what’s going on with the APIs. We help them gain that visibility to get a map of what the APIs look like. Not only the API endpoints, but also the entire business logic of the APIs to understand the actual sequencing and the flow.”

    Dorot says: “Even if you know what your vulnerabilities are and have tools for vulnerability discovery and patching, these are all offline tools, so post the event you can figure out what vulnerabilities to patch. But what do you do when there is a zero-day attack or never-seen-before attack? You need to be covered in real-time. That’s kind of the mindset shift the market is going through with regards to API protection: understanding that you need to be more on top of it, get better visibility, make sure you have runtime protection, make sure you understand the business logic of your application. And for that, AI must be leveraged.”

    Radware’s solution for business logic attacks is powered by its EPIC-AI technology – advanced AI-based algorithms that enable continuous mapping of the application business logic, auto generation of security policy and runtime/real-time mitigation.

    The Radware report also noted that Web DDOS attacks surged 550% between 2023 and 2024.

    Radware takes several unique approaches to mitigating application DDOS attacks, he says.

    “We use a behavioural-based approach, where we use advanced AI algorithms to generate granular signatures in real-time, so we block only the attack traffic. We don’t rely on JavaScript challenges or CAPTCHAs to mitigate HTTP DDOS attacks, as they are only effective for protecting purely web-based applications. Our behavioural-based approach enables our web DDOS Protection solution to be completely agnostic to the type of application it protects, so it doesn’t matter whether it’s a pure web-based application, mobile application, pure API-based application or a hybrid application; we still generate that attack signature in real-time and block only the attack traffic.”

    Dorot says attackers now launch attack campaigns against applications, using multiple attack vectors, and leverage GenAI tools to create them and enhance them: “For example, they would use a combination of bots to crawl applications and find vulnerabilities, run HTTP DDOS attacks or floods; then they use injections and server-side request forgeries to breach data, and then, of course, all sorts of API embedded attacks and business logic attacks. And sometimes even client-side attacks like DOM XSS or formjacking.”

    Security cannot be approached in silos, he says. “Traditionally, organisations might have had bot protection or API security in one area and web application firewalls in another. Now, it all has to be part of the same multilayered strategy with complete visibility in order to understand the attack story. Once you understand the attack story of the campaign, with the help of AI, you can automatically and pre-emptively block threats, as well as make faster and smarter decisions, what security policies to enable or disable, and what IPs to block and reduce MTTR (mean time to resolution).”

    Radware is a Gold Sponsor of the ITWeb Security Summit 2025 at the Sandton Convention Centre, in Johannesburg, from 3-5 June, where John Green, System Engineer at Radware, will present a talk on application protection. Radware will also participate at the Security Summit at the Cape Town International Convention Centre on 27-28 May.

    For information and to register, visit https://www.itweb.co.za/event/itweb-security-summit-cpt-2025/.

    https://www.itweb.co.za/event/itweb-security-summit-2025/


