Rethinking API Security

Making attacks visible with Honeypots.

05.02.2025

Julian Richter, Senior Cybersecurity Engineer, Consulteer InCyber

The number of APIs is skyrocketing - driven in part by the rapid adoption of artificial intelligence (AI).

According to the 2023 Postman State of API Report, there were already 1.3 billion active APIs. This number has likely grown even further in 2024. As a result, APIs are increasingly targeted by cyberattacks, surpassing traditional web applications as the primary attack vector.

To gain deeper insights into API attack methods and collect hard data, our partner Wallarm has developed a Distributed API Honeypot Architecture. While honeypots are a well-established cybersecurity tool, they have largely been missing in API security - until now.

API Honeypot Architecture

To gather actionable threat intelligence, Wallarm created a mock API in Golang, equipped with self-signed certificates. The honeypot logs all incoming requests, including their full request bodies, across multiple ports. To appear legitimate, it responds with valid replies based on the request type, such as REST or GraphQL.

Deployed at 14 locations worldwide, these honeypots operate without domain names - only IP addresses - making them an attractive target for automated discovery and attacks.

Findings

Just 20 days after deployment, the study delivered astonishing and unexpected results. Here are the key takeaways.

Time to Discovery.

Newly published APIs are discovered alarmingly fast (“Time to Discovery”). On average, a freshly deployed API is found within just 29 seconds.

New APIs are often less protected, as developers and project teams assume they will remain undiscovered for a longer period. The measured time for this metric starts from the opening of the port until the first API request is received at any endpoint (except “/”).

Even more impressive is the fact that the fastest discovery of an API took 16 seconds, while the slowest took 38 seconds. In summary: a newly published API receives its first request in less than a minute.
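A minimal version of such a decoy, as an added example (not Wallarm's code): a Go HTTP handler that keeps every request together with its full body, answers with a valid-looking REST or GraphQL reply chosen from the request, and measures Time to Discovery exactly as defined above, from the moment the port was opened until the first request to any path other than "/". The classify heuristic and the port list in main are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Honeypot is a constructed mock API (added example, not Wallarm's code): it logs every request body and times discovery.
type Honeypot struct {
	mu       sync.Mutex
	OpenedAt time.Time     // when the listener on this port was started
	TTD      time.Duration // zero until the first request to a path other than "/" arrives
	Requests []string      // one log line per request, full body included
}

// classify picks a plausible reply format from the request itself (a simple heuristic, assumed here).
func classify(path string, body []byte) string {
	if strings.HasPrefix(path, "/graphql") || strings.Contains(string(body), `"query"`) {
		return "graphql"
	}
	return "rest"
}

// ServeHTTP records the request and answers with a valid-looking JSON reply so the decoy looks real.
func (h *Honeypot) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // keep the full body, capped at 1 MiB
	h.mu.Lock()
	h.Requests = append(h.Requests, fmt.Sprintf("%s %s %s %q", r.RemoteAddr, r.Method, r.URL.Path, body))
	if h.TTD == 0 && r.URL.Path != "/" { // Time to Discovery: port open until first non-"/" request
		h.TTD = time.Since(h.OpenedAt)
	}
	h.mu.Unlock()
	w.Header().Set("Content-Type", "application/json")
	reply := map[string]interface{}{"status": "ok"} // generic REST reply
	if classify(r.URL.Path, body) == "graphql" {
		reply = map[string]interface{}{"data": map[string]interface{}{}} // empty but well-formed GraphQL reply
	}
	json.NewEncoder(w).Encode(reply)
}

func main() { // listen on a few ports from the report's top list (80 and 443 need privileges)
	for _, port := range []string{"80", "443", "8080", "2375"} {
		go http.ListenAndServe(":"+port, &Honeypot{OpenedAt: time.Now()}) // errors ignored in this demo
	}
	select {}
}
```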

Most used Ports.

In addition to Time to Discovery, Wallarm also analyzed the ports that were targeted. The researchers assumed that port 80 would be a prime target for scanners and attackers - and they were not disappointed. 19% of all recorded activity was directed at the standard HTTP port, followed by port 26657 (RPC) at 4% and port 443 (HTTPS) at 3%.

While the top five most targeted ports included the usual suspects (No. 4: 8080, No. 5: 8443), some lesser-known ports also appeared in the rankings. These included the unencrypted Docker REST API port (2375) and the CWMP REST-based router port (7547); the latter was linked to the Mirai botnet in 2016, variants of which remain active today. Additionally, the standard MSSQL port (1433) made it into the top 20 list.

Most Used API Endpoints.

The more conventional an API structure is, the faster it is discovered. This insight comes from analyzing the most frequently targeted API endpoints.

Among the most commonly requested were /status and /v2/_catalog, the latter being a known endpoint for the Docker Registry API.

Overall, the honeypot recorded 337 unique API requests in the first few days. Wallarm was able to categorize the top 50 API requests into the following attack types:

  • Auth Check: 26%

  • Discovery: 34%

  • CVE Exploits: 40%

How fast can Data be stolen?

Another key aspect analyzed in the API Honeypot Report was the speed at which attackers could extract data and its impact on targeted APIs. The findings were striking.

Based on patterns of API misuse, Wallarm estimates that with a small cloud infrastructure (costing $50–$150 per month), an attacker could rapidly steal large volumes of user data while consuming far less bandwidth than a typical DDoS attack.

This makes fraud detection significantly more difficult, as a key indicator of an attack - a sudden surge in traffic - is no longer present. Combined with the speed of data extraction, this poses a major security risk.

Estimated Time to extract Data.

Wallarm estimates that stealing 10 million user records would take:

  • 66 seconds using a single-request attack with a 20 Mbit/s bandwidth

  • 6 seconds using API batching, even at the same bandwidth

Summary

In conclusion, API security is becoming increasingly critical. APIs are now more frequently targeted than traditional web applications. What is particularly alarming is how quickly newly deployed APIs are discovered and attacked. The assumption that an API is safe as long as it is only accessible via an IP address is no longer valid.

Protecting only ports 80 and 443 is insufficient, as APIs can be exposed on a wide range of ports. With the rapid growth of APIs and the potential for vulnerabilities to accelerate data theft, API security should be a top priority for every organization.

What is a Honeypot?

A honeypot is a cybersecurity tool designed to act as a decoy for attackers. It is an IT system that deliberately simulates vulnerabilities to attract attacks and analyze hacker behavior. In cybersecurity, this "honey trap" is used to lure attackers into a controlled environment, without putting real systems or data at risk.

How does a Honeypot work?

Honeypots mimic real IT systems, such as servers, networks, or databases, making them appear as attractive targets for cybercriminals - much like a honey jar attracting bees. These systems are isolated and closely monitored, recording all activity to gather insights into attack methods, vulnerabilities, and exploited security gaps. The goal is to understand attacker behavior and strengthen security measures accordingly.

There are different types of research and production honeypots, used by security teams in organizations or research institutions. In addition to the main honeypot categories, there are also specialized honeypots, such as spam honeypots, email traps, and malware honeypots, designed for specific threat intelligence purposes.

Types of Honeypots

  • Server Honeypots

  • Client Honeypots

  • Low-Interaction Honeypots

  • High-Interaction Honeypots

Conclusion

Honeypots are a versatile tool in IT security. Whether as simple low-interaction honeypots for early threat detection or high-interaction honeypots for in-depth analysis, they provide valuable insights into attacker behavior, help identify vulnerabilities, and support the development of targeted security measures.

By actively contributing to the fight against cybercriminals, hackers, and cyberattacks, honeypots enhance overall cybersecurity. Their benefits are particularly significant in security research, where they play a crucial role in the development of effective cybersecurity strategies.
