Administrators know the importance of monitoring an environment, but they need to know infrastructure exists to add it to agent monitoring. To identify infrastructure, a complete audit is necessary for administrators to monitor their entire attack surface. As an environment grows, it’s possible for developers and operations to lose track of IT infrastructure. If developers have autonomy to deploy infrastructure, it’s possible that operations staff are unaware of new software deployed to servers. 

A zombie API (also referred to as a shadow API) is infrastructure that becomes unmonitored but still runs like typical production software. Without monitoring, an API and all its endpoints could be a target for attackers and administrators would never be alerted to misuse. Attackers could scan and test for vulnerabilities endlessly without warning. Zombie APIs aren’t a new development, but they are becoming much more prominent as businesses strive to compete with mobile apps and web applications. 

How Do Zombie APIs Occur?

In large development teams, developers are given access to their own environments to experiment and test their code. Some developers have access to production, but operations might be involved in deploying applications to the public web. Part of deployment should be adding API endpoints to monitoring agents. If this doesn’t happen, it’s possible for an endpoint to be forgotten and become a zombie API. 

As more applications are released and APIs are deployed to support them, this new infrastructure must be audited and added to monitoring systems. All logic is hidden behind an API, but endpoints can still be vulnerable to the same exploits as other web applications. For example, attackers will certainly send malformed SQL queries to an endpoint to identify if it’s vulnerable to SQL injection.

What makes zombie APIs unique from standard exploitable web applications is their state of being unmonitored. With a monitored web application, vulnerabilities might not be known but any events indicating an exploit would be logged. Using intrusion detection infrastructure (or any other event logging analysis monitors), administrators are alerted to anomalous traffic. Administrators can look further into an issue and determine if a threat is present, or they can write off an event as a false positive.

Intrusion detection and a human reviewer verify if anomalous traffic is a threat based on monitored activities. Zombie APIs have no monitoring in place, so administrators are unaware of any strange requests or network activity. Should a malicious event happen, your organization would not have any incident response to review it. The “shadow” term refers to an API running on your environment without being seen, and being “seen” is critical for your environment’s cybersecurity.

What Can Happen with a Zombie API?

Most people think of an API as a safe endpoint to pull data. APIs are used internally for mobile applications or business-related software, but they can also be offered to customers to integrate your business APIs into customer applications. Even with business logic and database queries hidden behind a publicly accessible endpoint, the right request could result in a data breach or disclosure of sensitive data. 

In addition to potential data breach exploits, misconfigured APIs might not require authentication to return sensitive data, which could lead to enumeration and exfiltration of business data without any limitations. These endpoints are usually the most dangerous when they become zombie APIs. Without monitoring or authorization rules, anyone on the internet can enumerate data long-term until the zombie API is detected and disabled.

As with most infrastructure, the type of exploit available to attackers depends on the vulnerability. For example, as attackers scan for vulnerabilities on your API endpoints, they will most likely test for SQL injection. Malformed SQL statements will be sent to endpoints to identify if a denial-of-service (DoS) can be triggered, or –even better for the attacker– return a dump of table data. 

Suppose your API endpoint inserts content into a table that then displays the stored content to other users. An attacker might use the API endpoint to insert executable JavaScript or other cross-site scripting (XSS) code. XSS could allow for session fixation from cookie theft or allow attackers to steal data from a user in an authenticated page. 

When any API endpoint isn’t monitored, any of these vulnerabilities could be exploited with no restrictions. An attacker knows that most infrastructure is monitored, so threats are built for quick exfiltration of data. Local threats (e.g., ransomware) might sit silently on the environment, but many common web-based attacks are meant for quick exploitation and exfiltration to extract as much data as possible before detection and containment.

Blackbox testing –meaning scans against an API without knowing its code or structure– takes time and often requires multiple attempts at exploitation before finding a vulnerability. Proper monitoring detects ongoing scans and stops attacks, but a zombie API has no monitoring in place. The absence of monitoring gives attackers plenty of time to find an opportunity to exfiltrate data or exploit other vulnerabilities.

What You Can Do to Stop Zombie APIs

Currently, there is no optimal way to reactively find zombie APIs. You can try to detect them but placing agents on specific infrastructure and evaluating traffic does not find abandoned APIs. You need a way to enumerate API endpoints as they are deployed to your production environment and track them as they change.

The p0 solution monitors your code for new and current API endpoints. Administrators have access to a dashboard where they can see potential zombie APIs. Alerts for potential zombie APIs then give administrators the ability to further review them to determine if they are no longer needed and should be disabled. If the API is still needed, administrators know to add it to their monitoring systems.

P0 determines when a current API endpoint is a zombie endpoint by cross-referencing code with log files. When an endpoint is referenced in code but has no log events, it’s possible that you have a zombie API that needs further review. What you do after notification depends on your own business decisions. It might be best to disable the API altogether, or it might just need more monitoring installed. 

To find out more about what p0 can do to stop zombie APIs in your environment, reach out to us using the form below.