Radware, a WAF solution provider, has published an interesting article titled "Why there is no API security" in which they make the following key points:
No single part of the application, nor any part of normal Internet filtering firewall defense, has enough visibility into the context to stop business exploits. Some examples of business logic exploits are:

- Modification of authentication flags and privilege escalations
- Business constraint exploitation/modification or business logic bypass to generate fraudulent transactions
- Requested parameter modification
- Developer's cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access

Business logic attacks are not trivial in their consequences and succeed against even the largest organizations. A few of the large organizations that fell victim to business logic flaws are Facebook, Nokia, and Vimeo.

Radware's perspective clearly shows that WAFs have to extend their world-view to address API security. It's not just about protecting websites - with APIs becoming the connective tissue of all portal, device, and cloud communications, corporations are looking to Next Generation WAFs to include significant API-awareness and API-borne threat mitigation capabilities.
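The visibility gap above can be made concrete. The following is an added example, not code from Radware's article: a signature-style filter (`waf_allows`) that sees only request syntax is run beside an application-layer check (`app_allows`) that knows the server-side session and the business rules. The requests, sessions, and the rule that clients may never supply privilege fields are all constructed for this illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample API requests (hypothetical, not from the article).
# "auth_flag" carries a client-supplied privilege flag; "neg_qty" breaks a
# business constraint; neither contains any injection-style syntax.
REQUESTS = [
    {"id": "normal",    "session": "s1", "body": "item=42&qty=1"},
    {"id": "sqli",      "session": "s1", "body": "item=42' OR '1'='1&qty=1"},
    {"id": "auth_flag", "session": "s1", "body": "item=42&qty=1&is_admin=true"},
    {"id": "neg_qty",   "session": "s1", "body": "item=42&qty=-3"},
]

# Server-side session store: the only trustworthy source of a user's role.
SESSIONS = {"s1": {"user": "alice", "role": "customer"}}

# Generic signature rules of the kind a context-free filter applies.
WAF_PATTERNS = [
    re.compile(r"""('|")\s*or\s*('|")""", re.I),  # classic tautology fragment
    re.compile(r"<script", re.I),                 # script tag
]

def waf_allows(body: str) -> bool:
    """Syntax-only filter: no knowledge of sessions, roles or business rules."""
    return not any(p.search(body) for p in WAF_PATTERNS)

def app_allows(session_id: str, body: str) -> bool:
    """Context-aware check: privileges come from the server-side session and
    business constraints (here, a positive quantity) are enforced."""
    params = parse_qs(body, keep_blank_values=True)
    # Hypothetical rule: privilege fields are never accepted from the client.
    if "is_admin" in params or "role" in params:
        return False
    if session_id not in SESSIONS:
        return False
    try:
        qty = int(params.get("qty", ["0"])[0])
    except ValueError:
        return False
    return qty >= 1

def evaluate(requests=REQUESTS) -> dict:
    """Map request id -> (passes signature filter, passes application check)."""
    return {r["id"]: (waf_allows(r["body"]), app_allows(r["session"], r["body"]))
            for r in requests}

if __name__ == "__main__":
    for rid, (waf, app) in evaluate().items():
        print(f"{rid:10} waf={waf!s:5} app={app}")
```

The tampered-flag and negative-quantity requests sail through the signature filter and are stopped only by the check that understands the business context, which is the gap the article describes.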