Modern application delivery relies on the extensive use of application programming interfaces (APIs) to exchange data and services with external and internal entities. Although APIs reduce the effort of integrating different services, API security remains a crucial concern: a flaw in a single API endpoint can compromise the entire application layer. Improper assets management (OWASP API9:2019) is a prevalent vulnerability that stems from a lack of oversight and ownership of production API endpoints.
This article delves into the improper assets management vulnerability, the scenarios that lead to it, and prevention techniques.
What is Improper Assets Management Vulnerability?
APIs enable the access and management of digital services using programming calls and create-read-update-delete (CRUD) operations. Unlike other API security risks, which arise from coding mistakes, improper assets management results from human error in how APIs are managed: production APIs are built, used, and then left unmanaged without ever being decommissioned. Such endpoints remain unpatched and may run older libraries with outdated versions of security controls. They continue to expose production data over the API environment, allowing malicious actors to compromise and exploit the information flows of the application layer.
The improper assets management vulnerability also allows malicious actors to reach non-production versions of the API, including those used in testing, staging, and development environments. A common attack pattern is to use these weaker endpoints as a route to production APIs and data without authenticating.
Improper Assets Management Vulnerability Example Scenarios
Some common scenarios that cause improper assets management flaws include:
Lack of ownership for API endpoints
Ownership is a critical factor for API security that determines API resources’ accountability, operating mechanism, context, and dependencies. API endpoints remain susceptible to various asset management attack scenarios when an organization purchases a turnkey API solution but fails to assign its ownership for recurring configuration updates and security administration.
Lack of API documentation
Each endpoint should have accompanying documentation that helps developers manage and reuse the code effectively while following API security best practices. Accurate API documentation is essential for managing and securing the services an API exposes. Outdated documentation also introduces security misconfiguration flaws because of missing or incorrect information about how the disparate components relate to each other, and it omits the latest security improvements and fixes added to the API.
Using outdated versions of the API
Outdated API versions lack the latest security fixes that address emerging API security anti-patterns. Unpatched systems are soft targets and are commonly used as attack vectors to compromise an entire network. Some API teams retain older API versions long after more secure versions have replaced them. A typical scenario that introduces vulnerabilities is when such outdated versions are no longer managed or owned by anyone on the team but are still used to access production and non-production data.
Lack of assets inventory
An incomplete or outdated API inventory list expands the attack surface since it is challenging to know which API versions are secure and which need decommissioning. An incomplete version history makes it challenging to establish backward compatibility between different API versions, reducing the effectiveness of security patches applied to active endpoints. In the absence of an asset inventory, API professionals may fail to retire assets, which grants attackers the ability to target vulnerable endpoints and access sensitive data or application logic.
How to Prevent API9:2019 Improper Assets Management
Preventive measures against improper assets management include:
Enforcing a tight inventory
It is crucial to keep the asset inventory constantly updated so that every newly deployed API endpoint is accounted for and those no longer in use are removed. To help quickly block attacks against API components, the inventory should include essential information such as the API hosts, the security features enabled, the API owner, and the backend services each API exposes.
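The following script is an added example, not code from the article or from Crashtest Security. It ties the inventory described here to the scenarios above (unowned endpoints, deprecated versions that are still in use, and unauthenticated non-production hosts): it loads a constructed inventory, parses constructed gateway access-log lines, and reports every declared asset that violates those rules, plus any host/version that receives traffic but appears in no inventory at all. The asset fields, hostnames, and log format are assumptions made for the example.

```python
"""Added example (not from the article or Crashtest Security): reconcile a
declared API inventory against the traffic a gateway actually sees, and flag
the asset-management gaps the article describes. The inventory and the log
lines are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiAsset:
    host: str
    version: str             # e.g. "v1", "v2"
    owner: Optional[str]     # None: nobody is accountable for this endpoint
    environment: str         # "production", "staging" or "dev"
    status: str              # "active" or "deprecated"
    auth_required: bool      # whether the endpoint enforces authentication


# Constructed inventory, modelled on the fields the article says to record
# (host, owner, security features, backend exposed).
INVENTORY: List[ApiAsset] = [
    ApiAsset("api.example.com", "v2", "payments-team", "production", "active", True),
    ApiAsset("api.example.com", "v1", None, "production", "deprecated", True),
    ApiAsset("beta.example.com", "v2", "payments-team", "staging", "active", False),
]

# Constructed gateway access-log lines: "<host> <method> <path> <status>".
ACCESS_LOG = """\
api.example.com GET /v2/accounts/123 200
api.example.com GET /v1/accounts/123 200
api.example.com GET /v1/accounts/456 200
beta.example.com GET /v2/accounts/123 200
old-api.example.com POST /v1/transfer 200
"""

LOG_RE = re.compile(
    r"^(?P<host>\S+) (?P<method>[A-Z]+) /(?P<version>v\d+)(/\S*)? (?P<status>\d{3})$"
)

Finding = Tuple[str, str, str]   # (finding code, host, version)


def parse_log(text: str) -> Dict[Tuple[str, str], int]:
    """Count requests per (host, version) observed at the gateway."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue             # skip lines that are not API requests
        key = (m["host"], m["version"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def audit(inventory: List[ApiAsset], log_text: str) -> List[Finding]:
    """Return the inventory gaps found by comparing declared assets to traffic."""
    declared = {(a.host, a.version): a for a in inventory}
    traffic = parse_log(log_text)
    findings: List[Finding] = []

    # 1. Shadow endpoints: traffic to a host/version nobody declared.
    for key in traffic:
        if key not in declared:
            findings.append(("UNDECLARED",) + key)

    for key, asset in declared.items():
        # 2. A version marked deprecated that still serves requests was never retired.
        if asset.status == "deprecated" and traffic.get(key, 0) > 0:
            findings.append(("DEPRECATED_IN_USE",) + key)
        # 3. No owner means nobody patches or decommissions the endpoint.
        if asset.owner is None:
            findings.append(("NO_OWNER",) + key)
        # 4. Non-production endpoints without authentication are the weak route
        #    into production data that the article warns about.
        if asset.environment != "production" and not asset.auth_required:
            findings.append(("NONPROD_UNAUTHENTICATED",) + key)
    return findings


if __name__ == "__main__":
    for code, host, version in audit(INVENTORY, ACCESS_LOG):
        print(f"{code:24} {host}/{version}")
```

Run against the constructed data, the audit reports the unowned and still-used v1, the unauthenticated staging host, and the undeclared old-api host; feeding it a real gateway export and a real inventory is the same comparison with more rows.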
Use of security firewalls
A security firewall filters out unwanted API traffic by blocking blacklisted requests and allowing whitelisted requests. It is recommended to deploy a well-administered web application firewall in front of API hosts to block malicious requests that do not match the API definition, preventing command injection and DDoS attacks on the application layer.
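As an added example (not the article's code or any particular firewall's configuration), here is the positive-security check described in this section in Python: a request is allowed only if its method, path, and query parameters match a declared API definition, and everything else is rejected, including calls to versions that are no longer in the definition. The API definition, paths, and parameter rules are constructed for the illustration.

```python
"""Added example (not from the article or any WAF product): a positive-security
request filter that allows only requests matching a declared API definition
and rejects everything else. The definition and requests are constructed."""
import re
from typing import Dict, List, Pattern, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed API definition: (method, path pattern, allowed query parameters
# with a regex each value must match). Anything absent is not served.
API_DEFINITION: List[Tuple[str, str, Dict[str, str]]] = [
    ("GET", r"/v2/accounts/(?P<id>\d{1,12})", {}),
    ("GET", r"/v2/accounts", {"page": r"\d{1,4}", "limit": r"\d{1,3}"}),
    ("POST", r"/v2/transfers", {}),
]

# Pre-compile once; the anchors make a pattern match the whole path, not a prefix.
_RULES: List[Tuple[str, Pattern[str], Dict[str, Pattern[str]]]] = [
    (method, re.compile(f"^{path}$"), {k: re.compile(f"^{v}$") for k, v in params.items()})
    for method, path, params in API_DEFINITION
]


def check_request(method: str, path: str, query: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for an already parsed request."""
    for rule_method, path_re, params in _RULES:
        if rule_method != method or not path_re.match(path):
            continue
        # Route matched: every query parameter must be declared and well-formed.
        for name, value in query.items():
            if name not in params:
                return False, f"undeclared query parameter {name!r}"
            if not params[name].match(value):
                return False, f"malformed value for query parameter {name!r}"
        return True, "matches API definition"
    return False, f"{method} {path} is not in the API definition"


def filter_request_line(request_line: str) -> Tuple[bool, str]:
    """Parse an HTTP request line such as 'GET /v2/accounts?page=2 HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, _http_version = parts
    url = urlsplit(target)
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    return check_request(method, url.path, query)


if __name__ == "__main__":
    for line in ("GET /v2/accounts?page=2&limit=50 HTTP/1.1",
                 "GET /v1/accounts/123 HTTP/1.1",
                 "GET /v2/accounts?debug=1 HTTP/1.1"):
        print(line, "->", filter_request_line(line))
```

Because the rules are derived from the same definition that the inventory and documentation describe, an endpoint that was retired from the definition stops being reachable at the firewall even if the backend still serves it.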
Enforcing API rate-limiting mechanisms
API-level rate limiting assesses API traffic from all sources to ensure that no source exceeds a defined limit. Without a rate-limiting mechanism, every request to a public API endpoint is accepted and served, allowing malicious actors to orchestrate Denial-of-Service attacks that overload the API services until they can no longer serve genuine requests. Well-tuned rate limiting protects the API environment by preventing spikes in the number of calls made to the API without affecting user experience.
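An added example, not from the article: a per-client token-bucket rate limiter in Python. Each client gets a bucket that refills at a fixed rate up to a capacity; a burst beyond the capacity is rejected while other clients are unaffected, and the rejected client is served again once its bucket has refilled. The clock is injectable so the behaviour can be checked deterministically; the capacities and rates are arbitrary assumptions.

```python
"""Added example (not from the article): per-client token-bucket rate limiting
with an injectable clock. Capacities and rates are arbitrary assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Bucket:
    tokens: float   # tokens currently available to this client
    last: float     # clock reading at the last refill


class RateLimiter:
    """Allow at most `capacity` requests in a burst, refilling `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.rate = refill_per_second
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, client_id: str) -> bool:
        """Consume one token for the client if one is available; else reject."""
        now = self.clock()
        bucket = self._buckets.get(client_id)
        if bucket is None:
            # First request from this client: start with a full bucket.
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[client_id] = bucket
        # Refill in proportion to elapsed time, never beyond capacity.
        bucket.tokens = min(float(self.capacity),
                            bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Deterministic clock so the limiter's behaviour can be reproduced exactly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(burst: int, capacity: int, rate: float, wait: float) -> Tuple[int, int, int]:
    """Send `burst` requests at once from client A, wait, then one more from A and one from B.

    Returns (requests of the burst that were allowed,
             1 if A's request after the wait was allowed else 0,
             1 if B's request was allowed else 0)."""
    clock = FakeClock()
    limiter = RateLimiter(capacity, rate, clock)
    allowed_in_burst = sum(1 for _ in range(burst) if limiter.allow("client-a"))
    clock.advance(wait)
    a_after_wait = int(limiter.allow("client-a"))
    b_unaffected = int(limiter.allow("client-b"))
    return allowed_in_burst, a_after_wait, b_unaffected


if __name__ == "__main__":
    # 20 requests at once against a bucket of 10: only 10 pass; after 0.5 s at
    # 2 tokens/s client A has earned one more token, and client B is untouched.
    print(simulate(burst=20, capacity=10, rate=2.0, wait=0.5))
```

The per-client keying is what keeps a single abusive source from consuming capacity that belongs to genuine users; in a real deployment the key would be the authenticated principal or API key rather than a constructed client id, and the bucket state would live in shared storage so every gateway replica enforces the same limit.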
Continuous vulnerability scanning
Continuous threat monitoring and vulnerability scanning help identify security misconfigurations as they emerge within a production environment. An efficient vulnerability scanning tool helps API management teams mitigate API security risks before they are exploited to orchestrate attacks.
Crashtest Security Suite automates testing and vulnerability scanning to help enterprises identify API anti-patterns and reduce security risk exposure. The suite integrates seamlessly with most modern development frameworks and starts scanning web applications and APIs within minutes.
To know more about how Crashtest Security can help eliminate API security blind spots of your tech stack, try a free 14-day trial here.
What is the difference between improper assets management and excessive data exposure?
Improper assets management is a human-induced error that arises from outdated APIs and APIs with missing security features, leading to unauthorized data access and exposure of sensitive information.
Excessive data exposure, on the other hand, is a group of vulnerabilities that occur when APIs are treated like generic data sources and return responses with more information than the user actually requested. Exploiting this vulnerability, attackers can issue direct API calls and orchestrate attacks based on the unfiltered information passed back in the response.
What should be included in API documentation?
The API inventory and related documentation should contain information that easily highlights rogue/outdated APIs. This information includes:
- User authentication flows
- Permissive Cross-Origin Resource Sharing policy triggers
- Security patches
- Number of active users