Improper Assets Management

In the Analyzing API Endpoints module, we created a Postman collection for crAPI. In this module, we will use this collection to test for Improper Assets Management.

Testing for Improper Assets Management is all about discovering unsupported and non-production versions of an API. Oftentimes an API provider will update services and the newer version of the API will be available over a new path like the following:

  • api.target.com/v3

  • /api/v2/accounts

  • /api/v3/accounts

  • /v2/accounts

API versioning could also be maintained as a header:

  • Accept: version=2.0

  • Accept api-version=3

In addition, versioning could also be set within a query parameter or request body.

  • /api/accounts?ver=2

  • POST /api/accounts

    {
        "ver":1.0,
        "user":"hapihacker"
    }

In these instances, earlier versions of the API may no longer be patched or updated. Since the older versions lack this support, they may expose the API to additional vulnerabilities.

For example, if v3 of an API was updated to fix a vulnerability to injection attacks, then there are good odds that requests that involve v1 and v2 may still be vulnerable.

Non-production versions of an API include any version of the API that was not meant for end-user consumption. Non-production versions could include:

  • api.test.target.com

  • api.uat.target.com

  • beta.api.com

  • /api/private

  • /api/partner

  • /api/test

Non-production versions of an API might not be protected by the same security controls as the production version. Once we have discovered an unsupported or non-production version of the API, we will test it for additional weaknesses.
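The version placements listed earlier (path, Accept or api-version header, query parameter, JSON body) and the non-production naming patterns just above can be turned into a simple inventory check that a defender runs over parsed access-log records, flagging any request that reaches a version or host the provider does not document as supported. The following Python is an added example written for this module, not code from the course or from crAPI; the supported-version set, production host and the log records are constructed sample values, not crAPI's real configuration.

```python
"""Flag requests to unsupported or non-production API versions in an access log.
Added example; inventory values are constructed, not crAPI's real configuration."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inventory: what the provider documents as supported and production.
SUPPORTED_VERSIONS = {"3"}
PRODUCTION_HOSTS = {"api.target.com"}
# Naming hints for non-production hosts and paths, taken from the patterns above.
NON_PRODUCTION_HOST_HINTS = ("test.", "uat.", "beta.", "staging.", "dev.")
NON_PRODUCTION_PATH_PREFIXES = ("/api/private", "/api/partner", "/api/test")

_PATH_VERSION = re.compile(r"/v(\d+)(?=/|$)")
_HEADER_VERSION = re.compile(r"version\s*=\s*(\d+)", re.I)
_QUERY_KEYS = ("ver", "version", "api-version")


def _normalize(value):
    """Turn 2, 2.0, "2.0" or "v2" into "2" so every placement compares alike."""
    text = str(value).strip().lower().lstrip("v")
    try:
        return str(int(float(text)))
    except ValueError:
        return None


def extract_version(path, headers, body):
    """Return the version a request targets (e.g. "2"), or None if unversioned.
    Looks in the path, then the api-version / Accept headers, then the query
    string, then a JSON body: the four placements described in the module."""
    parts = urlsplit(path)
    match = _PATH_VERSION.search(parts.path)
    if match:
        return match.group(1)
    headers = {k.lower(): v for k, v in headers.items()}
    if "api-version" in headers:
        return _normalize(headers["api-version"])
    match = _HEADER_VERSION.search(headers.get("accept", ""))
    if match:
        return match.group(1)
    query = parse_qs(parts.query)
    for key in _QUERY_KEYS:
        if key in query:
            return _normalize(query[key][0])
    if body:
        try:
            data = json.loads(body)
        except ValueError:
            return None
        if isinstance(data, dict):
            for key in ("ver", "version"):
                if key in data:
                    return _normalize(data[key])
    return None


def audit_request(host, path, headers, body=""):
    """Return a list of findings for one request; an empty list means it hit a
    supported version on a production host and path."""
    findings = []
    host = host.lower()
    plain_path = urlsplit(path).path
    if host not in PRODUCTION_HOSTS and any(h in host for h in NON_PRODUCTION_HOST_HINTS):
        findings.append(f"non-production host {host}")
    if plain_path.startswith(NON_PRODUCTION_PATH_PREFIXES):
        findings.append(f"non-production path {plain_path}")
    version = extract_version(path, headers, body)
    if version is not None and version not in SUPPORTED_VERSIONS:
        findings.append(f"unsupported version v{version}")
    return findings


# Constructed sample of parsed access-log records: (host, path, headers, body).
SAMPLE_LOG = [
    ("api.target.com", "/api/v3/accounts", {}, ""),
    ("api.target.com", "/api/v2/accounts", {}, ""),
    ("api.target.com", "/api/accounts", {"Accept": "version=2.0"}, ""),
    ("api.target.com", "/api/accounts?ver=2", {}, ""),
    ("api.target.com", "/api/accounts", {}, '{"ver":1.0,"user":"hapihacker"}'),
    ("api.uat.target.com", "/api/v1/accounts", {}, ""),
    ("api.target.com", "/api/test/accounts", {"api-version": "3"}, ""),
]


def audit_log(records=SAMPLE_LOG):
    """Return {record index: findings} for every record that raised a finding."""
    report = {}
    for index, (host, path, headers, body) in enumerate(records):
        findings = audit_request(host, path, headers, body)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_log().items():
        print(index, SAMPLE_LOG[index][:2], findings)
```

Run against the constructed log, only the first record passes cleanly; the others surface either an older version (v1, v2) that the inventory no longer supports or a host or path that matches a non-production naming hint. The value of the check is the inventory itself: keeping SUPPORTED_VERSIONS and PRODUCTION_HOSTS in step with the published API documentation is exactly the asset management the category name refers to.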

Similar to unsupported software vulnerabilities, improper assets management vulnerabilities are an indication that there is a greater chance for weaknesses to be present. Finding versions that are not included in API documentation will be at best a vulnerability for insufficient technical documentation (CWE-1059) and at worst a gateway to more severe findings and the compromise of the provider.
