Improper Assets Management

Severity: Medium
Test name: Improper Assets Management
Test ID: improper_asset_management
Summary

Improper Assets Management vulnerability allows an attacker to get access to old API version. It is possible if a new API version is released, but the old one is left to keep backward compatibility or by mistake. In addition, it can be a case if unknown or forgotten API requests are not documented, so they are typically not monitored or protected by security tools.
It may also occur if APIs that are in development have access to data in the production environment. For example, when a user is authenticated in a staging environment and may access the production APIs with the same authentication token.

Impact

This vulnerability allows the attacker to:

  • Gain sensitive information
  • Get full access to the server through old vulnerable versions of APIs
Location

The issue can be found in the source code on the server side.

Remedy suggestions
  • Separate data for production and non-production environments.
  • Remove old API or limit access to it if a newer version is released. Force all clients to move to the latest version if possible.
  • All API requests should be documented: Hosts, API endpoint, HTTP method, API parameters and their data types, permitted user roles.
  • Each API endpoint should have limited access if the endpoint is not public.
  • API security tools must be able to analyze all API traffic and continuously discover APIs.
Classifications
  • CWE-284
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References