Test name: Improper Assets Management
Improper Assets Management vulnerability allows an attacker to get access to old API version. It is possible if a new API version is released, but the old one is left to keep backward compatibility or by mistake. In addition, it can be a case if unknown or forgotten API requests are not documented, so they are typically not monitored or protected by security tools.
It may also occur if APIs that are in development have access to data in the production environment. For example, when a user is authenticated in a staging environment and may access the production APIs with the same authentication token.
This vulnerability allows the attacker to:
- Gain sensitive information
- Get full access to the server through old vulnerable versions of APIs
The issue can be found in the source code on the server side.
- Separate data for production and non-production environments.
- Remove old API or limit access to it if a newer version is released. Force all clients to move to the latest version if possible.
- All API requests should be documented: Hosts, API endpoint, HTTP method, API parameters and their data types, permitted user roles.
- Each API endpoint should have limited access if the endpoint is not public.
- API security tools must be able to analyze all API traffic and continuously discover APIs.