And why missing documentation is a vulnerability.
You’ve probably heard of the OWASP top ten, the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten. The current API top ten are Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, and Insufficient Logging & Monitoring. Today, let’s talk about Improper Assets Management, and why it’s a security issue that you should not ignore.
First of all, what even is Improper Assets Management?
Although “improper assets management” sounds complicated, it’s essentially this: not keeping track of your API endpoints. This can either be due to incomplete API documentation, or a complete lack of API documentation. But why is the lack of API documentation an issue?
An API usually has many different versions, functionalities, and endpoints, and each endpoint can take many parameters that affect its behavior. If you don’t keep track of all of this functionality, you remain unaware of the security vulnerabilities hiding within the unknown endpoints. You cannot secure what you don’t know about.
Besides incomplete or missing documentation, inaccurate documentation is also a security issue. Even if you have documentation detailing the API endpoints, does it tell you what each endpoint does? Does the endpoint have behaviors that the docs leave out, such as accepting alternate HTTP methods? Are there any undocumented parameters that can affect the endpoint’s functionality? Inaccurate documentation can make you think that an endpoint is secure when it is not really behaving the way you think it is.
Some examples
For instance, let’s say you discover a sensitive information leak on an API endpoint. But you are unaware that an older version of the API with the same information leak vulnerability is also available to the public. So you do not mitigate the vulnerability in the older version, and attackers can still exploit it via the older API.
Or you might want to restrict the access of some sensitive endpoints to the site’s admins. But without detailed records of each endpoint and its functionalities, you have no way of deciding which endpoints should be restricted.
Sensitive data leaks, authorization issues, the OWASP API top ten, and many other vulnerabilities often manifest themselves in an API. But you have no way to test and secure the endpoints that you don’t know about.
What should I do to secure my API?
The best way to prevent the security blind spots caused by improper assets management is to have detailed documentation about your API hosts, versions, and endpoints, and about each endpoint’s parameters and expected behavior. Document consistently, and document everything! Make sure that others who work on the API have access to appropriate documentation. And as always, scan your API for common vulnerabilities, and routinely audit the security of all of your API endpoints.
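One way to check that the documentation matches reality, as an added example that is not part of the original post: a small Python audit that compares a documented endpoint inventory with what a gateway log shows the API actually served, flagging undocumented endpoints (such as an older version that is still live), alternate HTTP methods, and parameters. The inventory, log format, and paths are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed inventory: (method, route template) -> documented query parameters.
DOCUMENTED = {
    ("GET", "/v2/users/{id}"): {"fields"},
    ("POST", "/v2/users"): set(),
}

# Constructed gateway log lines in the assumed format "METHOD URL STATUS".
SAMPLE_LOG = """\
GET /v2/users/42?fields=name 200
GET /v2/users/42?debug=true 200
DELETE /v2/users/42 204
GET /v1/users/42 200
POST /v2/users 201
GET /v2/admin/export 404
"""

def normalize(path):
    # Map concrete requests onto route templates: numeric segments become {id}.
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def audit(log_text, documented):
    """Return sorted (finding, method, route, parameter) tuples to review."""
    findings = set()
    documented_paths = {path for _, path in documented}
    for line in log_text.splitlines():
        method, url, status = line.split()
        if status in ("404", "405"):
            continue  # the server did not serve this route or method
        parts = urlsplit(url)
        path = normalize(parts.path)
        params = {name for name, _ in parse_qsl(parts.query)}
        if (method, path) in documented:
            # An accepted but undocumented parameter is a candidate for review.
            for name in params - documented[(method, path)]:
                findings.add(("undocumented-parameter", method, path, name))
        elif path in documented_paths:
            findings.add(("undocumented-method", method, path, ""))
        else:
            findings.add(("undocumented-endpoint", method, path, ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, DOCUMENTED):
        print(*finding)
```

Each finding is either a gap to close in the documentation or an endpoint, method, or parameter to retire or restrict.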
Improper Assets Management might not seem like an issue at first. But in the long run, it is actually extremely dangerous to not have comprehensive documentation of your API. Next time, let’s take a look at another vulnerability caused by improper documentation and management, OWASP API top ten #10, Insufficient Logging and Monitoring, and why and when it becomes an issue.
What other security concepts do you want to learn about? I’d love to know. Feel free to connect on Twitter @vickieli7.
Want to learn more about application security? Take our free OWASP top ten courses here: https://www.shiftleft.io/learn/.