Skip to content

Commit d4fb750

Browse files
PauloASilvaPauloASilva
committed
refactor: Update "A9:2019 - Improper Assets Management"
1 parent 0f67e88 commit d4fb750

File tree

1 file changed

+29
-9
lines changed

1 file changed

+29
-9
lines changed

2019/en/0xa9-improper-assets-management.md

Lines changed: 29 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -2,28 +2,48 @@ A9:2019 Improper Assets Management
22
==================================
33

44
| Threat agents/Attack vectors | Security Weakness | Impacts |
5-
| -- | -- | -- |
6-
| Access Lvl : Exploitability ? | Prevalence ? : Detectability ? | Technical ? : Business |
7-
| | | |
5+
| - | - | - |
6+
| API Specific : Exploitability **3** | Prevalence **3** : Detectability **2** | Technical **2** : Business Specific |
7+
| Old API versions are usually unpatched and are an easy way to compromise systems without having to fight state of the art security mechanisms that might be in place to protect the most recent API versions. | Outdated documentation makes it more difficult to find and/or fix vulnerabilities. Lack of assets inventory and retire strategies leads to running unpatched systems and leakage of sensitive data. | Attackers may gain access to sensitive data or even takeover the server through old, unpatched API versions connected to the same database. |
88

99
## Is the API Vulnerable?
1010

11+
The API is vulnerable if:
12+
13+
* There is no documentation or the existing documentation is not updated.
14+
* There is no retirement plan for each API version.
15+
* Hosts inventory is missing or outdated.
16+
* Old or previous API versions are running unpatched.
17+
1118
## Example Attack Scenarios
1219

1320
### Scenario #1
1421

15-
After redesigning their apps, a local search service left an old API version
16-
running, unprotected and with access to the user database
17-
(`api.someservice.com/v1`). While targeting one of the latest released apps an
18-
attacker got the API address (`api.someservice.com/v2`). Replacing `v2` by `v1`
19-
in the url gave the attacker access to the old and unprotected API, exposing
20-
over 100 Million user’s personal identifiable information (PII).
22+
After redesigning their applications, a local search service left an old API
23+
version (`api.someservice.com/v1`) running, unprotected and with access to the
24+
user database. While targeting one of the latest released applications an
25+
attacker got the API address (`api.someservice.com/v2`). Replacing `v2` with
26+
`v1` in the URL gave the attacker access to the old and unprotected API,
27+
exposing the personal identifiable information (PII) of over 100 Million user.
2128

2229
## How To Prevent
2330

31+
* Document all aspects of your API such as authentication, errors, redirects,
32+
rate limiting, cross-origin resource sharing (CORS) policy and endpoints,
33+
including their parameters, requests and responses.
34+
* Include documentation of your code review practice.
35+
* Generate documentation automatically by adopting open standards. Include the
36+
documentation build in your CI/CD pipeline.
37+
* Make API documentation generally available.
38+
2439
## References
2540

2641
### OWASP
2742

2843
### External
2944

45+
* [CWE-1059: Incomplete Documentation][1]
46+
* [OpenAPI Initiative][2]
47+
48+
[1]: https://cwe.mitre.org/data/definitions/1059.html
49+
[2]: https://www.openapis.org/

0 commit comments

Comments
 (0)