Definitive Guide to API Discovery
Shadow and rogue APIs operating freely are putting…
Anyone who’s worked in API security will recognise this recurring issue. APIs get out of control easily: new endpoints and versions are deployed constantly, while the asset inventory and management documentation are the pieces that get left behind. This vulnerability class covers forgotten API versions, parameters or endpoints; APIs that are considered private or internal-only but are actually external and public-facing; and documentation that should be private but is public.
Why is this a security issue? Newer versions of an API usually contain fixes for software bugs and vulnerabilities. However, to avoid breaking third parties or internal applications, the older version is sometimes left available even though the fixes only landed in the new one. If these older versions aren’t patched, or shouldn’t be accessible at all, we have a security issue that impacts the latest version too. Similarly, APIs are often created for a specific function and left online even when that function is no longer needed or has been implemented differently, a kind of zombie API or endpoint.
Over the past few months, Suzy’s Social has seen a huge overhaul thanks to the newly hired software engineers. After overhauling some frameworks from the last post, they’re now on version 2.0! While you can’t see any changes from the outside, the API has been completely rewritten, and instead of the old /api/create_new_post endpoints, we now have proper RESTful endpoints. The team celebrates their first victory over out-of-date software, setting a deprecation date a month from now just in case any old software is still relying on the old endpoints. Our attacker Adam, as always, looks on from the outside as they make these radical API changes. Adam realises these old APIs haven’t been turned off yet, and while he doesn’t know when they will be switched off, they are still accessible. While Suzy’s Social has been busy fixing the various security issues he found, they never actually turned off the vulnerable endpoints. Adam continues his attacks with Suzy’s team none the wiser.
This is a tricky vulnerability to truly ‘fix’ because the underlying vulnerabilities have already been fixed! These are the unknown unknowns of API security. The best way to mitigate them is to keep on top of your APIs with an asset inventory and compliance controls around API deployment, so that every reachable endpoint and version is known and has an owner and a removal date. You may even find yourself fixing vulnerabilities in legacy or not-for-public-consumption APIs. Never assume that older software is out of scope for security because it has a planned deprecation date, particularly if it is a legacy API for a currently running product, as it can still reach the same data as your current API.
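One way to make that inventory check operational, as an added example that is not from the original post or from Noname’s product: the script reconciles a documented endpoint inventory (with deprecation dates) against constructed gateway access-log lines and reports shadow endpoints (traffic to routes nobody documented) and zombie endpoints (deprecated routes such as the old /api/create_new_post still answering successfully after their removal date). The inventory contents, log format and dates are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed documented inventory for the hypothetical Suzy's Social API.
# (method, path) -> deprecation date, or None when the endpoint is current.
INVENTORY = {
    ("POST", "/api/v2/posts"): None,
    ("GET", "/api/v2/posts/{id}"): None,
    ("POST", "/api/create_new_post"): date(2023, 7, 1),  # legacy, due for removal
}

# Constructed gateway access-log lines (assumed format: date method path status).
ACCESS_LOG = """\
2023-07-10 POST /api/create_new_post 200
2023-07-10 POST /api/v2/posts 201
2023-07-10 GET /api/v2/posts/42 200
2023-07-10 GET /api/v1/admin/export 200
2023-07-11 POST /api/create_new_post 200
"""

def normalise(path):
    # Collapse numeric segments to {id} so /posts/42 matches the documented /posts/{id}.
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def parse_log(text):
    rows = []
    for line in text.splitlines():
        day, method, path, status = line.split()
        rows.append((date.fromisoformat(day), method, normalise(path), int(status)))
    return rows

def audit(inventory, rows):
    """Return (shadow, zombie) as {(method, path): request count}.
    shadow: traffic to routes missing from the inventory.
    zombie: deprecated routes still answering below 400 after their removal date."""
    seen = Counter((m, p) for _, m, p, _ in rows)
    shadow, zombie = {}, {}
    for day, m, p, status in rows:
        key = (m, p)
        if key not in inventory:
            shadow[key] = seen[key]
        elif inventory[key] is not None and day > inventory[key] and status < 400:
            zombie[key] = seen[key]
    return shadow, zombie

def run_audit():
    return audit(INVENTORY, parse_log(ACCESS_LOG))

if __name__ == "__main__":
    print(run_audit())
```

Feeding the same check real gateway logs and the OpenAPI document each release turns the deprecation date into something that is actually enforced rather than just announced.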