OWASP API Security - Improper Assets Management (API9:2019)

📋 Overview

Improper Assets Management is a critical vulnerability in API security that occurs when organizations fail to maintain a comprehensive inventory of their API assets. This vulnerability is particularly dangerous in modern environments where companies deploy multiple API versions across different customers and environments.

                Key Concept: Organizations must maintain complete visibility and control over all API
                versions, endpoints, and environments to prevent security gaps and unauthorized access.
            

🎯 The Challenge

Consider a company that develops and deploys multiple APIs across various customer sites. The complexity multiplies rapidly:

API Version Distribution Scenario

Customer A

Version 1.0

→

Customer B

Version 2.0

→

Customer C

Version 3.0

→

Customer D

Version 3.1

Each customer may require different API versions, creating management complexity

⚠️ Critical Issue: When dealing with API gateways and microservices architectures, the complexity increases exponentially. Without proper asset management, shadow APIs and deprecated versions can remain accessible, creating security vulnerabilities.

🔍 Essential Questions for Every API Endpoint

For every API endpoint in production, security teams must continuously evaluate:

1. Should this endpoint be available at all?
Determine if removing the endpoint would cause application failures or if the system can function without it.

2. Does this API need to be in production?
Evaluate whether the entire API is necessary for production operations or if it can be retired.

3. Who should access this API?
Define access controls and consider whether the API should be exposed to the public internet or restricted to internal networks.

                Best Practice: When working with API gateways, expose only the gateway itself, not the
                individual APIs directly. All API communication should flow through the gateway for proper control and
                monitoring.
            

❌ Root Causes of Improper Asset Management

1. Lack of Documentation

Many organizations struggle to maintain accurate documentation of their API landscape. Without comprehensive records, it becomes nearly impossible to determine:

Which APIs exist in which environments
What versions are deployed where
Which APIs are actively used versus dormant
Dependencies between APIs and services

2. Silent APIs

APIs that don't send or receive regular traffic can remain undetected in production environments for extended periods, creating security blind spots.

3. No Retirement Plan

Critical Gap: Organizations often lack formal processes for retiring outdated APIs. Without a retirement plan, old APIs accumulate in production, each representing a potential security vulnerability.

🛡️ Real-World Attack Scenarios

Scenario 1: Version Exploitation

An attacker discovers a security challenge asking users to find an admin interface. Most security researchers check the current API version:

/api/v2/resource/books/all

However, the vulnerability exists in an older, unpatched version that few think to check:

/api/v1/resource/books/all

Key Lesson: Always check older API versions. They often contain functionality and vulnerabilities that have been patched in newer versions but remain exploitable if the old version is still accessible.

Scenario 2: Third-Party Library Vulnerability

A company implements a new feature requiring a third-party library. Unknown to the organization, this library uses outdated API endpoints.

Impact: Due to inadequate asset management, the organization had no visibility into these legacy API endpoints. The exposed functionality contained a remote code execution (RCE) vulnerability.

Resolution: The issue was discovered by an ethical hacker during a security assessment. The company had to be notified externally because their internal systems failed to detect the rogue API.

✅ Mitigation Strategies

1. Implement Comprehensive Inventory Management

Establish a robust inventory management system that tracks all API assets with detailed metadata:

Attribute	Description	Example
API Name & Version	Unique identifier and version number	PaymentAPI v2.1.3
Environment	Deployment location	Production, Staging, Development
Network Accessibility	Which networks can reach the API	Public Internet, Internal VPN, Private Network
Third-Party Integrations	External dependencies	Stripe Payment Gateway, AWS Services
Owner/Contact	Responsible team or individual	Platform Team, [email protected]
Authentication Method	How the API authenticates requests	OAuth 2.0, API Keys, JWT
Rate Limiting	Request throttling configuration	1000 requests/minute per IP

2. Document Critical Infrastructure Elements

Your inventory should capture important technical details that assist in security monitoring and incident response:

Error Responses: How the API handles and reports errors
Authentication Flaws: Known authentication weaknesses or bypass methods
Rate Limiting Behavior: How rate limits are enforced and can be triggered
Redirect Mechanisms: URL redirection patterns and configurations
CORS Policy: Cross-Origin Resource Sharing settings and triggers
Firewall Rules: Web Application Firewall (WAF) configurations and triggers
HTTP Status Codes: Particularly 403 (Forbidden), 401 (Unauthorized), and other security-relevant responses

3. Leverage OpenAPI Specification

✓ Automation Advantage: Modern API development using OpenAPI specification enables automatic documentation generation, significantly reducing the risk of undocumented or rogue APIs.

However, automation is not foolproof. Even with OpenAPI specifications, manual reviews and audits remain essential to catch APIs that may have been deployed outside standard processes.

                Documentation Availability: If you generate Swagger UI definitions or OpenAPI
                documentation, make them readily available to API users. Clear documentation enables proper API usage
                and helps users understand security requirements.
            

4. Deploy External Security Measures

API Firewalls

Implement API firewalls as a critical security layer:

Deploy API firewalls in front of ALL internet-exposed environments

⚠️ Common Oversight: Organizations often protect production APIs with firewalls but neglect testing and staging environments that are also exposed to the internet. This is a critical mistake, especially in remote-work scenarios where test environments may be internet-accessible.

Security Coverage Checklist

Production APIs: Always protected with API firewalls and security controls
Staging Environments: Apply same security measures if internet-accessible
Testing Environments: Protect if exposed to external networks (especially relevant in remote work scenarios)
Development Environments: Should typically NOT be internet-accessible, but if they are, must be protected

5. Establish Version Update Procedures

When releasing new API versions, follow a structured approach:

                Step 1: Risk Analysis

                Conduct thorough risk assessment before deploying new API version
                Evaluate security improvements in the new version
Identify breaking changes that could affect existing integrations
Assess impact on dependent services and applications

            

                Step 2: Testing & Validation

                Verify new version doesn't break existing functionality
                Run comprehensive integration tests
Perform security testing on new version
Validate backward compatibility where required

            

Step 3: Prioritize Security Updates
Install security patches as soon as possible after validation

If a new API version includes security fixes, prioritize its deployment. The window between vulnerability disclosure and patch deployment is when your systems are most vulnerable to attack.

📊 API Lifecycle Management Diagram

Proper API Version Lifecycle

Stage 1: Development
API designed, coded, and initially tested

↓

Stage 2: Testing
Security testing, integration testing, documentation

↓

Stage 3: Production
Active use, monitoring, maintenance

↓

Stage 4: Deprecation
Announce end-of-life, migration period

↓

Stage 5: Retirement
Decommission, remove from production, archive documentation

🎯 Key Takeaways

1. Maintain Complete Visibility

It's incredibly easy to lose track of APIs in complex environments. Implement comprehensive inventory management from day one.

2. Document Everything

Every API, every version, every environment must be documented with sufficient detail for security assessment and incident response.

3. Regular Audits are Essential

Conduct regular inspections of your API inventory. Identify dormant APIs, outdated versions, and potential security gaps.

4. Plan for Retirement

Establish formal processes for retiring old APIs. Unpatched legacy APIs represent significant security risks.

5. Security by Default

Apply security measures (firewalls, monitoring, access controls) to ALL environments exposed to networks, not just production.

🔗 Testing Commands & Techniques

When testing for improper asset management vulnerabilities, use these approaches:

Version Enumeration

curl -X GET https://api.example.com/v1/endpoint curl -X GET https://api.example.com/v2/endpoint curl -X GET https://api.example.com/v3/endpoint

Test multiple version numbers to discover older, potentially vulnerable API versions that may still be accessible.

Common Path Discovery

curl -X GET https://api.example.com/api/v1/admin curl -X GET https://api.example.com/api/v1/internal curl -X GET https://api.example.com/api/v1/test curl -X GET https://api.example.com/api/v1/debug

Search for administrative, internal, or debugging endpoints that should not be publicly accessible.

Documentation Discovery

curl -X GET https://api.example.com/swagger.json curl -X GET https://api.example.com/api-docs curl -X GET https://api.example.com/openapi.json curl -X GET https://api.example.com/docs

Locate API documentation endpoints that may reveal the complete API structure and available endpoints.

🎓 Conclusion

Improper Assets Management (API9:2019) represents a foundational security challenge in modern API ecosystems. As organizations deploy increasingly complex API architectures across multiple environments and versions, maintaining comprehensive visibility becomes both more critical and more difficult.

The key to addressing this vulnerability lies in establishing robust processes: comprehensive inventory management, detailed documentation, automated discovery tools, and formal retirement procedures. Without these foundations, organizations will inevitably face shadow APIs, unpatched vulnerabilities, and security blind spots.

                Remember: Asset management is not a one-time task but an ongoing process. As your API
                landscape evolves, your inventory and security measures must evolve with it. Regular audits, automated
                monitoring, and a security-first culture are essential for maintaining proper asset management.
            

Stay vigilant, maintain comprehensive documentation, and always ask yourself: "Do we really know what's running in production?"