🔐 OWASP API Security Top 10

A9:2019 - Improper Assets Management

📋 Overview

Improper Assets Management is a critical security vulnerability that occurs when organizations fail to maintain a comprehensive inventory of their API endpoints, versions, and associated infrastructure. This lack of visibility creates significant security gaps that attackers can exploit to gain unauthorized access to systems and data.

⚠️ The Real-World Scenario

Imagine a server running multiple API services without proper documentation or tracking. The administrator has various systems running on different ports, testing environments mixed with production code, and no centralized repository to manage these assets. This chaotic situation represents a textbook case of improper assets management.

🎯 What is Improper Assets Management?

Improper Assets Management refers to the lack of proper inventory, documentation, and lifecycle management of API endpoints and their associated resources. This vulnerability arises when organizations don't have a clear understanding of:

🔍 The Problem in Detail

Common Scenarios

🚨 Typical Problems

  • Random files scattered across servers with no organization
  • Multiple API versions running simultaneously without tracking
  • Testing systems left exposed in production environments
  • No version control or repository management
  • Obscure services running on non-standard ports (e.g., port 10)
  • Lack of asset inventory documentation
  • Unknown or forgotten API endpoints

Why This Matters

When you don't know what you have, you can't protect it. An attacker who discovers an undocumented or forgotten API endpoint can exploit it without your knowledge. These shadow APIs often have weaker security controls because they're not part of your regular security monitoring and updates.

📊 Attack Scenarios and Impact

Attack Flow: Exploiting Improper Assets Management

  1. Reconnaissance: attacker scans for exposed APIs and old versions
  2. Discovery: finds an unmanaged API endpoint on port 10
  3. Exploitation: exploits known vulnerabilities in the old API version
  4. Compromise: gains unauthorized access to the system

🎯 Data Exposure

Old API versions may expose sensitive data that newer versions properly protect

🔓 Unauthorized Access

Forgotten endpoints may have weak or no authentication mechanisms

⚙️ System Compromise

Unpatched services can be exploited to gain control of the entire system

📉 Compliance Violations

Inability to demonstrate proper security controls and audit trails

🛠️ Reconnaissance Commands

Attackers use various tools to discover unmanaged assets. Here are common commands used for API reconnaissance:

Port Scanning with Nmap:
  nmap -p- -sV target-server.com
  nmap -p 1-65535 -sV -sC -T4 target-server.com
  nmap --script=http-enum target-server.com

API Endpoint Discovery:
  ffuf -u https://target-server.com/FUZZ -w /path/to/wordlist.txt
  gobuster dir -u https://target-server.com -w /path/to/api-wordlist.txt
  wfuzz -c -z file,/path/to/wordlist.txt https://target-server.com/FUZZ

Version Detection:
  curl -I https://target-server.com/api/v1/users
  curl -I https://target-server.com/api/v2/users
  curl -I https://target-server.com/api/v3/users

Subdomain Enumeration:
  subfinder -d target-server.com -o subdomains.txt
  amass enum -d target-server.com
  dnsrecon -d target-server.com -t std

Technology Fingerprinting:
  whatweb https://target-server.com
  wappalyzer https://target-server.com
  curl -s -I https://target-server.com | grep -i server
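From the defender's side, the same reconnaissance leaves traces in the web server's access logs. The script below is an added example (not code from the original page or from any tool it lists): it parses constructed combined-format log lines and flags clients that produce bursts of 404s (wordlist enumeration), plus any request that reaches a path the inventory marks as a retired API version or a test-only endpoint. The retired and test prefixes, the 404 threshold and the log lines themselves are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in the common "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v3/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /api/admin HTTP/1.1" 404 153 "-" "gobuster/3.1"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /api/backup HTTP/1.1" 404 153 "-" "gobuster/3.1"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /api/debug HTTP/1.1" 404 153 "-" "gobuster/3.1"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/users HTTP/1.1" 200 2048 "-" "gobuster/3.1"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /api/v1/test/admin HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v3/orders HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed inventory facts (placeholders for this example): version prefixes the
# inventory marks as retired, and paths that only ever existed for testing.
RETIRED_PREFIXES = ("/api/v1/", "/api/v2/")
TEST_PREFIXES = ("/api/v1/test/",)
NOT_FOUND_THRESHOLD = 3  # 404s from one client before we call it enumeration


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def analyse(text):
    """Return enumeration sources, hits on retired versions and hits on test paths."""
    not_found = defaultdict(int)
    retired_hits, test_hits = [], []
    for rec in parse_log(text):
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if rec["path"].startswith(TEST_PREFIXES):
            test_hits.append((rec["ip"], rec["path"], rec["status"]))
        elif rec["path"].startswith(RETIRED_PREFIXES):
            retired_hits.append((rec["ip"], rec["path"], rec["status"]))
    enumerating = sorted(ip for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD)
    return {
        "enumerating_ips": enumerating,
        "retired_version_hits": retired_hits,
        "test_path_hits": test_hits,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The status code in each retired-version hit is the important field: a 404 means the old version is really gone, while a 200 on a path the inventory calls retired is direct evidence that the inventory and the running system disagree.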

💡 Real-World Examples

Example 1: Forgotten Test API

A development team creates a test API endpoint at https://api.company.com/v1/test/admin that bypasses authentication for easier testing. After completing tests, they forget to remove it. Six months later, an attacker discovers this endpoint through automated scanning and gains administrative access to the system.

Attacker's Discovery Process:
  gobuster dir -u https://api.company.com -w api-paths.txt
  curl https://api.company.com/v1/test/admin
  curl -X POST https://api.company.com/v1/test/admin -d '{"action":"create_user","role":"admin"}'

Example 2: Unpatched Legacy API

An organization migrates to API v3 but leaves v1 running on port 8080 for "backward compatibility." The v1 API has known SQL injection vulnerabilities that were fixed in v3. An attacker discovers the old version and exploits it to extract the entire database.

Attack Sequence:
  nmap -p- api.company.com
  curl http://api.company.com:8080/v1/users?id=1
  sqlmap -u "http://api.company.com:8080/v1/users?id=1" --dump

Example 3: Shadow API in Microservices

In a microservices architecture, a developer deploys an internal API for inter-service communication on port 3000. Due to misconfiguration, this API becomes accessible from the internet without authentication, exposing sensitive business logic and data.

Discovery Commands:
  masscan -p1-65535 api.company.com --rate=1000
  curl http://api.company.com:3000/internal/health
  curl http://api.company.com:3000/internal/db/query -d '{"query":"SELECT * FROM users"}'

🛡️ Mitigation Strategies

Implementing Proper Assets Management

  • Maintain a comprehensive inventory of all API endpoints, versions, and ports
  • Use an API gateway to centralize access and management
  • Implement automated asset discovery tools
  • Document all API endpoints in a centralized repository
  • Establish a clear API lifecycle management process
  • Regularly audit and review active endpoints
  • Retire and remove deprecated API versions promptly
  • Separate development, testing, and production environments
  • Use version control for all API code and configurations
  • Implement network segmentation to isolate sensitive APIs
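One concrete way to apply the gateway and lifecycle items above is to make the gateway refuse anything the API registry does not list. The block below is an added example (not the page's code and not the code of any gateway product named later on this page): a minimal WSGI front that forwards only registered versions, answers 410 Gone with a successor link for retired versions, and adds Sunset (RFC 8594) and Deprecation (an IETF draft header) to responses from versions that are scheduled for retirement. The registry contents, dates and paths are assumed placeholders.

```python
import re
from datetime import date, datetime, timezone
from email.utils import format_datetime

# Constructed API registry (assumed schema and dates, not from any real deployment).
# Anything absent from this registry is never forwarded to a backend.
API_REGISTRY = {
    "v1": {"status": "retired", "successor": "v3"},
    "v2": {"status": "deprecated", "retire_on": date(2024, 6, 30), "successor": "v3"},
    "v3": {"status": "active"},
}
DEMO_TODAY = date(2024, 1, 1)  # fixed date so the demonstration is reproducible

VERSION_RE = re.compile(r"^/api/(?P<version>v\d+)(?:/|$)")


def http_date(d):
    """RFC 7231 date (midnight UTC) for the Sunset header defined in RFC 8594."""
    return format_datetime(datetime(d.year, d.month, d.day, tzinfo=timezone.utc), usegmt=True)


def route(path, today=None):
    """Decide how the gateway handles a request path: (status, extra headers, body)."""
    today = today or date.today()
    m = VERSION_RE.match(path)
    if not m:
        return 404, {}, "unknown resource"
    version = m.group("version")
    entry = API_REGISTRY.get(version)
    if entry is None:
        return 404, {}, "unknown API version"
    retired = entry["status"] == "retired" or (
        entry["status"] == "deprecated" and today > entry["retire_on"]
    )
    if retired:
        # 410 plus a successor-version link (RFC 5829 relation) tells callers where to go.
        link = f'</api/{entry["successor"]}>; rel="successor-version"'
        return 410, {"Link": link}, "API version retired"
    headers = {}
    if entry["status"] == "deprecated":
        headers["Deprecation"] = "true"          # IETF draft header, widely used by gateways
        headers["Sunset"] = http_date(entry["retire_on"])
    # A real gateway would proxy to the backend here; the body stands in for that.
    return 200, headers, f"forwarded to backend for {version}"


def app(environ, start_response):
    """WSGI entry point so the routing decision can sit in front of real backends."""
    status, headers, body = route(environ.get("PATH_INFO", "/"))
    reason = {200: "OK", 404: "Not Found", 410: "Gone"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/plain"), *headers.items()])
    return [body.encode()]


if __name__ == "__main__":
    for p in ("/api/v3/users", "/api/v2/users", "/api/v1/users", "/api/v9/users", "/internal/db/query"):
        print(p, "->", route(p, DEMO_TODAY)[:2])
```

Because the registry is the single place a version can be enabled, retiring v1 is a one-line change there rather than a hunt for every host that still serves it, and a forgotten test path under a retired version is refused together with the version.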

Asset Inventory Checklist

Essential Information to Track:

  • API Name and Description
  • Version Number and Release Date
  • Host/Server Location and IP Address
  • Port Numbers and Protocols
  • Authentication and Authorization Methods
  • Data Sensitivity Classification
  • Owner/Team Responsible
  • Last Security Assessment Date
  • Dependencies and Integrations
  • Deprecation Timeline (if applicable)

🔧 Tools for Asset Management

Recommended Tools and Technologies

  • API Gateways: Kong, Apigee, AWS API Gateway
  • Discovery Tools: Postman, Swagger, OpenAPI
  • Monitoring: Datadog, New Relic, Prometheus
  • Documentation: Swagger UI, ReDoc, GitBook

Automation Commands for Asset Discovery

Internal Network Scanning (Defensive):
  nmap -sV -p- --script=http-title,http-methods localhost
  netstat -tulpn | grep LISTEN
  ss -tulpn | grep LISTEN
  lsof -i -P -n | grep LISTEN

Docker Container Discovery:
  docker ps -a
  docker inspect $(docker ps -q) | grep -i port
  docker-compose ps

Kubernetes Service Discovery:
  kubectl get services --all-namespaces
  kubectl get endpoints --all-namespaces
  kubectl get ingress --all-namespaces
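The discovery commands above only become asset management once their output is compared against the inventory. The script below is an added example (not code from the original page) that ties the mitigation list, the inventory checklist and the `ss -tulpn` command together: it parses constructed `ss` output, holds a constructed inventory using the checklist's fields, and reports listeners nobody documented, retired versions still running, internal services bound to all interfaces instead of loopback, inventory entries that are not actually running, and entries whose last security assessment is overdue. The host output, inventory records, owners, dates and the 365-day assessment limit are all assumptions made for the demonstration.

```python
import re
from datetime import date

# Constructed output of `ss -tulpn` on a host (not captured from a real system).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2210,fd=3))
tcp   LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*         users:(("node",pid=3377,fd=19))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=601,fd=5))
tcp   LISTEN 0      128    0.0.0.0:10          0.0.0.0:*         users:(("python3",pid=4102,fd=3))
"""

# Constructed asset inventory built from the checklist fields; owners, dates and ports are placeholders.
INVENTORY = [
    {"name": "Customer API", "version": "v3", "protocol": "tcp", "port": 443, "auth": "OAuth2",
     "sensitivity": "confidential", "owner": "platform-team", "last_assessed": date(2024, 3, 1),
     "retire_on": None, "expected_bind": None},
    {"name": "Customer API", "version": "v1", "protocol": "tcp", "port": 8080, "auth": "API key",
     "sensitivity": "confidential", "owner": "platform-team", "last_assessed": date(2022, 5, 1),
     "retire_on": date(2023, 12, 31), "expected_bind": None},
    {"name": "Inventory sync (internal)", "version": "v1", "protocol": "tcp", "port": 3000, "auth": "none",
     "sensitivity": "internal", "owner": "fulfilment-team", "last_assessed": date(2024, 1, 15),
     "retire_on": None, "expected_bind": "127.0.0.1"},
    {"name": "PostgreSQL", "version": "15", "protocol": "tcp", "port": 5432, "auth": "password",
     "sensitivity": "confidential", "owner": "data-team", "last_assessed": date(2023, 11, 1),
     "retire_on": None, "expected_bind": "127.0.0.1"},
    {"name": "Reporting API", "version": "v2", "protocol": "tcp", "port": 9000, "auth": "OAuth2",
     "sensitivity": "internal", "owner": "finance-team", "last_assessed": date(2023, 2, 1),
     "retire_on": None, "expected_bind": None},
]

ASSESSMENT_MAX_AGE_DAYS = 365          # assumed policy: reassess every service yearly
DEMO_TODAY = date(2024, 4, 1)          # fixed date so the demonstration is reproducible
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -tulpn` output into listener records (proto, bind address, port, process, pid)."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6 or parts[1] != "LISTEN":
            continue
        addr, port = parts[4].rsplit(":", 1)    # rsplit keeps an IPv6 "[::]:443" intact
        proc = PROCESS_RE.search(parts[6]) if len(parts) > 6 else None
        listeners.append({
            "proto": parts[0], "addr": addr, "port": int(port),
            "process": proc.group(1) if proc else None,
            "pid": int(proc.group(2)) if proc else None,
        })
    return listeners


def reconcile(listeners, inventory, today):
    """Compare what is actually listening with what the inventory says should be."""
    by_key = {(e["protocol"], e["port"]): e for e in inventory}
    findings = {"unknown_listeners": [], "retired_still_running": [], "exposed_internal": [],
                "documented_not_running": [], "assessment_overdue": []}
    seen = set()
    for l in listeners:
        key = (l["proto"], l["port"])
        entry = by_key.get(key)
        if entry is None:                       # shadow service: nobody documented it
            findings["unknown_listeners"].append((l["port"], l["process"], l["pid"]))
            continue
        seen.add(key)
        if entry["retire_on"] and today > entry["retire_on"]:
            findings["retired_still_running"].append((entry["name"], entry["version"], l["port"]))
        if entry["expected_bind"] and l["addr"] != entry["expected_bind"]:
            findings["exposed_internal"].append((entry["name"], l["port"], l["addr"]))
    for key, entry in by_key.items():
        if key not in seen:                     # stale inventory, or a service that silently died
            findings["documented_not_running"].append((entry["name"], entry["version"], entry["port"]))
        if (today - entry["last_assessed"]).days > ASSESSMENT_MAX_AGE_DAYS:
            findings["assessment_overdue"].append((entry["name"], entry["version"]))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(parse_ss(SAMPLE_SS), INVENTORY, DEMO_TODAY).items():
        print(f"{kind}: {items}")
```

On the constructed data this reproduces each scenario the page describes: the undocumented listener on port 10, the retired v1 API still serving on 8080, and the internal service on 3000 that was meant for loopback but is bound to every interface. Feeding it real `ss` output from each host on a schedule turns the one-off audit in the Final Warning into a continuous control.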

📝 Best Practices Summary

Key Takeaways

  1. Know Your Assets: You cannot protect what you don't know exists. Maintain a complete inventory.
  2. Implement Lifecycle Management: Every API should have a clear lifecycle from creation to retirement.
  3. Automate Discovery: Use tools to continuously discover and inventory your assets.
  4. Version Control Everything: Use repositories like Git to track all API code and configurations.
  5. Regular Audits: Conduct periodic reviews to identify and remove obsolete endpoints.
  6. Centralize Management: Use API gateways and management platforms for unified control.
  7. Document Everything: Keep comprehensive documentation of all APIs, their purposes, and security requirements.
  8. Enforce Separation: Clearly separate development, testing, and production environments.

🎓 Conclusion

Improper Assets Management is not just a technical issue—it's an organizational challenge that requires discipline, processes, and the right tools. Without proper asset management, you're essentially flying blind, unable to secure what you can't see. The scenario described demonstrates the real-world consequences of poor asset management: systems running on random ports, files scattered without organization, and no centralized tracking system.

Remember: Every unknown API endpoint is a potential entry point for attackers. Implementing robust asset management practices is not optional—it's a fundamental requirement for maintaining API security.

⚠️ Final Warning

If you're currently running systems without proper asset management—like having "random files," no repository, or obscure services on non-standard ports—you should immediately conduct a comprehensive audit of your infrastructure. Identify every running service, document its purpose, close unnecessary ports, and establish a formal asset management process. The longer you wait, the greater the risk of exploitation.