Improper Asset Management

Improper Asset Management occurs when an organization fails to properly inventory, classify, or secure its assets, including hardware, software, and data.

This can lead to vulnerabilities due to unpatched software, exposed sensitive information, or loss of control over critical assets, increasing the risk of security breaches.

Maintain an up-to-date inventory of all assets, regularly assess and classify them based on sensitivity and importance, apply security patches promptly, and implement access controls and monitoring to ensure proper management and protection of assets.

vAPI example

We are interested in endpoints that include some kind of versioning, such as vAPI's API9 (v2). We can see that the v2/user/login has rate-limiting controls (Figure 1).

The below example is based on the vAPI application.

Testing for IIM requires us to check if different endpoint versions are accessible, such as beta, v1, v3, etc. For instance, the older v1 endpoint is still active and does not have rate-limiting controls like v2 (Figure 2).

The lack of rate-limiting controls makes this endpoint vulnerable to brute force attacks (Figure 3).

Testing with Postman

We can efficiently test multiple endpoints for IIM by leveraging Postman's Find and replace function and Collection Runner :

Duplicate the original collection for backup purposes (Figure 3.1).
Open the Find and replace function from Postman's footer (Figure 3.2).
Add a test script, such as Status code: code is 200 (Figure 4.3), and open the run collection menu (Figure 4.4).
Filter the desired requests & select to save the responses option (Figure 5).
Review the results and dig deeper into the non-404 status codes (Figure 6).

The below examples are based on the crAPI application.

Testing with Burp

Burp does not have an option to fuzz multiple endpoints, but we can test for IIM for GET requests with a little extra effort :

Manually create an endpoint list (example code below).
Configure the payload position on Intruder (Figure 7).
Load the endpoint list, add a match and replace rule, and remove URL-encoding (Figure 8).
Run the attack and review the results (Figure 9).

# Extracting the endpoints from the JSON postman collection file
$ cat crAPI\ -\ IIM.postman_collection.json | grep http://127.0.0.1 | awk '{print $2}' | awk -F'"' '{print $2}' > crapi_endpoints.txt

# Displaying the first 5 lines
$ head -n5 crapi_endpoints.txt
http://127.0.0.1:8888/identity/api/v1/vehicle/{{param1}}/location
http://127.0.0.1:8888/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/v1/user/dashboard

# Extracting the endpoints that include versioning without the host part
$ cat crapi_endpoints.txt | grep v1 | awk -F'8888' '{print $2}' > crapi_v1_endpoints.txt

# Displaying the first 5 lines
$ head -n5 crapi_v1_endpoints.txt
/identity/api/v1/vehicle/{{param1}}/location
/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
/identity/api/v1/user/dashboard
/identity/api/v1/user/dashboard
/identity/api/v1/user/videos/convert_video

Testing with CLI

We could also use CLI tools, such as ffuf, to check for IIM for GET requests adopting a similar process as with Burp (Figure 10).

ffuf -u http://127.0.0.1:8888FUZZ -w crapi_v2_endpoints.txt -c -fc 405

PreviousContent Type Tampering NextMass Assignment

Last updated 1 year ago

hashtagvAPI example

hashtagTesting with Postman

hashtagTesting with Burp

hashtagTesting with CLI

vAPI example

Testing with Postman

Testing with Burp

Testing with CLI