Improper Asset Management
This can lead to vulnerabilities due to unpatched software, exposed sensitive information, or loss of control over critical assets, increasing the risk of security breaches.
Maintain an up-to-date inventory of all assets, regularly assess and classify them based on sensitivity and importance, apply security patches promptly, and implement access controls and monitoring to ensure proper management and protection of assets.
vAPI example
We are interested in endpoints that include some kind of versioning, such as vAPI's API9 (v2). We can see that the v2/user/login endpoint has rate-limiting controls (Figure 1).
The below example is based on the vAPI application.

Testing for IIM requires us to check whether different endpoint versions are accessible, such as beta, v1, v3, etc. For instance, the older v1 endpoint is still active and does not have rate-limiting controls like v2 (Figure 2).

The v1 version does not have rate-limiting controls in place. The lack of rate-limiting controls makes this endpoint vulnerable to brute-force attacks (Figure 3).

Testing with Postman
We can efficiently test multiple endpoints for IIM by leveraging Postman's Find and replace function and Collection Runner:
1. Duplicate the original collection for backup purposes (Figure 3.1).
2. Open the Find and replace function from Postman's footer (Figure 3.2).
3. Add a test script, such as "Status code: code is 200" (Figure 4.3), and open the run collection menu (Figure 4.4).
4. Filter the desired requests and select the option to save the responses (Figure 5).
5. Review the results and dig deeper into the non-404 status codes (Figure 6).
The below examples are based on the crAPI application.




Testing with Burp
Burp does not have an option to fuzz multiple endpoints, but we can test for IIM for GET requests with a little extra effort:
1. Manually create an endpoint list (example code below).
2. Configure the payload position on Intruder (Figure 7).
3. Load the endpoint list, add a match and replace rule, and remove URL-encoding (Figure 8).
4. Run the attack and review the results (Figure 9).
# Extracting the endpoints from the JSON postman collection file
$ cat crAPI\ -\ IIM.postman_collection.json | grep http://127.0.0.1 | awk '{print $2}' | awk -F'"' '{print $2}' > crapi_endpoints.txt
# Displaying the first 5 lines
$ head -n5 crapi_endpoints.txt
http://127.0.0.1:8888/identity/api/v1/vehicle/{{param1}}/location
http://127.0.0.1:8888/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/v1/user/dashboard
# Extracting the v1 endpoints (one versioned API) without the host part
$ cat crapi_endpoints.txt | grep v1 | awk -F'8888' '{print $2}' > crapi_v1_endpoints.txt
# Displaying the first 5 lines
$ head -n5 crapi_v1_endpoints.txt
/identity/api/v1/vehicle/{{param1}}/location
/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
/identity/api/v1/user/dashboard
/identity/api/v1/user/dashboard
/identity/api/v1/user/videos/convert_video
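A more robust way to build that endpoint inventory than the grep/awk pipeline, added here as an example that is not part of the original page: it walks the Postman collection JSON (assumed Collection v2.x layout, with nested folders and the URL given either as a string or as an object with a "raw" key), strips the host, and groups each path by the versions the collection documents for it, so an older version such as the v1 endpoints above shows up next to its newer counterpart for review. The collection embedded below is constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample (Postman v2.x layout) based on the crAPI URLs on this page; the v2 dashboard entry is added for illustration.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "crAPI - IIM"},
    "item": [
        {"name": "login", "request": {"method": "POST",
            "url": "http://127.0.0.1:8888/identity/api/auth/login"}},
        {"name": "Identity", "item": [
            {"name": "dashboard", "request": {"method": "GET",
                "url": {"raw": "http://127.0.0.1:8888/identity/api/v1/user/dashboard"}}},
            {"name": "dashboard v2", "request": {"method": "GET",
                "url": {"raw": "http://127.0.0.1:8888/identity/api/v2/user/dashboard"}}},
            {"name": "location", "request": {"method": "GET",
                "url": {"raw": "http://127.0.0.1:8888/identity/api/v1/vehicle/{{param1}}/location"}}},
        ]},
    ],
})

VERSION_RE = re.compile(r"/(v\d+|beta|alpha)(?=/|$)")  # a whole path segment such as /v1/

def iter_urls(node):
    """Yield every raw request URL in a (possibly nested) Postman item tree."""
    for entry in node.get("item", []):
        if "item" in entry:  # folder: recurse into it
            yield from iter_urls(entry)
            continue
        url = entry.get("request", {}).get("url")
        if isinstance(url, dict):  # expanded form keeps the full URL under "raw"
            url = url.get("raw")
        if url:
            yield url

def version_inventory(collection_json):
    """Map each version-agnostic path to the sorted versions documented for it;
    paths without a version segment are recorded under "-"."""
    inventory = {}
    for url in iter_urls(json.loads(collection_json)):
        path = urlparse(url).path
        match = VERSION_RE.search(path)
        version = match.group(1) if match else "-"
        key = VERSION_RE.sub("/{version}", path, count=1)
        inventory.setdefault(key, set()).add(version)
    return {k: sorted(v) for k, v in inventory.items()}

def multi_version_paths(inventory):
    """Paths served under more than one version; the older ones must be retired
    or carry the same controls (auth, rate limiting) as the newest."""
    return {k: v for k, v in inventory.items() if len(v) > 1}
```

Feeding the real collection file through `version_inventory` gives the same per-version lists the awk pipeline produced, plus the grouping needed to spot versions that exist in the collection but were never decommissioned.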



Testing with CLI
We could also use CLI tools, such as ffuf, to check for IIM for GET requests, adopting a similar process as with Burp (Figure 10).
ffuf -u http://127.0.0.1:8888FUZZ -w crapi_v2_endpoints.txt -c -fc 405
