Exposed internal API attack technique is when an attacker targets a publicly accessible API intended for internal use only, providing an entry point for accessing sensitive information or systems within an organization.
This is a common issue when API endpoints are mistakenly exposed to the public or not properly secured, which can allow attackers to gain access to sensitive data or systems.
Attackers can discover exposed internal APIs by using automated tools to scan public IP addresses or by reverse-engineering mobile applications or browser extensions.
Once they have identified a vulnerable API, attackers can use it to gather information, launch attacks, or steal sensitive data.
The impact of this attack can be severe as attackers can bypass traditional security controls and gain access to internal systems or data that are not meant to be publicly accessible.
ID:T0123
Type:Technique
Tactic:Initial Access
Summary:Exposed internal API
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1230
Mitigation
Mitigation Secure API access control Implement strong authentication and authorization mechanisms for accessing APIs, including the use of API keys, access tokens, or other secure mechanisms to ensure that only authorized users or applications can access internal APIs.
Mitigation Secure API access control Implement strong authentication and authorization mechanisms for accessing APIs, including the use of API keys, access tokens, or other secure mechanisms to ensure that only authorized users or applications can access internal APIs.
M1231
Mitigation
Mitigation Implement Proper API documentation Clearly document the intended use and accessibility of each API endpoint and provide proper documentation to internal developers and third-party developers to prevent accidental exposure of internal APIs to the public.
Mitigation Implement Proper API documentation Clearly document the intended use and accessibility of each API endpoint and provide proper documentation to internal developers and third-party developers to prevent accidental exposure of internal APIs to the public.
M1232
Mitigation
Mitigation Implement API endpoint hardening Regularly review and update the security configurations of API endpoints to ensure that they are properly secured and not inadvertently exposed to the public.
This may include proper authentication and authorization mechanisms, input validation, and output encoding to prevent attacks such as SQL injection or cross-site scripting (XSS).
M1550
Mitigation
Mitigation Implement strict access control for clouds Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
Mitigation Implement strict access control for clouds Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
M1720
Mitigation
Mitigation Implement regular patches and updates Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems.
They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1230
Detection
Detection Implement API endpoint monitoring Implement monitoring mechanisms to track all API endpoints and their accessibility status.
Regularly review logs and audit trails to identify any API endpoints that are exposed to the public but are intended for internal use only.
D1231
Detection
Detection Implement API security testing Conduct regular security testing of APIs, including vulnerability assessments and penetration testing, to identify any potential weaknesses or vulnerabilities that may allow APIs to be exposed to the public.
Detection Implement API security testing Conduct regular security testing of APIs, including vulnerability assessments and penetration testing, to identify any potential weaknesses or vulnerabilities that may allow APIs to be exposed to the public.
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
