Contact Us

Tel. (415) 294-0482

Email. info@bc-security.org

  • github
  • Twitter

Endpoint Security

Endpoint Security refers to the evaluation of the back-end servers supporting the user application and negotiation of authentication keys. These servers could also be used to store sensitive information such as firmware updates. While there are several methods to compromise a remote server, BC Security has found that problems most often manifest in the endpoint’s Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) API.

 

BC Security uses automated tools to identify any major misconfigurations of the Endpoint servers, then will assess the API. API attacks can be broadly broken down into the following categories defined by OWASP.

 

 

 

 

 

 

Web Application Assessment Examples

Broken Authentication

Misconfiguration of authentication to the endpoint API can manifest in a variety of ways. Including no authentication required due to developers assuming users will authenticate through the front-end application to poor implementation of JSON Web Tokens. 

Broken Object Level Authorization

This type of vulnerability occurs when access to objects is not properly authorized. An example of this would be changing the parameters in a web request to be able to see a different user’s account information.

Excessive Data Exposure

This most often occurs when data provided to the user is filtered by the application instead of the endpoint API, allowing for an attacker to dump all data related to an object whether users need access to that data or not. For example, when a user sends a request for the availability of a lock instead of just returning the availability data, it returns the log of all users who have accessed that lock.

Lack of Resources & Rate Limiting

API’s often don’t enforce any restrictions on request rates or the size of requests which can result in either denial of service attacks or further enable authentication attacks like brute forcing.

 

Broken Function Level Authorization

Front-end enforcement of user action limitations can result in APIs that fail to restrict functionality when accessed directly. This allows an attacker to perform actions above their authorization level.

Mass Assignment

Generic assignment of object properties regardless of context can allow attackers to manipulate object properties they should not have access to. An example of this class of vulnerability would be crafting a password reset request that includes a password in the request when normally one would not be present. A mass assignment vulnerability would result in overwriting the target user’s password, granting the attacker access to the account.

Injection

If an End Point API fails to validate input, it can result in injection vulnerabilities to the underlying database (SQL, NoSQL, Command Injection, etc.)

How can we help?