Endpoint Security refers to the evaluation of the back-end servers supporting the user application and negotiation of authentication keys. These servers could also be used to store sensitive information such as firmware updates. While there are several methods to compromise a remote server, BC Security has found that problems most often manifest in the endpoint’s Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) API.
BC Security uses automated tools to identify any major misconfigurations of the Endpoint servers, then will assess the API. API attacks can be broadly broken down into the following categories defined by OWASP.
Web Application Assessment Examples
Misconfiguration of authentication to the endpoint API can manifest in a variety of ways. Including no authentication required due to developers assuming users will authenticate through the front-end application to poor implementation of JSON Web Tokens.
Broken Object Level Authorization
This type of vulnerability occurs when access to objects is not properly authorized. An example of this would be changing the parameters in a web request to be able to see a different user’s account information.
Excessive Data Exposure
This most often occurs when data provided to the user is filtered by the application instead of the endpoint API, allowing for an attacker to dump all data related to an object whether users need access to that data or not. For example, when a user sends a request for the availability of a lock instead of just returning the availability data, it returns the log of all users who have accessed that lock.
Lack of Resources & Rate Limiting
API’s often don’t enforce any restrictions on request rates or the size of requests which can result in either denial of service attacks or further enable authentication attacks like brute forcing.
Broken Function Level Authorization
Front-end enforcement of user action limitations can result in APIs that fail to restrict functionality when accessed directly. This allows an attacker to perform actions above their authorization level.
Generic assignment of object properties regardless of context can allow attackers to manipulate object properties they should not have access to. An example of this class of vulnerability would be crafting a password reset request that includes a password in the request when normally one would not be present. A mass assignment vulnerability would result in overwriting the target user’s password, granting the attacker access to the account.
If an End Point API fails to validate input, it can result in injection vulnerabilities to the underlying database (SQL, NoSQL, Command Injection, etc.)