diff --git a/docs/4.10/api-attack-surface/setup.md b/docs/4.10/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/4.10/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/4.8/api-attack-surface/setup.md b/docs/4.8/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/4.8/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/5.0/api-attack-surface/setup.md b/docs/5.0/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/5.0/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/ar/api-attack-surface/setup.md b/docs/ar/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/ar/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/ja/api-attack-surface/setup.md b/docs/ja/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/ja/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/latest/api-attack-surface/api-surface.md b/docs/latest/api-attack-surface/api-surface.md index f9a0ab5fc4..3484ea710c 100644 --- a/docs/latest/api-attack-surface/api-surface.md +++ b/docs/latest/api-attack-surface/api-surface.md 
@@ -10,7 +10,7 @@ Knowing the full list of your organization's external APIs is the first step in The **API Attack Surface Discovery** Wallarm component helps to solve these issues by providing the following: -* Automatic detection of external hosts for your selected domains. +* Automatic detection of external hosts for your [selected domains](setup.md). * Automatic detection of found hosts' open ports. * Automatic detection of found hosts' APIs. @@ -28,21 +28,6 @@ The **API Attack Surface Discovery** Wallarm component helps to solve these issu You get all this simply by subscribing to the component in Wallarm - you do not need to deploy anything and get the analyzed data immediately. -## Domains to search for hosts - -You can define a list of your **root domains** which you want to search for hosts as follows: - -1. In the **API Attack Surface** or **Security Issues** section, click **Configure**. -1. At the **Scope** tab, add your domains. - - Wallarm will start searching for hosts and their [security issues](security-issues.md). The search progress and results will be displayed at the **Status** tab. - -![AASM - configuring scope](../images/api-attack-surface/aasm-scope.png) - -Note that domains are automatically re-scanned every 3 days - new hosts will be added automatically, previously listed but not found during re-scan will remain in the list. - -You can re-start, pause or continue scanning for any domain manually at **Configure** → **Status**. - ## Data on found hosts Once hosts are found for your domains, in Wallarm Console go to the **API Attack Surface** section. Click the host in the list to see: diff --git a/docs/latest/api-attack-surface/overview.md b/docs/latest/api-attack-surface/overview.md index 755e46e0e0..a40a4132c9 100644 --- a/docs/latest/api-attack-surface/overview.md +++ b/docs/latest/api-attack-surface/overview.md 
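Review bot: the two numbered steps removed from api-surface.md in hunk @@ -28,21 (click **Configure**, add domains at the **Scope** tab, watch progress and results at the **Status** tab) do not survive in the replacement page; setup.md compresses them into "Add your domains to the scope, check the scanning status" without naming either tab, so a first-time reader no longer learns where domains are entered or where per-domain progress appears. Carry the two steps over into setup.md as the same numbered list. The screenshot `../images/api-attack-surface/aasm-scope.png` is reused there, so the image itself is not lost, and the new `[selected domains](setup.md)` link in hunk @@ -10,7 is the right place to send readers once setup.md has the full procedure.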
@@ -1,6 +1,6 @@ # API Attack Surface Management -Wallarm's **API Attack Surface Management** (**AASM**) is an agentless detection solution designed to discover all external hosts with their APIs, evaluate their protection against Web and API-based attacks, identify missing WAF/WAAP solutions, and detect the discovered endpoints' security issues. +Wallarm's **API Attack Surface Management** (**AASM**) is an agentless detection solution tailored to the API ecosystem, designed to discover external hosts with their APIs, identify missing WAF/WAAP solutions, and mitigate API Leaks and other vulnerabilities. API Attack Surface Management includes: 
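Review bot: "mitigate API Leaks and other vulnerabilities" in the new intro sentence of overview.md (hunk @@ -1,6) claims more than the rest of the page supports; Steps 1 to 3 and the `Vulnerability types detected` list only discover, classify and report issues, and the old wording ("detect the discovered endpoints' security issues") was accurate. Suggest "detect API leaks and other vulnerabilities". The same rewrite also drops "evaluate their protection against Web and API-based attacks" even though Step 2 (WAF coverage discovery & testing) still does exactly that, so keep that clause or fold it into the new sentence.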
@@ -11,34 +11,52 @@ API Attack Surface Management includes: ## How it works -Work with API Attack Surface Management looks as follows: +API Attack Surface Management provides multiple automated activities described in the sections below. -* You buy subscription. -* You set your root domains to be scanned. -* For specified domains, Wallarm searches for subdomains/hosts and lists them. +### Step 1: External API attack surface discovery - AASM system collects subdomains using various OSINT methods, such as passive DNS analysis, SSL/TLS certificate analysis, Certificate Transparency Logs analysis, via search engines and enumeration of the most frequently occurring subdomains. +* [Discovers](api-surface.md) external hosts and their APIs (including hosting e.g. CDN, IaaS, or PaaS providers). +* Identifies geolocation and data centers based on IP resolution. +* Provides insights into potential API protocols that an organization is using (JSON-API, GraphQL, XML-RPC, JSON-RPC, OData, gRPC, WebSocket, SOAP, WebDav, HTML WEB and more). +* Uncovers private API specifications unintentionally made publicly available. +* Continuously monitors changes in the external API attack surface to detect new APIs, shadow APIs, and rogue endpoints introduced during development or deployment. -* Wallarm identifies geolocation and data center for each host. -* Wallarm identifies exposed APIs on each host. -* Wallarm identifies security solutions (WAF/WAAP) protecting the host and evaluate their efficiency. -* Wallarm checks found domains/hosts for [security issues](security-issues.md). -* If found, security issues are listed and described for you to be able to solve them. +### Step 2: WAF coverage discovery & testing -## Enabling and setup +* [Discovers](api-surface.md) if APIs are protected by WAFs/WAAPs. +* Tests types of threats WAFs/WAAPs are configured to detect. +* Computes a [security score](api-surface.md#security-posture) for each discovered endpoint. 
+* Identifies and reports gaps in WAF configurations, such as missing rules for OWASP Top 10 vulnerabilities or lack of coverage for modern API-specific threats like BOLA and credential stuffing. -To use AASM, the Wallarm's [API Attack Surface](../about-wallarm/subscription-plans.md#api-attack-surface) subscription plan should be active for your company. To activate, do one of the following: +### Step 3: automatic API leaks and vulnerability detection -* If you do not have Wallarm account yet, get pricing information and activate AASM on the Wallarm's official site [here](https://www.wallarm.com/product/aasm). +* Once the external attack surface landscape is discovered, starts to [discover API leaks and vulnerabilities](security-issues.md) related to the discovered apps and APIs. +* Monitors and classifies vulnerabilities by severity, categorizing issues such as misconfigurations, weak encryption, or outdated dependencies to prioritize remediation efforts effectively. - When activating, scanning of the used email's domain starts immediately while you negotiate sales team. After activation, you can add additional domains to the scope. +## Vulnerability types detected -* If you already have Wallarm account, contact [sales@wallarm.com](mailto:sales@wallarm.com). +API Attack Surface Management detects: -Once subscription is activated, to configure domain detection and start searching for security issues, in Wallarm Console → AASM → **API Attack Surface** or **Security Issues** section, click **Configure**. Add your domains to the scope, check the scanning status. +* GraphQL misconfigurations +* Information exposures (debug data, configuration files, logs, source code, backups) +* Sensitive APIs exposure (e.g. Prometheus metrics, status pages, APIs exposing system/debug data) +* Most widespread cases of Path traversal, SQLi, SSRF, XSS, etc. 
+* Remote management interfaces exposure (including API Gateway's management interfaces) +* Database management interface exposure +* SSL/TLS misconfigurations +* API specification exposure +* API Leaks, including API Keys, PII (user names and passwords), authorization tokens (Bearer/JWT), and more +* Outdated software versions and corresponding CVEs +* ~2k most popular web and API-related CVEs -![AASM - configuring scope](../images/api-attack-surface/aasm-scope.png) +See full list with the descriptions [here](security-issues.md#list-of-detected-issues). -Wallarm will list all subdomains and show security issues related to them if there are any. Note that domains are automatically re-scanned daily - new subdomains will be added automatically, previously listed but not found during re-scan will remain in the list. +## Enabling and setup -You can re-start, pause or continue scanning for any domain manually at **Configure** → **Status**. +To use AASM, the Wallarm's [API Attack Surface](../about-wallarm/subscription-plans.md#api-attack-surface) subscription plan should be active for your company. To activate, do one of the following: + +* If you do not have Wallarm account yet, get pricing information and activate AASM on the Wallarm's official site [here](https://www.wallarm.com/product/aasm). + + When activating, scanning of the used email's domain starts immediately while you negotiate sales team. After activation, you can [add additional domains](setup.md) to the scope. + +* If you already have Wallarm account, contact [sales@wallarm.com](mailto:sales@wallarm.com). diff --git a/docs/latest/api-attack-surface/security-issues.md b/docs/latest/api-attack-surface/security-issues.md index b8ca8065b7..ec16888ee8 100644 --- a/docs/latest/api-attack-surface/security-issues.md +++ b/docs/latest/api-attack-surface/security-issues.md 
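Review bot: the new Step 2 and the `Vulnerability types detected` list in overview.md (hunk @@ -11,34) describe active checks ("Tests types of threats WAFs/WAAPs are configured to detect", "Most widespread cases of Path traversal, SQLi, SSRF, XSS, etc.") without saying that these are requests sent to the customer's production hosts; because the page still calls AASM "agentless" and says "you do not need to deploy anything", readers will not expect attack-shaped traffic to appear in their own WAF logs and SOC alerts. Add a sentence stating which steps are passive (OSINT discovery) and which send probes, and where to find the probe source ranges if that is documented elsewhere. Two smaller points in the same hunk: the removed paragraph explaining how subdomains are collected (passive DNS analysis, SSL/TLS certificate analysis, Certificate Transparency Logs, search engines, enumeration of common subdomains) was the only description of the discovery method on the page and belongs under Step 1; and "PII (user names and passwords)" in the API Leaks bullet mislabels credentials as PII, so write "credentials (user names and passwords) and PII". Heading case is also inconsistent between "Step 1: External API attack surface discovery" and "Step 3: automatic API leaks and vulnerability detection".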
@@ -1,6 +1,6 @@ # Detecting Security Issues -Once [API Surface Discovery](api-surface.md) finds the external hosts of your domains, Wallarm checks if these hosts have any security issues. Once found, the issues are listed and described in the **Security Issues** section. This article describes how to use the presented information. +Once [API Attack Surface Discovery](api-surface.md) finds the external hosts of your [selected domains](setup.md), Wallarm checks if these hosts have any security issues. Once found, the issues are listed and described in the **Security Issues** section. This article describes how to use the presented information. ## Exploring security issues 
@@ -14,19 +14,46 @@ Here, the detailed information on found issues is presented, including: * Risk level evaluation and distribution of security issues by these levels * Top vulnerable hosts list -## Define your domains to search for security issues - -You can define a list of your root domains where you want to search for security issues: - -1. In the **API Attack Surface** or **Security Issues** section, click **Configure**. -1. At the **Scope** tab, add your domains. - - Wallarm will start searching for subdomains and leaked credentials published under the domain. The search progress and results will be displayed at the **Status** tab. - -![Security issues - configuring scope](../images/api-attack-surface/security-issues-configure-scope.png) +## List of detected issues + +Wallarm automatically detects the following security issues: + +| Type | Description | +| ------- | ------- | +| Management interface | The remote management interface or administrative panel is publicly accessible over the Internet, exposing the system to potential attacks. Malicious adversaries could exploit this by performing password-guessing attacks, credential stuffing, or leveraging known vulnerabilities in the service to gain unauthorized access. | +| Authentication bypass | An authentication bypass vulnerability allows an attacker to circumvent the authentication mechanism and gain unauthorized access to protected resources. This security flaw can lead to unauthorized access to sensitive data, privilege escalation, or complete system compromise. | +| BOLA | Attackers can exploit API endpoints vulnerable to broken object-level authorization by manipulating the ID of an object sent within the request. This may lead to unauthorized access to sensitive data. See [details](../attacks-vulns-list.md#broken-object-level-authorization-bola). | +| File read | The application has an arbitrary file read vulnerability, allowing an attacker to read files on the server without proper authorization. 
This security flaw can lead to unauthorized access to sensitive information, including configuration files, source code, or user data, compromising the entire system's security. | +| File upload | An arbitrary file upload vulnerability allows a malicious user to upload potentially harmful files to a server, bypassing intended restrictions. This security flaw can lead to remote command execution through web shells, overwriting of critical system files, malware distribution, or even complete server compromise. | +| Information exposure | This vulnerability involves the unauthorized disclosure of sensitive information by an application, potentially providing attackers with sensitive data for further malicious activities. See [details](../attacks-vulns-list.md#information-exposure). | +| LFI | A local file inclusion (LFI) vulnerability allows an attacker to manipulate file paths within a web application due to inadequate input validation. This security flaw can result in unauthorized access to sensitive system files, code execution, and potentially complete system compromise, often as a stepping stone for more severe exploits. | +| Misconfiguration | Security misconfigurations include vulnerabilities caused by improperly configured systems, such as enabled debug mode, excessive information in error messages, TLS/SSL misconfiguration, and missing or wrongly set CORS policy. | +| Missing authentication | Sensitive application or API endpoint is accessible without proper authentication mechanisms in place. This vulnerability can lead to unauthorized access and manipulation of sensitive data, potentially resulting in data breaches, service disruptions, or compromise of the entire system's integrity. | +| RCE | Remote code execution - this vulnerability occurs due to incorrect validation and parsing of user input. An attacker can inject malicious code into a request to a web application, and the application will execute this code. 
Also, the attacker can try to execute certain commands for the operating system that the vulnerable web application runs on. See [details](../attacks-vulns-list.md#remote-code-execution-rce). | +| Open redirect | An open redirect vulnerability allows user-controlled input to specify a link to an external site for redirection. Attackers can exploit this to redirect users to malicious websites, potentially leading to phishing attacks or other security risks. | +| Sensitive API exposure | Due to improper security measures or misconfiguration, an API endpoint, documentation, or functionality is unintentionally exposed or accessible to unauthorized users. This exposure can potentially lead to more targeted attacks, unauthorized access to sensitive data, or the exploitation of system vulnerabilities by providing attackers with valuable information about the system's structure. | +| SQLi | SQL injection - vulnerability to this attack occurs due to insufficient filtration of user input. An SQL injection attack is performed by injecting a specially crafted query to an SQL database. See [details](../attacks-vulns-list.md#sql-injection). | +| SSRF | Server‑side request forgery - a successful SSRF attack may allow an attacker to make requests on behalf of the attacked web server; this potentially leads to revealing the web application's network ports in use, scanning the internal networks, and bypassing authorization. See [details](../attacks-vulns-list.md#serverside-request-forgery-ssrf). | +| Subdomain takeover | A subdomain is vulnerable to potential takeover because it points to non-existent resources. This vulnerability allows attackers to claim and control these subdomains, potentially leading to phishing attacks, data theft, or reputation damage for the original domain owner. | +| User enumeration | A vulnerability allows the unauthorized enumeration of user accounts or sensitive data through system responses. 
This weakness can lead to unauthorized access, targeted attacks, or serve as a starting point for further system exploitation. | +| Vulnerable component | Using obsolete software components containing known vulnerabilities poses a risk as it allows potential attackers to exploit known vulnerabilities. Furthermore this indicates insufficient patch management processes within the organization. | +| XSS | Cross‑site scripting - a cross‑site scripting attack allows an attacker to execute a prepared arbitrary code in a user's browser. See [details](../attacks-vulns-list.md#crosssite-scripting-xss). | +| XXE | Attack on XML external entity - the vulnerability allows an attacker to inject an external entity in an XML document to be evaluated by an XML parser and then executed on the target web server. See [details](../attacks-vulns-list.md#attack-on-xml-external-entity-xxe). | +| API leak | A leaked API key can allow attackers to impersonate authorized users, access confidential financial data, and even manipulate transaction flows. See [details](#api-leaks). | +| Vulnerable software | Vulnerable software versions pose a significant risk of unauthorized access to systems, stolen data, malware, or operation disruption. The vulnerability has a high risk of exploitation, as the attackers actively seek out known vulnerabilities in outdated software. | + +## Issue lifecycle + +Once a security issue is detected, it obtains the **Open** status meaning some measures are required to mitigate it. In the issue details, you can close it (means it was resolved) or mark as false. + +![Security issues details - Lifecycle controls](../images/api-attack-surface/security-issue-details-lifecycle.png) + +You can also re-evaluate and adjust the risk level of the issue. ## API leaks +Among other types of security issues, Wallarm detects cases of public exposure of API credentials (API leaks). 
The leaked API keys can allow attackers to impersonate authorized users, access confidential financial data, and even manipulate transaction flows. + Wallarm searches for the API leak security issues with the following two-step procedure: 1. **Passive scan**: checks public resources for published (leaked) data related to these domains. @@ -44,7 +71,7 @@ You can manage the decisions on what to do with the found leaks: * Close the leaks to mark that the problem is solved. * Even if a leak is closed, it is not deleted. Reopen it to mark that problem is still actual. -## Viewing requests blocked by virtual patches +**Viewing requests blocked by virtual patches** You can view requests blocked by [virtual patches](../user-guides/rules/vpatch-rule.md) in Wallarm Console → **Attacks** by setting the **Type** filter to `Virtual patch` (`vpatch`). diff --git a/docs/latest/api-attack-surface/setup.md b/docs/latest/api-attack-surface/setup.md new file mode 100644 index 0000000000..35c99f3c1a --- /dev/null +++ b/docs/latest/api-attack-surface/setup.md @@ -0,0 +1,9 @@ +# API Attack Surface Setup + +To configure [API Attack Surface Management](overview.md) to detect hosts under your selected domains and search for security issues related to these hosts, in Wallarm Console → AASM → **API Attack Surface** or **Security Issues** section, click **Configure**. Add your domains to the scope, check the scanning status. + +![AASM - configuring scope](../images/api-attack-surface/aasm-scope.png) + +Wallarm will list all hosts under your domains and show security issues related to them if there are any. Note that domains are automatically re-scanned once every 3 days - new hosts will be added automatically, previously listed but not found during re-scan will remain in the list. + +You can re-start, pause or continue scanning for any domain manually at **Configure** → **Status**. \ No newline at end of file 
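Review bot: the XXE row in the new table in security-issues.md (hunk @@ -14,19) says the injected external entity is "evaluated by an XML parser and then executed on the target web server"; entities are expanded by the parser, not executed, and the practical impact is local file disclosure, requests from the parser's host to internal services, or denial of service through entity expansion. Suggest "resolved by the XML parser, which can disclose local files, reach internal services, or exhaust server resources". Also in this hunk: the `Vulnerable component` and `Vulnerable software` rows describe the same class of issue, so either merge them or state what distinguishes them (a third-party library versus the exposed server product, for example), and the `File read` and `LFI` rows overlap the same way. In the `Issue lifecycle` paragraph, "mark as false" should read "mark as a false positive", and the page should say what happens to a closed or false-positive issue when the 3-day re-scan detects it again (re-opened automatically, or left as is), since that decides whether a team can trust the Open count.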
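Review bot: demoting `## Viewing requests blocked by virtual patches` to bold text in security-issues.md (hunk @@ -44,7) removes the section from the page table of contents and breaks any existing link to its `#viewing-requests-blocked-by-virtual-patches` anchor; it also makes the paragraph read as part of `## API leaks`, although it describes the **Attacks** view and the `vpatch` filter, which have nothing to do with leak detection. Keep the H2, or if the intent is to move the material, relocate it to the virtual patch rule page it already links to (`../user-guides/rules/vpatch-rule.md`).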
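Review bot: the new setup.md says hosts "previously listed but not found during re-scan will remain in the list" but not how a reader tells a live host from one that has been decommissioned, and "Add your domains to the scope" does not say whether domain ownership is verified before scanning starts; both matter because the overview advertises WAF testing and vulnerability checks against every listed host. Document the last-seen or status indicator (if one exists) and the ownership check (if any), or state explicitly that there is none. Minor: the file ends without a trailing newline (`\ No newline at end of file`).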
diff --git a/docs/pt-BR/api-attack-surface/setup.md b/docs/pt-BR/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/pt-BR/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/docs/tr/api-attack-surface/setup.md b/docs/tr/api-attack-surface/setup.md new file mode 100644 index 0000000000..95fc74d7a8 --- /dev/null +++ b/docs/tr/api-attack-surface/setup.md @@ -0,0 +1 @@ +--8<-- "latest/api-attack-surface/setup.md" \ No newline at end of file diff --git a/images/api-attack-surface/aasm-api-surface-protection-score (old).png b/images/api-attack-surface/aasm-api-surface-protection-score (old).png deleted file mode 100644 index 2e924bd17f..0000000000 Binary files a/images/api-attack-surface/aasm-api-surface-protection-score (old).png and /dev/null differ diff --git a/images/api-attack-surface/aasm.png b/images/api-attack-surface/aasm.png index 795ed53c28..2030ff406c 100644 Binary files a/images/api-attack-surface/aasm.png and b/images/api-attack-surface/aasm.png differ diff --git a/images/api-attack-surface/security-issue-details-lifecycle.png b/images/api-attack-surface/security-issue-details-lifecycle.png new file mode 100644 index 0000000000..d025d55fbd Binary files /dev/null and b/images/api-attack-surface/security-issue-details-lifecycle.png differ diff --git a/images/api-attack-surface/security-issues.png b/images/api-attack-surface/security-issues.png index 070fc49942..f95b0e7bb4 100644 Binary files a/images/api-attack-surface/security-issues.png and b/images/api-attack-surface/security-issues.png differ diff --git a/mkdocs-4.10.yml b/mkdocs-4.10.yml index 7885bfc207..f55c531e3d 100644 --- a/mkdocs-4.10.yml +++ b/mkdocs-4.10.yml 
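Review bot: `images/api-attack-surface/aasm-api-surface-protection-score (old).png` is deleted in this patch, but no markdown change in the diff removes a reference to it, so confirm with a search across docs/ that nothing still embeds it (the space and parentheses in the file name make it easy to miss in a plain grep). The replaced binaries `aasm.png` and `security-issues.png` are presumably embedded by pages outside this diff; their surrounding text may need a check against the new screenshots.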
@@ -59,7 +59,8 @@ nav: - GraphQL API Protection: api-protection/graphql-rule.md - API Attack Surface: - Overview: api-attack-surface/overview.md - - API Surface Discovery: api-attack-surface/api-surface.md + - Setup: api-attack-surface/setup.md + - API Attack Surface Discovery: api-attack-surface/api-surface.md - Detecting Security Issues: api-attack-surface/security-issues.md - Assets & Vulnerabilities: - Exposed Assets: user-guides/scanner.md diff --git a/mkdocs-4.8.yml b/mkdocs-4.8.yml index 02378a7209..5329e869c3 100644 --- a/mkdocs-4.8.yml +++ b/mkdocs-4.8.yml @@ -53,7 +53,8 @@ nav: - Exploring Detected Bots: api-abuse-prevention/exploring-bots.md - API Attack Surface: - Overview: api-attack-surface/overview.md - - API Surface Discovery: api-attack-surface/api-surface.md + - Setup: api-attack-surface/setup.md + - API Attack Surface Discovery: api-attack-surface/api-surface.md - Detecting Security Issues: api-attack-surface/security-issues.md - Assets & Vulnerabilities: - Exposed Assets: user-guides/scanner.md diff --git a/mkdocs-5.0.yml b/mkdocs-5.0.yml index 329c4e8540..4cb8db9d97 100644 --- a/mkdocs-5.0.yml +++ b/mkdocs-5.0.yml @@ -65,7 +65,8 @@ nav: - GraphQL API Protection: api-protection/graphql-rule.md - API Attack Surface: - Overview: api-attack-surface/overview.md - - API Surface Discovery: api-attack-surface/api-surface.md + - Setup: api-attack-surface/setup.md + - API Attack Surface Discovery: api-attack-surface/api-surface.md - Detecting Security Issues: api-attack-surface/security-issues.md - Assets & Vulnerabilities: - Exposed Assets: user-guides/scanner.md
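Review bot: the nav entry `- Setup: api-attack-surface/setup.md` is added only to mkdocs-4.10.yml, mkdocs-4.8.yml and mkdocs-5.0.yml, while the stub pages created for ar, ja, pt-BR and tr and the real page under docs/latest have no corresponding nav change in this diff; unless the `latest` and localized configs pick the section up some other way, setup.md will be orphaned there and the `[selected domains](setup.md)` links added in api-surface.md and security-issues.md will point to a page reachable only by URL. Add the same line to those configs, or confirm they inherit this nav. Placing Setup before `API Attack Surface Discovery` is right, since the discovery page now links to it as a prerequisite.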