# API Attack Surface Management Wallarm's **API Attack Surface Management** (**AASM**) is an agentless detection solution tailored to the API ecosystem, designed to discover external hosts with their APIs by scanning domains, IP addresses, and network ranges, identify missing WAF/WAAP solutions, and mitigate API Leaks and other vulnerabilities. API Attack Surface Management includes: * [API Attack Surface Discovery (AASD)](https://docs.wallarm.com/api-attack-surface/api-surface.md) * [Security Issues Detection](https://docs.wallarm.com/api-attack-surface/security-issues.md) ![AASM](https://docs.wallarm.com/images/api-attack-surface/aasm.png) ## How it works API Attack Surface Management provides multiple automated activities described in the sections below. ### Step 1: External API attack surface discovery * [Discovers](https://docs.wallarm.com/api-attack-surface/api-surface.md) external hosts and their APIs by scanning domains, IP addresses, and network ranges (including hosting e.g. CDN, IaaS, or PaaS providers). * Identifies geolocation and data centers based on IP resolution. * Provides insights into potential API protocols that an organization is using (JSON-API, GraphQL, XML-RPC, JSON-RPC, OData, gRPC, WebSocket, SOAP, WebDav, HTML WEB and more). * Uncovers private API specifications unintentionally made publicly available. * Continuously monitors changes in the external API attack surface to detect new APIs, shadow APIs, and rogue endpoints introduced during development or deployment. * [Notifies](https://docs.wallarm.com/api-attack-surface/setup.md#notifications) your about discovery results and changes in your API attack surface. ### Step 2: WAF coverage discovery & testing * [Discovers](https://docs.wallarm.com/api-attack-surface/api-surface.md) if APIs are protected by WAFs/WAAPs. * Tests types of threats WAFs/WAAPs are configured to detect. * Computes a [security score](https://docs.wallarm.com/api-attack-surface/api-surface.md#security-posture) for each discovered endpoint. * Identifies and reports gaps in WAF configurations, such as missing rules for OWASP Top 10 vulnerabilities or lack of coverage for modern API-specific threats like BOLA and credential stuffing. ### Step 3: Automatic API leaks and vulnerability detection * Once the external attack surface landscape is discovered, starts to [discover API leaks and vulnerabilities](https://docs.wallarm.com/api-attack-surface/security-issues.md) related to the discovered apps and APIs. * Monitors and classifies vulnerabilities by severity, categorizing issues such as misconfigurations, weak encryption, or outdated dependencies to prioritize remediation efforts effectively. * [Notifies](https://docs.wallarm.com/api-attack-surface/setup.md#notifications) your about found leaks and detected vulnerabilities. ## Vulnerability types detected API Attack Surface Management detects: * GraphQL misconfigurations * Information exposures (debug data, configuration files, logs, source code, backups) * Sensitive APIs exposure (e.g. Prometheus metrics, status pages, APIs exposing system/debug data) * Most widespread cases of Path traversal, SQLi, SSRF, XSS, etc. * Remote management interfaces exposure (including API Gateway's management interfaces) * Database management interface exposure * SSL/TLS misconfigurations * API specification exposure * API Leaks, including API Keys, PII (user names and passwords), authorization tokens (Bearer/JWT), and more * Outdated software versions and corresponding CVEs * ~2k most popular web and API-related CVEs See full list with the descriptions [here](https://docs.wallarm.com/attacks-vulns-list.md#vulnerability-types). ## Enabling and setup To start using API Attack Surface Management, enable and configure it as described in API [Attack Surface Management Setup](https://docs.wallarm.com/api-attack-surface/setup.md).