AASM's Security Issues ¶

Once API Attack Surface Discovery finds the external hosts of your selected domains, Wallarm checks if these hosts have any security issues. Once found, the issues are listed and described in the Security Issues section. This article describes how to use the presented information.

Detected issues¶

Wallarm's API Attack Surface Management (AASM) finds more than 40 different types of security issues, some of them are only found by AASM and not by other vulnerability detection methods. Get familiar with all issues found by AASM here by searching for "AASM".

Pay specific attention to the issues for which AASM is the only detection method.

API leaks¶

Among other types of security issues, Wallarm detects cases of public exposure of API credentials (API leaks). The leaked API keys can allow attackers to impersonate authorized users, access confidential financial data, and even manipulate transaction flows.

Wallarm searches for the API leak security issues with the following two-step procedure:

1. Passive scan: checks public resources for published (leaked) data related to these domains.

2. Active scan: automatically searches the listed domains for subdomains. Then - as an unauthenticated user - sends requests to their endpoints and checks responses and the source code of pages for the presence of sensitive data. The following data is searched for: credentials, API keys, client secrets, authorization tokens, email addresses, public and private API schemas (API specifications).

You can manage the decisions on what to do with the found leaks:

• If you have a deployed Wallarm node(s), apply a virtual patch to block all attempts to use the leaked API credentials.

  A virtual patch rule will be created.

  Note that creating virtual patch is only possible when the leaked secret value is 6 or more symbols or regular expression is no more than 4096 symbols - Not applicable remediation status will be displayed if these conditions are not met. The limitations aim to prevent the legitimate traffic blocking.

• Mark the leak as false if you think it was added by mistake.

• Close the leaks to mark that the problem is solved.

• Even if a leak is closed, it is not deleted. Reopen it to mark that problem is still actual.

Viewing requests blocked by virtual patches

You can view requests blocked by virtual patches in Wallarm Console → Attacks by setting the Type filter to Virtual patch (vpatch).

Note that this filter will list not only the virtual patch events caused by the Security Issues functionality but also all the other virtual patches, created for different purposes.

Managing found issues¶

Along with all the other security issues (found by any method), the ones found by AASM are displayed in the Wallarm Console → Security Issues section.

You can recognize issues found by AASM by the AASM in the Discovered by field. You can filter issues to see only the ones found by AASM with the Discovered by filter.

Detailed information on how to work with security issue: understand issue statuses, lifecycle and transitions, risk levels, getting details on each issue and mitigation measures, getting notifications and reports - is provided here.

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send