Issues
  • 12 Jun 2024
  • 4 Minutes to read
  • PDF

Issues

  • PDF

Article summary

Issues are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. The issue-management life cycle process helps identify and remediate security risks before threat actors can exploit them. The life cycle includes being aware of all the assets in your organization, carrying out an issue scan, assessing the risks, and taking action to mitigate those risks. Traceable’s API Security Testing (AST) can help you with an issue scan.

Traceable identifies assets or the API endpoints and services in your environment through the discovery process. After Traceable discovers the API endpoints, it does an issue scan on APIs and the associated services and displays them in the Issues section.

Issue-management Life Cycle

Based on the issues identified, you can carry out a risk assessment of the API endpoint. Traceable also provides possible remediation. Once you have applied the remediation, verify that your API is secure. Traceable continuously monitors the API endpoints that you have remediated and secured. It reports an issue if it finds any in the future; hence, continuous monitoring is essential.

Issue Summary

The Issues page summarizes issues for both External and Internal APIs. The integrated issues page display issues found during run time protection, API security testing (AST), or detected by a compliance policy. These three different categories of issues are based on different sources:

  • Live Traffic

  • AST

  • Compliance

Issues

The Issues dashboard provides the following information:

Issues

The issues section shows:

  • The total number of issues across APIs in the last 90 days. For example, in the above screenshot, the total number of issues is 1.11K.

Status

The status section shows:

  • The total number of open issues since you created your account with Traceable.

  • The number of resolved, under review, fixed, and accepted risk issues.

Severity

The severity is categorized as critical, high, medium, and low.

Issue details

To view the details of each issue, click on it, as shown in the screenshot below. In the table, you can also view the number of API endpoints associated with each type of issue. These issues are specific to an environment; alternatively, you can view them for all environments, as shown below. For example, in the screenshot below, the Lack of Encryption issue is found in 15 API endpoints.

The issues table below displays the issues’ source, CVSS score, severity, whether it belongs to any OWASP API Top 10 category, and when it was last seen.

Issue Selection

The issue detail page provides many details about the issue. To view the details about a specific issue, click on the issue. The details page, as shown below, displays when the issue was first found and how recently it was seen again. The page also displays all the APIs where the issue was found.

You can also view the description, the method to mitigate this issue, and the impact that the issue may have on your system. The page also provides the attack methodology that the attacker may use to exploit the issue.

Traceable gathers evidence for each issue that it has seen in your environment. You can view this evidence when you click on the API endpoint. Traceable shows the 5 latest pieces of evidence it has seen in the last 24 hours. Further, you can view the detailed span for each piece of evidence.

Note

For dormant APIs, Traceable shows the 5 latest evidences that it has seen in 90 days.

Issue Evidence

Types of Issues

Traceable, based on its continuous learning, detects the following types of issues:

Category

Issue Type

Insecure Design

  • Query params contain sensitive data

  • Lack of encryption

  • API params contain URL

  • HTTP redirect

  • Insecure HTTP method

  • Username and password enumeration

  • Regex DOS

Remote Code Execution

  • Java Log4Shell

  • Buffer overflow

  • Integer overflow error

Security Headers

  • HSTS header misconfiguration

  • Missing nosniff in content type options header

  • CSP header misconfiguration

Authentication

  • Basic authentication method

  • Unauthenticated access

  • Weak password

SQL Injection

  • Blind SQL injection

  • Error-based SQL injection

Data Exposure

  • Excessive data exposure

JSON Web Token (JWT)

  • JWT token expiry

  • JWT weak algorithm

  • JWT algorithm confusion

  • JWT invalid signature

  • JWT JKU misuse

  • JWT missing audience claim

Improper asset management

  • Multiple versions of API

Business logic

  • Parameter pollution

  • Mass assignment

Security misconfiguration

  • HTTP only site

  • Server version disclosure

  • .env information leak

  • HTTPS not accessible

  • Directory listing leak

Access control

  • Rate limiting

TLS

  • TLS not implemented

  • TLS/DTLS CBC attack (Lucky13)(CVE-2013-0169)

  • Self-signed certificate

Authorization

  • Broken object-level authorization

  • Broken function level authorization

Cross-site scripting

  • Reflected cross-site scripting

Server-side request forgery

  • Server-side request forgery blind

You can view the description and mitigation for each issue in the Issues UI.


Issue Status

You can manually change the state of the detected issue to any of the following:

  • Open — Traceable has detected an issue.

  • Under review — The issue has been acknowledged. You are taking steps to close it.

  • Fixed — The issue has been closed. Traceable keeps monitoring the asset (API endpoint or service) even after you have marked it as fixed. If Traceable finds new issues, it automatically moves them to an Open state for you to review and resolve. 

  • Not an issue — Move the issue to a Not a Issue state when you do not want Traceable to report it. If Traceable keeps seeing this issue category, it does not move it to an open state.

  • Accepted risk — You can move the issue to this state when you understand and accept the impact.


Issue Deletion

You can delete detected issues from the Issue Summary section by changing their status to Fixed or Not an issue. Traceable also deletes issues if they are deleted from all Sources. For example, let us say an issue has Live Traffic and AST as the Source. Then, Traceable deletes the issue when it is deleted from both Sources.


Was this article helpful?

What's Next
ESC

Eddy, a generative AI, facilitating knowledge discovery through conversational intelligence