Issues

08 Oct 2024
Article summary

Issues are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. The issue-management life cycle process helps identify and remediate security risks before threat actors can exploit them. The life cycle includes being aware of all the assets in your organization, carrying out an issue scan, assessing the risks, and taking action to mitigate those risks. Traceable’s API Security Testing (AST) can help you with an issue scan.

Traceable identifies assets or the API endpoints and services in your environment through the discovery process. After Traceable discovers the API endpoints, it does an issue scan on APIs and the associated services and displays them in the Issues section.

Note

Traceable does not scan APIs for issues while they are in the learning phase.

Issue-management Life Cycle

Based on the issues identified, you can carry out a risk assessment of the API endpoint. Traceable also provides possible remediation. Once you have applied the remediation, verify that your API is secure. Traceable continuously monitors the API endpoints that you have remediated and secured. It reports an issue if it finds any in the future; hence, continuous monitoring is essential.

Issue Summary

The Issues page summarizes issues for both External and Internal APIs. The integrated Issues page displays issues found during runtime protection, issues found by API Security Testing (AST), and issues detected by a compliance policy. Each issue is therefore attributed to one of three sources:

  • Live Traffic

  • AST

  • Compliance

Issues

The Issues dashboard provides the following information:

Issues

The issues section shows:

  • The total number of issues across APIs in the last 90 days. For example, in the above screenshot, the total number of issues is 1.11K.

Status

The status section shows:

  • The total number of open issues since you created your account with Traceable.

  • The number of resolved, under review, fixed, and accepted risk issues.

Severity

The severity is categorized as critical, high, medium, and low.

Issue details

To view the details of each issue, click on it, as shown in the screenshot below. In the table, you can also view the number of API endpoints associated with each type of issue. These issues are specific to an environment; alternatively, you can view them for all environments, as shown below. For example, in the screenshot below, the Lack of Encryption issue is found in 15 API endpoints.

For each issue, the table below displays its source, CVSS score, severity, the OWASP API Top 10 category it belongs to (if any), and when it was last seen.

Issue Selection

The issue detail page provides many details about the issue. To view the details about a specific issue, click on the issue. The details page, as shown below, displays when the issue was first found and how recently it was seen again. The page also displays all the APIs where the issue was found.

You can also view the description, the method to mitigate this issue, and the impact that the issue may have on your system. The page also provides the attack methodology that the attacker may use to exploit the issue.

Traceable gathers evidence for each issue that it has seen in your environment. You can view this evidence when you click on the API endpoint. Traceable shows the 5 latest pieces of evidence it has seen in the last 24 hours. Further, you can view the detailed span for each piece of evidence.

Note

  • For dormant APIs, Traceable shows the 5 latest pieces of evidence that it has seen in the last 90 days.

  • For issues having AST as the Source, you can customize the detection conditions according to your requirements. For more information, see Mutation and Assertion Overrides.

Issue Evidence


Types of Issues

Traceable, based on its continuous learning, detects the following types of issues:

Category and issue types:

Insecure Design

  • Query params contain sensitive data

  • Lack of encryption

  • API params contain URL

  • HTTP redirect

  • Insecure HTTP method

  • Username and password enumeration

  • Regex DOS

Remote Code Execution

  • Java Log4Shell

  • Buffer overflow

  • Integer overflow error

Security Headers

  • HSTS header misconfiguration

  • Missing nosniff in content type options header

  • CSP header misconfiguration

Authentication

  • Basic authentication method

  • Unauthenticated access

  • Weak password

SQL Injection

  • Blind SQL injection

  • Error-based SQL injection

Data Exposure

  • Excessive data exposure

JSON Web Token (JWT)

  • JWT token expiry

  • JWT weak algorithm

  • JWT algorithm confusion

  • JWT invalid signature

  • JWT JKU misuse

  • JWT missing audience claim

Improper asset management

  • Multiple versions of API

Business logic

  • Parameter pollution

  • Mass assignment

Security misconfiguration

  • HTTP only site

  • Server version disclosure

  • .env information leak

  • HTTPS not accessible

  • Directory listing leak

Access control

  • Rate limiting

TLS

  • TLS not implemented

  • TLS/DTLS CBC attack (Lucky13, CVE-2013-0169)

  • Self-signed certificate

Authorization

  • Broken object-level authorization

  • Broken function-level authorization

Cross-site scripting

  • Reflected cross-site scripting

Server-side request forgery

  • Server-side request forgery blind

You can view the description and mitigation for each issue in the Issues UI.
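The Security Headers category above names three response-header issue types. The following Python is an added example written for this page, not Traceable's detection logic: it shows, in a simplified form, what each of those three checks looks for in a single HTTPS response. The one-year HSTS threshold, the set of CSP sources treated as weak, and the sample responses are constructed assumptions of this example.

```python
"""Simplified checks for the three Security Headers issue types listed above
(HSTS misconfiguration, missing nosniff, CSP misconfiguration).
Constructed example for this page; not Traceable's detection logic."""
from typing import Dict, List, Optional

# Assumption: an HSTS max-age shorter than one year counts as a misconfiguration.
MIN_HSTS_MAX_AGE = 31536000
# Assumption: these sources in default-src/script-src defeat the point of a CSP.
WEAK_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the issue names found in one HTTPS response's headers (empty if none)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # HSTS header misconfiguration: header absent, max-age unparseable, or too short.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header misconfiguration: header missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS header misconfiguration: max-age is {max_age}")

    # Missing nosniff in content type options header.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("Missing nosniff in content type options header")

    # CSP header misconfiguration: absent, no script-controlling directive, or weak sources.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header misconfiguration: header missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy and "script-src" not in policy:
            findings.append("CSP header misconfiguration: no default-src or script-src")
        for name in ("default-src", "script-src"):
            weak = sorted(s for s in policy.get(name, []) if s in WEAK_CSP_SOURCES)
            if weak:
                findings.append(f"CSP header misconfiguration: {name} allows {' '.join(weak)}")
    return findings


# Constructed sample responses (header name -> value), not captured traffic.
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or ["no findings"])
```

Running the block reports three findings for the weak response and none for the hardened one; the header-name lower-casing matters because HTTP header names are case-insensitive and a checker that compares them verbatim would miss a correctly set but differently cased header.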


Issue Status

You can manually change the state of the detected issue to any of the following:

  • Open — Traceable has detected an issue.

  • Under review — The issue has been acknowledged. You are taking steps to close it.

  • Fixed — The issue has been closed. Traceable keeps monitoring the asset (API endpoint or service) even after you have marked it as fixed. If Traceable finds new issues, it automatically moves them to an Open state for you to review and resolve. 

  • Not an issue — Move the issue to the Not an issue state when you do not want Traceable to report it. If Traceable keeps seeing this issue category, it does not move it back to an Open state.

  • Accepted risk — You can move the issue to this state when you understand and accept the impact.


Issue Resolution

While you can resolve an issue by changing its status to Fixed, Traceable also auto-resolves issues. The following table lists, for each source, whether auto-resolution applies and the scenarios that trigger it:

  • Live Traffic. Auto-resolution: Yes. Scenario 1: Traceable has not detected the issue in the 14 days since its last occurrence. Scenario 2: not applicable.

  • API Security Testing. Auto-resolution: Yes. Scenario 1: Traceable has not detected the issue in the 60 days since its last occurrence. Scenario 2: Traceable does not detect the issue in the 15 scans following its last observation.

  • Compliance. Auto-resolution: No.
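The status rules in the Issue Status section (a Fixed issue reopens when it is seen again, a Not an issue issue does not) and the per-source auto-resolution rules in the table above fit together as a small state model. The following Python is an added example written for this page, not Traceable's implementation: the status names and the 14-day, 60-day and 15-scan thresholds come from the page, while the IssueRecord type, the function names, and the rule that only issues in the Open state are auto-resolved are assumptions of this example.

```python
"""Model of the issue statuses and per-source auto-resolution rules described above.
Constructed example; not Traceable's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Status names as used on the page.
OPEN = "Open"
UNDER_REVIEW = "Under review"
FIXED = "Fixed"
NOT_AN_ISSUE = "Not an issue"
ACCEPTED_RISK = "Accepted risk"
RESOLVED = "Resolved"  # the state an auto-resolved issue lands in

# Auto-resolution thresholds per source, from the table above.
AUTO_RESOLVE_DAYS = {"Live Traffic": 14, "API Security Testing": 60}
AUTO_RESOLVE_SCANS = {"API Security Testing": 15}
# "Compliance" appears in neither map, so compliance issues never auto-resolve.


@dataclass
class IssueRecord:  # assumed structure, not a Traceable type
    source: str
    last_seen: datetime
    status: str = OPEN
    clean_scans_since_last_seen: int = 0


def record_observation(issue: IssueRecord, seen_at: datetime) -> IssueRecord:
    """Traceable saw the issue again: Fixed/Resolved issues reopen, Not an issue stays."""
    issue.last_seen = seen_at
    issue.clean_scans_since_last_seen = 0
    if issue.status in (FIXED, RESOLVED):
        issue.status = OPEN
    # Under review, Accepted risk and Not an issue keep their state.
    return issue


def record_clean_scan(issue: IssueRecord) -> IssueRecord:
    """An AST scan ran and did not find the issue."""
    issue.clean_scans_since_last_seen += 1
    return issue


def auto_resolve(issue: IssueRecord, now: datetime) -> IssueRecord:
    """Apply the source's auto-resolution rule. Assumption: only Open issues qualify."""
    if issue.status != OPEN:
        return issue
    days = AUTO_RESOLVE_DAYS.get(issue.source)
    scans = AUTO_RESOLVE_SCANS.get(issue.source)
    quiet_by_time = days is not None and now - issue.last_seen >= timedelta(days=days)
    quiet_by_scans = scans is not None and issue.clean_scans_since_last_seen >= scans
    if quiet_by_time or quiet_by_scans:
        issue.status = RESOLVED
    return issue


if __name__ == "__main__":
    # Constructed timeline: a Live Traffic issue last seen 1 Oct, checked 20 Oct.
    issue = IssueRecord("Live Traffic", datetime(2024, 10, 1))
    print(auto_resolve(issue, datetime(2024, 10, 20)).status)  # Resolved
    print(record_observation(issue, datetime(2024, 10, 21)).status)  # Open again
```

The two thresholds for API Security Testing are independent triggers, which is why the model checks them with an or; a compliance issue, by contrast, only leaves the Open state through a manual status change.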


Issue Deletion

You can delete detected issues from the Issue Summary section by changing their status to Fixed or Not an issue. Traceable also deletes issues if they are deleted from all Sources. For example, let us say an issue has Live Traffic and AST as the Source. Then, Traceable deletes the issue when it is deleted from both Sources.

