Improper Assets Management

Check List

Methodology

Black Box

Deprecated API Version Exposed

1

Log in normally and capture a request to the current API version

GET /api/v2/user/profile HTTP/1.1
Host: target.com
Authorization: Bearer user_token

2

Attempt to access older API versions

GET /api/v1/user/profile HTTP/1.1
Host: target.com
Authorization: Bearer user_token

or

GET /api/v0/user/profile HTTP/1.1
Host: target.com
Authorization: Bearer user_token

3

If the deprecated version responds successfully and lacks recent security controls, the old API is still active

4

If the older endpoint exposes additional fields or bypasses new authorization logic, improper asset management is confirmed


Staging or Test API Exposed

1

Enumerate subdomains

GET / HTTP/1.1
Host: api-staging.target.com

or

GET / HTTP/1.1
Host: dev-api.target.com

2

If the staging or development API responds publicly, environment isolation is missing

3

Test the authentication endpoint

POST /api/login HTTP/1.1
Host: api-staging.target.com
Content-Type: application/json

{"username":"test","password":"test"}

4

If weaker authentication or test credentials work on the exposed environment, improper asset control exists

5

If non-production APIs are accessible externally, the vulnerability is confirmed


Forgotten Internal Endpoint

1

Log in as a normal user and browse the JavaScript files

GET /static/app.js HTTP/1.1
Host: target.com

2

Identify a reference to an undocumented endpoint

/api/internal/exportAllUsers

3

Directly access the endpoint

GET /api/internal/exportAllUsers HTTP/1.1
Host: target.com
Authorization: Bearer user_token

4

If the endpoint responds with sensitive data despite not being part of the public API documentation, the internal API is exposed

5

If forgotten or hidden API endpoints are accessible without restriction, improper asset management is confirmed


Unused GraphQL Endpoint Enabled

1

Attempt to access the GraphQL endpoint

POST /graphql HTTP/1.1
Host: target.com
Content-Type: application/json

{"query":"{__schema{types{name}}}"}

2

If schema introspection is enabled and returns the full API structure, a hidden asset is exposed

3

Test an unauthorized query

{"query":"{users{id,email,password}}"}

4

If sensitive data fields are retrievable via an undocumented GraphQL endpoint, asset governance is missing

5

If legacy or unused API services remain active and accessible, the Improper Assets Management vulnerability is confirmed
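
The same four conditions can be checked from the defender's side by comparing what the servers actually answer against the documented inventory. The script below is an added example, not part of the original checklist; the inventory sets, the current version number and the four-field log format (host, method, path, status) are assumptions, and the log lines are constructed.

```python
import re

# Assumed inventory (hypothetical): hosts and routes documented as public.
DOCUMENTED_HOSTS = {"target.com"}
DOCUMENTED_ROUTES = {("GET", "/api/v2/user/profile"), ("POST", "/api/login")}
CURRENT_VERSION = 2
# Constructed sample log, one request per line: host method path status
SAMPLE_LOG = """\
target.com GET /api/v2/user/profile 200
target.com GET /api/v1/user/profile 200
target.com GET /api/v0/user/profile 404
api-staging.target.com POST /api/login 200
target.com GET /api/internal/exportAllUsers 200
target.com POST /graphql 200
target.com GET /static/app.js 200
"""
VERSION_RE = re.compile(r"^/api/v(\d+)/")

def classify(host, method, path):
    """Label a successfully served request, or return None if inventoried."""
    path = path.split("?", 1)[0]  # ignore the query string
    if host not in DOCUMENTED_HOSTS:
        return "uninventoried host served a request"
    match = VERSION_RE.match(path)
    if match and int(match.group(1)) < CURRENT_VERSION:
        return "deprecated API version served"
    if not (path.startswith("/api/") or path == "/graphql"):
        return None  # static content is outside the API inventory
    if (method, path) not in DOCUMENTED_ROUTES:
        return "undocumented endpoint served"
    return None

def audit(log_text):
    """Return (label, host, method, path) for every live, uninventoried asset."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        host, method, path, status = parts
        if not 200 <= int(status) < 300:
            continue  # only 2xx responses show the asset is still served
        label = classify(host, method, path)
        if label:
            findings.append((label, host, method, path))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Each finding corresponds to one of the sections above: an old version still answering, a non-production host reachable, an internal route served, and a GraphQL endpoint that is absent from the inventory.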


White Box

Cheat Sheet
