Severity: low | CWE-1059 | API9:2023

Improper Inventory Management

Multiple API versions remain active without documentation or deprecation, leaving old endpoints with known vulnerabilities accessible to attackers.

How It Works

As APIs evolve, older versions are often left running alongside new ones. These legacy endpoints may lack security patches, modern authentication, or rate limiting applied to newer versions. Attackers actively scan for /api/v1/, /api/beta/, or /api/internal/ endpoints that developers forgot to decommission. Without a proper API inventory, organizations lose track of which endpoints exist, what data they expose, and which third parties have access. Shadow APIs and zombie APIs become easy targets.

Vulnerable Code

// Still active in production:
app.use('/api/v1/users', usersV1Router);  // No auth!
app.use('/api/v2/users', usersV2Router);  // Has auth
app.use('/api/beta/users', usersBetaRouter); // Debug mode
app.use('/api/internal/admin', adminRouter); // Exposed!

Secure Code

// Only current version active
app.use('/api/v2/users', authMiddleware, usersV2Router);
// v1 answers 410 Gone and points clients at v2 (no handler for v1 runs)
app.use('/api/v1/*', (req, res) => {
  res.status(410).json({ error: 'API v1 deprecated. Use /api/v2/' });
});

Real-World Example

In 2023, researchers discovered that several major fintech companies had undocumented API v1 endpoints still active. These older endpoints lacked the OAuth2 authentication added in v2, allowing unauthenticated access to customer account data.

How to Prevent It

  • Maintain an up-to-date inventory of all API endpoints and versions
  • Deprecate and decommission old API versions with clear timelines
  • Block access to internal or beta endpoints from production
  • Use API gateway features to enforce version lifecycle policies
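The following is an added example, not code from the original page or from the Data Hogo scanner. It shows the two controls the list above and the "How It Works" section call for in plain Node.js with no framework dependency: a gateway policy that consults an API inventory before any handler runs (unknown endpoints get 404, internal endpoints are hidden in production, retired versions get 410, deprecated versions pass through with Sunset headers until their sunset date), and an audit that diffs the inventory against what is actually mounted to surface shadow and zombie APIs. The inventory shape, the function names and the sample routes are hypothetical.

```javascript
// Added example, not code from the original page or from the Data Hogo scanner:
// an inventory-driven version policy and a shadow/zombie audit in plain Node.js.
// The inventory shape, function names and sample routes below are hypothetical.

// Constructed inventory: the only endpoints the organisation intends to serve.
// Each entry carries a lifecycle status, an exposure level and, for anything on
// its way out, the successor endpoint and the sunset date.
const API_INVENTORY = [
  { prefix: '/api/v3/accounts', status: 'active', exposure: 'public' },
  { prefix: '/api/v2/users', status: 'active', exposure: 'public' },
  { prefix: '/api/v2/accounts', status: 'deprecated', exposure: 'public',
    replacement: '/api/v3/accounts', sunset: '2024-12-31T00:00:00Z' },
  { prefix: '/api/v1/users', status: 'retired', exposure: 'public',
    replacement: '/api/v2/users' },
  { prefix: '/api/internal/admin', status: 'active', exposure: 'internal' },
];

// True when `path` is the prefix itself or a sub-path of it.
function matchesPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Longest-prefix lookup so /api/v2/users/42 resolves to the /api/v2/users entry.
function findEntry(inventory, path) {
  return inventory
    .filter((e) => matchesPrefix(path, e.prefix))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0] || null;
}

// Decide what a gateway should do with a request before any handler runs.
// Returns { allow, status, reason, headers, replacement }.
function routePolicy(inventory, path, env = 'production', now = new Date()) {
  const entry = findEntry(inventory, path);
  const deny = (status, reason, extra = {}) =>
    ({ allow: false, status, reason, headers: {}, ...extra });

  // Not in the inventory at all: a shadow API. Serve nothing, whatever is mounted.
  if (!entry) return deny(404, 'endpoint not in API inventory');

  // Internal/debug surfaces are never reachable in production; answer 404 rather
  // than 403 so the response does not confirm that the route exists.
  if (entry.exposure === 'internal' && env === 'production') {
    return deny(404, 'internal endpoint blocked in production');
  }

  if (entry.status === 'retired') {
    return deny(410, 'version retired', { replacement: entry.replacement });
  }

  if (entry.status === 'deprecated') {
    const sunset = new Date(entry.sunset);
    // Once the sunset date passes the endpoint retires itself; nobody has to
    // remember to remove the mount.
    if (now >= sunset) return deny(410, 'sunset date passed', { replacement: entry.replacement });
    return {
      allow: true, status: 200, reason: 'deprecated, still within sunset window',
      replacement: entry.replacement,
      headers: {
        // Early-draft form of the Deprecation header (later revisions use a date value).
        Deprecation: 'true',
        // Sunset header as defined in RFC 8594, so clients can schedule migration.
        Sunset: sunset.toUTCString(),
        Link: `<${entry.replacement}>; rel="successor-version"`,
      },
    };
  }

  return { allow: true, status: 200, reason: 'active', headers: {} };
}

// Compare what is actually mounted against the inventory. Shadow APIs are
// mounted but undocumented; zombie APIs are mounted although retired; missing
// ones are documented but not served (usually a sign the inventory is stale).
function auditInventory(inventory, mountedPrefixes) {
  const byPrefix = new Map(inventory.map((e) => [e.prefix, e]));
  const mounted = new Set(mountedPrefixes);
  return {
    shadow: mountedPrefixes.filter((p) => !byPrefix.has(p)),
    zombie: mountedPrefixes.filter((p) => byPrefix.get(p)?.status === 'retired'),
    missing: inventory
      .filter((e) => e.status !== 'retired' && !mounted.has(e.prefix))
      .map((e) => e.prefix),
  };
}

// Usage: audit the mounts from the vulnerable snippet above.
const MOUNTED_IN_PROD = ['/api/v1/users', '/api/v2/users', '/api/beta/users', '/api/internal/admin'];
const report = auditInventory(API_INVENTORY, MOUNTED_IN_PROD);
// report.shadow -> ['/api/beta/users'], report.zombie -> ['/api/v1/users']
```

Wire `routePolicy` in as the first middleware (or the equivalent policy in an API gateway) and run `auditInventory` in CI against the list of mounted routers, failing the build on any shadow or zombie entry; the inventory file then becomes the single place where a version is added, deprecated or retired.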

Affected Technologies

Node.js, Python, Go, Java, PHP, C#
