Add detection for inbound HTTP/API requests #563
Comments
Are you specifically interested in instances of calling an endpoint directly with an HTTP request? For example, if you call into an SDK and the SDK makes a request to the API that would be infeasible to detect with Application Inspector. AppInspector already has some coverage depending on language for detecting HTTP requests themselves - ApplicationInspector/AppInspector/rules/default/networkcomms/outbound_network.json Line 223 in ca4423e
If you want to know what endpoints are being called, application inspector also has a rule for detecting urls starting with http or https: ApplicationInspector/AppInspector/rules/default/networkcomms/outbound_network.json Line 335 in ca4423e
Looking over the rules I think what can be feasibly gathered towards this end should already be captured, but how would you expand this coverage? I'm not sure how we could distinguish an API endpoint vs just a URL with a data file in the above queries - the structure of the URL doesn't tell you if an endpoint is an API or not.
You can also potentially leverage CodeQL for a more precise way to find all endpoints in the source.
Hey thanks @gfs . Those look helpful for sure but not really what I'm looking for. Those would seem to identify code that makes outbound HTTP requests, but I'm hoping for a feature that says, "This code appears to listen for inbound API requests". Not sure I'm explaining it well...
@cqueern Ah, I see. Sorry I misunderstood and thought you were looking for outbound HTTP. I agree, inbound HTTP listeners could be a good addition.
Updated title to be for a rule/rules for inbound HTTP. For outbound HTTP I think the existing rules cover many cases, but if you have samples that are not detected you'd expect to be detected I can also look into expanding those.
PR #578 adds some basic Socket and HTTP Listener detections. If you have other examples for other cases you'd want these rules to catch those would be helpful.
Thank you Team!
Large organizations struggle to create and maintain an inventory of their APIs, so they can consider applying the appropriate security controls for the ones that matter.
If a large organization could leverage App Inspector to identify whether software offers API services (makes API calls or answers API calls) it'd allow them to target that subset of their portfolio for implementation of the appropriate controls.
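An added worked example (not code from Application Inspector, from PR #578, or from anyone in this thread): a small tagged-regex scanner in the spirit of the listener rules discussed above. It separates code that listens for inbound HTTP or socket connections from code that only makes outbound requests, and reports the two flags the inventory use case asks for (answers API calls / makes API calls). Every rule pattern, tag, and sample snippet here is a constructed assumption for this example, not the project's rule file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tag: str           # inbound.* = answers requests, outbound.* = makes requests
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    rule: str
    tag: str
    line_no: int
    line: str


# Hypothetical rule set (an assumption of this example, not the project's rules).
RULES = [
    # Inbound: the code opens a port, registers routes, or waits for clients.
    Rule(".NET HttpListener", "inbound.http", re.compile(r"\bnew\s+HttpListener\s*\(")),
    Rule("Node/Express listen()", "inbound.http", re.compile(r"\b(?:app|server)\.listen\s*\(")),
    Rule("Express route handler", "inbound.http",
         re.compile(r"\bapp\.(?:get|post|put|delete|patch|use)\s*\(\s*[\"']/")),
    Rule("Go net/http server", "inbound.http", re.compile(r"\bhttp\.ListenAndServe(?:TLS)?\s*\(")),
    Rule("Go route registration", "inbound.http", re.compile(r"\bhttp\.Handle(?:Func)?\s*\(")),
    Rule("Python dev/WSGI server", "inbound.http", re.compile(r"\bapp\.run\s*\(|\.serve_forever\s*\(")),
    Rule("Java ServerSocket", "inbound.socket", re.compile(r"\bnew\s+ServerSocket\s*\(")),
    Rule("Go net.Listen", "inbound.socket", re.compile(r"\bnet\.Listen(?:TCP)?\s*\(")),
    # bind() is only matched when followed by a tuple or `new ...` endpoint, so
    # JavaScript's fn.bind(this) does not fire the rule.
    Rule("socket bind()/listen()", "inbound.socket",
         re.compile(r"\.[bB]ind\s*\(\s*(?:\(|new\b)|\.listen\s*\(")),
    # Outbound: the code opens a connection to someone else's endpoint.
    Rule("Python requests/urllib", "outbound.http",
         re.compile(r"\brequests\.(?:get|post|put|delete|patch|request)\s*\(|\burlopen\s*\(")),
    Rule("JS fetch/axios", "outbound.http", re.compile(r"\bfetch\s*\(|\baxios\.(?:get|post|put|delete)\s*\(")),
    Rule(".NET HttpClient", "outbound.http", re.compile(r"\bnew\s+HttpClient\s*\(")),
    Rule("Go net/http client", "outbound.http", re.compile(r"\bhttp\.(?:Get|Post|Head|NewRequest)\s*\(")),
    Rule("client socket connect()", "outbound.socket", re.compile(r"\bnew\s+Socket\s*\(|\.connect\s*\(")),
]

# Lines that are entirely a line comment are skipped so commented-out code does
# not count (a heuristic: block comments and string literals are not handled).
LINE_COMMENT = re.compile(r"^\s*(?://|#)")


def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, skipping line comments."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if LINE_COMMENT.match(line):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.name, rule.tag, line_no, line.strip()))
    return findings


def classify(source: str) -> dict:
    """Summarise a file the way an API inventory would want it."""
    tags = {f.tag for f in scan(source)}
    return {
        "tags": sorted(tags),
        "answers_requests": any(t.startswith("inbound.") for t in tags),
        "makes_requests": any(t.startswith("outbound.") for t in tags),
    }


# Constructed sample sources (not taken from any real project).
NODE_API = """\
const express = require("express");
const app = express();
app.get("/api/v1/items", (req, res) => res.json([]));
// app.listen(8080);  // old port, commented out
app.listen(3000);
"""

PY_CLIENT = """\
import requests
def fetch_items():
    r = requests.get("https://api.example.com/v1/items", timeout=5)
    return r.json()
"""

GO_PROXY = """\
http.HandleFunc("/proxy", func(w http.ResponseWriter, r *http.Request) {
    resp, err := http.Get("https://upstream.example.internal/api")
    _ = resp; _ = err
})
log.Fatal(http.ListenAndServe(":8080", nil))
"""

if __name__ == "__main__":
    for name, src in [("NODE_API", NODE_API), ("PY_CLIENT", PY_CLIENT), ("GO_PROXY", GO_PROXY)]:
        print(name, classify(src))
        for f in scan(src):
            print(f"  L{f.line_no}: [{f.tag}] {f.rule}: {f.line}")
```

Running it flags the Express sample as answering requests only, the requests client as making requests only, and the Go proxy as doing both, which is the "makes API calls or answers API calls" split above. Two caveats carry over from the discussion: overlapping rules (app.listen matches both an HTTP rule and the generic listen rule) are harmless because the question is whether the file listens at all, and a regex can find the listener but cannot prove the thing behind it is an API rather than static content, which is why a query engine such as CodeQL is the more precise option.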