Name Using Unpublished Web Service APIs
Summary An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
Prerequisites This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service.
Solutions Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.
Related Weaknesses
CWE ID Description
CWE-306 Missing Authentication for Critical Function
CWE-693 Protection Mechanism Failure
CWE-695 Use of Low-Level Functionality
Back to Top