Possible security threat on API request in case of ApplicationNotFound

Hi Team,

A customer is concerned about the possible security threat on API request.

If an API proxy or request path doesn't exist, it returns the error message to the client:

{"fault":{"faultstring":"Unable to identify proxy for host: {hostname}:9001 and url: {request_path}","detail":
{"errorcode":"messaging.adaptors.http.flow.ApplicationNotFound"}}}

Isn't this a security issue, since the host and url are shown in the response body, which can be misused for cross-domain access issues, etc.?

Any thoughts on this or is there any config to suppress the message?

Regards,
Toshi

2 ACCEPTED SOLUTIONS

Well, if the user is seeing this, they already have the right host. Also, the host name thrown is the virtual host alias and the url is the url hit by the consumer, so I don't think Apigee is exposing anything vulnerable with this response. The only thing the consumer can conclude from this message is that they luckily hit a valid Apigee host. Would love to see other geeks' feedback.

If this is a major concern for your security team, then you can create a new proxy in the environment with basepath "/", and throw a 503 or any other customized response you want from the post flow to avoid the default Apigee message.
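As an added illustration of the catch-all proxy described in this answer (example configuration, not code from the original post or from Apigee's documentation), the following two files make up a minimal Apigee Edge API proxy whose ProxyEndpoint listens on BasePath "/" and, from the PostFlow, raises a fault with a generic body that carries neither the virtual host alias nor the requested path. The proxy name, policy name, file paths and the JSON payload are assumptions for this example; the element names are standard Apigee Edge ProxyEndpoint and RaiseFault configuration.

```xml
<!-- Assumed file: apiproxy/proxies/default.xml (catch-all proxy, example name "catch-all") -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request>
      <!-- Every request that reaches this proxy is, by construction, one that
           no other proxy on the virtual host claimed, so always raise the fault. -->
      <Step>
        <Name>RF-Generic-NotFound</Name>
      </Step>
    </Request>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <!-- BasePath "/" matches only when no proxy with a more specific basepath matched. -->
    <BasePath>/</BasePath>
    <!-- Assumed virtual host alias; use the one your environment actually exposes. -->
    <VirtualHost>default</VirtualHost>
  </HTTPProxyConnection>
  <!-- A RouteRule with no TargetEndpoint: nothing is forwarded, the proxy only answers. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- Assumed file: apiproxy/policies/RF-Generic-NotFound.xml -->
<RaiseFault name="RF-Generic-NotFound">
  <FaultResponse>
    <Set>
      <!-- Static status and body: no host, port or path is echoed back to the caller.
           The accepted answer suggests 503; 404 is used here as the status that
           actually describes "no such resource". -->
      <StatusCode>404</StatusCode>
      <ReasonPhrase>Not Found</ReasonPhrase>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <Payload contentType="application/json">{"error":"not_found"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

After deploying this proxy to the environment, a request for an unknown path on that virtual host is answered by this proxy instead of the platform's ApplicationNotFound fault, so the faultstring containing the host and url is never produced. Check it the same way Latheef did below: send a request for a path that no proxy serves and confirm the body is the static JSON above. Note that the catch-all proxy also absorbs requests whose path would otherwise have matched nothing, so keep it free of any target or logic that could be abused as an open relay.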

Hi @Toshihiro Shibamoto

Are you using the url with host and port? Can you share your prototype url?

I have tested this scenario; I never got the host and port details.

URL: http://sandbox.api.com/1testj2x

{
    "fault": {
        "faultstring": "Unable to identify proxy for host: default and url: /1testj2x",
        "detail": {
            "errorcode": "messaging.adaptors.http.flow.ApplicationNotFound"
        }
    }
}

Definitely, exposing host and port would be a vulnerability issue when we are associating with larger developers and partners.

Thanks,

Latheef D

Hi Amit, Latheef,

Thank you both for the useful comments. I understand now that this is not a critical security issue, but a kind of general concern about showing the host name and basepath of the API proxy in the app user's browser. Currently the error message above cannot be handled by a fault rule in the API proxy, but we need a frontend proxy with base path / or a virtual host config with * to handle unknown urls on the request, which is an overhead. So just having a feature to customize the default error message to hide host: and url: would work.

Regards,
Toshi