• Browse topics

Improper inventory management

Keeping track of API endpoints

Select your ecosystem

Improper inventory management: the basics

What is improper inventory management?

Improper inventory management occurs when an organization fails to maintain an accurate and up-to-date inventory of its API endpoints, versions, and data flows. This vulnerability often leads to security risks, such as exposing deprecated API versions or enabling unauthorized data access.

Modern application architectures, such as microservices and cloud computing, exacerbate the issue by spreading APIs across diverse environments. Without proper visibility, sensitive data might be inadvertently exposed to unauthorized parties or left accessible via outdated or unpatched endpoints. This creates opportunities for attackers to exploit known vulnerabilities, access administrative functionalities, or extract sensitive data.

About this lesson

In this lesson, you will learn how improper inventory management can compromise API security and explore methods to protect your applications. The lesson dives into real-world scenarios where this vulnerability has been exploited and provides strategies to mitigate risks effectively.


A blind spot in documentation

Cloudflare's 2024 API Security & Management Report revealed that their machine learning models discovered nearly 31% more API endpoints than what organizations had self-reported, indicating a significant presence of undocumented APIs.

Improper inventory management in action

Meet Ana, a security consultant tasked with auditing the APIs of a global fitness app, FitSphere. While reviewing their systems, Ana uncovered a significant vulnerability tied to improper inventory management.

She put on her hackhat and started with some reconnasaince. Ana identified that the legacy API and sensitive data flow were indexed by search engines. A simple "Google dorking" query exposed the API documentation online, complete with sample requests and responses.

She wanted to test to see if the deprecated API version (v1.2) was still accessible via an old subdomain. While testing its functionality, she realized this endpoint connected to the production database! FitSphere's developers had forgotten to decommission the API after migrating to a newer version (v2.0).

Ana ran a test query to fetch user data and discovered that the v1.2 endpoint lacked modern security protocols, such as rate limiting and proper authentication. Using basic enumeration techniques, she retrieved the sensitive information of thousands of users. Below is the bash script to enumerate through users:

for i in {10000..10100}; do
  curl -X GET "https://legacy-api.fitsphere.xy/v1.2/users/$i";
Demo terminal

Ana suspected the API exposes fitness data. She identified that the legacy API and sensitive data flow were indexed by search engines. A simple "Google dorking" query exposed the API documentation online, complete with sample requests and responses. To do this, she did a search for site:fitsphere.xy inurl:api

She then modified her request:

curl -X GET "https://legacy-api.fitsphere.xy/v1.2/users/10001/data"

This request results in more JSON but now with sensitive data!

 "user_id": 12345,
 "name": "Ana Martinez",
 "email": "ana.martinez@fitsphere.com",
 "fitness_metrics": {
  "heart_rate": 78,
  "steps_today": 10543,
  "calories_burned": 520
 "location": {
  "latitude": 37.7749,
  "longitude": -122.4194

And to add insult to injury, further investigation revealed an unmonitored data flow between FitSphere's API and an external marketing analytics service.

FitSphere’s web app was making API calls from the frontend. Ana used her browser's DevTools to inspect requests (DevTools → Network Tab → Fetch/XHR). She was looking for suspicious requests to third-party domains. Surprise! There was a silent request sending fitness data to marketing-analytics.thirdparty.com.


Google Dorking

Google Dorking, also known as Google Hacking, lets you uncover hidden info using advanced search operators. With the right queries, you can find exposed databases, login portals, or even forgotten admin pages! It’s so powerful that security pros (and hackers) use it to test vulnerabilities!

Improper inventory management under the hood

Let’s break down what happened during Ana's investigation and how each issue contributed to the vulnerability in FitSphere's API environment.

Firstly, the outdated API (v1.2) was still operational and connected to FitSphere's production database. A lack of deprecation and retirement policies allowed this endpoint to remain accessible, exposing sensitive data to unauthorized users. Next, the legacy API version lacked modern security controls such as rate limiting and strong authentication mechanisms. This enabled attackers to retrieve sensitive data using enumeration techniques.

Then there was the hidden integration with the marketing analytics service, which demonstrated how undocumented data flows can result in sensitive information being shared without oversight or encryption.

Vulnerable code example

The code snippet below uses the Flask framework to create an API endpoint /api/v1.2/users that return a list of user objects in JSON format. It runs on port 3000 and is accessible to anyone with the URL.

The vulnerability in the code snippet below arises from the absence of access control measures, which means that any individual with knowledge of the endpoint can retrieve sensitive user data without restriction. The inclusion of sensitive fields such as email addresses in the API response further exacerbates this issue, as this data could be misused or aggregated for malicious purposes. The lack of rate limiting or other request-throttling mechanisms also makes it possible for attackers to programmatically iterate through requests, gathering significant volumes of data in a short amount of time.

Scan your code & stay secure with Snyk - for FREE!

Did you know you can use Snyk for free to verify that your code
doesn't include this or other vulnerabilities?

Scan your code

Improper inventory management mitigation

As you may have noticed in the section above, the way to mitigate improper inventory management is not a code issue but rather a process and procedure issue. The inventory is there to keep a close eye on what endpoints are available to the public. When the inventory is reviewed, and unnecessary API endpoints are found to be online, they should be removed from the code base.

To systemically address improper inventory management, organizations must adopt a proactive approach to API lifecycle management and enforce robust security controls. This includes creating and maintaining an accurate inventory of all API endpoints, documenting their purposes, and ensuring their secure operation. Deprecating old versions is not enough; they must be fully decommissioned and retired from production to prevent unauthorized access. Additionally, sensitive data flows between APIs and third parties should be carefully monitored and encrypted.

The mitigated code examples below demonstrate how the specific code example above might be mitigated.

The mitigated Python snippet uses Flask extensions for JWT authentication and rate limiting. It adds a login endpoint to generate tokens and requires a valid token for accessing the /api/v1.2/users endpoint. The response data is also sanitized to exclude sensitive fields.

It's important to note that while this mitigates the immediate vulnerability - it does not mitigate the improper inventory management. The API endpoint should also be added to the organization's asset inventory.


Test your knowledge!


Which of the following is a key strategy to mitigate risks associated improper inventory management?

Keep learning

To expand your knowledge about API security and related topics, check out the following resources:


You’ve taken an essential step toward mastering API security by learning about improper inventory management, how it works, its potential impacts, and effective mitigation techniques. Armed with this knowledge, you can now identify and secure your APIs against this vulnerability, making your applications more robust and secure!