APIs at Risk
Pynt automatically assigns a risk score to each endpoint. The score is calculated from the likelihood and impact of the detected vulnerabilities, using the matrix below.
Identify and manage APIs at risk with Pynt’s automated risk scoring system. Pynt assigns a risk score to each API endpoint based on the likelihood and impact of detected vulnerabilities, using a sophisticated risk matrix. This scoring system helps you quickly identify which APIs are most at risk, allowing you to prioritize security efforts where they are needed most.
The risk score is calculated by analyzing the vulnerabilities found during security scans, considering both the probability of exploitation and the potential damage they could cause. By understanding the risk levels of your APIs, you can take targeted actions to mitigate threats and protect your critical assets. Pynt’s risk scoring system provides a clear and actionable overview of your API security posture, helping you maintain a secure and resilient API environment.
Likelihood
The likelihood of occurrence is determined through a systematic evaluation of the potential that a threat actor can successfully exploit a specific vulnerability or a combination thereof.
Impact
The Impact score for a threat signifies the potential extent of harm resulting from the exploitation of a detected vulnerability. This includes unauthorized information disclosure, unauthorized information alteration, unauthorized information destruction, or the loss of both information and information system availability.
The table below shows the impact and likelihood assigned to each vulnerability category*

Category                              Impact   Likelihood
Business Logic                        2        4
Injections                            4        4
Authentication bypass                 2        4
Mass Assignment                       2        1
Server-Side request forgery           3        3
Stack trace in response               2        1
Lack of Resources and Rate Limiting   2        4
File path manipulation                3        3
* When an endpoint processes Personally Identifiable Information (PII), the impact score of its vulnerabilities is amplified.
The presence of multiple vulnerabilities in a single endpoint can raise the impact; for example, when Broken Object Level Authorization (BOLA) and insufficient rate limiting co-occur, the endpoint receives the highest impact score. In other cases the maximum score is applied.
If the system lacks sufficient details about the endpoint, for example because documentation is absent and no tests were executed against it, the risk is reported as N/A.
Risk Matrix
Each finding's risk level is one of four categories: Critical, High, Medium, or Low. The level is determined by assessing the potential impact magnitude and the likelihood of exploitation, with reference to the table provided.
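To make the scoring rules from the category table, its footnotes and the risk matrix concrete, here is a small endpoint scorer written for this page; it is an added illustration, not Pynt's code. It assumes a product-of-scores mapping for the matrix (the real matrix is not reproduced on the page), a +1 impact bump for PII, max-aggregation of likelihood across findings, and an illustrative table entry for BOLA, which the page names but does not score.

```python
"""Added example: an endpoint risk scorer following the rules described on this page."""
from typing import Optional, Sequence, Tuple

# (impact, likelihood) per category, copied from the page's table in the column order it states.
CATEGORY_SCORES = {
    "Business Logic": (2, 4),
    "Injections": (4, 4),
    "Authentication bypass": (2, 4),
    "Mass Assignment": (2, 1),
    "Server-Side request forgery": (3, 3),
    "Stack trace in response": (2, 1),
    "Lack of Resources and Rate Limiting": (2, 4),
    "File path manipulation": (3, 3),
    # ASSUMPTION: BOLA is named in the page's footnote but absent from its table;
    # it is scored like Business Logic here purely for illustration.
    "Broken Object Level Authorization": (2, 4),
}
MAX_SCORE = 4
BOLA = "Broken Object Level Authorization"
RATE_LIMITING = "Lack of Resources and Rate Limiting"


def risk_level(impact: int, likelihood: int) -> str:
    """Map an (impact, likelihood) pair to Critical/High/Medium/Low.
    ASSUMPTION: the page's matrix is an image, so these product thresholds are illustrative."""
    product = impact * likelihood
    if product >= 12:
        return "Critical"
    if product >= 8:
        return "High"
    if product >= 4:
        return "Medium"
    return "Low"


def score_endpoint(findings: Sequence[str], handles_pii: bool = False,
                   documented: bool = True, tested: bool = True) -> Optional[Tuple[int, int, str]]:
    """Return (impact, likelihood, level), or None to represent the page's 'N/A' outcome."""
    # Page: with no documentation and no tests run, risk is N/A (ASSUMPTION: also when nothing was found).
    if (not documented and not tested) or not findings:
        return None
    scores = [CATEGORY_SCORES[f] for f in findings]  # KeyError flags an unknown category
    # Page: with several findings the maximum impact applies (ASSUMPTION: likelihood aggregated the same way).
    impact = max(i for i, _ in scores)
    likelihood = max(l for _, l in scores)
    if BOLA in findings and RATE_LIMITING in findings:  # page: this pair yields the highest impact
        impact = MAX_SCORE
    if handles_pii:  # page: PII amplifies impact (ASSUMPTION: +1, capped at the maximum)
        impact = min(MAX_SCORE, impact + 1)
    return impact, likelihood, risk_level(impact, likelihood)
```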
Open API/Swagger based risk calculation
When risk is assessed using API documentation only, it is determined as follows:
Likelihood: The likelihood score is derived from the attack surface (e.g., the number of parameters), the authentication method or its absence, and the types of the parameters handled.
Impact: The impact score is calculated based on the endpoint's sensitivity, such as its handling of PII.