The API Gateway must audit exceptions and errors that occur during request processing.

STIG ID: SRG-APP-000095-API-001770  |  SRG: SRG-APP-000095 |  Severity: medium |  CCI: CCI-000130 |  Vulnerability Id: V-274529

Vulnerability Discussion

The API gateway must audit exceptions and errors that occur during request processing so that failures are visible for security monitoring, reliability, and troubleshooting. As the single entry point for incoming API requests, the gateway routes traffic to the appropriate backend services and is therefore positioned to observe every request that fails. Auditing these events captures request-processing failures, backend outages, and unexpected behavior, which shows the health and stability of the entire API ecosystem and exposes recurring issues, misconfigurations, and security weaknesses that would otherwise go unnoticed. It is also essential for detecting attacks, such as denial-of-service (DoS) attempts or malicious requests that probe for and exploit flaws in the backend, since those typically show up first as an abnormal volume or pattern of error responses.

Check

If an API Gateway is not in use, this is Not Applicable.

Verify the API Gateway audits exceptions and errors that occur during request processing.

1. Inspect the API Gateway logs to confirm they capture exception and error events, including the error code or HTTP status, the error message, and, where the gateway produces them, stack traces.

2. Simulate errors (e.g., malformed requests, rejected authentication, or a backend that is down or times out) and verify each is logged with a timestamp, the error type, and enough context (request identifier, route or resource, upstream) to reconstruct what failed.

3. Verify the API Gateway is configured to log exceptions and errors at a level of detail sufficient for troubleshooting and analysis; a bare status code with no message or context is not sufficient.

4. Review the vendor documentation for the API Gateway to identify the settings that enable auditing of exceptions and errors, and confirm those settings are in effect on the deployed gateway.

If the API Gateway does not audit exceptions and errors, this is a finding.
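The following script is an added example for carrying out steps 1 through 3 above offline; it is not part of the STIG text and does not come from any particular gateway product. It assumes the gateway writes newline-delimited JSON records with the field names used in the constructed sample (ts, level, request_id, method, path, status, upstream, error.type, error.message, error.stack); those names are assumptions and must be mapped to whatever the gateway under review actually emits. It flags every error event that lacks a required field and reports which of the simulated error classes from step 2 never appeared in the log.

```python
"""Audit API gateway error logging for the fields the check expects.

Added example, not from the STIG. Field names are assumptions for a
hypothetical JSON-lines gateway log; adjust REQUIRED_FIELDS to the product.
"""
import json
from datetime import datetime

# Constructed sample log: one success, two well-formed error events, one
# error event with almost no context, and one malformed line.
SAMPLE_LOG = """
{"ts": "2024-05-01T12:00:00Z", "level": "INFO", "request_id": "r-1", "method": "GET", "path": "/v1/items", "status": 200, "upstream": "items-svc"}
{"ts": "2024-05-01T12:00:01Z", "level": "WARN", "request_id": "r-2", "method": "POST", "path": "/v1/items", "status": 400, "upstream": "items-svc", "error": {"type": "InvalidRequest", "message": "body failed schema validation"}}
{"ts": "2024-05-01T12:00:02Z", "level": "ERROR", "request_id": "r-3", "method": "GET", "path": "/v1/orders/9", "status": 502, "upstream": "orders-svc", "error": {"type": "UpstreamUnavailable", "message": "connection refused", "stack": "Traceback (most recent call last): ..."}}
{"ts": "2024-05-01T12:00:03Z", "level": "ERROR", "request_id": "r-4", "status": 504}
not json at all
"""

# Fields every error event must carry (dotted names reach into nested objects).
REQUIRED_FIELDS = ("ts", "request_id", "method", "path", "status",
                   "upstream", "error.type", "error.message")

# Error classes simulated in step 2 of the check; each must appear in the log.
SIMULATED_ERRORS = {400: "invalid request", 502: "upstream failure",
                    504: "upstream timeout"}


def parse_log(text):
    """Parse JSON-lines log text; return (events, count of malformed lines)."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1  # unparseable audit records are themselves a defect
    return events, malformed


def is_error_event(event):
    """An event is an error if its status is 4xx/5xx, its level is WARN/ERROR,
    or it carries an error object."""
    status = event.get("status")
    return ((isinstance(status, int) and status >= 400)
            or event.get("level") in ("WARN", "ERROR")
            or "error" in event)


def _get(event, dotted):
    """Look up a dotted field name such as 'error.type'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _valid_timestamp(value):
    """Accept ISO 8601 timestamps, including a trailing 'Z'."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def audit_error_events(events, required=REQUIRED_FIELDS):
    """Map request_id (or line index) -> list of missing fields for every
    error event that is not logged with sufficient detail."""
    findings = {}
    for i, ev in enumerate(events):
        if not is_error_event(ev):
            continue
        missing = [f for f in required if _get(ev, f) in (None, "")]
        if "ts" in ev and not _valid_timestamp(ev["ts"]):
            missing.append("ts(unparseable)")
        if missing:
            findings[ev.get("request_id", f"line-{i}")] = missing
    return findings


def simulation_coverage(events, expected=SIMULATED_ERRORS):
    """Return the simulated error classes that never showed up in the log."""
    seen = {e.get("status") for e in events if is_error_event(e)}
    return {code: desc for code, desc in expected.items() if code not in seen}


def run_check(text):
    """Run the whole check and return a summary; passed is True only when every
    error event is complete and every simulated error class was logged."""
    events, malformed = parse_log(text)
    findings = audit_error_events(events)
    uncovered = simulation_coverage(events)
    return {"events": len(events), "malformed": malformed,
            "findings": findings, "uncovered": uncovered,
            "passed": not findings and not uncovered and malformed == 0}


if __name__ == "__main__":
    print(json.dumps(run_check(SAMPLE_LOG), indent=2))
```

Against the constructed sample the check fails: record r-4 is an error event with only a timestamp, request identifier, and status, and one line could not be parsed at all, so the gateway would be a finding even though all three simulated error classes were logged. Replace SAMPLE_LOG with the real log captured after step 2 to use this on a live gateway.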

Fix

Build or configure the API Gateway to log errors and exceptions with sufficient detail for analysis: at a minimum a timestamp, the error type or status code, the affected resource or route, and a request identifier that lets the gateway record be correlated with backend logs. Record stack traces and internal error detail in the audit log only; they must not be returned to the client in the error response.