Vulnerability Discussion

The API Gateway must audit request and response details to ensure robust security, efficient troubleshooting, and compliance with regulations. As the central point for handling incoming traffic, the gateway is responsible for managing authentication, authorization, routing, and applying policies across all services. By auditing request and response details, the gateway can monitor for potential security threats, such as unauthorized access attempts, data tampering, or malicious activities like SQL injection and cross-site scripting (XSS).

Detailed logs provide valuable information for troubleshooting issues, enabling quick identification of problematic requests, errors, or performance bottlenecks, which can be essential for maintaining system reliability.

Check

If an API Gateway is not in use, this is Not Applicable.

Verify the API audits execution time and performance metrics.

1. Inspect the API Gateway's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes.

2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome.

3. Verify the API Gateway is configured to log the necessary request and response details, such as the type of request, request parameters, and response status.

4. Review the API Gateway's documentation to ensure proper auditing of request and response details is enabled.

If the API Gateway is not auditing request and response detail, this is a finding.

Fix

Build or configure the API Gateway to log the necessary request and response details such as method, URL, headers, body, status, etc.