GuardAPI
Automated Security Protocol

How to fix Improper Assets Management in ASP.NET Core

Executive Summary

Shadow APIs and forgotten legacy endpoints are a goldmine for reconnaissance. Improper asset management in ASP.NET Core occurs when stale versions, debug controllers, or undocumented routes are left exposed. Attackers target these 'ghost' endpoints because they often lack the hardened security controls, logging, and rate-limiting implemented in current production versions.

The Vulnerable Pattern

VULNERABLE CODE
using System;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/v1/internal/debug")]
public class DebugController : ControllerBase
{
    // AppDbContext is a placeholder name for the EF Core context the original
    // snippet referenced as _context without declaring it.
    private readonly AppDbContext _context;

    public DebugController(AppDbContext context) => _context = context;

    // VULNERABILITY: This controller was used for testing during v1
    // and was never removed or restricted. It leaks system state.
    [HttpGet("dump-env")]
    public IActionResult GetEnvironment() => Ok(Environment.GetEnvironmentVariables());

    // VULNERABILITY: Unauthenticated, unversioned user lookup left over from v1.
    [HttpGet("legacy-user-query")]
    public IActionResult GetUserLegacy(int id) => Ok(_context.Users.Find(id));
}

The Secure Implementation

Fixing improper asset management requires a multi-layered approach. First, use the 'Asp.Versioning.Http' package to force explicit versioning, so clients cannot accidentally hit unmaintained legacy paths. Second, use 'IWebHostEnvironment' to wrap diagnostic tools and documentation (such as Swagger) so they are physically absent from production binaries or routing tables. Third, implement a 'Sunset' policy by explicitly mapping old routes to a 410 Gone status code or to a restricted internal-only middleware. Finally, audit your 'EndpointDataSource' during CI/CD to ensure no undocumented routes were merged into the main branch.

SECURE CODE
using Asp.Versioning;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// 1. Implement API Versioning to manage asset lifecycle.
//    With AssumeDefaultVersionWhenUnspecified = false, a request that names no
//    version is rejected instead of being silently routed to an old controller.
builder.Services.AddApiVersioning(options =>
{
    options.ReportApiVersions = true;
    options.DefaultApiVersion = new ApiVersion(2, 0);
    options.AssumeDefaultVersionWhenUnspecified = false;
}).AddMvc(); // AddMvc() comes from the Asp.Versioning.Mvc package and applies [ApiVersion] to controllers

builder.Services.AddControllers();
// The "StrictAdmin" policy used below must be registered (RequireRole("Admin") is an
// illustrative placeholder); an authentication scheme is also required and is omitted here.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("StrictAdmin", policy => policy.RequireRole("Admin")));

var app = builder.Build();

// 3. Explicitly disable Swagger/Debug assets in Production.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}
else
{
    // In production, ensure legacy routes return 410 Gone. Map() branches on the
    // path prefix, so every route under the old debug controller is covered.
    app.Map("/api/v1/internal/debug", (IApplicationBuilder innerApp) =>
    {
        innerApp.Run(async context =>
        {
            context.Response.StatusCode = 410;
            await context.Response.WriteAsync("Endpoint Decommissioned");
        });
    });
}

app.UseAuthorization();
app.MapControllers();
app.Run();

// 2. Use Environment Guards and Authorization Policies.
//    (Type declarations must follow top-level statements in C#, hence the order.)
[ApiVersion("2.0")]
[Authorize(Policy = "StrictAdmin")]
[Route("api/v{version:apiVersion}/admin")]
public class AdminController : ControllerBase
{
    [HttpGet("status")]
    public IActionResult GetStatus() => Ok("Healthy");
}
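As an added example, not GuardAPI's own code, here is the CI route audit the text describes, written as an xUnit integration test: it resolves EndpointDataSource from the running app's service provider and fails the build when any registered route is undocumented, unversioned, or contains a forbidden segment. It assumes .NET 7+ minimal hosting with a public partial Program class and a test project referencing Microsoft.AspNetCore.Mvc.Testing and xunit; the Documented allowlist and the Forbidden pattern are placeholders to adapt.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

// Hypothetical route-inventory test (not GuardAPI code). Assumes a public partial
// Program class (.NET 7+ minimal hosting) and Microsoft.AspNetCore.Mvc.Testing.
public class RouteInventoryTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;

    public RouteInventoryTests(WebApplicationFactory<Program> factory) => _factory = factory;

    // Placeholder allowlist of every route the team intends to ship. A route that is
    // registered but absent here fails the build, so a forgotten debug controller cannot reach main.
    private static readonly HashSet<string> Documented = new(StringComparer.OrdinalIgnoreCase)
    {
        "api/v{version:apiVersion}/admin/status",
    };

    // Segments that must never appear in a registered route, in any environment.
    private static readonly Regex Forbidden =
        new(@"(^|/)(internal|debug|legacy|test)(/|$)", RegexOptions.IgnoreCase);

    [Fact]
    public void All_registered_routes_are_documented_and_versioned()
    {
        // EndpointDataSource is the runtime's own inventory of routable endpoints (controllers,
        // minimal APIs). Middleware branches such as the 410 handler are not endpoints and do not appear.
        var source = _factory.Services.GetRequiredService<EndpointDataSource>();
        var routes = source.Endpoints
            .OfType<RouteEndpoint>()
            .Select(e => e.RoutePattern.RawText ?? string.Empty)
            .Distinct()
            .ToList();

        var unexpected = routes.Where(r => !Documented.Contains(r)).ToList();
        var forbidden = routes.Where(r => Forbidden.IsMatch(r)).ToList();
        var unversioned = routes.Where(r => !r.Contains("{version:apiVersion}")).ToList();

        Assert.True(unexpected.Count == 0, "Undocumented routes: " + string.Join(", ", unexpected));
        Assert.True(forbidden.Count == 0, "Forbidden routes: " + string.Join(", ", forbidden));
        Assert.True(unversioned.Count == 0, "Unversioned routes: " + string.Join(", ", unversioned));
    }
}
```

Run it in the pipeline with `dotnet test`; the failure message lists the offending routes so the reviewer sees exactly which endpoint slipped in.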


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.