How to fix Improper Assets Management in .NET 8 Web API
Executive Summary
Improper Assets Management (OWASP A09:2021) is the silent killer of enterprise perimeters. In .NET 8, this manifests as 'Shadow APIs'—legacy v1 endpoints left rotting in production, or internal Swagger documentation exposed to the public internet. Attackers hunt for these forgotten assets because they usually lack modern rate-limiting, authentication, or logging. If it's reachable, it's an entry point.
The Vulnerable Pattern
// Program.cs - The 'I forgot to check my environment' pattern
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

// VULNERABILITY: Swagger is exposed in Production, leaking the entire API schema to attackers
app.UseSwagger();
app.UseSwaggerUI();

app.MapControllers();
app.Run();
// LegacyController.cs - The 'Shadow API' pattern
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/v1/[controller]")]
public class AdminController : ControllerBase
{
    // AppDbContext is the application's EF Core context (name assumed here)
    private readonly AppDbContext _db;

    public AdminController(AppDbContext db) => _db = db;

    // Old v1 endpoint that was supposed to be decommissioned
    // Uses weak legacy auth or none at all: no [Authorize], no rate limiting, no versioning
    [HttpGet("export-all-users")]
    public IActionResult Export() => Ok(_db.Users.ToList());
}
The Secure Implementation
To kill Improper Assets Management, you must:
1. Environment Gating: Wrap Swagger/OpenAPI middleware in 'IsDevelopment()' checks to prevent schema leaks.
2. API Versioning: Use 'Asp.Versioning.Http' to explicitly define supported versions; this prevents 'v1' shadow endpoints from running indefinitely.
3. Sunsetting: Use the 'ApiVersion' attribute to mark old versions as deprecated and return 'Sunset' headers before decommissioning.
4. Asset Inventory: Regularly audit the 'MapControllers' output to ensure no undocumented debug or legacy routes are registered in the routing table.
// Program.cs - Hardened Asset Management
using Asp.Versioning;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

// Implement formal API Versioning
builder.Services.AddApiVersioning(options =>
{
    options.DefaultApiVersion = new ApiVersion(2, 0);
    options.AssumeDefaultVersionWhenUnspecified = false;
    options.ReportApiVersions = true;
})
.AddMvc()          // controller support for [ApiVersion] (Asp.Versioning.Mvc package)
.AddApiExplorer(options =>
{
    options.GroupNameFormat = "'v'VVV";
    options.SubstituteApiVersionInUrl = true;
});

var app = builder.Build();

// FIX 1: Strict environment gating for documentation
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

// FIX 2: Explicitly map only active versions
app.MapControllers();
app.Run();

// UserController.cs - Explicitly versioned
using Asp.Versioning;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[ApiVersion("2.0")]
[Route("api/v{version:apiVersion}/[controller]")]
public class UsersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("Secure V2 logic");
}
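The hardened Program.cs above covers environment gating and versioning but not steps 3 and 4 of the checklist. The following is an added example, not the article's code, showing a Sunset policy for the deprecated v1 surface and a startup inventory that refuses to boot when an unversioned route is present in the routing table. It assumes the Asp.Versioning.Mvc and Asp.Versioning.Mvc.ApiExplorer packages, an authentication scheme (for example JWT bearer) registered elsewhere, a placeholder sunset date and notice URL, and constructed sample user data; the "everything must live under api/v{version}/" rule is this example's own convention, not a library feature.

```csharp
// Program.cs - added example (not the article's code). Demonstrates steps 2-4:
// versioning, a Sunset policy for v1, and a startup inventory of the routing table.
// Assumes the NuGet packages Asp.Versioning.Mvc and Asp.Versioning.Mvc.ApiExplorer,
// and that an authentication scheme (e.g. JWT bearer) is configured elsewhere.
using Asp.Versioning;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAuthorization();
// builder.Services.AddAuthentication(...)   // assumed: registered elsewhere in the app

builder.Services.AddApiVersioning(options =>
{
    options.DefaultApiVersion = new ApiVersion(2, 0);
    options.AssumeDefaultVersionWhenUnspecified = false;   // unversioned calls are rejected, not routed to v1
    options.ReportApiVersions = true;                      // api-supported-versions / api-deprecated-versions headers

    // Step 3: Sunset policy. Every v1 response carries a Sunset header with this date
    // and a Link header pointing at the retirement notice (placeholder date and URL).
    options.Policies.Sunset(1.0)
        .Effective(new DateTimeOffset(2026, 1, 31, 0, 0, 0, TimeSpan.Zero))
        .Link("https://docs.example.test/v1-sunset")
            .Title("v1 retirement notice")
            .Type("text/html");
})
.AddMvc()          // controller support for [ApiVersion] and the apiVersion route constraint
.AddApiExplorer(options =>
{
    options.GroupNameFormat = "'v'VVV";
    options.SubstituteApiVersionInUrl = true;
});

var app = builder.Build();

// Step 1: documentation only outside Production
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

// Step 4: inventory the routing table before accepting traffic. Anything registered
// outside the versioned prefix is a shadow endpoint; refuse to start if one exists.
// (The prefix rule is this example's convention, not part of the library.)
const string VersionedPrefix = "api/v{version:apiVersion}/";
var routes = ((IEndpointRouteBuilder)app).DataSources
    .SelectMany(ds => ds.Endpoints)
    .OfType<RouteEndpoint>()
    .Select(e => e.RoutePattern.RawText ?? string.Empty)
    .ToList();

foreach (var route in routes)
{
    app.Logger.LogInformation("Registered route: {Route}", route);
}

var shadowRoutes = routes
    .Where(r => !r.StartsWith(VersionedPrefix, StringComparison.OrdinalIgnoreCase))
    .ToList();
if (shadowRoutes.Count > 0)
{
    throw new InvalidOperationException(
        "Unversioned routes registered; remove or version them: " + string.Join(", ", shadowRoutes));
}

app.Run();

// The legacy admin surface, kept alive only until the sunset date. It is versioned,
// marked deprecated (so it is reported in api-deprecated-versions), and requires authorization.
[ApiController]
[ApiVersion("1.0", Deprecated = true)]
[ApiVersion("2.0")]
[Route("api/v{version:apiVersion}/[controller]")]
[Authorize(Roles = "Admin")]
public class AdminController : ControllerBase
{
    // Constructed sample data standing in for the real user store.
    private static readonly string[] Users = { "alice", "bob" };

    [HttpGet("export-all-users")]
    [MapToApiVersion("1.0")]
    public IActionResult ExportV1() => Ok(Users);

    [HttpGet("export")]
    [MapToApiVersion("2.0")]
    public IActionResult ExportV2() => Ok(new { users = Users, count = Users.Length });
}
```

With this in place a request to api/v1/admin/export-all-users still succeeds for an authorized admin but returns Sunset and Link headers announcing the retirement, while the api-deprecated-versions header tells every client that 1.0 is on its way out. The startup check is deliberately fail-closed: a forgotten debug controller that does not follow the versioned route template stops the process from starting, which surfaces the shadow API in CI rather than in an attacker's scan results.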
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.