GuardAPI
Automated Security Protocol

How to fix Improper Assets Management
in ServiceStack

Executive Summary

Shadow APIs and leaky metadata are the low-hanging fruit for any red teamer. ServiceStack's 'auto-magic' configuration is a liability in production if it is not explicitly hardened. Improper asset management here typically manifests as exposed /metadata pages, undocumented DTOs that leak system architecture, and administrative plugins left open to the public internet. If you aren't auditing your service surface area, you're handing over the blueprint to your infrastructure.

The Vulnerable Pattern

VULNERABLE CODE
using Funq;
using ServiceStack;

public class AppHost : AppSelfHostBase
{
    public AppHost() : base("InsecureApi", typeof(MyServices).Assembly) {}

    public override void Configure(Container container)
    {
        // VULNERABILITY: Default settings leave /metadata, /json, /xml endpoints public.
        // Internal administrative plugins are registered without access controls,
        // so anyone who can reach the host can read request logs and the Redis admin UI.
        Plugins.Add(new RequestLogsFeature());
        Plugins.Add(new AdminRedisFeature());
    }
}

The Secure Implementation

To remediate improper asset management, you must enforce a 'Need-to-Know' policy on your API surface:

1. Disable the Metadata Feature in production via HostConfig to stop attackers from enumerating your DTOs and routes.
2. Use the [Restrict] attribute on sensitive service classes to limit visibility to Localhost or Internal networks.
3. Explicitly gate diagnostic plugins (RequestLogs, RedisAdmin) behind Authentication and specific Admin roles.
4. Toggle DebugMode off to prevent verbose error leakage that assists reconnaissance.

SECURE CODE
using Funq;
using ServiceStack;

public class AppHost : AppSelfHostBase
{
    public AppHost() : base("HardenedApi", typeof(MyServices).Assembly) {}

    public override void Configure(Container container)
    {
        // Env.IsProduction() stands for your deployment's environment check.
        var isProd = Env.IsProduction();

        SetConfig(new HostConfig {
            // Disable metadata pages in production to prevent discovery
            EnableFeatures = isProd
                ? Feature.All.Remove(Feature.Metadata | Feature.Html | Feature.Csv)
                : Feature.All,
            // Verbose errors and stack traces only outside production
            DebugMode = !isProd,
            WriteErrorsToResponse = !isProd
        });

        // Secure internal assets with RBAC: the diagnostic plugin stays
        // registered, but only authenticated Admin users can read it.
        Plugins.Add(new RequestLogsFeature {
            RequiredRoles = new[] { RoleNames.Admin }
        });
    }
}

// Use the Restrict attribute to hide internal DTOs from external discovery:
// the service is only callable from internal networks and is not listed in metadata.
[Restrict(InternalOnly = true)]
public class InternalSystemAudit : IReturn { }
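Hardening is only half the job; the configuration should be verified against a running host. The following is an added example, not GuardAPI's or ServiceStack's own code: a self-hosted smoke test that boots a hardened AppHost with the production settings above and probes the paths that improper asset management typically exposes (/metadata, the JSON metadata route, /requestlogs, a [Restrict]-ed DTO's predefined route, and one intentionally public endpoint), reporting which ones still answer 200 OK. The host name, port, DTO and service names (InternalSystemAudit, Health, AuditServices, HardenedAppHost) are constructed for the example and assume the ServiceStack NuGet package is referenced.

```csharp
// Added example: smoke-test the hardened surface of a ServiceStack self-host.
// Not code from the page or from ServiceStack; names below are constructed.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Funq;
using ServiceStack;

// Hypothetical internal DTO: reachable only from internal networks and hidden from metadata.
[Restrict(InternalOnly = true)]
public class InternalSystemAudit : IReturn<InternalSystemAuditResponse> { }
public class InternalSystemAuditResponse { public string Status { get; set; } }

// Hypothetical public DTO, kept as a control so the probe has one expected 200.
[Route("/health")]
public class Health : IReturn<HealthResponse> { }
public class HealthResponse { public string Status { get; set; } }

public class AuditServices : Service
{
    public object Any(InternalSystemAudit req) => new InternalSystemAuditResponse { Status = "ok" };
    public object Any(Health req) => new HealthResponse { Status = "ok" };
}

public class HardenedAppHost : AppSelfHostBase
{
    readonly bool isProd;

    public HardenedAppHost(bool isProd) : base("HardenedApi", typeof(AuditServices).Assembly)
        => this.isProd = isProd;

    public override void Configure(Container container)
    {
        SetConfig(new HostConfig {
            // Production: no metadata pages, no HTML/CSV formats, no verbose errors.
            EnableFeatures = isProd
                ? Feature.All.Remove(Feature.Metadata | Feature.Html | Feature.Csv)
                : Feature.All,
            DebugMode = !isProd,
            WriteErrorsToResponse = !isProd,
        });

        // Diagnostic plugin stays registered but requires an authenticated Admin.
        Plugins.Add(new RequestLogsFeature { RequiredRoles = new[] { RoleNames.Admin } });
    }
}

public static class SurfaceAudit
{
    // Issues an unauthenticated GET to each path and returns those that answered 200 OK.
    public static async Task<string[]> ExposedPathsAsync(string baseUrl, params string[] paths)
    {
        using var http = new HttpClient { BaseAddress = new Uri(baseUrl) };
        var exposed = new List<string>();
        foreach (var path in paths)
        {
            var resp = await http.GetAsync(path);
            if (resp.StatusCode == HttpStatusCode.OK)
                exposed.Add(path);
        }
        return exposed.ToArray();
    }

    public static async Task Main()
    {
        const string url = "http://localhost:2000/";
        using var host = new HardenedAppHost(isProd: true).Init().Start(url);

        var exposed = await ExposedPathsAsync(url,
            "/metadata",                       // disabled via EnableFeatures: expect non-200
            "/json/metadata",                  // same feature flag: expect non-200
            "/requestlogs",                    // Admin role required: expect 401
            "/json/reply/InternalSystemAudit", // [Restrict(InternalOnly)]; see note below
            "/health");                        // public control endpoint: expect 200

        Console.WriteLine("Paths answering 200 OK to an anonymous caller:");
        foreach (var p in exposed) Console.WriteLine("  " + p);
    }
}
```

Note that the probe runs from loopback, and ServiceStack treats localhost as part of the internal network, so the [Restrict(InternalOnly = true)] route still answers 200 here; to confirm that restriction you have to probe from an address outside the internal ranges. The metadata and request-log paths, by contrast, should drop out of the list as soon as isProd is true, which makes this a cheap regression check to run in CI against the production configuration.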


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.