{"id":19604076,"url":"https://github.com/escape-technologies/api-threat-matrix","last_synced_at":"2025-08-04T09:34:03.368Z","repository":{"id":256812552,"uuid":"856381701","full_name":"Escape-Technologies/API-Threat-Matrix","owner":"Escape-Technologies","description":"A comprehensive knowledge base for security professionals to keep track of and build defenses against API attack techniques.","archived":false,"fork":false,"pushed_at":"2024-09-12T16:32:18.000Z","size":230,"stargazers_count":42,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-15T00:09:06.277Z","etag":null,"topics":["api","security","threatmatrix","threats"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Escape-Technologies.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-12T13:41:12.000Z","updated_at":"2024-12-26T11:22:19.000Z","dependencies_parsed_at":"2024-09-13T06:47:51.609Z","dependency_job_id":"6955a927-6970-46df-bb24-c5fdf4faa834","html_url":"https://github.com/Escape-Technologies/API-Threat-Matrix","commit_stats":null,"previous_names":["escape-technologies/api-threat-matrix"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Escape-Technologies/API-Threat-Matrix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escape-Technologies%2FAPI-Threat-Matrix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escape-Technologies%2FAPI-Threat-Matrix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escape-Technologies%2FAPI-Threat-Matrix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escape-Technologies%2FAPI-Threat-Matrix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Escape-Technologies","download_url":"https://codeload.github.com/Escape-Technologies/API-Threat-Matrix/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escape-Technologies%2FAPI-Threat-Matrix/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268675526,"owners_count":24288287,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-04T02:00:09.867Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","security","threatmatrix","threats"],"created_at":"2024-11-11T09:34:35.055Z","updated_at":"2025-08-04T09:34:03.338Z","avatar_url":"https://github.com/Escape-Technologies.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Common Threat Matrix for APIs\nThis is an ATT\u0026CK-like matrix focused on API-specific risk. Using the [MITRE ATT\u0026CK®](https://attack.mitre.org/) framework as a base, we collected techniques and attack vectors associated with APIs and created a matrix dedicated to API attack methods.\n\nOur goal for developing the threat matrix for API security is to build a comprehensive knowledgebase that defenders can use to keep track of and build defenses against relevant attack techniques. \n\nWe’re looking to continuously improve the matrix, so any feedback is welcome! \n\n## Table of Contents\n- [Background](#background)\n- [Threat Matrix](#threat-matrix)\n- [Techniques and Mitigation](#techniques-and-mitigation)\n - [Reconnaissance](#reconnaissance)\n - [Resource Development](#resource-development)\n - [Initial Access](#initial-access)\n - [Execution](#execution)\n - [Persistence](#persistence)\n - [Privilege Escalation](#privilege-escalation)\n - [Defense Evasion](#defense-evasion)\n - [Credential Access](#credential-access)\n - [Discovery](#discovery)\n - [Lateral Movement](#lateral-movement)\n - [Command and Control](#command-and-control)\n - [Exfiltration](#exfiltration)\n - [Collection](#collection)\n - [Impact](#impact)\n- [Adaptation to the different API types](#adaptation-to-the-different-api-types)\n - [GraphQL](#graphql)\n - [REST](#rest)\n - [gRPC](#grpc)\n- [Other API security-related security research](#other-api-security-related-security-research)\n\n## Background\nThis matrix aims to share knowledge on securing APIs with the Cybersecurity community. \nThis matrix was created by the security research team at Escape.\n\n## Threat Matrix\n\n![threat matrix](api-threat-matrix.png \"threat matrix\")\n\n## Techniques and Mitigation\n\nEach technique is aligned with MITRE ATT\u0026CK's framework of adversary tactics, techniques, and procedures (TTPs), structured according to:\n\n* Reconnaissance: Attackers gather information about API endpoints.\n* Resource Development: Attackers acquire tokens, credentials, or tools to attack the API.\n* Initial Access: Attackers gain entry to the API through stolen keys or exposed endpoints.\n* Execution: Techniques for injecting commands or manipulating the API's behavior.\n* Persistence: Techniques for maintaining access, such as token hijacking.\n* Privilege Escalation: Elevating access by exploiting roles or token scopes.\n* Defense Evasion: Obfuscating API traffic or disabling logging to avoid detection.\n* Credential Access: Stealing or hijacking session tokens and other credentials.\n* Discovery: Finding hidden or undocumented API endpoints.\n* Lateral Movement: Moving between API services to access more data.\n* Command and Control: Using APIs for covert communication channels.\n* Exfiltration: Extracting data from API endpoints.\n* Collection: Gathering data for exfiltration, including credential harvesting.\n* Impact: Denial of Service (DoS) attacks, data manipulation, or ransomware.\n\n\n## API-Specific ATT\u0026CK-like Matrix\n\n| **Tactic** | **Technique** | **Description** | **Mitigation** |\n|-------------------------|-----------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|\n| \u003cspan id=\"reconnaissance\"\u003e**Reconnaissance**\u003c/span\u003e | **API Enumeration** | Attackers probe API endpoints using brute-force or automated tools to identify open APIs. | Use API gateways to filter traffic, apply rate limiting, and hide internal APIs. |\n| | **Documentation Scraping** | Attackers exploit public-facing documentation to identify potential vulnerabilities or weak spots. | Regularly review and sanitize public documentation to avoid leaking sensitive implementation info. |\n| \u003cspan id=\"resource-development\"\u003e**Resource Development**\u003c/span\u003e | **Compromised Tokens** | Attackers acquire API tokens from previous breaches or through social engineering. | Regularly rotate API tokens and enforce MFA for token generation. |\n| | **Acquisition of Exploit Tools** | Attackers acquire or build tools to target vulnerabilities in API implementations. | Use threat intelligence to detect tool use, apply input validation, and use API security scanning. |\n| \u003cspan id=\"initial-access\"\u003e**Initial Access**\u003c/span\u003e | **Stolen API Keys** | API keys are compromised via public repositories, misconfigurations, or phishing attacks. | Store API keys securely, implement key rotation, and avoid embedding them in public codebases. |\n| | **Broken Authentication** | Attackers exploit weak or absent authentication mechanisms, including missing MFA or weak passwords. | Enforce MFA, use OAuth 2.0, and validate session tokens properly. |\n| | **Exposed Endpoints** | Attackers gain unauthorized access to APIs via publicly exposed or undocumented API endpoints. | Limit access via IP whitelisting, monitor traffic with logging, and use API gateways. |\n| \u003cspan id=\"execution\"\u003e**Execution**\u003c/span\u003e | **Command Injection via APIs** | Attackers send malicious inputs to exploit vulnerabilities in APIs to execute arbitrary commands. | Validate and sanitize input, use prepared statements, and prevent code injection attacks. |\n| | **Parameter Tampering** | Attackers modify API parameters (e.g., manipulating IDs) to bypass access controls. | Validate parameters on the server side, sanitize inputs, and enforce strong access controls. |\n| | **API Abuse for Resource Exhaustion** | Attackers flood API endpoints with a high volume of requests or payloads to exhaust system resources. | Implement rate limiting, resource throttling, and monitor for unusual traffic patterns. |\n| \u003cspan id=\"persistence\"\u003e**Persistence**\u003c/span\u003e | **Hijacked Tokens** | Stolen or long-lived tokens allow attackers to maintain persistent access to the API. | Use short-lived access tokens, enforce refresh token expiration, and monitor API usage patterns. |\n| | **OAuth Token Manipulation** | OAuth tokens are manipulated to escalate privileges or extend access beyond allowed permissions. | Properly validate OAuth tokens, set appropriate scopes, and enforce token revocation policies. |\n| \u003cspan id=\"privilege-escalation\"\u003e**Privilege Escalation**\u003c/span\u003e | **Role Misconfiguration** | Attackers exploit misconfigured roles and permissions to escalate access within the API environment. | Enforce least privilege, regularly audit RBAC, and apply role validation. |\n| | **OAuth Scope Abuse** | Attackers exploit excessive OAuth scopes to gain elevated privileges. | Define minimal scopes for each user, validate token claims. |\n| \u003cspan id=\"defense-evasion\"\u003e**Defense Evasion**\u003c/span\u003e | **Obfuscated API Calls** | API requests are encrypted or encoded to evade detection and logging. | Use deep packet inspection (DPI) tools to monitor encrypted traffic, enable full API logging. |\n| | **IP Spoofing** | Attackers spoof their IP addresses to bypass geolocation or IP-based access controls. | Implement IP reputation services, use geo-blocking, and monitor traffic for abnormal behavior. |\n| | **Disabling Audit Logs** | Attackers attempt to disable or bypass logging mechanisms to avoid detection. | Ensure audit logs cannot be disabled by API users, use external monitoring services. |\n| \u003cspan id=\"credential-access\"\u003e**Credential Access**\u003c/span\u003e | **Token Harvesting** | Attackers capture API tokens via misconfigurations or compromised services to access APIs. | Encrypt tokens, use HTTPS for transmission, and avoid exposing tokens in logs or URLs. |\n| | **Session Hijacking** | Attackers intercept active sessions to impersonate legitimate users and access APIs. | Implement session timeouts, force re-authentication on critical actions, and use HTTPS for secure communication. |\n| \u003cspan id=\"discovery\"\u003e**Discovery**\u003c/span\u003e | **Endpoint Probing** | Attackers brute-force or scan for hidden or undocumented API endpoints to discover more resources. | Implement rate limiting, log discovery attempts, and enforce endpoint naming conventions. |\n| | **Error Message Analysis** | Attackers analyze verbose error messages to learn about the API's internal structure. | Limit error message information, sanitize logs, and return minimal error responses. |\n| \u003cspan id=\"lateral-movement\"\u003e**Lateral Movement**\u003c/span\u003e | **API Pivoting** | Attackers use compromised APIs to gain access to interconnected services and resources. | Use micro-segmentation to isolate critical services, implement mutual TLS for service-to-service communication. | \n| | **Exploiting Third-Party Integrations** | Attackers exploit insecure third-party services integrated with the API to pivot and move laterally. | Validate and secure all third-party integrations, enforce access control policies, audit services. |\n| | **Exploiting API Chains** | Attackers use chained API requests to move between services and escalate access. | Apply strong authentication across all services, audit chained API requests. |\n| \u003cspan id=\"collection\"\u003e**Collection**\u003c/span\u003e | **Bulk Data Collection** | Attackers gather large amounts of data from vulnerable API endpoints in preparation for exfiltration. | Monitor for unusual data access patterns and enforce strict data access controls. |\n| | **Credential Collection** | Attackers focus on gathering sensitive credentials through exposed API endpoints or logs. | Mask sensitive information in API responses, secure logs, and implement strict access control. |\n| \u003cspan id=\"command-and-control\"\u003e**Command and Control**\u003c/span\u003e | **API-based Command Channel** | Attackers use APIs as a covert command channel to issue commands and control compromised systems. | Monitor for abnormal API behavior, use rate limiting, and detect anomalous traffic patterns. |\n| | **Covert C2 over HTTPS** | Attackers use API endpoints over encrypted HTTPS to communicate with compromised infrastructure. | Inspect encrypted traffic for anomalies, use SSL inspection tools. |\n| \u003cspan id=\"exfiltration\"\u003e**Exfiltration**\u003c/span\u003e | **Data Exfiltration via APIs** | Attackers extract sensitive data using API endpoints that allow bulk data downloads. | Enforce rate limiting, monitor for unusual download patterns, and apply strict access controls. |\n| | **Unencrypted Data Exfiltration**| Sensitive data is transmitted via APIs without encryption, allowing attackers to intercept it. | Enforce TLS for data in transit, encrypt sensitive data at rest. |\n| \u003cspan id=\"impact\"\u003e**Impact**\u003c/span\u003e | **Denial of Service (DoS)** | Attackers flood API endpoints with requests to cause service disruption and make the API unavailable. | Implement rate limiting, use load balancers, and monitor API traffic for anomalies. |\n| | **Data Manipulation** | Attackers modify or corrupt data using legitimate API calls, impacting the integrity of the system. | Use data validation and integrity checks, log all data changes, and maintain backups for recovery. |\n| | **Data Encryption (Ransomware)** | Attackers encrypt sensitive data via APIs and demand ransom for decryption. | Implement regular data backups, use strong encryption, and apply data integrity monitoring tools. |\n\n\n## Adaptation to the different API types\n\n### GraphQL\n\n[GraphQL threat framework by Nick Aleks and Dolev Farhi](https://github.com/nicholasaleks/graphql-threat-matrix)\n\n### REST\n\n| **Tactic** | **Technique** | **Description** | **Mitigation** |\n|-------------------------|-----------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|\n| **Reconnaissance** | **REST API Crawling** | Attackers use automated tools to crawl through REST API endpoints to discover exposed resources. | Use API gateways, limit endpoint exposure, and apply IP filtering. |\n| | **Swagger/OpenAPI Exploitation** | Attackers exploit public-facing API schemas (Swagger/OpenAPI) to learn about API structure. | Keep API schemas internal, apply access controls, and sanitize public documentation. |\n| **Resource Development** | **Compromised Tokens** | Attackers acquire API tokens from previous breaches or through social engineering. | Regularly rotate API tokens, enforce MFA for token generation. |\n| | **Acquisition of REST Attack Tools** | Attackers develop or acquire tools that automate REST API attacks such as rate-limiting bypasses. | Use threat intelligence to detect these tools, apply rate-limiting rules, and monitor anomalies. |\n| **Initial Access** | **Compromised API Keys** | Attackers steal or reuse API tokens exposed in repositories or misconfigured environments. | Regularly rotate API keys and enforce strict token expiration policies. |\n| | **Broken REST Authentication** | Attackers exploit weaknesses in REST authentication mechanisms, such as JWT misconfiguration. | Implement strong JWT token validation, use HTTPS, and enforce MFA. |\n| **Execution** | **RESTful SQL Injection** | Attackers inject SQL queries into API parameters to exploit database vulnerabilities. | Use prepared statements, input validation, and escape user inputs. |\n| | **Parameter Tampering** | Attackers modify REST API parameters to bypass access controls or gain unauthorized access. | Validate input on the server side, enforce strong access controls, and sanitize user inputs. |\n| **Persistence** | **Stolen OAuth Tokens** | Attackers use stolen OAuth tokens to maintain access to RESTful APIs. | Use short-lived OAuth tokens, rotate and revoke tokens as needed, and monitor access logs. |\n| | **Abusing API Sessions** | Attackers maintain persistence by hijacking active REST API sessions. | Implement session expiration policies and enforce re-authentication for critical operations. |\n| **Privilege Escalation** | **Insecure Direct Object References (IDOR)** | Attackers exploit IDOR vulnerabilities to access unauthorized resources by manipulating object references. | Validate access controls and implement object-level access checks. |\n| | **OAuth Scope Abuse** | Attackers exploit excessive OAuth scopes to escalate privileges within REST APIs. | Define minimal scopes for each role, validate token scopes, and monitor OAuth activity. |\n| **Defense Evasion** | **REST Call Obfuscation** | Attackers obscure REST API requests to evade security systems and logging. | Enable detailed API logging, use API security gateways, and analyze unusual traffic patterns. |\n| | **IP Spoofing** | Attackers spoof their IP addresses to bypass IP-based access controls in REST APIs. | Apply geo-restrictions and use IP reputation services for real-time monitoring. |\n| **Credential Access** | **Token Replay Attacks** | Attackers reuse stolen tokens to impersonate legitimate users and access REST APIs. | Implement short-lived tokens, session binding, and replay attack detection mechanisms. |\n| | **Session Hijacking** | Attackers intercept and steal active REST API sessions to access the API. | Use HTTPS, apply strong session validation, and enforce re-authentication on sensitive actions. |\n| **Discovery** | **Endpoint Brute Force** | Attackers attempt to brute force REST API endpoints to discover hidden or undocumented resources. | Implement rate limiting, enforce IP restrictions, and monitor for unusual traffic patterns. |\n| | **Error Message Analysis** | Attackers analyze detailed error messages to learn about the internal structure of the API. | Limit error information, sanitize logs, and return generic error responses to avoid data leakage. |\n| **Lateral Movement** | **REST API Chaining** | Attackers use chained REST API calls to access additional services or resources. | Enforce strong authentication between API services, use network segmentation, and apply mutual TLS.|\n| **Collection** | **Bulk Data Collection** | Attackers gather large amounts of sensitive data from unsecured REST API endpoints. | Monitor for unusual data access patterns, apply rate limiting, and enforce strict data access controls. |\n| **Command and Control** | **API-based Command Channel** | Attackers use REST APIs as a covert command channel to control compromised systems. | Monitor for abnormal API behavior, use rate limiting, and detect anomalous traffic patterns. |\n| | **Covert C2 over HTTPS** | Attackers use encrypted HTTPS channels through REST APIs to establish command and control (C2). | Inspect HTTPS traffic using SSL inspection tools, and monitor API requests for anomalies. |\n| **Exfiltration** | **Bulk Data Extraction** | Attackers exploit poorly secured REST API endpoints to extract large amounts of data. | Implement rate limiting, apply strict access control, and monitor for abnormal download patterns. |\n| | **Unencrypted Data Exfiltration**| Sensitive data is transmitted without encryption, allowing attackers to intercept it. | Enforce TLS for data in transit, use encryption for sensitive data at rest. |\n| **Impact** | **Denial of Service (DoS)** | Attackers flood REST API endpoints with requests to cause service disruption. | Use rate limiting, apply DoS protection tools, and monitor API traffic for abnormal patterns. |\n| | **Data Manipulation** | Attackers modify data using legitimate API calls, affecting the integrity of the system. | Apply strong data validation, log data changes, and enforce data integrity checks. |\n| | **Data Encryption (Ransomware)** | Attackers encrypt sensitive data via REST APIs and demand a ransom for decryption. | Regularly back up data, use strong encryption methods, and monitor for anomalous data changes. |\n\n\n### gRPC\n\n| **Tactic** | **Technique** | **Description** | **Mitigation** |\n|-------------------------|-----------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|\n| **Reconnaissance** | **gRPC Service Enumeration** | Attackers enumerate gRPC services using automated tools to discover exposed services. | Use mTLS for authentication, hide internal services, and enforce IP restrictions. |\n| | **Reflection Exploitation** | Attackers exploit the reflection feature of gRPC to learn about available methods and services. | Disable reflection in production or limit it to authenticated users. |\n| **Resource Development** | **Acquisition of gRPC Attack Tools** | Attackers acquire tools specifically designed for exploiting gRPC services (e.g., fuzzers). | Regularly update gRPC libraries, and monitor for signs of exploitation attempts. |\n| **Initial Access** | **Stolen API Tokens** | Attackers gain access through stolen or exposed gRPC tokens. | Use short-lived tokens, enforce strict expiration policies, and regularly rotate keys. |\n| | **Exploiting Weak Authentication**| Attackers target gRPC services with weak or absent authentication mechanisms. | Implement mTLS, use OAuth 2.0 for authentication, and enforce MFA for critical gRPC services. |\n| **Execution** | **gRPC Command Injection** | Attackers inject malicious commands into gRPC payloads by exploiting input validation flaws. | Validate all gRPC inputs and use protocol buffers to restrict the input structure. |\n| | **Excessive Resource Consumption**| Attackers send numerous gRPC requests to exhaust resources and disrupt service availability. | Implement rate limiting, monitor resource usage, and apply throttling for high-volume requests. |\n| **Persistence** | **Hijacked Session Tokens** | Attackers use hijacked tokens or credentials to maintain persistent access to gRPC services. | Use short-lived tokens, rotate tokens, and enforce re-authentication policies for sensitive actions.|\n| | **Abusing gRPC Streams** | Attackers maintain persistence by hijacking long-lived gRPC streams. | Limit stream durations and monitor for abnormal gRPC stream behavior. |\n| **Privilege Escalation** | **Exploiting RBAC Misconfiguration** | Attackers escalate privileges by exploiting misconfigured role-based access control (RBAC) in gRPC. | Enforce least privilege principles and regularly audit access control policies. |\n| | **OAuth Scope Abuse** | Attackers abuse excessive OAuth scopes to gain elevated privileges in gRPC services. | Define minimal scopes for each user, validate token claims, and monitor OAuth activity. |\n| **Defense Evasion** | **Obfuscated gRPC Calls** | Attackers obscure gRPC requests to evade security detection tools and logging. | Enable full logging for gRPC services, use security gateways,\n\n## Other API security-related research\n- [API Threat Landscape Database](https://escape.tech/resources/api-threat-landscape)\n- [The API secret sprawl report](https://escape.tech/the-api-secret-sprawl-2024)\n- [State of GraphQL security 2024](https://escape.tech/resources/the-state-of-graphql-security-2024)\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fescape-technologies%2Fapi-threat-matrix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fescape-technologies%2Fapi-threat-matrix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fescape-technologies%2Fapi-threat-matrix/lists"}