A penetration test determined that UUIDs are passed through the APM REST API as the authentication token, which opens up the potential for man-in-the-middle attacks.
Is it possible to ensure that the UUID does not appear in the URL of a GET request, and is it possible to change the generation of the authentication token to a more secure method?
Finding: The APM web interface allows generating API tokens. These appear to be generated according to the UUID v4 specification (RFC 4122). According to this specification, UUIDs should not be used as authentication tokens:
"RFC 4122, Section 6
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation."
Whether the use of UUIDs as authentication tokens poses an actual threat depends on the specific implementation, which could not be checked within the time frame and scope.
If the APM REST API uses UUIDs generated according to RFC 4122, that is not secure enough, since even the specification's authors warn against using these UUIDs as access tokens.
Request: Improve the current token generation mechanism to provide an entropy of at least 128 bits (preferably 140+).
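As an added illustration of the finding and request above (example code written for this article, not part of the original or of the APM product; the hostname and UUID value used in it are constructed), the following Python shows why a UUID v4 carries only 122 random bits, flags UUID-shaped tokens that appear in request URLs, and generates an opaque token with a configurable entropy of at least 128 bits:

```python
import base64
import re
import secrets
import uuid
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Canonical textual form of an RFC 4122 UUID (versions 1-5, RFC variant).
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
    re.IGNORECASE,
)

def uuid4_random_bits(value: str) -> int:
    """Bits of a version-4 UUID that are actually random: RFC 4122 fixes the
    4 version bits and 2 variant bits, so only 122 of the 128 bits vary."""
    u = uuid.UUID(value)
    if u.version != 4:
        raise ValueError("not a version-4 UUID")
    return 128 - 4 - 2

def find_uuids_in_url(url: str) -> List[Tuple[str, str]]:
    """Flag UUID-shaped values in the path or query string of a request URL.
    Anything found here ends up in web-server, proxy and browser-history logs,
    which is exactly where a UUID used as a token must not appear."""
    parts = urlsplit(url)
    hits = [("path", m.group(0)) for m in UUID_RE.finditer(parts.path)]
    for key, value in parse_qsl(parts.query):
        if UUID_RE.fullmatch(value):
            hits.append((f"query:{key}", value))
    return hits

def new_api_token(entropy_bits: int = 256) -> str:
    """Opaque API token drawn from the OS CSPRNG with at least `entropy_bits`
    bits of entropy, URL-safe base64 encoded (no bits spent on version/variant)."""
    if entropy_bits < 128:
        raise ValueError("API tokens need at least 128 bits of entropy")
    return secrets.token_urlsafe((entropy_bits + 7) // 8)

def token_entropy_bits(token: str) -> int:
    """Entropy of a token from new_api_token(): 8 bits per decoded random byte."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8
```

Running find_uuids_in_url over access-log URLs is a quick way to confirm whether tokens are still being sent as GET parameters after a change.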
This is a request for enhancement.
US692398 - AUDI - Rest API UUID (122 Bit) can be used but not for security related purposes in Production
Release: 10.7
No solution or workaround available at the present time.