Authentication removed

firetail:unauthenticated-endpoints-removed

Rule Severity: High

Ensure that endpoints requiring authentication do not have their authentication removed
This rule applies at the API specification level (OAS/Swagger).
Endpoints that previously required authentication should not become accessible to the public. An API endpoint that becomes public can expose data, sensitive business flows, or other critical information about the application and its users.
An authenticated endpoint verifies the identity of the requesting entity. Endpoints can be authenticated in various ways, including API keys, bearer tokens, OAuth and HTTP basic authentication. An endpoint that requires authentication rejects requests from an unauthenticated user or application with a 401 Unauthorized status code. An unauthenticated endpoint does not require any credentials, so it is publicly accessible to anyone. In an OpenAPI document, an operation's authentication requirement is expressed through the `security` field, either on the operation itself or inherited from the top-level `security` field; deleting that requirement, or setting it to an empty array (`security: []`), declares the operation public even if the server previously enforced authentication on it.

Example Attack Scenario

Data Theft: Attackers can call the now-public endpoint without any credentials and steal sensitive data from the system. This could include personal information, financial records, or intellectual property, which can be used for identity theft or fraud.

How to Identify with Example Scenario

Compare the current API specification with its previous version and look for operations whose authentication requirement has disappeared: a `security` field that was deleted from the operation, an operation-level `security: []` that was added, or a top-level `security` requirement that was removed without the operations that inherited it receiving one of their own. Any operation that required authentication before and has an empty effective `security` requirement now is a finding for this rule.

How to Resolve with Example Scenario

Restore the authentication requirement on each affected operation by re-adding a `security` field that references a scheme declared under `components.securitySchemes` (`securityDefinitions` in Swagger 2.0), or reinstate the top-level `security` requirement so that every operation is authenticated unless it explicitly opts out. Only operations that are genuinely meant to be public, such as a health check, should carry `security: []`.
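The check and the fix described above, as an added example written for this page rather than FireTail's own rule implementation. It holds two constructed revisions of an OpenAPI 3 document inline as Python dicts (in practice these would come from `json.load` or `yaml.safe_load` of the two spec files), computes each operation's effective `security` requirement, reports operations that went from authenticated to unauthenticated, and restores the requirement on one of them. The function names, the `bearerAuth` scheme and the sample paths are assumptions.

```python
# Added example for this page (not FireTail's own rule implementation):
# detect operations whose authentication requirement was removed between two
# revisions of an OpenAPI 3 document, and restore the requirement.
# The specifications below are constructed for illustration.
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed "before" revision: a top-level `security` requirement applies to
# every operation that does not override it. /health opts out with `security: []`.
SPEC_BEFORE = {
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0.0"},
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {"get": {"summary": "Fetch a user profile",
                                "responses": {"200": {"description": "OK"}}}},
        "/invoices": {"get": {"summary": "List invoices",
                              "responses": {"200": {"description": "OK"}}}},
        "/health": {"get": {"summary": "Liveness probe", "security": [],
                            "responses": {"200": {"description": "OK"}}}},
    },
}

# Constructed "after" revision: the top-level `security` was deleted. /invoices
# kept an operation-level requirement, but /users/{id} silently became public.
SPEC_AFTER = {
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.1.0"},
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {"get": {"summary": "Fetch a user profile",
                                "responses": {"200": {"description": "OK"}}}},
        "/invoices": {"get": {"summary": "List invoices", "security": [{"bearerAuth": []}],
                              "responses": {"200": {"description": "OK"}}}},
        "/health": {"get": {"summary": "Liveness probe", "security": [],
                            "responses": {"200": {"description": "OK"}}}},
    },
}


def effective_security(spec, operation):
    """Security requirement that applies to an operation: an operation-level
    `security` overrides the top-level one, and `[]` means no requirement."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def requires_auth(spec, operation):
    """True only if at least one requirement object names a scheme. An empty
    requirement object `{}` means authentication is optional, i.e. anonymous
    access is allowed, so it does not count as requiring authentication."""
    return any(req for req in effective_security(spec, operation))


def iter_operations(spec):
    """Yield (path, METHOD, operation) for every operation, skipping path-level
    keys such as `parameters` or `summary`."""
    for path, item in spec.get("paths", {}).items():
        for key, op in item.items():
            if key.lower() in HTTP_METHODS:
                yield path, key.upper(), op


def find_auth_removed(before, after):
    """Operations that required authentication in `before` but not in `after`.
    Operations that only exist in `after` are outside this rule's scope."""
    was_authed = {(p, m): requires_auth(before, op) for p, m, op in iter_operations(before)}
    findings = []
    for path, method, op in iter_operations(after):
        if was_authed.get((path, method)) and not requires_auth(after, op):
            findings.append({
                "rule": "firetail:unauthenticated-endpoints-removed",
                "severity": "High",
                "path": path,
                "method": method,
            })
    return findings


def restore_auth(spec, path, method, scheme):
    """Resolve a finding by re-adding an operation-level requirement that
    references a scheme declared under components.securitySchemes."""
    declared = spec.get("components", {}).get("securitySchemes", {})
    if scheme not in declared:
        raise ValueError(f"security scheme {scheme!r} is not declared in components.securitySchemes")
    fixed = copy.deepcopy(spec)  # leave the caller's document untouched
    fixed["paths"][path][method.lower()]["security"] = [{scheme: []}]
    return fixed


if __name__ == "__main__":
    for f in find_auth_removed(SPEC_BEFORE, SPEC_AFTER):
        print(f"{f['severity']} {f['rule']}: {f['method']} {f['path']} no longer requires authentication")
    fixed = restore_auth(SPEC_AFTER, "/users/{id}", "GET", "bearerAuth")
    print("findings after fix:", find_auth_removed(SPEC_BEFORE, fixed))
```

Run against the two constructed revisions, the checker reports only `GET /users/{id}`: `/invoices` kept an operation-level requirement, and `/health` was already public in the earlier revision, so neither matches this rule. The comparison is on the effective requirement, not on the raw diff, which is what makes a deleted top-level `security` show up as a finding on each operation that inherited it.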