Missing global security

owasp-protection-global-safe

Type: Finding

Rule Severity: Medium

An endpoint was found that is not protected by any security scheme.

POST, PUT, PATCH, and DELETE methods can create or modify data, change the state of resources, or delete them entirely. Without proper security measures, malicious actors could use these endpoints to introduce unauthorized changes, delete important data, or compromise the integrity of an API. Unprotected API operations can also lead to data breaches, which not only harm the reputation of the affected organization but can also result in legal and financial repercussions.

By declaring security requirements, developers control who has access to these operations and under what conditions, ensuring that only authorized users can make changes and that the system remains secure and reliable. Authentication, authorization, rate limiting, and data validation are a few examples of the controls that can be applied.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure that all API operations using HTTP methods such as POST, PUT, PATCH, and DELETE are safeguarded by at least one security requirement. All non-public endpoints that can change data in a database should have a security scheme in place.

Example Attack Scenario

Unauthorized Access: Missing global security controls may allow unauthorized users or attackers to gain access to sensitive resources, functionalities, or data within the system. This could include accessing administrative interfaces, sensitive configuration files, or critical system components without proper authentication or authorization.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications.

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications.
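The following script is an added example covering both the "How to Identify" and "How to Resolve" sections above; it is not the scanner's own rule implementation. It walks an OpenAPI 3.x document (a constructed sample is embedded, so it runs offline with only the standard library), reports state-changing operations that no effective security requirement covers, and then applies the remediation of declaring a scheme and requiring it at the top level. Function names and the sample paths are hypothetical. It also handles the edge cases a reviewer should know about: an operation-level `security` field completely replaces the global one, so `security: []` (explicitly public) and `security: [{}]` (anonymous allowed) stay unprotected even after the global fix, and a requirement naming a scheme that is not declared under `components.securitySchemes` cannot be enforced and is not counted as protection.

```python
"""Added example (not the scanner's own rule implementation): find state-changing
OpenAPI operations with no effective security requirement, then apply the
remediation of adding a top-level security requirement.

Assumptions: the spec is an OpenAPI 3.x document loaded as a dict (a constructed
sample is embedded below); function names are hypothetical.
"""
import json

# HTTP methods that can create, modify or delete resources.
MUTATING_METHODS = {"post", "put", "patch", "delete"}


def declared_schemes(spec):
    """Names of security schemes declared under components.securitySchemes."""
    return set(spec.get("components", {}).get("securitySchemes", {}))


def is_protected(requirements, declared):
    """True if a security requirement list actually protects an operation.

    A requirement list is an OR over requirement objects; each object is an AND
    over scheme names.  An absent list (None) or an empty list means no security;
    an empty object {} means anonymous access is allowed; a name that is not
    declared under components cannot be enforced, so it does not count.
    """
    if not requirements:
        return False
    return any(req and all(name in declared for name in req) for req in requirements)


def unprotected_operations(spec):
    """Return sorted (METHOD, path) pairs for mutating operations that are unprotected.

    OpenAPI resolution: an operation-level `security` field, when present,
    completely replaces the top-level one, so `security: []` on an operation
    makes it public even when global security is set.
    """
    declared = declared_schemes(spec)
    global_security = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Skip path-level keys such as "parameters" or "summary".
            if method.lower() not in MUTATING_METHODS or not isinstance(op, dict):
                continue
            effective = op["security"] if "security" in op else global_security
            if not is_protected(effective, declared):
                findings.append((method.upper(), path))
    return sorted(findings)


def add_global_security(spec, scheme_name="bearerAuth"):
    """Remediation: declare a bearer-token scheme and require it at the top level.

    Returns a new spec; operations that explicitly override `security` are left
    as they are, so a deliberate `security: []` still needs a manual review.
    """
    fixed = json.loads(json.dumps(spec))  # deep copy via JSON round-trip
    schemes = fixed.setdefault("components", {}).setdefault("securitySchemes", {})
    schemes[scheme_name] = {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
    fixed["security"] = [{scheme_name: []}]
    return fixed


# Constructed sample specification: no top-level `security`, one declared scheme.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Items API (constructed sample)", "version": "1.0.0"},
    "components": {
        "securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}
    },
    "paths": {
        "/items": {
            "get": {"summary": "List items"},    # read-only: outside this rule's scope
            "post": {"summary": "Create item"},  # inherits absent global security -> finding
        },
        "/items/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "put": {"summary": "Replace item", "security": [{}]},   # anonymous allowed -> finding
            "patch": {"summary": "Update item", "security": []},    # explicitly public -> finding
            "delete": {"summary": "Delete item", "security": [{"apiKey": []}]},  # protected -> ok
        },
    },
}


if __name__ == "__main__":
    print("Before remediation:", unprotected_operations(SAMPLE_SPEC))
    print("After remediation: ", unprotected_operations(add_global_security(SAMPLE_SPEC)))
```

Running the script shows three findings before the fix (PATCH, POST and PUT) and two after it: adding the global requirement protects POST /items, which inherited nothing, but the PUT and PATCH operations keep their explicit operation-level overrides and must be reviewed by hand, either by removing the override so they inherit the global requirement or by confirming they are intentionally public.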