Security Test: Authenticated route bypass
Description
Default Severity:
Authenticated route bypass happens when a part of an application that should be protected from unauthorized access is left open due to flaws in its authentication process. Instead of properly checking if a user is allowed to access sensitive data or perform certain actions, the system mistakenly lets anyone through. This oversight can allow attackers to access restricted areas, steal data, or manipulate functionality they shouldn’t be able to. Often, such vulnerabilities arise from misconfigured security checks, overlooked edge cases, or inconsistent token validations. Developers need to ensure every path and endpoint is thoroughly protected, consistently checking credentials to prevent unintended access.
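The root causes named above, protection that is opt-in per route and inconsistent credential checks, are easiest to see side by side. The following is an added example, not code from this page or from the scanner: a hypothetical minimal dispatcher with the opt-in pattern beside a deny-by-default version; the route names, the sample token and the lower-cased header keys are assumptions.

```python
"""Hypothetical request dispatcher: opt-in route protection vs deny-by-default."""
import hmac
import posixpath

# Constructed sample data: one valid bearer token mapped to a user.
VALID_TOKENS = {"tok-alice-123": "alice"}


def _user_for(headers):
    """Return the user for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    for known, user in VALID_TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            return user
    return None


# Vulnerable pattern: every route must remember to ask for the check.
VULN_ROUTES = {
    "/login": ("public", lambda user: "login form"),
    "/admin/users": ("auth", lambda user: f"users (as {user})"),
    "/admin/export": ("unset", lambda user: "all records"),  # nobody marked it "auth"
}


def vulnerable_dispatch(path, headers):
    kind, handler = VULN_ROUTES.get(path, (None, None))
    if handler is None:
        return 404, "not found"
    if kind == "auth":
        user = _user_for(headers)
        if user is None:
            return 401, "unauthorized"
        return 200, handler(user)
    return 200, handler(None)  # "public" and the forgotten "unset" route both fall through


# Hardened pattern: authenticate first, for every path, unless it is explicitly public.
PUBLIC_PATHS = frozenset({"/login", "/health"})
SAFE_ROUTES = {
    "/login": lambda user: "login form",
    "/health": lambda user: "ok",
    "/admin/users": lambda user: f"users (as {user})",
    "/admin/export": lambda user: f"all records (as {user})",
}


def hardened_dispatch(path, headers):
    # Canonicalise before matching so "/admin/export/" or "/admin//export" meet the same rule.
    canonical = posixpath.normpath("/" + path.lstrip("/"))
    user = None
    if canonical not in PUBLIC_PATHS:
        user = _user_for(headers)
        if user is None:
            return 401, "unauthorized"  # decided before route lookup, so unknown paths leak nothing
    handler = SAFE_ROUTES.get(canonical)
    return (200, handler(user)) if handler else (404, "not found")
```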
Configuration
Identifier:
access_control/auth_bypass
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API2:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 285 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVSS Score | 6.5 |