Security Test: Private fields
Description
Default Severity:
Private fields are meant to be hidden from outside access, but a common vulnerability arises when they're accidentally exposed—either through misconfigured access settings or insecure serialization. This means that internal, private data that's supposed to stay hidden could be read or modified by unauthorized users, opening the door to data leaks, privilege escalation, or unwanted side effects on application behavior. Developers often fall into the trap of using insecure defaults or overly trusting naming conventions without proper access controls, which can lead to serious security oversights if left unaddressed.
Reference:
Configuration
Identifier: access_control/private_fields
Examples
All configuration available:

```yaml
checks:
  access_control/private_fields:
    skip: false # default
    parameters:
      __user: # cf. Parameters below
      rules: # cf. Parameters below
    options:
      empty_values_are_positive: false # default
```
GraphQL: Accessibility of private objects in a GraphQL API for unauthenticated users.

```yaml
checks:
  access_control/private_fields:
    public: # Triggering on a "users" object key
      Query: # Object name
        - getUsersById # Field name
        - getAllUsers # The public user is not supposed to have access to the "getUsersById" and "getAllUsers" queries.
      User: # Object name
        - id # The public user is not supposed to have access to the "id" field of the "User" object
```
REST: Ensure user some-user cannot access the routes GET /admin and PUT /user/role/{roleId}

```yaml
checks:
  AccessControl_PrivateFields:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /admin
            - method: GET
              path: /admin/.* # Regex are supported
            - method: PUT
              path: /user/role/{roleId}
```
REST: Ensure user some-user cannot access the fields email and credentials.apiKey on route GET /admin

```yaml
checks:
  AccessControl_PrivateFields:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /admin
              fields:
                - email
                - credentials.apiKey
```
REST: Ensure user some-user cannot access a field admin-* on route GET /admin

```yaml
checks:
  AccessControl_PrivateFields:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /admin
              fields:
                - admin-*
```
Parameters
Parameters can be set in the parameters key of the Security Test Configuration.

Property | Type | Default | Description |
---|---|---|---|
__user | ObjectRefParameters1 | | |
rules | List[ObjectRefRules2] | | (For REST) The list of private fields rules to check during a scan. |
ObjectRefItems3

Property | Type | Default | Description |
---|---|---|---|
fields * | List[string] | | A list of fields of the object to control. Nested fields are written in dot notation: for instance, user.id represents the id field of the user field of the response. |
method * | EnumRefMethod4 | | |
path * | string | | The path of the route to control, compliant with the OpenAPI route format. See swagger.io |
ObjectRefParameters1

Property | Type | Default | Description |
---|---|---|---|
additionalProperties | List[string] | | Additional properties are allowed |
ObjectRefRules2

Property | Type | Default | Description |
---|---|---|---|
routes * | List[ObjectRefItems3] | | |
user * | string | | The user on which the rule applies. |
EnumRefMethod4

Value |
---|
GET |
POST |
PUT |
DELETE |
PATCH |
HEAD |
OPTIONS |
TRACE |
CONNECT |
Options
Options can be set in the options key of the Security Test Configuration.

Property | Type | Default | Description |
---|---|---|---|
empty_values_are_positive | boolean | false | Whether a field is considered successfully accessed when the API returns a None value for it without an error. |
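Added example, not the scanner's own code: a Python model of how a REST rule like the ones above is evaluated against recorded responses, covering OpenAPI {param} and regex paths, dot-notation and wildcard fields, and the empty_values_are_positive option. The rules, the observation records and the function names (route_matches, walk, exposed_fields, evaluate) are constructed for this example.

```python
import fnmatch
import re
RULES = [{"user": "some-user", "routes": [  # constructed, mirrors the REST examples above
    {"method": "GET", "path": "/admin", "fields": ["email", "credentials.apiKey"]},
    {"method": "GET", "path": "/admin/.*"},
    {"method": "PUT", "path": "/user/role/{roleId}"}]}]
OBSERVATIONS = [  # constructed scanner records: (user, method, path, status, JSON body)
    ("some-user", "GET", "/admin", 200, {"email": "a@example.test", "credentials": {"apiKey": None}}),
    ("some-user", "GET", "/admin/audit", 403, {"error": "forbidden"}),
    ("some-user", "PUT", "/user/role/42", 200, {"ok": True}),
    ("admin", "GET", "/admin", 200, {"email": "root@example.test", "credentials": {"apiKey": "k"}})]

def route_matches(rule_path, actual_path):
    """OpenAPI {params} match one path segment; the rest is a regex (the docs allow /admin/.*)."""
    pattern = re.sub(r"\{[^/}]+\}", r"[^/]+", rule_path)
    return re.fullmatch(pattern, actual_path) is not None

def walk(node, prefix=""):
    """Yield (dotted path, value) for every key in a JSON body; list items share their parent's path."""
    if isinstance(node, dict):
        for key, val in node.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path, val
            yield from walk(val, path)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, prefix)

def exposed_fields(body, fields, empty_values_are_positive=False):
    """Field patterns (dot paths, * wildcards such as admin-*) found in the body; a field whose
    only values are None counts only when empty_values_are_positive is set."""
    present = {}
    for path, val in walk(body):
        present[path] = present.get(path, False) or val is not None
    return [p for p in fields if any(fnmatch.fnmatchcase(path, p) and (empty_values_are_positive or found)
                                     for path, found in present.items())]

def evaluate(rules, observations, empty_values_are_positive=False):
    """A rule fails when its user gets a 2xx on a private route and, if the route lists fields,
    at least one of them is present in the response."""
    findings = []
    for rule in rules:
        for route in rule["routes"]:
            for user, method, path, status, body in observations:
                if (user, method) != (rule["user"], route["method"]) or not route_matches(route["path"], path):
                    continue
                hits = exposed_fields(body, route.get("fields", []), empty_values_are_positive)
                if 200 <= status < 300 and (hits or "fields" not in route):
                    findings.append({"user": user, "method": method, "path": path, "fields": hits})
    return findings
```

With the constructed records, the GET /admin finding lists only email, because credentials.apiKey came back as None; setting empty_values_are_positive to True reports both.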
Compliance and Standards

Standard | Value |
---|---|
OWASP API Top 10 | API1:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 7.1 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.18.1 |
NIST | SP800-53 |
FedRAMP | AC-6 |
CWE | 284 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 5.1 |