Security Test: Public state-altering operation¶

Description¶

Default Severity:

If a route that changes data is public, anyone can trigger changes without proper checks. This means an attacker might alter or delete data, inject malicious information, or cause unexpected behavior in your application. The vulnerability arises when state-altering operations, like data updates or deletions, aren’t protected by authentication, leaving your system open to abuse. Developers often overlook that securing just the read operations isn’t enough, which can lead to serious security breaches, data loss, and a loss of trust if attackers exploit these unguarded endpoints.

Reference:

https://owasp.org/Top10/A01_2021-Broken_Access_Control/

Configuration¶

Identifier: access_control/public_state_altering_operation

Examples¶

All configuration available:

checks:
  access_control/public_state_altering_operation:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API5:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-6`
CWE	`306`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C`
CVSS Score	`8.7`