Security Test: Arbitrary Token Scope Injection¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

Arbitrary Token Scope Injection happens when an attacker tricks your system into adding arbitrary scopes to a token. This allows them to access resources that they shouldn't be able to access.

Reference:

https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema

Configuration¶

Identifier: injection/arbitrary_token_scope

Examples¶

All configuration available:

checks:
  injection/arbitrary_token_scope:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API5:2023
PCI DSS	`7.1`
GDPR	`Article-25`
SOC2	`CC6.1`
PSD2	`Article-5`
ISO 27001	`A.9.1.2`
NIST	`AC-6`
FedRAMP	`AC-2(7)`
CWE	`284`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C`
CVSS Score	`8.6`