Security Test: Excessive Browser Permissions¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
When a website unnecessarily grants access to special browser features or APIs to everyone, it can open the door to misuse. Instead of carefully limiting what parts of a browser an attacker or even third-party content should be able to access, developers might accidentally leave the door wide open for unwanted access to sensitive tools like the camera, microphone, or location services. This vulnerability happens when too many permissions are granted without proper oversight, increasing the risk of abuse or data breaches. Essentially, if left unaddressed, attackers could use these permissions to collect information or perform actions on behalf of users, which could lead to serious privacy and security issues. Developers need to watch out for the temptation to enable features by default and instead carefully choose what truly needs to be available to maintain a secure environment.
Configuration¶
Identifier:
frontend_configuration/excessive_browser_permissions
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API6:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.2 |
| GDPR | Article-25 |
| SOC2 | CC6 |
| PSD2 | Article-96 |
| ISO 27001 | A.12.7 |
| NIST | SP800-53 |
| FedRAMP | SC-18 |
| CWE | 732 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVSS Score | 3.0 |