
Access Control: Private fields

Identifier: private_fields

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

Private fields are meant to be hidden from outside access, but a common vulnerability arises when they are accidentally exposed, either through misconfigured access settings or insecure serialization. Internal data that should stay hidden can then be read or modified by unauthorized users, opening the door to data leaks, privilege escalation, or unwanted side effects on application behavior. Developers often rely on insecure defaults or trust a naming convention (such as a leading underscore) instead of enforcing access controls, which leads to serious security oversights if left unaddressed.
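As an added illustration (example code, not part of the scanner or of this page), the following Python shows both failure modes the description names: a serializer that trusts a naming convention and leaks a field intended to be private, and an update handler that lets a client write any field it names, each next to a hardened version that enforces an explicit allowlist. The User class, its field names and the sample values are assumptions made up for the example.

```python
"""Private-field exposure through naive serialization and mass assignment.

Added example, not the scanner's code. The User class, field names and
sample values below are constructed for illustration.
"""
import json
from dataclasses import asdict, dataclass, field


@dataclass
class User:
    id: int
    email: str
    role: str = "user"
    # "Private" by naming convention only: nothing enforces it.
    _password_hash: str = field(default="", repr=False)


# Vulnerable: dumping the whole object trusts the underscore convention,
# but asdict() serialises every field, including _password_hash.
def serialize_naive(user: User) -> str:
    return json.dumps(asdict(user))


# Hardened: only an explicit allowlist of public fields is ever emitted.
PUBLIC_FIELDS = ("id", "email", "role")


def serialize_safe(user: User) -> str:
    return json.dumps({name: getattr(user, name) for name in PUBLIC_FIELDS})


# Vulnerable: mass assignment lets the client set any attribute,
# so a request body of {"role": "admin"} escalates privilege.
def update_naive(user: User, payload: dict) -> User:
    for name, value in payload.items():
        setattr(user, name, value)
    return user


# Hardened: reject any field outside the client-writable set
# instead of silently applying it.
WRITABLE_FIELDS = frozenset({"email"})


def update_safe(user: User, payload: dict) -> User:
    rejected = set(payload) - WRITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    for name, value in payload.items():
        setattr(user, name, value)
    return user


def leaked_fields(serialized: str) -> set:
    """Field names present in a JSON body that are not in the public allowlist.

    This is the kind of comparison a scanner makes: response keys versus
    the fields the API is supposed to expose.
    """
    return set(json.loads(serialized)) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    alice = User(1, "alice@example.test", "user", "$argon2id$constructed-hash")
    print("naive leak:", leaked_fields(serialize_naive(alice)))   # {'_password_hash'}
    print("safe leak: ", leaked_fields(serialize_safe(alice)))    # set()
    print("naive role:", update_naive(alice, {"role": "admin"}).role)  # admin
    try:
        update_safe(alice, {"role": "admin"})
    except ValueError as exc:
        print("safe update rejected:", exc)
```

The allowlist approach is the one to generalise: decide per operation which fields a caller may read and which it may write, and make anything not on the list fail closed rather than fall through.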

References:

Configuration

Example

Example configuration:

---
security_tests:
  private_fields:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false
    users:
      Alice:
      - createTransaction
      Bob:
      - createUser
      - updateUser

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.

users

Type : Dict[string, List[string]]

Mapping of users to operations that should be off-limits for them.

By default, the public user is the unauthenticated user, i.e. a client making requests without any credentials.

For example, if you want to ensure that Alice cannot execute createTransaction and Bob cannot execute createUser or updateUser:

---
security_tests:
  private_fields:
    users:
      Alice:
      - createTransaction
      Bob:
      - createUser
      - updateUser