Access Control: Public state-altering operation
Identifier:
public_state_altering_operation
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
If a route that changes data is public, anyone can trigger changes without proper checks. This means an attacker might alter or delete data, inject malicious information, or cause unexpected behavior in your application. The vulnerability arises when state-altering operations, like data updates or deletions, aren't protected by authentication, leaving your system open to abuse. Developers often overlook that securing just the read operations isn't enough, which can lead to serious security breaches, data loss, and a loss of trust if attackers exploit these unguarded endpoints.
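As an added illustration (not the scanner's own code), the following toy REST dispatcher shows the vulnerable form, where a DELETE route runs with no authentication, next to the hardened form that gates every non-safe method, together with a probe that flags public writes the way this check does; the store contents, token, paths and route list are constructed.

```python
# Added example (not the scanner's code); tokens, paths and routes are constructed.
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods; everything else alters state
VALID_TOKENS = {"tok-alice-123"}            # constructed credential store

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def is_authenticated(req: Request) -> bool:
    auth = req.headers.get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_TOKENS

def make_app(store: dict, gate_writes: bool):
    """Return a request handler over `store`. With gate_writes=False the DELETE
    route is public (the vulnerable form); with True it demands a valid token."""
    def app(req: Request) -> tuple[int, str]:
        if gate_writes and req.method not in SAFE_METHODS and not is_authenticated(req):
            return 401, "authentication required"
        if req.method == "GET" and req.path == "/items":
            return 200, ",".join(sorted(store))
        if req.method == "DELETE" and req.path == "/items":
            store.clear()                      # state-altering operation
            return 204, ""
        return 404, "not found"
    return app

def find_public_writes(app, routes) -> list[str]:
    """Probe every non-safe route with no credentials; anything not refused with 401/403
    is a public state-altering operation. The probes really execute the writes, so use test data."""
    findings = []
    for method, path in routes:
        if method in SAFE_METHODS:
            continue
        status, _ = app(Request(method, path))
        if status not in (401, 403):
            findings.append(f"{method} {path}")
    return findings

ROUTES = [("GET", "/items"), ("DELETE", "/items")]
if __name__ == "__main__":
    vulnerable = make_app({"1": "widget"}, gate_writes=False)
    hardened = make_app({"1": "widget"}, gate_writes=True)
    print("vulnerable:", find_public_writes(vulnerable, ROUTES))  # ['DELETE /items']
    print("hardened:  ", find_public_writes(hardened, ROUTES))    # []
```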
References:
Configuration
Example
Example configuration:
---
security_tests:
  public_state_altering_operation:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
Reference
assets_allowed
Type : List[AssetType]
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.