
Access Control: Private data

Identifier: private_data

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

Private data may be accessible to unauthorized users due to misconfigured access controls or authorization rules, potentially leading to privacy breaches or identity theft.

How we test: We replay requests under each configured user context (including the unauthenticated public user) and inspect every response for the regex patterns configured for that user. A match means data that belongs to another user is reachable from that context, which indicates an access-control failure. The user-to-data mappings and regex patterns come from the configuration below.

Configuration

Example

Example configuration:

---
security_tests:
  private_data:
    skip: false
    users:
      Alice:
      - bob@example.com
      Bob:
      - alice@example.com
      public:
      - .*@example.com

Reference

skip

Type : boolean

Skip the test if true.

users

Type : Dict[string, List[string]]

Mapping of users to regex patterns that must never match in the responses returned to that user. Each entry is a regular expression, not a literal string, so an unescaped `.` matches any character and an unanchored `.*` matches greedily; escape or anchor patterns when you need an exact match.

The public user is, by default, the unauthenticated user, so its patterns describe data that must never be visible without logging in.

For example, to ensure that Alice never sees Bob's email, Bob never sees Alice's, and no @example.com address is exposed to unauthenticated requests:

---
security_tests:
  private_data:
    users:
      Alice:
      - bob@example.com
      Bob:
      - alice@example.com
      public:
      - .*@example.com
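The check described under "How we test", as an added example that is not part of the original page or of the scanner's own code: it loads the users mapping from the configuration above (held as a Python dict rather than parsed from YAML so the example runs offline), replays a constructed set of per-user responses, and reports every response in which a user's forbidden pattern matches. The endpoints, response bodies, and the helper names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed configuration mirroring the page's example (public = unauthenticated).
CONFIG = {
    "security_tests": {
        "private_data": {
            "skip": False,
            "users": {
                "Alice": ["bob@example.com"],
                "Bob": ["alice@example.com"],
                "public": [".*@example.com"],
            },
        }
    }
}

# Constructed responses: (request, body) pairs observed under each user context.
# The endpoints and bodies are made up for this example.
RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    "Alice": [
        ("GET /api/me", '{"email":"alice@example.com"}'),
        ("GET /api/users/2", '{"email":"bob@example.com"}'),  # Bob's data leaks to Alice
    ],
    "Bob": [
        ("GET /api/me", '{"email":"bob@example.com"}'),
        ("GET /api/users/1", '{"error":"forbidden"}'),  # correctly denied
    ],
    "public": [
        ("GET /api/users", '{"users":[{"email":"alice@example.com"}]}'),  # leaks without auth
        ("GET /api/health", '{"status":"ok"}'),
    ],
}


def compile_rules(config: dict) -> Dict[str, List[re.Pattern]]:
    """Compile each user's forbidden patterns; an empty mapping means the test is skipped."""
    test = config["security_tests"]["private_data"]
    if test.get("skip", False):
        return {}
    # Patterns are regexes as written in the config: an unescaped '.' matches any character.
    return {user: [re.compile(p) for p in pats] for user, pats in test.get("users", {}).items()}


def find_leaks(config: dict, responses: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Return one finding per (user, request, pattern) whose pattern matched that user's response."""
    findings = []
    for user, patterns in compile_rules(config).items():
        for request, body in responses.get(user, []):
            for pat in patterns:
                m = pat.search(body)
                if m:
                    findings.append({
                        "user": user,
                        "request": request,
                        "pattern": pat.pattern,
                        "match": m.group(0),
                    })
    return findings


def with_skip(config: dict, skip: bool) -> dict:
    """Return a copy of the config with private_data.skip set, leaving the original untouched."""
    test = dict(config["security_tests"]["private_data"], skip=skip)
    return {"security_tests": {"private_data": test}}


if __name__ == "__main__":
    for f in find_leaks(CONFIG, RESPONSES):
        print(f"{f['user']:7} {f['request']:18} matched /{f['pattern']}/ -> {f['match']}")
```

Running it flags two leaks: Alice's request for user 2 returned Bob's address, and the unauthenticated listing exposed Alice's. Bob's denied request produces nothing, as expected. Note how the page's `.*@example.com` pattern matches greedily from the start of the body; a bounded form such as `[^"\s]+@example\.com` reports just the address.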