Public state-altering operation
Description
Any route that mutates application data should not be publicly reachable. DELETE, POST and PUT requests, as well as GraphQL mutations, should sit behind an authentication middleware so that unauthenticated clients cannot alter state.
Remediation
Restrict access to the route, for example by placing an authentication middleware in front of it, so that a request with no valid credentials is rejected before the handler runs.
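The following is an added, framework-agnostic example (not Escape's code and not tied to any particular web framework) of what this check is looking for and how the remediation works. It builds a tiny in-memory app twice: once with state-changing routes and GraphQL mutations left public, and once with an authentication middleware in front of them. It also includes a small self-check, written for a CI test suite, that sends every state-changing route an anonymous request and reports those that do not answer 401. The session store, token `tok-alice`, the `/items` and `/graphql` routes, and the minimal `isMutation` detection are all constructed assumptions for the example.

```javascript
// Added example, not Escape's code: an authentication middleware in front of
// state-changing routes and GraphQL mutations, plus a self-check that reports
// any mutation route still reachable without credentials.
// Tokens, users, routes and request bodies below are constructed for the example.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Constructed session store: bearer token -> user.
const SESSIONS = new Map([['tok-alice', { id: 1, name: 'alice' }]]);

// Authentication middleware. Returns a 401 response when the request carries
// no valid bearer token, or null to let the request continue (req.user is set).
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : '';
  const user = SESSIONS.get(token);
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  req.user = user;
  return null;
}

// Wraps a route handler so the middleware runs before it.
const requireAuth = (handler) => (req) => authenticate(req) || handler(req);

// Hypothetical minimal detection of a GraphQL mutation document (not a full
// parser): the operation keyword at the start of the document is `mutation`.
const isMutation = (query) => /^\s*mutation\b/.test(query || '');

// Builds a tiny app. protectMutations=false reproduces the finding this check
// reports; protectMutations=true is the remediated configuration.
function createApp({ protectMutations }) {
  const items = new Map([[1, 'first']]);
  const guard = protectMutations ? requireAuth : (h) => h;

  // GraphQL endpoint: queries stay public, mutations require authentication
  // when protectMutations is on. Constructed resolvers: any mutation deletes
  // item 1, any query lists the items.
  const graphql = (req) => {
    if (protectMutations && isMutation(req.body.query)) {
      const denied = authenticate(req);
      if (denied) return denied;
    }
    if (isMutation(req.body.query)) {
      items.delete(1);
      return { status: 200, body: { data: { deleteItem: true } } };
    }
    return { status: 200, body: { data: { items: [...items.values()] } } };
  };

  const routes = {
    'GET /items': () => ({ status: 200, body: [...items.values()] }),
    'POST /items': guard((req) => {
      items.set(items.size + 1, req.body.name);
      return { status: 201, body: {} };
    }),
    'DELETE /items': guard((req) => {
      items.delete(Number(req.body.id));
      return { status: 204, body: {} };
    }),
    'POST /graphql': graphql,
  };

  const handle = (req) => {
    const route = routes[`${req.method} ${req.path}`];
    return route ? route(req) : { status: 404, body: {} };
  };
  return { routes, handle, items };
}

// Self-check for a test suite: probe every state-changing route anonymously and
// return those that do not answer 401. The /graphql probe is a mutation document,
// so a public query endpoint is not flagged. Probes can mutate state, so run this
// against a disposable test instance, never production data.
function findPublicMutations(app) {
  const findings = [];
  for (const key of Object.keys(app.routes)) {
    const [method, path] = key.split(' ');
    if (!STATE_CHANGING.has(method)) continue;
    const body = path === '/graphql'
      ? { query: 'mutation { deleteItem(id: 1) }' }
      : { name: 'probe', id: 999 };
    const res = app.handle({ method, path, headers: {}, body });
    if (res.status !== 401) findings.push(key);
  }
  return findings;
}

const vulnerable = createApp({ protectMutations: false });
const hardened = createApp({ protectMutations: true });
console.log('public mutation routes (vulnerable):', findPublicMutations(vulnerable));
console.log('public mutation routes (hardened):', findPublicMutations(hardened));
console.log('authenticated POST on hardened app:', hardened.handle({
  method: 'POST', path: '/items',
  headers: { authorization: 'Bearer tok-alice' }, body: { name: 'second' },
}).status);
```

In a real framework the `guard` wrapper corresponds to registering the middleware before the handler (for example `app.post('/items', requireAuth, handler)` in Express-style routers); the important property is that the credential check runs for every state-changing method and for every GraphQL mutation, not only for the routes someone remembered to protect. The `findPublicMutations` self-check is the defensive counterpart of this Escape check: it fails the build as soon as a new mutation route is added without the middleware.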
Configuration
Identifier: access_control/public_mutation_endpoint
Examples
Ignore this check
{
  "checks": {
    "access_control/public_mutation_endpoint": {
      "skip": true
    }
  }
}
Score
- Escape Severity: MEDIUM
- OWASP: API5:2023
- PCI DSS: 6.5.8
- CWE: 200, 264, 275, 284, 285
- WASC: WASC-02
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 8.7