
Public state-altering operation

Description

Any route that mutates application data should not be reachable without authentication. In practice that means REST CREATE, UPDATE and DELETE requests (POST, PUT, PATCH, DELETE) and every GraphQL mutation should sit behind an authentication middleware; read operations (GET, GraphQL queries) may be public only when the data itself is public. An unauthenticated client that can alter state can create, overwrite or destroy records belonging to other users.

Remediation

Restrict access to the route, using an authentication middleware for example.

GraphQL Specific

Apollo

Ensure that all mutations in Apollo Server are protected by authentication. Use context to share authentication state and apply checks before resolving operations.
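The pattern above, as an added example that is not Apollo's own code or code from this page: an Apollo-style per-request context factory that resolves the caller from the Authorization header, plus a requireAuth() wrapper applied to every resolver on the Mutation type so a newly added mutation cannot be forgotten. The session table and the execute() driver are constructed stand-ins for real token verification and for Apollo's request pipeline; no @apollo/server import is needed to run it.

```javascript
// Constructed session table standing in for JWT/session verification.
const SESSIONS = { 'tok-alice': { id: 1, name: 'alice' } };

// Mirrors the shape of Apollo Server's `context: async ({ req }) => ({ ... })`
// option: resolve the user (or null) here, and never throw, so that public
// queries keep working and the decision is made per resolver.
function buildContext({ headers }) {
  const [scheme, token] = (headers.authorization || '').split(' ');
  const user = scheme === 'Bearer' && SESSIONS[token] ? SESSIONS[token] : null;
  return { user };
}

// Same error shape Apollo clients expect: extensions.code = UNAUTHENTICATED.
class AuthenticationError extends Error {
  constructor() {
    super('Not authenticated');
    this.extensions = { code: 'UNAUTHENTICATED' };
  }
}

// Wrap a single resolver so it refuses to run without an authenticated user.
function requireAuth(resolver) {
  return (parent, args, ctx, info) => {
    if (!ctx.user) throw new AuthenticationError();
    return resolver(parent, args, ctx, info);
  };
}

// Guard the whole Mutation type at once; adding a mutation later is still safe.
function protectMutations(resolvers) {
  const guarded = {};
  for (const [name, fn] of Object.entries(resolvers.Mutation || {})) {
    guarded[name] = requireAuth(fn);
  }
  return { ...resolvers, Mutation: guarded };
}

const posts = []; // in-memory store for the example
const resolvers = protectMutations({
  Query: { posts: () => posts },
  Mutation: {
    createPost: (_parent, { title }, ctx) => {
      const post = { id: posts.length + 1, title, author: ctx.user.name };
      posts.push(post);
      return post;
    },
  },
});

// Stand-in for Apollo's request handling: build the context for this request,
// then invoke the (guarded) mutation resolver.
function execute(headers, field, args) {
  const ctx = buildContext({ headers });
  return resolvers.Mutation[field](null, args, ctx, {});
}
```

Keep the check in the resolver layer (or a schema plugin that wraps Mutation fields) rather than only in the context function: a context function that throws blocks public queries too, while a resolver-level guard lets you decide per field.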

Yoga

In GraphQL Yoga, use middleware to verify authentication before processing mutations. Apply authentication checks within the context or resolver middleware.

AWS AppSync

For AWS AppSync, set the API's authorization mode to AWS_IAM, Amazon Cognito User Pools, OpenID Connect or a Lambda authorizer rather than API_KEY, since an API key only identifies the calling app and leaves mutations effectively public. Use the schema directives (for example @aws_iam or @aws_cognito_user_pools) to restrict Mutation fields when the API allows several modes, and attach least-privilege policies to the IAM roles or Cognito groups that are allowed to mutate.

GraphQL-Go

In GraphQL-Go, protect your mutations by implementing authentication logic within the resolver functions. Use context to pass authenticated user information.

GraphQL-Ruby

In GraphQL-Ruby, a before_action in the GraphqlController protects the whole endpoint, queries included; to restrict only mutations, implement the ready? or authorized? hooks in your mutation classes (or a base mutation class they inherit from) and reject calls whose context has no current user.

Hasura

With Hasura, use the webhook or JWT authentication mode so every request is mapped to a role, and configure insert, update and delete permissions per role in the Hasura Console. If an unauthorized role is configured (HASURA_GRAPHQL_UNAUTHORIZED_ROLE), make sure it has no mutation permissions on any table.

REST Specific

Asp.net

In ASP.NET, use the [Authorize] attribute on the controllers or actions that mutate data, or set a fallback authorization policy that requires an authenticated user for every endpoint and opt public endpoints out explicitly. Audit any [AllowAnonymous] usage, because it overrides [Authorize] on the same controller.

Ruby on rails

In Ruby on Rails, use before_action in your controller to require authentication for mutating actions. Utilize current_user to check for authenticated users.

Next.js

In Next.js, perform server-side authentication checks before processing POST, PUT, PATCH or DELETE requests in API routes and route handlers. Server Actions are public POST endpoints as well, so each action must verify the session itself rather than relying on the page that renders it.

Laravel

In Laravel, use middleware to protect routes that mutate data. Apply the 'auth' middleware to routes or route groups.

Express.js

In Express.js, use middleware functions to authenticate requests before processing POST, PUT, or DELETE routes.
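The middleware described above, as an added example (not code from this page or from Express): a deny-by-default middleware with Express's (req, res, next) signature that rejects any unauthenticated request using a state-changing HTTP method while leaving safe methods alone. It is driven through a minimal stand-in for an Express app so it runs without express installed; the session table and the request objects are constructed.

```javascript
// Constructed session table standing in for real token/session verification.
const SESSIONS = new Map([['tok-alice', { id: 1, name: 'alice' }]]);

// RFC 9110 safe methods; everything else is treated as state-changing.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Resolve the caller from a Bearer token and attach req.user when valid.
function authenticate(req, _res, next) {
  const [scheme, token] = (req.headers.authorization || '').split(' ');
  if (scheme === 'Bearer' && SESSIONS.has(token)) req.user = SESSIONS.get(token);
  next();
}

// Deny-by-default for every non-safe method. Registered with app.use() before
// the routes, it covers an app.post()/app.delete() that nobody remembered to
// guard individually.
function requireAuthForWrites(req, res, next) {
  if (SAFE_METHODS.has(req.method.toUpperCase()) || req.user) return next();
  res.status(401).json({ error: 'authentication required' });
}

// Minimal stand-in for an Express app: runs the middleware chain in order,
// then the matching route handler. Returns the response for inspection.
function createApp(middlewares, routes) {
  return function handle(req) {
    const res = {
      statusCode: 200,
      body: undefined,
      status(code) { this.statusCode = code; return this; },
      json(body) { this.body = body; return this; },
    };
    let i = 0;
    const next = () => {
      if (i < middlewares.length) return middlewares[i++](req, res, next);
      const handler = routes[`${req.method.toUpperCase()} ${req.path}`];
      if (!handler) return res.status(404).json({ error: 'not found' });
      handler(req, res);
    };
    next();
    return res;
  };
}

const items = []; // in-memory store for the example
const app = createApp([authenticate, requireAuthForWrites], {
  'GET /items': (_req, res) => res.json(items),
  'POST /items': (req, res) => {
    const item = { id: items.length + 1, name: req.body.name, owner: req.user.name };
    items.push(item);
    res.status(201).json(item);
  },
  'DELETE /items': (_req, res) => {
    items.length = 0;
    res.status(204).json(null);
  },
});
```

In a real application the equivalent is app.use(authenticate) followed by app.use(requireAuthForWrites) before any route definitions; ordering matters, since a route registered earlier is not covered. Method-based gating is the minimal fix; where reads are also private, require authentication for every route and whitelist the public ones explicitly.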

Django

In Django, use the @login_required decorator on function-based views, LoginRequiredMixin on class-based views, or a custom decorator to protect views that perform state changes. With Django REST Framework, set permission_classes (for example IsAuthenticated) on the view or as a project-wide default.

Symfony

In Symfony, secure your controllers with access_control rules in security.yaml (matching on path and, where needed, HTTP method) or use the #[IsGranted] attribute on controllers or actions to require an authenticated user for routes that mutate data.

Spring boot

In Spring Boot, secure your endpoints using Spring Security. Configure HttpSecurity to require authentication for mutating HTTP methods.

Flask

In Flask, use the @login_required decorator from Flask-Login or a custom decorator to protect your mutating routes.

Nuxt

In Nuxt.js, use middleware to check for authentication on server-side routes or API calls that mutate data.

Configuration

Identifier: access_control/public_state_altering_operation

Examples

Ignore this check

{
"checks": {
"access_control/public_state_altering_operation": {
"skip": true
}
}
}

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API5:2023
  • pci: 6.5.8
  • gdpr: Article-32
  • soc2: CC6.1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-6

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 8.7
