Findings

Authentication removed

Updated: June 19, 2025

Description

Severity: Critical

An endpoint that previously required authentication has been changed to no longer require authentication.

This rule applies at the API Specification level (OAS/Swagger).
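As an added illustration of what a specification-level check for this rule looks like (example code written for this page, not the platform's own rule engine), the following compares two OpenAPI 3 documents and reports every operation that was protected in the old version but is callable anonymously in the new one; the sample documents and the `bearerAuth` scheme name are constructed.

```python
"""Report operations whose authentication requirement was dropped between two
OpenAPI 3 documents (added illustration, not the platform's own rule engine)."""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def requires_auth(spec: dict, path: str, method: str) -> bool:
    """True when the operation cannot be called anonymously. OAS semantics: an
    operation-level `security` overrides the document-level one, `security: []`
    makes the operation public, and an empty requirement object `{}` in the list
    makes authentication optional (anonymous callers are accepted)."""
    operation = spec.get("paths", {}).get(path, {}).get(method, {})
    requirements = operation.get("security", spec.get("security"))
    if not requirements:  # nothing inherited, or explicitly []
        return False
    return all(req != {} for req in requirements)


def operations(spec: dict):
    """Yield (path, method) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                yield path, method.lower()


def authentication_removed(old: dict, new: dict) -> list:
    """Operations in both specs that were protected in `old` but are reachable
    without authentication in `new`: the condition this rule reports on."""
    new_ops = set(operations(new))
    return sorted((p, m) for p, m in operations(old) if (p, m) in new_ops
                  and requires_auth(old, p, m) and not requires_auth(new, p, m))


# Constructed sample documents; the `bearerAuth` scheme name is an assumption.
OLD_SPEC = {"openapi": "3.0.3",
            "security": [{"bearerAuth": []}],  # document-level: all operations need a token
            "paths": {"/users/{id}": {"get": {}, "delete": {}},
                      "/health": {"get": {"security": []}}}}  # intentionally public
NEW_SPEC = {"openapi": "3.0.3",  # document-level requirement dropped
            "paths": {"/users/{id}": {"get": {"security": [{"bearerAuth": []}]},  # still protected
                                      "delete": {}},  # now anonymous -> finding
                      "/health": {"get": {"security": []}},
                      "/reports": {"get": {}}}}  # new endpoint, not a "removed" case

if __name__ == "__main__":
    for path, method in authentication_removed(OLD_SPEC, NEW_SPEC):
        print(f"CRITICAL: authentication removed from {method.upper()} {path}")
```

Running the check in CI against the previous released spec is one way to catch the regression before the endpoint ships; only `DELETE /users/{id}` is reported here, since `/health` was already public and `/reports` is new rather than changed.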

Example Attack

Data Theft: Attackers can exploit the lack of authentication to steal sensitive data from the system. This could include personal information, financial records, or intellectual property, which can be used for identity theft or fraud.

Remediation

Verify that the change was intentional and correct; if it was not, add the authentication requirement back to the endpoint.

Security Frameworks

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall.

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client or user compromises API security overall.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
