Findings

Missing global security

Updated: June 19, 2025

Description

Severity: Medium

An endpoint was found that is not protected by any security scheme.

POST, PUT, PATCH, and DELETE methods can modify data, change the state of or entirely delete resources. Without proper security measures, malicious actors could exploit these endpoints to introduce unauthorized changes, delete important data, or compromise the integrity of an API. Furthermore, unprotected API operations can lead to data breaches, which not only harm the reputation of the affected organization but can also result in legal and financial repercussions. By implementing security rules, developers can control who has access to these operations and under what conditions, ensuring that only authorized users can make changes and that the system remains secure and reliable. Authentication, authorization, rate limiting, and data validation are just a few examples of security rules that can be implemented.

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Unauthorized Access: Missing global security controls may allow unauthorized users or attackers to gain access to sensitive resources, functionalities, or data within the system. This could include accessing administrative interfaces, sensitive configuration files, or critical system components without proper authentication or authorization.

Remediation

Ensure that all API operations using HTTP methods such as POST, PUT, PATCH, and DELETE are safeguarded with at least one security rule. All non-public endpoints that can effect change on databases should have a security scheme in place.
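The check this finding describes, as an added example that is not part of the original page or any product's own rule engine: it walks an OpenAPI 3 document, computes each mutating operation's effective `security` (operation-level overrides global, and an explicit `[]` opts out), and flags operations with no requirement, an empty `{}` requirement that makes authentication optional, or a requirement naming a scheme that `components.securitySchemes` never declares. The two specs are constructed samples; the hardened one shows the fix the remediation asks for.

```python
MUTATING = ("post", "put", "patch", "delete")

def effective_security(spec: dict, operation: dict) -> list:
    """Operation-level `security` overrides the global list; an explicit `[]` switches it off."""
    return operation["security"] if "security" in operation else spec.get("security", [])

def unprotected_operations(spec: dict) -> list:
    """Return (METHOD, path, reason) for each mutating operation with no enforced scheme."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in MUTATING:
            op = item.get(method)
            if op is None:
                continue
            reqs = effective_security(spec, op)
            if not reqs:
                findings.append((method.upper(), path, "no security requirement"))
            elif {} in reqs:  # an empty requirement object makes authentication optional
                findings.append((method.upper(), path, "empty requirement allows anonymous access"))
            # A requirement naming a scheme that was never declared cannot be enforced.
            elif missing := sorted({name for req in reqs for name in req} - defined):
                findings.append((method.upper(), path, f"undefined scheme(s): {missing}"))
    return findings

SCHEMES = {"bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}

# Constructed weak spec (not a real API): no global `security`, one operation opts out,
# one accepts anonymous callers via `{}`, and one names a scheme that was never declared.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": SCHEMES},
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"patch": {"security": [{}, {"bearerAuth": []}]}, "delete": {"security": []}},
        "/admin/reset": {"post": {"security": [{"adminKey": []}]}},
    },
}

# Hardened form: one global requirement, declared schemes only, no operation-level opt-outs.
FIXED_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": SCHEMES},
    "paths": {"/users": {"get": {}, "post": {}}, "/users/{id}": {"patch": {}, "delete": {}},
              "/admin/reset": {"post": {}}},
}
```

Running `unprotected_operations(WEAK_SPEC)` reports four operations; the same call on `FIXED_SPEC` reports none, which is the state the remediation expects.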

Security Frameworks

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client or user compromises API security overall.

CIS-ASG-1.2.1: CIS 1.2.1: Define Authentication and Authorization Requirements

Decide whether the API requires authentication and authorization mechanisms, and which tools will be used to provide them. Role-based access controls will be implemented with user roles defined as user, admin, and superadmin, each having specific permissions and access levels to different data and functions within the API.

Rationale

Defining API authentication and authorization requirements provides a structured plan from the outset, outlining how user identity and access will be managed, which helps with risk mitigation by implementing appropriate security controls. This approach ensures compliance with regulatory laws and standards governing data protection and privacy, safeguarding against potential legal and compliance risks associated with API usage.

Remediation

  • Assess current authentication and authorization mechanisms.
  • Conduct a gap analysis between the existing mechanisms and the compliance standards' mechanisms.
  • Define authentication methods (for example, SSO, OAuth, API key, JWT).
  • Establish user and entity-specific authorization controls (for example, user, admin).
  • Document requirements.

Audit

  • Review the documentation and the requirements provided by the development team and the compliance standards to ensure alignment and completeness.
  • Evaluate compliance with requirements using VAPT and/or automated solutions across various use cases, including normal scenarios and situations where low-privilege users attempt to access high-privilege data or data belonging to other users.
  • Ensure the current state complies with compliance standards.
  • Ensure proper and secure management of secrets and tokens, employing solutions like encrypted vaults to safeguard sensitive information.