The API operation is publicly accessible and does not have any security scheme defined in its API definition. This means that the operation is unauthenticated by design, thereby allowing anyone to browse to the operation's URL and exercise its functionality. While this may be intentional for certain public endpoints, it can pose risks if sensitive data or critical functionality is inadvertently exposed. Attackers could discover and exploit these exposed operations, potentially leading to unauthorized access or misuse of system resources if the endpoint handles privileged actions or data.
Verify that the publicly accessible endpoint does not handle any sensitive or privileged data. If the operation is truly intended to be public, implement strict input validation and rate limiting to reduce misuse. Otherwise, integrate an authentication mechanism or token-based security scheme so that only authorized clients can reach it. Consider employing a Web Application Firewall (WAF) or intrusion detection system to detect suspicious requests targeting the endpoint. Regularly review your API definitions and documentation to ensure public endpoints are truly safe to expose and do not compromise system integrity or confidentiality.
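As an added example (not part of this finding's text), the following Python checker walks an OpenAPI 3 document and reports operations whose effective security requirement is empty, which is exactly the condition this finding describes; the sample document, its paths and its scheme names are constructed for illustration.

```python
"""Report OpenAPI 3 operations that are reachable without any security scheme."""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(spec, operation):
    # Operation-level `security` overrides the document-level default;
    # an explicit `security: []` on the operation opts it out entirely.
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def unauthenticated_reason(requirements, schemes):
    """Return why the operation is unauthenticated, or None if it is protected."""
    if not requirements:
        return "no security requirement"
    if any(not alternative for alternative in requirements):
        return "anonymous alternative ({}) permitted"     # optional auth = public
    if not any(all(name in schemes for name in alt) for alt in requirements):
        return "only undefined security schemes referenced"
    return None


def find_unauthenticated_operations(spec):
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:   # skip `parameters`, `summary`, ...
                continue
            reason = unauthenticated_reason(effective_security(spec, operation), schemes)
            if reason:
                findings.append((method.upper(), path, reason))
    return findings


# Constructed sample: a global bearer-token default, one operation that inherits it,
# one that opts out, and one that names a scheme the document never defines.
SAMPLE_SPEC = {
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders": {"get": {"summary": "inherits global bearerAuth"}},
        "/public/status": {"parameters": [], "get": {"security": []}},
        "/admin/users": {"delete": {"security": [{"legacyKey": []}]}},
    },
}

if __name__ == "__main__":
    for method, path, reason in find_unauthenticated_operations(SAMPLE_SPEC):
        print(f"{method} {path}: {reason}")
```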
Code: A01:2021
Category: Broken Access Control
2.6
2.6