The API operation does not validate authentication although its API definition describes this operation as authenticated. By simply browsing to the operation’s URL, anyone can execute the functionality and retrieve any data returned by that operation. This discrepancy between intended and actual access control grants unauthorized parties the ability to invoke sensitive operations or view confidential data, potentially leading to data leaks, privilege escalation, or unauthorized actions within the system.
Implement strict authentication checks for this API operation to ensure only authorized users can access it. Update your backend services to reject requests unless valid authentication credentials are provided. If an API gateway or reverse proxy is in use, configure it to enforce appropriate authentication policies for this endpoint. Regularly test and review your API endpoints to confirm that all operations follow the declared access control requirements, especially for operations intended to be restricted. Consider using a Web Application Firewall (WAF) or intrusion detection system to monitor suspicious requests targeting otherwise private API operations.
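The review step above can be automated: read the API definition, and for every operation it declares as authenticated, confirm that a request carrying no credentials is rejected. The following Python script is an added example, not code from the original finding or from any particular scanner; it assumes an OpenAPI 3 document (where an operation-level `security: []` opts that operation out of the global requirement) and a constructed stand-in for the running API.

```python
"""Audit an OpenAPI 3 definition against a running API: every operation the
definition declares as authenticated must reject an unauthenticated request."""
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")


def declared_secured(spec: dict, operation: dict) -> bool:
    # Operation-level `security` overrides the global list; an empty list means "no auth".
    return len(operation.get("security", spec.get("security", []))) > 0


def find_unauthenticated_operations(spec: dict, probe: Callable[[str, str], int]) -> List[Tuple[str, str, int]]:
    """Return (METHOD, path, status) for each operation that is declared authenticated
    yet answers a credential-less request with a 2xx status (the discrepancy described above)."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None or not declared_secured(spec, op):
                continue
            status = probe(method.upper(), path)
            if 200 <= status < 300:
                findings.append((method.upper(), path, status))
    return findings


def http_probe(base_url: str) -> Callable[[str, str], int]:
    """Build a probe that sends a request with no credentials and returns the HTTP status.
    Path templates such as /users/{id} are sent literally; substitute real values as needed."""
    def probe(method: str, path: str) -> int:
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return probe


# Constructed sample definition (hypothetical paths, not from the finding).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {"get": {"summary": "Fetch a user"}},
        "/reports": {"get": {"summary": "Export reports", "security": [{"bearerAuth": []}]}},
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
}


def fake_unauthenticated_probe(method: str, path: str) -> int:
    # Constructed stand-in for the API: /reports forgets its auth check; /health is public by design.
    return 200 if path in ("/reports", "/health") else 401


if __name__ == "__main__":
    for m, p, s in find_unauthenticated_operations(SAMPLE_SPEC, fake_unauthenticated_probe):
        print(f"{m} {p}: declared authenticated but answered {s} without credentials")
```

Against a real deployment, replace `fake_unauthenticated_probe` with `http_probe("https://api.example.test")` and run it in CI so a newly exposed operation fails the build.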
Code: A01:2021
Category: Broken Access Control
5.4