REST API Resource modifying data without Authentication check - No Author

Impact area

Security

Severity

High

Rule ID

SN-RESTAPI_DATAMOD_NO_AUTHOR

Impact

Defining a Scripted REST API resource that handles a data-modifying HTTP method (POST, PATCH or DELETE) without ACL-based authorization is a security risk: any user who can authenticate to the instance, regardless of role, can call the resource and modify data. If the resource does not even require authentication, the same applies to anyone who can reach the instance.

Remediation

Ensure that every REST API resource that can modify data has both checks enabled: the resource must require authentication, and ACL authorization must be enforced so that only callers holding the appropriate roles can invoke it. Enforcing ACLs on the resource controls who may call it; if the operation script must also respect table-level ACLs on the records it writes, it should use GlideRecordSecure rather than GlideRecord.
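The following is an added example, not code from this rule page or from ServiceNow: an audit helper that applies the remediation as a check, flagging Scripted REST resources that handle a data-modifying verb without both "Requires authentication" and "Requires ACL authorization" enabled. It assumes the rows mirror the sys_ws_operation table (fields http_method, requires_authentication, requires_acl_authorization, relative_path) and that booleans may arrive as the strings 'true'/'false' as GlideRecord.getValue() returns them; the sample rows are constructed inline so it runs stand-alone. It also treats PUT as modifying, which the rule text does not list.

```javascript
// Added example, not code from the rule page or from ServiceNow: flags
// Scripted REST resources that handle a data-modifying HTTP method without
// "Requires authentication" and "Requires ACL authorization" both enabled.
//
// Assumptions (not stated on the page): rows mirror the sys_ws_operation
// table with fields http_method, requires_authentication,
// requires_acl_authorization and relative_path. GlideRecord.getValue()
// returns booleans as the strings 'true'/'false', so both forms are accepted.
// PUT is treated as modifying although the rule lists only POST/PATCH/DELETE.

const MODIFYING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function toBool(v) {
  return v === true || v === 'true' || v === 1 || v === '1';
}

function isModifying(method) {
  return MODIFYING_METHODS.has(String(method || '').toUpperCase());
}

// Returns one finding per resource that can modify data but is callable
// without a full authentication + authorization check.
function findUnprotectedResources(resources) {
  const findings = [];
  for (const r of resources) {
    if (!isModifying(r.http_method)) continue;
    const auth = toBool(r.requires_authentication);
    const acl = toBool(r.requires_acl_authorization);
    if (auth && acl) continue;
    findings.push({
      path: r.relative_path,
      method: String(r.http_method).toUpperCase(),
      // No authentication: anyone who can reach the instance. Authentication
      // without ACLs: any user with login credentials, whatever their roles.
      exposure: auth ? 'any authenticated user' : 'unauthenticated',
      missing: [
        !auth && 'requires_authentication',
        !acl && 'requires_acl_authorization',
      ].filter(Boolean),
    });
  }
  return findings;
}

// Constructed sample rows standing in for a sys_ws_operation query.
const SAMPLE_RESOURCES = [
  { relative_path: '/incident', http_method: 'GET', requires_authentication: 'true', requires_acl_authorization: 'false' },
  { relative_path: '/incident', http_method: 'POST', requires_authentication: 'true', requires_acl_authorization: 'true' },
  { relative_path: '/incident/{id}', http_method: 'PATCH', requires_authentication: 'true', requires_acl_authorization: 'false' },
  { relative_path: '/webhook', http_method: 'POST', requires_authentication: 'false', requires_acl_authorization: 'false' },
  { relative_path: '/incident/{id}', http_method: 'delete', requires_authentication: true, requires_acl_authorization: false },
];

// In a ServiceNow background script the rows would instead be collected with
// a GlideRecord query over the assumed table, e.g.:
//   var gr = new GlideRecord('sys_ws_operation');
//   gr.addQuery('http_method', 'IN', 'POST,PUT,PATCH,DELETE');
//   gr.query();
//   while (gr.next()) rows.push({ relative_path: gr.getValue('relative_path'), ... });

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnprotectedResources(SAMPLE_RESOURCES)) {
    console.log(`${f.method} ${f.path}: ${f.exposure} can modify data (missing: ${f.missing.join(', ')})`);
  }
}
```

Run against the sample rows, the GET resource is ignored and the fully protected POST passes; the PATCH and DELETE resources are reported as callable by any authenticated user, and the webhook POST as callable without authentication at all.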

Time to fix

10 min

Last modified on Jun 9, 2020