Access control policies ensure that users cannot act outside of their intended permissions. See how Web Application Security is assessed.
API: GET Web Application Security Evidence: Broken Authentication and Access Control [/v1/companies/company_guid/findings?risk_vector=web_appsec]
Table of Contents
- CMS Administration Portal Exposed
- Cross-Site Request Forgery (CSRF) Mitigations Present
- Authentication on Insecure Channel
CMS Administration Portal Exposed
Content Management System (CMS) administration portals are frequently exposed to the Internet and are prime targets for brute force attacks. Since these interfaces are typically present at well-known URLs, it is trivial to discover such interfaces for brute force attacks.
Finding Message: Exposed content management system (CMS) admin interface
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-284: Improper Access Control |
Grading & Conditions
We scan each website looking for known CMS administration portals and issue a WARN finding for each one exposed to the Internet.
Weight =
10Condition = A CMS administration portal is exposed to the Internet.
Mitigation
Website owners should avoid exposing administrative interfaces to the Internet, instead only making them accessible via a VPN, internal network, or behind a firewall.
Cross-Site Request Forgery (CSRF) Mitigations Present
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated. CSRF attacks exploit the trust a web application has in an authenticated user’s browser session.
Finding Message: A CSRF token does not contain a hidden attribute with at least 128 bits of entropy.
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
Grading & Conditions
We issue an informational finding (NEUTRAL) whenever we fail to identify a CSRF mechanism in use without the adequate configuration. Since there is no standard method to define the name for these tokens, we will only consider those used by known CSRF frameworks.
Weight = Not Applicable.
Condition = Missing CSRF mechanism with adequate configuration. Findings of this type are informational only.
Mitigation
Whenever possible, 128 bits of entropy should be used to define CSRF tokens.
Authentication on Insecure Channel
This assessment looks for situations where a web application is requesting authentication from a user on an insecure channel.
The following situations are considered:
- Web application is requesting credentials via the www-Authenticate header over an insecure non-HTTPS connection
- An authentication HTML form is being presented over an insecure non-HTTPS connection
- Password forms are requesting credentials on a site loaded with TLS Errors
Finding Message: Authentication over HTTP
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
Grading & Conditions
Minimum weight: 0
Maximum weight: 1000
Possible Grades:
Weight =
0
Weight =
10Condition = A password form is requesting credentials on a site loaded with the "Obsolete connections settings" TLS error.
Weight =
1000Condition =
- We identified a request for credentials via the www-Authenticate header over non-HTTPS (high severity).
- A password form is requesting credentials over HTTP.
- A password form is requesting credentials on a site loaded with the “This site is missing a valid, trusted certificate” TLS error.
Mitigation
All authentication mechanisms should always be served through a secure channel.
- March 4, 2025: Updated weights per changes implemented December 16, 2024.
- January 15, 2025: Linked finding messages.
- December 5, 2024: Moved to a more exclusive section.
Feedback
0 comments
Please sign in to leave a comment.