Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

GET Web Application Security Evidence: Broken Authentication and Access Control

Ingrid

https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec

Get broken authentication and access control scripting evidence, including:

For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.

Authentication on Insecure Channel

[assessmentName = authentication_on_insecure_channel]

Example Response

{
  "name": "input",
  "message": "Password input field present in a form on a non-HTTPS page",
  "details": "size=\"5\" name=\"password\" style=\"width:100px\" type=\"password\"",
  "authCategory": "password_on_insecure_channel",

  ⊕ See additional evidences

}

Response Attributes

Field Description 
name

String

 The name of the HTML element that represents an authentication mechanism. 
message

String

 A summary of the issue. 
details

String

 Additional details of the identified HTML element. 
authCategory

String

The issue category.

Values:

  • auth_on_insecure_channel
  • password_on_insecure_channel_ssl_cert_error
  • password_on_insecure_channel_ssl_obsolete_connection_error
  • password_on_insecure_channel
 
resource

String

 The application that sent the WWW-Authenticate header.

CMS Administration Portal Exposed

[assessmentName = exposed_csm_admin_page]

Example Response

{
  "cms": "Wordpress",
  "location": "url",

  ⊕ See additional evidences

}

Response Attributes

Field Description 
cms

String

 The content management system (CMS) that was identified. 
location

String

 The login page URL.

Cross-Site Request Forgery (CSRF) Mitigations Present

[assessmentName = cross_site_request_forgery]

Example Response

{
  "documentUrl":"url",
  "name":"input types",
  "value":"string",
  "path":"/html/body#top/header/div/form#quicksearch",
  "message":"Page contains a form that does not include a hidden attribute with a value of 20 characters or more",

  ⊕ See additional evidences
  
}

Response Attributes

Field Description 
documentUrl

String

 The URL of the page containing the token. 
name

String

 The token name. 
value

String

 The token value. 
path

String

 The HTML element path. 
message

String

 A summary of the issue.
  • May 15, 2024: Added message field to Cross-Site Request Forgery (CSRF) Mitigations Present.
  • December 12, 2023: Included general finding details; Added table of contents.
  • August 11, 2023: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.