GET Web Application Security Evidence: Broken Authentication and Access Control

Ingrid

GET https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec

Get broken authentication and access control scripting evidence, including:

- Authentication on Insecure Channel
- CMS Administration Portal Exposed
- Cross-Site Request Forgery (CSRF) Mitigations Present

For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.

Authentication on Insecure Channel

[details.assessment_name = authentication_on_insecure_channel]

Example Response

{
  "name": "input",
  "message": "Password input field present in a form on a non-HTTPS page",
  "details": "size=\"5\" name=\"password\" style=\"width:100px\" type=\"password\"",
  "authCategory": "password_on_insecure_channel"
}

Response Attributes

| Field | Type | Description |
| --- | --- | --- |
| name | String | The name of the HTML element that represents an authentication mechanism. |
| message | String | A summary of the issue. |
| details | String | Additional details of the identified HTML element. |
| authCategory | String | The issue category. Values: auth_on_insecure_channel, password_on_insecure_channel_ssl_cert_error, password_on_insecure_channel_ssl_obsolete_connection_error, password_on_insecure_channel |
| resource | String | The application that sent the WWW-Authenticate header. |

CMS Administration Portal Exposed

[details.assessment_name = exposed_csm_admin_page]

Example Response

{
  "cms": "Wordpress",
  "location": "url"
}

Response Attributes

| Field | Type | Description |
| --- | --- | --- |
| cms | String | The content management system (CMS) that was identified. |
| location | String | The login page URL. |
Cross-Site Request Forgery (CSRF) Mitigations Present

[details.assessment_name = cross_site_request_forgery]

Example Response

{
  "documentUrl": "url",
  "name": "input types",
  "value": "string",
  "path": "/html/body#top/header/div/form#quicksearch",
  "message": "Page contains a form that does not include a hidden attribute with a value of 20 characters or more"
}

Response Attributes

| Field | Type | Description |
| --- | --- | --- |
| documentUrl | String | The URL of the page containing the token. |
| name | String | The token name. |
| value | String | The token value. |
| path | String | The HTML element path of the form that was checked. |
| message | String | A summary of the issue. As the example message shows, the assessment treats a form as carrying a CSRF token when it contains a hidden attribute whose value is 20 characters or longer; a form that fails this length heuristic is reported here. |

Change log

- January 15, 2026: Corrected assessmentName parameter to details.assessment_name.
- May 15, 2024: Added message field to Cross-Site Request Forgery (CSRF) Mitigations Present.
- December 12, 2023: Included general finding details; added table of contents.
- August 11, 2023: Published.

Related articles

- GET: Web Application Security Finding Details
- GET Web Application Security Evidence: Components with Known Vulnerabilities
- GET: Finding Details
- GET Web Application Security Evidence: Sensitive Data Exposure
- GET Web Application Security Evidence: Security Misconfiguration
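The following Python script is an added example, not Bitsight's own client code, showing how the three evidence types documented above (Authentication on Insecure Channel, CMS Administration Portal Exposed, and CSRF Mitigations Present) can be triaged offline from a findings payload. It builds the findings URL with the documented ?risk_vector=web_appsec parameter and groups evidence by details.assessment_name. Two things are assumptions rather than facts from this page: the nesting of evidence records under details.evidence of each finding (adjust it to the real payload layout), and the sample payload, which is constructed to mirror the example responses above.

```python
"""Offline triage of Bitsight Web Application Security evidence.

Added example, not Bitsight's client code. Assumptions not documented on
the page: evidence records nest under details.evidence of each finding, and
the SAMPLE_FINDINGS payload is constructed, not a real API response.
"""
from collections import defaultdict
from urllib.parse import urlencode

BASE = "https://api.bitsighttech.com/ratings/v1/companies/{company_guid}/findings"

# Assessment names documented on this page.
AUTH_INSECURE = "authentication_on_insecure_channel"
CMS_ADMIN = "exposed_csm_admin_page"
CSRF = "cross_site_request_forgery"

# Documented authCategory values.
AUTH_CATEGORIES = {
    "auth_on_insecure_channel",
    "password_on_insecure_channel",
    "password_on_insecure_channel_ssl_cert_error",
    "password_on_insecure_channel_ssl_obsolete_connection_error",
}

# The CSRF check described in the example message looks for a hidden
# attribute whose value is at least this many characters long.
MIN_TOKEN_LEN = 20


def build_findings_url(company_guid: str) -> str:
    """Findings URL restricted to Web Application Security evidence."""
    return BASE.format(company_guid=company_guid) + "?" + urlencode({"risk_vector": "web_appsec"})


def token_present(value) -> bool:
    """Apply the page's length heuristic to a form's token value."""
    return isinstance(value, str) and len(value) >= MIN_TOKEN_LEN


def triage(findings: list) -> dict:
    """Group evidence by assessment_name, keeping the fields an analyst acts on.

    An authCategory outside the documented set is kept and flagged rather than
    dropped, so a category added upstream does not silently vanish.
    """
    out = defaultdict(list)
    for finding in findings:
        details = finding.get("details", {})
        name = details.get("assessment_name")
        for ev in details.get("evidence", []):  # ASSUMPTION: evidence nesting
            if name == AUTH_INSECURE:
                cat = ev.get("authCategory")
                out[name].append({
                    "category": cat,
                    "known_category": cat in AUTH_CATEGORIES,
                    "element": ev.get("name"),
                    "resource": ev.get("resource"),
                    "message": ev.get("message"),
                })
            elif name == CMS_ADMIN:
                out[name].append({"cms": ev.get("cms"), "location": ev.get("location")})
            elif name == CSRF:
                out[name].append({
                    "page": ev.get("documentUrl"),
                    "form": ev.get("path"),
                    "token_present": token_present(ev.get("value")),
                    "message": ev.get("message"),
                })
    return dict(out)


# Constructed sample payload (not real data), shaped after the page's examples.
SAMPLE_FINDINGS = [
    {"details": {"assessment_name": AUTH_INSECURE, "evidence": [{
        "name": "input",
        "message": "Password input field present in a form on a non-HTTPS page",
        "details": 'size="5" name="password" style="width:100px" type="password"',
        "authCategory": "password_on_insecure_channel",
    }]}},
    {"details": {"assessment_name": CMS_ADMIN, "evidence": [
        {"cms": "Wordpress", "location": "https://www.example.com/wp-login.php"},
    ]}},
    {"details": {"assessment_name": CSRF, "evidence": [{
        "documentUrl": "https://www.example.com/",
        "name": "input types",
        "value": "abc",
        "path": "/html/body#top/header/div/form#quicksearch",
        "message": "Page contains a form that does not include a hidden attribute "
                   "with a value of 20 characters or more",
    }]}},
]

if __name__ == "__main__":
    print(build_findings_url("company_guid"))
    for assessment, rows in triage(SAMPLE_FINDINGS).items():
        print(assessment)
        for row in rows:
            print("  ", row)
```

Note that token_present only reproduces the length heuristic the example message describes; a form that passes it may still be unprotected (the token might not be validated server-side), and one that fails it may be protected by other means, so treat the CSRF evidence as a prompt for review rather than a verdict.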