Authenticated Route Bypass

A vulnerable authentication bypass might occur when an endpoint that should be protected isn't properly enforced by authentication middleware or decorators.

An authentication bypass occurs when secure endpoints aren't protected by authentication measures, allowing unauthorized access to sensitive areas like admin panels or user accounts. This can lead to data breaches and exposure. Proper authentication checks are crucial to prevent this risk. Developers should review code, ensure all sensitive endpoints are protected, and conduct regular security audits

Vulnerable Code

In the below code snippet, the get_all_users endpoint lacks authentication or authorization, which means anyone can access the list of users without restriction. This creates a vulnerability in scenarios where sensitive user information should be restricted to authenticated or authorized users only.

@router.get("/users")
async def get_all_users(db: Session = Depends(get_db)):
    users = await get_all_users_handler(db)
    return JSONResponse(status_code=200, content={"status": "success", "message": "Users retrieved successfully", "data": jsonable_encoder(users)})

Vulnerable APIs

(Admin) Get All Users

https://apidoc.fvb.vchan.in/#ff62ee09-4e94-4a0f-9621-ddff39925fd8

Compliance

OWASP: API2:2023
PCI: 6.5.10
GDPR: Article-32
SOC2: CC1
ISO27001: A.14.2
NIST: SP800-53

CWE & CVSS

CWE: 285
CVSS VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS SCORE: 6.5

PreviousBroken Object Level Authorization

Last updated 1 year ago

hashtagVulnerable Code

hashtagVulnerable APIs

hashtagCompliance​arrow-up-right

hashtagCWE & CVSS​arrow-up-right

Vulnerable Code

Vulnerable APIs

Compliance

CWE & CVSS