| Details | |
|---|---|
| Alert ID | 10101 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 287 |
| WASC | 1 |
| Technologies Targeted | All |
| Tags |
CWE-287 OWASP_2017_A05 OWASP_2021_A01 |
Summary
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.
To get around setting up authentication, some resources are protected by “hiding” the specific location and not linking the location into the main web site or other public places. However, this approach is nothing more than “Security Through Obscurity”. It’s important to understand that even though a resource is unknown to an attacker, it still remains accessible directly through a specific URL. The specific URL could be discovered through a Brute Force probing for common file and directory locations (/admin for example), error messages, referrer logs, or documentation such as help files. These resources, whether they are content- or functionality-driven, should be adequately protected.
Solution
Phase: Architecture and Design Use an authentication framework or library such as the OWASP ESAPI Authentication feature.Other Info
Accessed as an unauthenticated user. Request detected as authorized: true. The defined access rule for resource is that access should be: Denied.References
- https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- https://cwe.mitre.org/data/definitions/287.html
- https://cwe.mitre.org/data/definitions/284.html