Api Missing Authentication
Description
This detector identifies API endpoints that should require authentication but incorrectly allow unauthenticated access. It tests whether endpoints that normally receive authenticated requests will also accept the same requests without authentication headers, potentially exposing sensitive data or functionality to unauthorized users.
Detection Strategy
• The original request must include authentication headers (indicating the endpoint expects authentication)
• The request method must be GET or HEAD (read-only operations)
• When the same request is sent without authentication headers, it must return a successful response (2xx or 3xx status code)
• The response body must not contain soft denial indicators (error messages suggesting authentication failure despite the successful status code)
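The four conditions above, as an added example that is not Fluid Attacks' own detector code: a replay check in Python that applies them to a captured request against your own API. The authentication header names, the soft-denial phrases and the in-memory `fake_api` transport are assumptions constructed for the demonstration; in practice `send` would issue the real HTTP request.

```python
import re
from dataclasses import dataclass
from typing import Callable, Mapping

# Header names treated as authentication material (assumption; adjust to your API).
AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}
# Soft-denial phrases: status is 2xx/3xx but the body says auth failed (assumption).
SOFT_DENIAL = re.compile(r"unauthori[sz]ed|authentication (required|failed)|invalid (token|api key)|access denied", re.I)

@dataclass
class Request:
    method: str
    url: str
    headers: Mapping[str, str]

@dataclass
class Response:
    status: int
    body: str

def strip_auth(req: Request) -> Request:
    """Copy of the request with every authentication header removed."""
    kept = {k: v for k, v in req.headers.items() if k.lower() not in AUTH_HEADERS}
    return Request(req.method, req.url, kept)

def is_missing_auth(req: Request, send: Callable[[Request], Response]) -> bool:
    """Apply the four conditions of the detection strategy to one captured request."""
    if req.method.upper() not in ("GET", "HEAD"):                # read-only operations only
        return False
    if not any(k.lower() in AUTH_HEADERS for k in req.headers):  # original must carry auth
        return False
    resp = send(strip_auth(req))                                 # replay without credentials
    if not 200 <= resp.status < 400:                             # must still succeed (2xx/3xx)
        return False
    return SOFT_DENIAL.search(resp.body) is None                 # and not be a soft denial

def fake_api(req: Request) -> Response:
    """Constructed in-memory API standing in for the network; /api/reports never checks auth."""
    authed = "authorization" in {k.lower() for k in req.headers}
    if req.url.endswith("/api/me"):        # enforces auth correctly: hard 401
        return Response(200, '{"user":"alice"}') if authed else Response(401, '{"error":"unauthorized"}')
    if req.url.endswith("/api/reports"):   # the finding: data returned regardless of auth
        return Response(200, '[{"id":1,"total":1200}]')
    if req.url.endswith("/api/profile"):   # soft denial: 200 with an auth error in the body
        return Response(200, '{"user":"alice"}') if authed else Response(200, '{"error":"authentication required"}')
    return Response(404, "")

def audit(requests: list[Request], send: Callable[[Request], Response]) -> list[str]:
    """URLs of captured requests that the detector flags as missing authentication."""
    return [r.url for r in requests if is_missing_auth(r, send)]
```

Feed `audit` the authenticated GET/HEAD requests recorded from your own test traffic; only `/api/reports` is reported, because `/api/me` fails the status check and `/api/profile` fails the soft-denial check.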
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.