Skip to main content

Public state-altering operation

Description

Any route that mutates application data should not be public. Generally, REST READ, UPDATE, DELETE requests and GraphQL mutations should be protected by an authentication middleware.

Remediation

Restrict access to the route, using an authentication middleware for example.

GraphQL Specific

Apollo

Ensure that all public state-altering operations in the Apollo framework engine are properly authenticated and authorized to prevent unauthorized access or modifications. Implement checks to validate the user's permissions before executing any changes.

Yoga

Ensure that the Yoga framework engine's public state-altering operations are properly authenticated and authorized to prevent unauthorized access or modifications. Implement robust input validation to avoid injection attacks and enforce access controls to restrict operations to legitimate users only.

Awsappsync

Ensure that AWS AppSync resolvers use proper authorization checks before allowing state-altering operations to prevent unauthorized access and data manipulation. Implement fine-grained access control using AWS Identity and Access Management (IAM) policies, Amazon Cognito, or OpenID Connect providers, depending on your authentication requirements. Additionally, validate and sanitize all input data to protect against injection attacks and enforce schema validation to maintain data integrity.

Graphqlgo

Ensure that the GraphQL Go framework engine properly validates and sanitizes user input to prevent injection attacks. Implement authorization checks to restrict access to state-altering operations to authorized users only. Additionally, consider using query complexity analysis to prevent resource exhaustion attacks.

Graphqlruby

In the GraphQL Ruby framework, ensure that all state-altering operations are performed using mutations with properly defined authorization checks. Avoid exposing sensitive actions to unauthorized users by implementing a robust authentication and authorization strategy. Use GraphQL's built-in mechanisms for input validation and sanitization to prevent injection attacks. Additionally, consider rate-limiting to protect against abuse of the API.

Hasura

Ensure that all public state-altering operations in the Hasura framework are protected by appropriate authentication and authorization mechanisms. Utilize Hasura's role-based access control to define permissions and restrict access based on user roles. Additionally, consider implementing validation checks and rate limiting to prevent abuse of exposed APIs.

REST Specific

Asp_net

Implement authentication and authorization mechanisms such as ASP.NET Identity for user management, and use [Authorize] attribute to protect state-altering endpoints. Additionally, apply AntiForgeryToken to prevent CSRF attacks on form submissions.

Ruby_on_rails

In Ruby on Rails, ensure that routes which alter the state of the application, such as create, update, or destroy actions, are secured with authentication checks. Utilize the before_action callback in your controllers to enforce user authentication with methods like authenticate_user! provided by authentication solutions like Devise.

Next_js

Implement authentication and authorization checks in your Next.js API routes or pages with dynamic data fetching methods. Use Next.js middleware or higher-order functions to wrap your API routes, ensuring that only authenticated users can perform state-altering operations. Additionally, consider using libraries like next-auth for streamlined authentication handling.

Laravel

In Laravel, protect state-altering routes by applying the 'auth' middleware to ensure only authenticated users can access them. Use Route groups or apply the middleware directly to each route that performs create, update, or delete operations.

Express_js

In Express.js, ensure that routes handling state-altering operations such as POST, PUT, PATCH, and DELETE are secured with authentication middleware like Passport.js or express-jwt. Implement route-specific middleware to verify the user's identity and permissions before processing the request.

Django

In Django, ensure that views which perform state-altering operations such as POST, PUT, PATCH, and DELETE are protected by appropriate authentication and permission classes. Utilize Django's built-in authentication system and decorators like @login_required, or use Django REST framework's permissions to restrict access to authenticated users only.

Symfony

In Symfony, secure state-altering operations by implementing access controls using voters or access decision managers. Ensure that routes handling CREATE, UPDATE, and DELETE operations require authentication and proper authorization. Utilize Symfony's security components to set up firewalls and configure security voters to check user permissions before allowing access to these sensitive endpoints.

Spring_boot

In Spring Boot, secure state-altering endpoints by applying Spring Security. Configure authentication and use annotations like @PreAuthorize to control access, ensuring only authenticated users with proper roles can invoke these operations.

Flask

In Flask, ensure that routes handling state-altering operations such as POST, PUT, PATCH, and DELETE are protected by authentication. Utilize Flask extensions like Flask-Login or Flask-Security to manage user sessions and restrict access to these endpoints. Additionally, apply the @login_required decorator to your view functions to enforce authentication.

Nuxt

In Nuxt.js, ensure that all state-altering operations such as POST, PUT, PATCH, and DELETE requests are secured by implementing authentication and authorization checks. Use middleware to verify user credentials and permissions before allowing access to these routes.

Fastapi

In FastAPI, secure state-altering endpoints by integrating security dependencies such as OAuth2 with JWT tokens. Apply these dependencies to your route operations to ensure that only authenticated users can perform CREATE, UPDATE, or DELETE actions.

Configuration

Identifier: access_control/public_state_altering_operation

Examples

Ignore this check

checks:
  access_control/public_state_altering_operation:
    skip: true

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API5:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 306

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 8.7

References