API Sensitive Data (PII) accessible without authentication - Vulnerability Database


Description

This API endpoint exposes Personally Identifiable Information (PII) to unauthenticated users due to missing or improperly configured authentication controls. Attackers can access sensitive personal data without providing valid credentials, allowing unauthorized retrieval of confidential user information. This vulnerability typically occurs when authentication checks are bypassed, misconfigured, or entirely absent from endpoints that handle sensitive data.

Remediation

Implement authentication and authorization controls to protect sensitive endpoints:

1. Require authentication: Ensure all endpoints returning PII require valid authentication tokens or credentials before processing requests.

2. Implement proper authorization checks: Verify that authenticated users have permission to access the specific data they are requesting. Validate user identity and ownership before returning sensitive information.

3. Apply the principle of least privilege: Only return the minimum data necessary for the requested operation. Avoid exposing entire user objects when only specific fields are needed.

4. Example implementation:

```javascript
// Before: vulnerable endpoint
app.get('/api/users/:id', (req, res) => {
  const user = getUserById(req.params.id);
  res.json(user); // Returns all user data without auth
});

// After: secured endpoint
app.get('/api/users/:id', authenticateToken, (req, res) => {
  // Verify the authenticated user can access this resource.
  // Route params are strings, so compare on a normalised value rather than
  // relying on strict inequality between a numeric id and a string.
  if (String(req.user.id) !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = getUserById(req.params.id);
  if (!user) {
    return res.status(404).json({ error: 'Not Found' });
  }
  // Return only necessary fields
  const sanitizedUser = { id: user.id, name: user.name, email: user.email };
  res.json(sanitizedUser);
});
```

5. Conduct security testing: Regularly test API endpoints to ensure authentication and authorization controls are functioning correctly and cannot be bypassed.
