Resource Accessible Without Required Authentication
Description
This vulnerability occurs when a resource that is explicitly defined as requiring authentication in the API specification can be accessed without providing valid credentials. The absence of proper authentication enforcement allows any user, including unauthenticated attackers, to interact with protected endpoints and access functionality that should be restricted to authorized users only.
Remediation
Implement comprehensive authentication controls to protect all sensitive resources:
1. Enforce Authentication at the Application Layer
Ensure all protected endpoints validate authentication tokens before processing requests. Example middleware implementation:
  // Express.js authentication middleware example
  const express = require('express');
  const jwt = require('jsonwebtoken');

  const app = express();

  const authenticateRequest = (req, res, next) => {
    // Expect "Authorization: Bearer <token>"; reject a missing token or any other scheme
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'Authentication required' });
    }
    try {
      // Pin the accepted algorithm so the token header cannot select a weaker one
      const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
      req.user = decoded;
      next();
    } catch (error) {
      return res.status(401).json({ error: 'Invalid or expired token' });
    }
  };

  // Apply to protected routes
  app.get('/api/protected-resource', authenticateRequest, (req, res) => {
    // Handle authenticated request
    res.json({ user: req.user });
  });

2. Use Industry-Standard Authentication Protocols
Use OAuth 2.0 or OpenID Connect for authorization and identity, with bearer tokens (typically JWTs) that the server validates on every request: check the signature against a pinned algorithm and key, the issuer and audience, and the expiry, and issue short-lived access tokens backed by a refresh mechanism rather than long-lived credentials.
3. Apply Defense in Depth
• Validate authentication on every request (do not rely on client-side checks)
• Implement rate limiting to prevent brute force attacks
• Use HTTPS/TLS for all authentication-related communications
• Store passwords only as salted hashes produced by a dedicated password-hashing algorithm (bcrypt, Argon2), never as plaintext or a fast general-purpose hash
4. Align Implementation with API Specification
Review your API definition file and ensure every endpoint marked as requiring authentication has corresponding server-side enforcement. Where the framework allows it, attach the authentication middleware at the router or path-prefix level so a newly added endpoint is protected by default and public endpoints are an explicit opt-out; relying on each route to attach the middleware individually is how a single missed handler produces this vulnerability.
5. Test and Audit Regularly
• Perform automated security testing to verify authentication is enforced
• Conduct manual penetration testing of authentication mechanisms
• Review access logs for unauthorized access attempts
• Implement monitoring and alerting for authentication failures