Authentication / Request URL Override

Web and API

Description

Request URL override is an authentication vulnerability (CWE-287) that affects web and API applications. It occurs when the server does not properly validate the URL of a request, which lets an attacker bypass authentication and reach restricted resources. The OWASP Testing Guide covers this class of issue in its chapter on authentication testing.

Risk

The risk of this vulnerability is high: a malicious user can reach data or resources without authenticating at all, which defeats the access controls the application relies on.

Solution

To mitigate this vulnerability, the server should validate the requested URL and restrict access to authenticated users. That validation must be applied to every request, including requests for a resource on a different domain.
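As an added example (not code from this page or from any product it describes), the following Python authentication gate applies the mitigation above: it reduces the request path to a canonical form before comparing it against protected prefixes, and it refuses client-supplied URL override headers instead of letting them replace the request line. The protected prefixes, the header names and the request shape are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed routes that must never be served to an unauthenticated caller
# (constructed for this example).
PROTECTED_PREFIXES = ("/admin", "/api/internal")
# Headers some frameworks honour to rewrite the routed URL; the gate never
# lets them replace the request line (assumed set, extend for your stack).
URL_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def canonical_path(request_target: str) -> str:
    """Reduce a request target to one canonical path.

    Drops query and fragment, decodes percent-encoding once, strips
    ';param' suffixes from each segment, resolves '.' and '..', collapses
    repeated slashes and lowercases, so every spelling of a restricted
    resource compares equal to the same string.
    """
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    # posixpath keeps a leading '//'; collapse all leading slashes to one.
    return "/" + path.lstrip("/").lower()


def is_protected(path: str) -> bool:
    """True when the canonical path lies under a protected prefix."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(request_target: str, headers: dict, authenticated: bool):
    """Return (allowed, reason) for a request.

    The decision is based only on the canonical form of the real request
    line; any URL override header is rejected outright so the check cannot
    be redirected to a path it was never meant to cover.
    """
    names = {k.lower() for k in headers}
    for name in URL_OVERRIDE_HEADERS:
        if name in names:
            return False, f"rejected: client-supplied {name} header"
    path = canonical_path(request_target)
    if is_protected(path) and not authenticated:
        return False, f"denied: {path} requires authentication"
    return True, f"allowed: {path}"
```

Run the gate in front of the router so that the same canonical path is used for both the authentication decision and the routing decision; a mismatch between the two is exactly where this vulnerability lives.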
