Overview
- Bug Type:
- AuthN/AuthZ flaw
- Category:
- Security
Definition
Weaknesses in authentication (establishing who the caller is) or authorization (deciding what that caller may do) let an attacker impersonate users or perform actions they are not entitled to.
How to fix an AuthN/AuthZ flaw?
Harden authentication flows (MFA, secure session management that invalidates sessions on logout and credential change); enforce access control on the server for every action, never only in the client; verify token signatures, expiry and claims, and take roles from a server-side source rather than from client-asserted claims; follow least privilege.
Symptoms
Observable signs that may indicate an AuthN/AuthZ flaw:
- Privileged actions available via hidden UI routes or client-side checks only.
- Sessions not invalidated on logout or credential change.
- Role/claim tampering grants unauthorized access.
Example Errors:
- JWT accepted after expiration
- Missing CSRF/anti-forgery validation
- Authorization header ignored on certain routes
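The fix described above and the example errors listed here (a JWT accepted after expiration, role/claim tampering, a route that ignores the Authorization header) can be shown side by side in one small, runnable example. This is an added example, not code from the original page or from any particular product: a minimal HS256 JWT signer and verifier built from the Python standard library, a vulnerable request handler that decodes the token without checking it and trusts the role claim it carries, and a hardened handler that verifies the signature and expiry on every route and looks the role up in a server-side store. The secret, the user store, the action-to-role table and the `handle_*` function names are all constructed for illustration; a real service would use a maintained JWT library and a real identity store.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-key-do-not-use"  # constructed for this example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """VULNERABLE: returns the payload without checking signature or expiry."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """HARDENED: reject unless alg is the expected one, the HMAC matches and exp is in the future."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # also blocks alg=none style tricks
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise PermissionError("token expired or missing exp")
    return claims


# Constructed server-side user store: the authoritative source of roles.
USERS = {"alice": "admin", "bob": "user"}

# Constructed permission matrix, enforced per action on the server.
ACTION_ROLES = {
    "view_profile": {"user", "admin"},
    "delete_user": {"admin"},
}


def handle_vulnerable(action: str, token: str) -> str:
    """Trusts the client-asserted role claim; never checks signature or exp."""
    claims = decode_unverified(token)
    return "ok" if claims.get("role") in ACTION_ROLES[action] else "forbidden"


def handle_hardened(action: str, auth_header, now=None) -> str:
    """Every route requires a valid bearer token; the role comes from the server store."""
    if action not in ACTION_ROLES:
        return "not found"
    if not auth_header or not auth_header.startswith("Bearer "):
        return "unauthorized"  # no route is allowed to skip this check
    try:
        claims = verify_jwt(auth_header[len("Bearer "):], now=now)
    except PermissionError:
        return "unauthorized"
    role = USERS.get(claims.get("sub"))
    if role is None or role not in ACTION_ROLES[action]:
        return "forbidden"
    return "ok"


def run_demo() -> dict:
    """Replay the symptoms above against both handlers with a fixed clock."""
    now = 1_700_000_000
    bob_token = sign_jwt({"sub": "bob", "role": "user", "exp": now + 3600})
    # Tamper: rewrite the role claim to admin; the original signature no longer matches.
    header_b64, _, sig_b64 = bob_token.split(".")
    tampered_payload = _b64url(json.dumps({"sub": "bob", "role": "admin", "exp": now + 3600}).encode())
    tampered = f"{header_b64}.{tampered_payload}.{sig_b64}"
    expired = sign_jwt({"sub": "alice", "role": "admin", "exp": now - 1})
    return {
        "vuln_tampered": handle_vulnerable("delete_user", tampered),
        "hard_tampered": handle_hardened("delete_user", "Bearer " + tampered, now=now),
        "vuln_expired": handle_vulnerable("delete_user", expired),
        "hard_expired": handle_hardened("delete_user", "Bearer " + expired, now=now),
        "hard_valid_user": handle_hardened("view_profile", "Bearer " + bob_token, now=now),
        "hard_user_delete": handle_hardened("delete_user", "Bearer " + bob_token, now=now),
        "hard_no_header": handle_hardened("view_profile", None, now=now),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The vulnerable handler reports "ok" for both the tampered and the expired token, because it reads whatever the client put in the payload. The hardened handler returns "unauthorized" for both, "forbidden" when a genuine user token asks for an admin-only action, and "unauthorized" when the Authorization header is absent, which is the per-route, server-side check the fix section calls for.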