DerScanner
Home / Vulnerability Database / Config files : Unsafe HTTP access control
Config files

Config files : Unsafe HTTP access control

Classification

OWASP Top 10 2013
A1-InjectionA4-Insecure Direct Object ReferencesA7-Missing Function Level Access Control
OWASP Top 10 2017
A1-InjectionA5-Broken Access Control
OWASP Top 10 2021
A3-InjectionA1-Broken Access Control
OWASP ASVS
Access ControlAccess ControlAccess ControlAccess Control
PCI DSS 4.0
2.2.56.2.4
HIPAA
§164.312 (a)(1)§164.312 (d)
CWE
CWE-284CWE-287CWE-1027CWE-1030CWE-1033
CWE/SANS Top 25 2021
CWE-287

Overview

Protection enabled not for all HTTP methods.

In security-constraint, do not list any http-method. Any non-listed method will be unprotected, so attackers may use an uncommon method (HEAD, TRACE, DELETE…) to access the protected resources.

References

  1. web.xml Deployment Descriptor Elements
  2. OWASP Top 10 2017-A5-Broken Access Control
  3. CWE-284: Improper Access Control
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
  5. CWE-1030
LOW

DerScanner Severity Score

Do you want to fix Config files : Unsafe HTTP access control in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection