Avoid client-side control enforcement

Summary

The system must enforce access controls on trusted enforcement points, which are not on the client's side.

Description

Systems must enforce access controls on trusted enforcement points, such as access control gateways, servers and serverless functions. Client-side access control enforcement cannot be trusted because it is prone to being bypassed and/or tampered with.

Supported In

This requirement is verified in following services

Plan	Supported
Essential	🟢
Advanced	🟢

References

CAPEC™-11. Cause web server misclassification
CAPEC™-22. Exploiting trust in client
CAPEC™-28. Fuzzing
CAPEC™-34. HTTP response splitting
CAPEC™-39. Manipulating opaque client-based data tokens
CAPEC™-153. Input data manipulation
CAPEC™-690. Metadata Spoofing
CWE™-284. Improper access control
CWE™-285. Improper authorization
CWE™-290. Authentication bypass by spoofing
CWE™-602. Client-side enforcement of server-side security
CWE™-639. Authorization bypass through user-controlled key
ePrivacy Directive-4_1a. Security of processing
OWASP TOP 10-A1. Broken access control
OWASP TOP 10-A2. Cryptographic failures
OWASP-M TOP 10-M1. Improper platform usage
Agile Alliance-11. Best architectures, requirements, and designs
CERT-J-LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
MITRE ATT&CK®-M1035. Limit access to resource over network
PA-DSS-5_2_8. Improper access controls
CMMC-AC_L2-3_1_14. Remote access routing
CMMC-CM_L2-3_4_9. User-installed software
HITRUST CSF-01_o. Network routing control
WASSEC-6_2_5_3. Information disclosure - Path traversal
OSSTMM3-9_4_1. Wireless security (visibility audit) - Interception
WASC-A_12. Content spoofing
WASC-A_33. Path traversal
WASC-W_17. Improper filesystem permissions
WASC-W_02. Insufficient authorization
ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)
ISSAF-G_15. Network security - Firewalls (compromise remote users/sites)
ISSAF-P_6_15. Host security - Linux security (local attacks)
ISSAF-T_16_1. Web application assessment - Input validation (validate data)
PTES-6_2_3. Exploitation - Countermeasures (data execution prevention)
OWASP SCP-8. Data protection
CWE TOP 25-22. Improper limitation of a pathname to a restricted directory (path traversal)
NIST 800-115-3_6. File integrity checking
OWASP ASVS-1_4_1. Access control architecture
OWASP ASVS-8_1_3. General data protection
OWASP ASVS-12_3_1. File execution
SIG Lite-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
CWE™-15. External control of system or configuration setting
CWE™-22. Improper limitation of a pathname to a restricted directory ("path traversal")
CWE™-36. Absolute path traversal
CWE™-73. External control of file name or path
OWASP ASVS-5_1_4. Input validation
OWASP ASVS-5_2_1. Sanitization and sandboxing
OWASP ASVS-5_2_2. Sanitization and sandboxing
OWASP ASVS-5_2_3. Sanitization and sandboxing
OWASP ASVS-5_2_7. Sanitization and sandboxing
OWASP ASVS-5_3_6. Output encoding and injection prevention
OWASP ASVS-5_4_2. Memory, string, and unmanaged code
OWASP ASVS-14_5_1. HTTP request header validation
OWASP API Security Top 10-API4. Lack of Resources & Rate Limiting
OWASP API Security Top 10-API5. Broken Function Level Authorization
CASA-1_4_1. Access Control Architecture
CASA-5_1_4. Input Validation
CASA-5_2_3. Sanitization and Sandboxing
CASA-5_2_7. Sanitization and Sandboxing
CASA-5_3_6. Output Encoding and Injection Prevention
CASA-8_1_3. General Data Protection
CASA-13_1_4. Generic Web Service Security
SANS 25-8. Improper limitation of a pathname to a restricted directory (path traversal)

Vulnerabilities

032. Spoofing
039. Improper authorization control for web services
063. Lack of data validation - Path Traversal
064. Traceability loss - Server's clock
075. Unauthorized access to files - APK Content Provider
089. Lack of data validation - Trust boundary violation
093. Hidden fields manipulation
098. External control of file name or path
103. Insufficient data authenticity validation - APK signing
127. Lack of data validation - Type confusion
184. Lack of data validation
185. Lack of data validation - Header x-amzn-RequestId
186. Lack of data validation - Web Service
187. Lack of data validation - Source Code
188. Lack of data validation - Modify DOM Elements
189. Lack of data validation - Content Spoofing
190. Lack of data validation - Session Cookie
191. Lack of data validation - Responses
192. Lack of data validation - Reflected Parameters
193. Lack of data validation - Host Header Injection
194. Lack of data validation - Input Length
195. Lack of data validation - Headers
196. Lack of data validation - Dates
197. Lack of data validation - Numbers
198. Lack of data validation - Out of range
199. Lack of data validation - Emails
200. Traceability loss
201. Unauthorized access to files
202. Unauthorized access to files - Debug APK
203. Unauthorized access to files - Cloud Storage Services
204. Insufficient data authenticity validation
274. Restricted fields manipulation
321. Lack of data validation - HTML code
327. Insufficient data authenticity validation - Images
340. Lack of data validation - Special Characters
341. Lack of data validation - OTP
344. Lack of data validation - Non Sanitized Variables
353. Lack of data validation - Token
355. Insufficient data authenticity validation - Checksum verification
377. Insufficient data authenticity validation - Device Binding
382. Insufficient data authenticity validation - Front bypass
389. Insufficient data authenticity validation - JAR signing

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

Summary​

Description​

Supported In​

References​

Vulnerabilities​

Summary

Description

Supported In

References

Vulnerabilities