Skip to main content

Insufficient data authenticity validation - Front bypass


The credentials policy present in the system warns that these cannot be consecutive and/or repeated numbers, however this validation is only done in the front end of the application, so it is possible to modify the password from the same request and assign a key that goes against the policies.


Bypass security policies assigned for user keys.


The key creation policy must be validated on both the front and back ends of the application.


Attacker without credentials from the Internet.

Expected Remediation Time

⌚ 60 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application validates user credentials on the back end

public static boolean isValidPassword(String password,String regex){
Pattern pattern = Pattern.compile(regex);
Matcher matcher = pattern.matcher(password);
return matcher.matches();

Non compliant code

The application does not validate credentials on the back end

public void createUser(user) throws Exception {
VOUserDetails u = createUniqueUser();
is.createUser(u, Arrays.asList(UserRoleType.USER), null);


free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.