Cache is accessed without prior authentication

Severity: High
Applies to: Step
Links: CWE-306

Why This Issue Is Important

Accessing a cache without prior authentication can lead to unauthorized access and potential exposure of sensitive data stored in the cache. If a malicious user can access the cache directly, they might retrieve or modify information that should only be available to authenticated users. This violates the principle of least privilege and can compromise the security and confidentiality of your API proxy.

How This Issue Is Detected

This issue is detected by analyzing the sequence of policies applied in the API flow. The tool checks if any of the standard authentication policies such as VerifyJWT, VerifyAPIKey, or OAuthV2 are applied before accessing the cache. If no such policies are found in the steps preceding the cache access, an issue is raised, indicating that the cache is being accessed without authentication.
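The ordering check described above can be sketched as follows. This is an added example, not the tool's own code. The function name, the `policy_types` mapping, the set of cache policy types, the choice to ignore conditional authentication steps, and the sample flows are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Policy types the page names as standard authentication policies.
AUTH_TYPES = {"VerifyJWT", "VerifyAPIKey", "OAuthV2"}
# Assumption: the policy types this sketch treats as "cache access".
CACHE_TYPES = {"LookupCache", "PopulateCache", "InvalidateCache", "ResponseCache"}

def unauthenticated_cache_steps(flow_xml, policy_types=None):
    """Return the names of cache steps reached before any authentication step.

    policy_types (hypothetical helper input) maps a step's policy name to its
    policy type; a name missing from the map is taken to be the type itself,
    as in the page's sample where the step is simply called VerifyJWT.
    """
    policy_types = policy_types or {}
    findings = []
    authenticated = False
    for step in ET.fromstring(flow_xml).iter("Step"):  # document order
        name = (step.findtext("Name") or "").strip()
        ptype = policy_types.get(name, name)
        # Assumption: a step with a <Condition> may be skipped at runtime,
        # so it is not counted as guaranteed authentication.
        conditional = step.find("Condition") is not None
        if ptype in AUTH_TYPES and not conditional:
            authenticated = True
        elif ptype in CACHE_TYPES and not authenticated:
            findings.append(name)
    return findings

# Constructed sample: the cache is read before the token is verified.
FLAGGED = """<Request>
  <Step><Name>DecodeJWT</Name></Step>
  <Step><Name>LookupCache</Name></Step>
  <Step><Name>VerifyJWT</Name></Step>
</Request>"""

# Constructed sample: the page's fixed ordering, wrapped in a root element.
FIXED = """<Request>
  <Step><Name>DecodeJWT</Name></Step>
  <Step><Name>VerifyJWT</Name></Step>
  <Step><Name>LookupCache</Name></Step>
</Request>"""

if __name__ == "__main__":
    print("flagged:", unauthenticated_cache_steps(FLAGGED))
    print("fixed:  ", unauthenticated_cache_steps(FIXED))
```

DecodeJWT alone does not clear the finding in the first sample, because it is not one of the authentication policies the check looks for.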

How to Fix the Issue

Ensure that an authentication policy, such as VerifyJWT, VerifyAPIKey, or OAuthV2, is applied before the cache is accessed. This will verify the identity of the user or system attempting to access the cache, ensuring that only authenticated requests can read or modify cached data. You can fix this by adding the relevant authentication policy as a step before the cache access step in the API flow.

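<!-- Decodes the token only; not one of the authentication policies listed above -->
<Step>
    <Name>DecodeJWT</Name>
</Step>
<!-- Authentication step: must run before any cache access -->
<Step>
    <Name>VerifyJWT</Name>
</Step>
<!-- Cache access now happens only after the request is authenticated -->
<Step>
    <Name>LookupCache</Name>
</Step>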