Configuring broken access control testing using REST APIs

Broken access control occurs when an application doesn't properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to gain unauthorized access to sensitive data or functionality.

Before you begin

Before you configure broken access control testing, make sure you meet the following requirements:
  • An existing DASTConfig job that's not in a "Running" or "Completed" state.
  • Baseline traffic files for the roles you want to test. Supported file formats: .har, .seqe, .exd, and .dast.config (covering both FIPS and non-FIPS encrypted files generated by Activity Recorder and Traffic Recorder).
  • A target URL that exactly matches the baseline traffic file URL.
  • A file size that doesn't exceed 200 MB per role.
Note: Standard .scan files aren't supported for this feature.

About this task

This testing identifies two main scenarios:
  • Vertical access control: A lower-privileged user accesses functions or data reserved for a higher-privileged user (for example, a standard user accessing an administrative dashboard).
  • Horizontal access control: A user accesses data belonging to another user with the same privilege level (for example, User A viewing User B's private account details).

To prevent false positives on public pages (pages accessible without authentication), AppScan Enterprise uses a delta mechanism. It compares the authenticated user's traffic against a non-authenticated user baseline. Pages that are reachable in the non-authenticated baseline form an exclusion list and aren't flagged as broken access control vulnerabilities.

Procedure

  1. Add a role and upload baseline traffic.
    Use the POST /jobs/{jobId}/brokenaccesscontrol/add endpoint to attach baseline traffic to your active scan job. You must use multipart/form-data for the request.
    • Job ID: Enter the jobId of the target scan job (required).
    • For an authenticated role: Specify a unique roleName (for example, Admin or StandardUser) and provide the file path. The role name must not contain the following special characters: <>"'%;)(&+
    • For a non-authenticated baseline: Set the isNonAuthenticated parameter to true. Omit the roleName parameter completely, or the request will fail. You can upload only one non-authenticated baseline file per job.
  2. Run the scan.
    After you upload the traffic files for all required roles, start the DAST scan using the POST /jobs/{jobId}/actions endpoint. AppScan Enterprise crawls the application and tests for broken access control vulnerabilities based on the provided role baselines.
  3. Optional: Update or remove a role.
    If you need to update the traffic file for a role or remove the role entirely, use the DELETE /jobs/{jobId}/brokenaccesscontrol/delete endpoint. Provide the jobId and roleName. To delete a non-authenticated baseline, provide the roleName as "Non-Authenticated-User". To update the role, repeat step 1 to add it again with the new traffic file.
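The following script is an added example, not HCL's own code or API documentation. It applies the pre-flight checks from "Before you begin" (allowed formats, 200 MB limit, forbidden role-name characters, roleName omitted for the non-authenticated baseline) and then prints the curl calls for the add and delete endpoints; the base URL, the bearer-token header, the multipart field name `file`, and passing roleName to DELETE as a query parameter are assumptions, not details from this page.

```shell
#!/usr/bin/env bash
# Added example, not HCL's code: pre-flight checks from the page's requirements
# plus the curl calls for the add/delete endpoints. Assumed (not on the page):
# base URL, bearer-token header, form field "file", DELETE's roleName as query.
set -eu
ASE_BASE="${ASE_BASE:-https://ase.example.invalid/ase/api}"   # placeholder
ASE_TOKEN="${ASE_TOKEN:-REPLACE_WITH_TOKEN}"                 # placeholder
MAX_BYTES=$((200 * 1024 * 1024))                             # 200 MB per role
FORBIDDEN='<>"'"'"'%;)(&+'                                   # from the page

# A role name must be non-empty and free of the forbidden characters.
valid_role_name() {
  [ -n "$1" ] && ! printf '%s' "$1" | grep -q "[$FORBIDDEN]"
}

# A baseline must be .har, .seqe, .exd or .dast.config and at most 200 MB;
# standard .scan files are rejected.
valid_baseline_file() {
  case "$1" in *.har|*.seqe|*.exd|*.dast.config) ;; *) return 1 ;; esac
  [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -le "$MAX_BYTES" ]
}

# Print (do not run) the curl call for POST /jobs/{jobId}/brokenaccesscontrol/add.
# An empty role selects the non-authenticated baseline: roleName is omitted
# entirely and isNonAuthenticated is set to true.
build_add_role_cmd() {
  local job_id="$1" file="$2" role="${3:-}" cmd
  valid_baseline_file "$file" || { echo "rejected baseline: $file" >&2; return 1; }
  cmd="curl -sS -X POST '$ASE_BASE/jobs/$job_id/brokenaccesscontrol/add'"
  cmd="$cmd -H 'Authorization: Bearer $ASE_TOKEN' -F 'file=@$file'"
  if [ -z "$role" ]; then
    cmd="$cmd -F 'isNonAuthenticated=true'"
  else
    valid_role_name "$role" || { echo "rejected role name: $role" >&2; return 1; }
    cmd="$cmd -F 'roleName=$role'"
  fi
  printf '%s\n' "$cmd"
}

# Print the curl call for DELETE /jobs/{jobId}/brokenaccesscontrol/delete;
# pass "Non-Authenticated-User" to remove the non-authenticated baseline.
build_delete_role_cmd() {
  valid_role_name "$2" || { echo "rejected role name: $2" >&2; return 1; }
  printf "curl -sS -X DELETE -G '%s/jobs/%s/brokenaccesscontrol/delete' -H 'Authorization: Bearer %s' --data-urlencode 'roleName=%s'\n" \
    "$ASE_BASE" "$1" "$ASE_TOKEN" "$2"
}

# Usage: ./bac_roles.sh <jobId> <baseline-file> [roleName]; review, then run the output.
if [ "$#" -ge 2 ]; then build_add_role_cmd "$@"; fi
```

Run it once per role (and once without a role name for the non-authenticated baseline) before starting the scan in step 2; the printed command can be reviewed and then executed.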