Using the backend API request for login, you can bypass the access page. Add the backend API to the access list and you can’t get past access, as there is no access page presented in the response to the BE API request.
What steps have you taken to resolve the issue?
No solution found including speaking to our pen test team.
What are the steps to reproduce the issue?
Make a postman request to our backend login API. Submit login details etc and can access the admin portal without needing to go through the front end access.
Tried adding the backend API to the access settings and then we cannot access the admin portal at all as the backend API is never authenticated via the access OTP.
Further details: The Access page blocks access to our API on the Front End but can be bypassed by simply using the backend API. If we add the backend API to the access list of URLs to protect, then we can’t log in as no access page is presented to a backend API request. This meant we failed on this point in our pen test. Do you know how we resolve this so the backend API is also covered?
For example:
FE API for login: https://admin.domain.co.uk > access page shows > enter email and then enter OTP = Perfect
But if you use the BE API e.g. https://adminapi.domain.co.uk > you can post the login credentials and login to our admin portal.
If we then add this BE API to the access list, we get the error that we can’t access that API due to access control but you don’t get a login page on the response request to be able to submit the email and then an OTP so the access page can be bypassed for backend requests.
How do we prevent the backend API being accessed until the front end API is authorised?
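One defensive check on the backend side, added here as an example (not from the original post, from Cloudflare, or from the asker's code base): Cloudflare Access adds a signed JWT in the Cf-Access-Jwt-Assertion header to every request it proxies, and Cloudflare's guidance is that the origin validates that token, so an admin API that requires a valid one accepts the front-end flow that passed the OTP page and refuses a call made straight to the backend hostname. It assumes the backend is reachable only via Cloudflare and has the Access signing key available; the team name, AUD tag, key pair and claims are constructed stand-ins.

```ruby
require "openssl"
require "json"

# Backend-side gate for an API behind Cloudflare Access. Access attaches a signed JWT in the
# Cf-Access-Jwt-Assertion header to every request that passed its login page; a call made
# straight to the backend hostname carries none, so the backend can refuse it.
module AccessGate
  HEADER = "Cf-Access-Jwt-Assertion"
  class Denied < StandardError; end

  # JWT uses unpadded base64url; pack/unpack "m0" is strict base64, so translate and re-pad.
  def self.b64url_decode(str)
    padded = str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)
    padded.unpack1("m0")
  end

  # Verify the RS256 signature with the Access signing key (in production fetched and cached from
  # https://<team>.cloudflareaccess.com/cdn-cgi/access/certs), then the aud/iss/exp claims.
  # The alg in the token header is ignored: only RS256 with the configured key is accepted.
  def self.verify(token, pub_key, aud:, iss:, now: Time.now)
    parts = token.to_s.split(".")
    raise Denied, "malformed token" unless parts.length == 3
    head, payload, sig = parts
    begin
      valid = pub_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{payload}")
      claims = JSON.parse(b64url_decode(payload))
    rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
      raise Denied, "undecodable token"
    end
    raise Denied, "signature not made by the Access signing key" unless valid
    raise Denied, "aud mismatch" unless Array(claims["aud"]).include?(aud)
    raise Denied, "issuer mismatch" unless claims["iss"] == iss
    raise Denied, "token expired" unless claims["exp"].is_a?(Integer) && now.to_i < claims["exp"]
    claims
  end

  # Run before every admin API route (headers: hash keyed by header name); returns claims or raises.
  def self.authorize(headers, pub_key, aud:, iss:)
    token = headers[HEADER]
    raise Denied, "no Access token: request bypassed the Access login page" if token.to_s.empty?
    verify(token, pub_key, aud: aud, iss: iss)
  end
end

# Constructed stand-in for Access's own issuer so the example runs offline; not part of the backend.
def mint_access_token(priv_key, claims)
  enc = ->(str) { [str].pack("m0").tr("+/", "-_").delete("=") }
  signing_input = "#{enc.call(JSON.generate({ "alg" => "RS256", "typ" => "JWT" }))}.#{enc.call(JSON.generate(claims))}"
  "#{signing_input}.#{enc.call(priv_key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end
```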