Skip to content
Fast-turnaround security assessments available — 10+ years development & security experienceGet started
Tag

Posts tagged ‘access-control

6 cases tagged with ‘access-control

API SecurityCVSS 7.5high
9 min read

Nine Hosts, One Wildcard, Zero Access Control

During an external attack surface assessment against a media infrastructure company, systematic enumeration of API subdomains revealed a consistent CORS misconfiguration across nine separate hosts. Every host returned Access-Control-Allow-Origin: * alongside authenticated API responses. Any external page could read responses from any of these nine endpoints — authentication tokens, broadcast configuration data, and internal account details included.

Read case
Access ControlCVSS 9.1critical
9 min read

Enterprise GitLab With the Front Door Wide Open

An enterprise GitLab installation used by a global media technology company to host proprietary infrastructure code, deployment configurations, and CI/CD pipelines was configured with open user registration enabled. Any external party could create an account, browse internal repositories, clone source code, and read environment files containing credentials for production systems — no invitation required.

Read case
API SecurityCVSS 8.1high
8 min read

Chaining a Subdomain XSS Into API Token Theft

A cross-site scripting vulnerability on a help-center subdomain of a cryptocurrency exchange seemed low-risk in isolation. The exchange's main trading API disagreed: its CORS configuration trusted that subdomain as an allowed origin, turning reflected XSS into a mechanism for making credentialed requests to every authenticated trading endpoint.

Read case
Info DisclosureCVSS 6.5high
8 min read

The Staging Server No One Password-Protected

During a web application assessment of a digital asset trading platform, subdomain enumeration surfaced a staging blog environment with no authentication. Every unpublished post, internal announcement, and draft disclosure was readable by anyone with a browser and the subdomain name.

Read case
Access ControlCVSS 6.1medium
8 min read

Poisoning Analytics Through an Open Endpoint

During an assessment of a cryptocurrency exchange's infrastructure, an unauthenticated API endpoint intended to proxy third-party analytics events accepted arbitrary payloads with no validation. An attacker could inject synthetic events into the platform's analytics pipeline, manipulating conversion tracking, corrupting behavioral data, and potentially influencing automated systems that acted on those signals.

Read case
Access ControlCVSS 8.8critical
8 min read

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

Read case
Back to all cases