Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.
보급률
높음
자주 악용됨
영향
높음
6개의 높은 심각도 규칙
예방
문서화됨
6개의 수정 예시
2 예방
2 예방
이 취약점을 수정하는 방법
Python
모두 보기 Python 자세히 →
Django View Missing Authentication
HIGH
Add @login_required or @permission_required decorator to all protected views
- from django.http import JsonResponse - from .models import Document - - def delete_document(request, doc_id): - doc = Document.objects.get(id=doc_id) + from django.contrib.auth.decorators import login_required + from django.http import JsonResponse + from .models import Document + + @login_required + def delete_document(request, doc_id): + doc = Document.objects.get(id=doc_id, owner=request.user) doc.delete() return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication
HIGH
Add authentication using FastAPI Depends() dependency injection
- from fastapi import FastAPI - - app = FastAPI() - - @app.delete("/users/{user_id}") - async def delete_user(user_id: int): + from fastapi import FastAPI, Depends + from myapp.auth import get_current_user + + app = FastAPI() + + @app.delete("/users/{user_id}") + async def delete_user( + user_id: int, + current_user: User = Depends(get_current_user) + ): await User.filter(id=user_id).delete() return {"deleted": user_id}
Echo Missing JWT Middleware
HIGH
Add Echo JWT middleware to protect API endpoints
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() - e.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/labstack/echo/v4" + echojwt "github.com/labstack/echo-jwt/v4" + ) + + func main() { + e := echo.New() + api := e.Group("/api") + api.Use(echojwt.WithConfig(echojwt.Config{ + SigningKey: []byte(os.Getenv("JWT_SECRET")), + })) + api.POST("/transfer", transferHandler) e.Start(":8080") }
Fiber Missing JWT Middleware
HIGH
Add Fiber JWT middleware to protect API endpoints
package main - import "github.com/gofiber/fiber/v2" - - func main() { - app := fiber.New() - app.Post("/api/transfer", transferHandler) + import ( + "os" + "github.com/gofiber/fiber/v2" + jwtware "github.com/gofiber/contrib/jwt" + ) + + func main() { + app := fiber.New() + api := app.Group("/api") + api.Use(jwtware.New(jwtware.Config{ + SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, + })) + api.Post("/transfer", transferHandler) app.Listen(":3000") }
Gin Missing JWT Middleware
HIGH
Add JWT authentication middleware to protect API endpoints
package main - import "github.com/gin-gonic/gin" - - func main() { - r := gin.Default() - r.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/gin-gonic/gin" + jwt "github.com/appleboy/gin-jwt/v2" + ) + + func main() { + r := gin.Default() + auth, _ := jwt.New(&jwt.GinJWTMiddleware{ + Realm: "api", + Key: []byte(os.Getenv("JWT_SECRET")), + }) + api := r.Group("/api") + api.Use(auth.MiddlewareFunc()) + api.POST("/transfer", transferHandler) r.Run(":8080") }
JavaScript
모두 보기 JavaScript 자세히 →
NestJS Endpoint Missing Authentication Guard
HIGH
Add @UseGuards decorator with authentication guard at controller or method level
- import { Controller, Get, Post, Body, Param } from '@nestjs/common'; - - @Controller('users') + import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common'; + import { JwtAuthGuard } from '../auth/jwt-auth.guard'; + + @Controller('users') + @UseGuards(JwtAuthGuard) export class UsersController { @Get(':id') findOne(@Param('id') id: string) { return this.usersService.findOne(id); } @Post() create(@Body() dto: CreateUserDto) { return this.usersService.create(dto); } }
3 탐지
3 탐지
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Missing Authentication for Critical Function 패턴을 스캔하세요. 6 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=306 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (6)
🐹
Go
3 rules
🐍
Python
2 rules
Django View Missing Authentication
HIGH
Detects Django views that should require authentication but lack
@login_required, @permission_required, or other authentication decorators.
FastAPI Endpoint Missing Authentication
HIGH
Detects FastAPI endpoints that perform sensitive operations without
authentication via Depends() dependency injection.
4 경고 신호
4 경고 신호
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Missing Authentication for Critical Function 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
View handles sensitive operations without authentication decorator
django-missing-authentication
Django views that should require authentication but lack
@login_required, @permission_required, or o
django-missing-authentication
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth
fastapi-missing-authentication
FastAPI endpoints that perform sensitive operations without
authentication via Depends() dependency
fastapi-missing-authentication
Gin application missing JWT authentication middleware
go-gin-missing-jwt
NestJS endpoint has no @UseGuards() decorator for authentication
nestjs-missing-auth-guard
코드베이스를 스캔하세요: Missing Authentication for Critical Function
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.