You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -27,7 +27,7 @@ Access control deficiencies are unlikely to be discovered using generic automate
|**4.2.1**| Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records. | ✓ | ✓ | ✓ | 639 |
|**4.2.2**|[MOVED TO 50.3.1]|||||
|**4.2.3**|[ADDED] Verify that multi-tenant applications use cross-tenant controls to ensure user operations will never affect tenants with which they do not have permissions to interact. | ✓ | ✓ | ✓ | 283 |
|**4.2.4**|[ADDED] Verify that access to an object is based on the originating subject's (e.g. user's) permissions, not on the permissions of any intermediary or service acting on their behalf. ||| ✓ | 441 |
|**4.2.4**|[ADDED] Verify that access to an object is based on the originating subject's (e.g. user's) permissions, not on the permissions of any intermediary or service acting on their behalf. For example, if a user calls a web service using a signed token for authentication, and the service then requests data from a different service, the second service should use the user's signed token, rather than a machine-to-machine token from the first service, to make permission decisions. ||| ✓ | 441 |
