I have an application that uses a REST API to communicate with the server, and has several endpoints that return some sensitive data about customers (this is the intended behavior). However, I can query these endpoints as often as I want without any kind of throttling, enabling for example an attack on an unattended, logged-in workstation that uses the current session token and automatically queries the server for data on a huge list of potential victims, enumerating sensitive data.
Considering this behavior is normal but abusable, could it be considered as a vulnerability?
Thanks in advance!
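A defender-side illustration of the throttling the question says is missing, as an added example that is not part of the original question: a per-session sliding-window limiter, plus a detector that scans access-log lines for a session fetching an unusually large number of distinct customer ids in a short window (the enumeration pattern described above). The endpoint path `/api/customers/<id>`, the session ids, the log format and the thresholds are all assumptions constructed for this example.

```python
"""Per-session rate limiting and enumeration detection for a sensitive REST endpoint.

Added example; the log format, endpoint path, session ids and thresholds are constructed.
"""
import re
from collections import defaultdict, deque

# Constructed access-log sample (not real data): "<epoch> <session> <method> <path>".
# "sess-A" sweeps 25 distinct customer ids within five seconds; "sess-B" re-reads one record.
LOG_LINES = [f"{1700000000 + i // 5} sess-A GET /api/customers/{1000 + i}" for i in range(25)] + [
    "1700000001 sess-B GET /api/customers/1007",
    "1700000040 sess-B GET /api/customers/1007",
]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) /api/customers/(\d+)$")


def parse_line(line):
    """Return (timestamp, session, customer_id) or None for lines that are not customer reads."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(4)


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds-long window.

    The key would normally be the session token (or user id) so that a stolen or
    hijacked session cannot be used to pull the whole customer table quickly.
    """

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests, oldest first

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate_throttling(lines, limiter):
    """Replay log lines through the limiter; return rejected-request counts per session."""
    rejected = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, session, _ = rec
        if not limiter.allow(session, ts):
            rejected[session] += 1
    return dict(rejected)


def find_enumerating_sessions(lines, window_seconds=60, max_distinct=10):
    """Flag sessions that read more than max_distinct distinct customer ids in one window.

    Counting distinct ids rather than raw requests separates a sweep across many
    customers from a legitimate screen that polls the same record repeatedly.
    Assumes each session's lines appear in time order.
    """
    recent = defaultdict(deque)  # session -> (timestamp, customer_id) within the window
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, session, cid = rec
        q = recent[session]
        q.append((ts, cid))
        while ts - q[0][0] >= window_seconds:
            q.popleft()
        if len({c for _, c in q}) > max_distinct:
            flagged.add(session)
    return flagged


if __name__ == "__main__":
    print("rejected:", simulate_throttling(LOG_LINES, SlidingWindowLimiter(10, 60)))
    print("enumerating sessions:", find_enumerating_sessions(LOG_LINES))
```

With a limit of 10 reads per session per 60 seconds, the sweeping session gets its first 10 requests served and the remaining 15 refused, while the session that re-reads a single record is untouched; the detector flags only the sweeping session, which is the signal a monitoring rule would alert on while a hard limit is being rolled out.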
I distinguish two types of vulnerability:
exploitable or non-exploitable
An exploitable one, in this case, is present only if the abuse of the behavior allows a user (registered or anonymous) to perform unauthorized actions. In this situation the service vulnerability's exploitation depends on the exploitation of another vulnerability. So I would report only the user authentication vulnerability, since it covers various dependent vulnerabilities, and not each individual exploitation case that will be invalid when the principal vulnerability is closed.
On the other hand, a non-exploitable vulnerability (as FIN.S.0011 that points out outdated dependencies) highlights a risk. If we can’t prove the execution of unauthorized actions, then reporting the risk is worthwhile if the user authentication mechanism hasn’t been tested or has related risks (like weak policies). For me, reporting the risk in the presence of a robust, secure authentication mechanism isn’t worthwhile.