Description

Unauthenticated users have access to an API that’s processing payments. Attackers can abuse this endpoint to perform unauthorized actions, carding, or commit fraudulent activities.

Rationale

This finding works by identifying an API that is tracking a payment business logic event (tags containing the payment. prefix) but lacks an authentication mechanism.

Remediation

• Implement authentication to prevent non-intended users interaction with the API