Improper Authentication

Property
Language: hcl
Severity: low
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The App Service is not configured with a managed identity in its Terraform resource definition. Without one, the app may have to rely on hardcoded credentials (connection strings, keys, or secrets) to access other Azure services, which is insecure.

Impact

If a managed identity is not set, the app may store or transmit sensitive credentials, increasing the risk of credential leakage or misuse. Attackers could exploit these exposed secrets to gain unauthorized access to resources or escalate privileges within your Azure environment.

Improper Authentication

Property
Language: hcl
Severity: low
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure Function App is deployed without authentication enabled in its ‘auth_settings’ configuration. This means callers can reach the app without verifying their identity, leaving its endpoints unprotected.

Impact

Without authentication, anyone can invoke the function app’s endpoints, potentially exposing sensitive operations or data to unauthorized users. Attackers could exploit this to gain access, manipulate data, or abuse backend services, leading to data breaches or service misuse.

Improper Authentication

Property
Language: kotlin
Severity: medium
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The code allows anonymous binding to an LDAP server, meaning users can connect without providing any authentication. This makes it possible for anyone to query or interact with your LDAP directory without verifying their identity.

Impact

If exploited, attackers could gain unauthorized access to sensitive directory information, potentially exposing user accounts, organizational structure, or other confidential data. This can lead to data leaks, privilege escalation, or make it easier for attackers to move laterally within your systems.

Improper Authentication

Property
Language: java
Severity: medium
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code allows connections to the LDAP directory without requiring any user authentication, meaning anyone can access the directory anonymously. This makes it easy for unauthorized users to interact with your LDAP server.

Impact

If exploited, attackers could query, modify, or access sensitive directory data without credentials, potentially exposing confidential information or enabling further attacks. This severely weakens your application’s security and could lead to data breaches or unauthorized changes.

Improper Authentication

Property
Language: javascript
Severity: high
CWE: CWE-287: Improper Authentication
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

The code decodes a JWT without verifying its signature, so it accepts any token as valid regardless of who created it. This allows untrusted or tampered tokens to be used in your application.

Impact

If exploited, an attacker could forge JWT tokens with arbitrary claims to impersonate users, escalate privileges, or access protected resources. This can lead to unauthorized access, data breaches, and loss of application integrity.

Improper Authentication

Property
Language: javascript
Severity: high
CWE: CWE-287: Improper Authentication
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The Intercom Messenger is being initialized with user identifiers (like email or user_id) but without a user_hash for identity verification. This leaves user sessions unprotected and allows anyone to impersonate another user by guessing or providing their identifier.

Impact

Without a user_hash, attackers can easily access other users’ Intercom conversations and sensitive information by supplying someone else’s email or user_id. This can lead to unauthorized access, privacy breaches, and compromise of user data within your application.

Improper Authentication

Property
Language: php
Severity: low
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code is binding to an LDAP server without providing a password, allowing anonymous access. This means anyone can connect to your LDAP server without authentication.

Impact

If exploited, attackers could access or query sensitive directory information without valid credentials. This can lead to data exposure, unauthorized access to user details, or facilitate further attacks against your application or infrastructure.

Improper Authentication

Property
Language: python
Severity: medium
CWE: CWE-287: Improper Authentication
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code decodes JWTs with signature verification disabled (‘verify=False’), so it never checks whether a token has been tampered with. This allows the application to accept tokens that may have been altered by an attacker.

Impact

If exploited, attackers could forge or modify JWT tokens to impersonate users, escalate privileges, or bypass authentication and authorization controls. This can lead to unauthorized access to sensitive data or functionality within the application.

Improper Authorization

Property
Language: php
Severity: low
CWE: CWE-285: Improper Authorization
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

These hooks allow the developer to handle custom AJAX endpoints. The “wp_ajax_$action” hook fires for any authenticated user, and the “wp_ajax_nopriv_$action” hook fires for non-authenticated users. Neither hook performs an authorization check on its own: a handler registered on “wp_ajax_$action” runs for every logged-in user regardless of role, so the handler itself must verify the caller’s capabilities.

Improper Authorization

Property
Language: php
Severity: low
CWE: CWE-285: Improper Authorization
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

These are some of the patterns used for authorization. Review each match carefully to confirm that the authorization check is actually correct and complete.