TF 0180 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Web App accepts incoming client certificate

| Property | Value      |
|----------|------------|
| Language | terraform  |
| Severity | low        |
| Service  | appservice |
| Provider | Azure      |

Description

The web application is configured without requiring incoming client certificates, meaning mutual TLS authentication is not enforced. This allows any client to connect without verifying their identity through a certificate.

Impact

Without client certificate validation, unauthorized clients can access the application, increasing the risk of data exposure and unauthorized actions. Attackers could exploit this to impersonate legitimate users or automate malicious access, reducing the overall security of the app.

Resolution

Require incoming client certificates on the web app so that mutual TLS is enforced and connections without a valid certificate are rejected at the platform level.
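As an added example (not code from the Symbiotic database), the flagged setting beside the corrected one for an Azure App Service web app; it assumes the azurerm provider v3+ resource names (`azurerm_linux_web_app`, `azurerm_service_plan`) and a resource group called `example`.

```hcl
# Shared plumbing for both web apps below (names are assumed for the example).
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_service_plan" "example" {
  name                = "example-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"
  sku_name            = "B1"
}

# Flagged configuration: client certificates are never requested during the
# TLS handshake, so any client that reaches the endpoint is let through and
# identity is left entirely to application-level logic (if any exists).
resource "azurerm_linux_web_app" "weak" {
  name                = "example-weak"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id     = azurerm_service_plan.example.id

  # This is also the default when the argument is omitted entirely.
  client_certificate_enabled = false

  site_config {}
}

# Corrected configuration: the platform demands a client certificate and
# rejects connections that do not present one. https_only closes the
# plaintext path that would otherwise bypass the TLS-layer check.
resource "azurerm_linux_web_app" "hardened" {
  name                = "example-hardened"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id     = azurerm_service_plan.example.id

  https_only                 = true
  client_certificate_enabled = true
  client_certificate_mode    = "Required" # not "Optional"

  site_config {}
}

# On the legacy azurerm_app_service resource the equivalent argument is
# client_cert_enabled = true.
```

App Service only checks that a certificate was presented; it forwards it to the application in the `X-ARR-ClientCert` header, so the application must still validate the chain, expiry and subject before trusting the identity it carries.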