Update

jeongsoolee09 · jeongsoolee09 · commit 0a062cf4cac2 · 2024-08-12T15:19:18.000-07:00
diff --git a/javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged/DefaultUserIsPrivileged.md b/javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged/DefaultUserIsPrivileged.md
@@ -8,7 +8,7 @@ The user whose request cannot be verified as authenticated is represented as `cd
 
 It may be tempting to overwrite the `cds.User.default` as `cds.User.Privileged`, for ease of development. However, this may slip through production undeleted since the assignment to `cds.User.default` can be hard to detect because it may take various forms; e.g. the programmer may choose to store `cds.User` to a variable `v` and access `cds.User.default` by `v.default`.
 
-A safer and more elegant solution is to set up a development profile and opt in to use a non-production strategy such as basic, dummy, or mocked during its use. This can be done in `package.json` of the CAP application at its project root:
+A safer and more elegant solution is to set up a development profile and opt in to use a non-production strategy such as `"basic"`, `"dummy"`, or `"mocked"` during its use. This can be done in `package.json` of the CAP application at its project root:
 
 ``` json
 {
@@ -45,6 +45,6 @@ cds.serve("all").in(app);
 ## References
 
 - SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).
+- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).
 - SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).
-- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).
-- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
+- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).
diff --git a/javascript/frameworks/cap/src/bad-authn-authz/NonProductionStrategyUsed/NonProductionStrategyUsed.md b/javascript/frameworks/cap/src/bad-authn-authz/NonProductionStrategyUsed/NonProductionStrategyUsed.md
@@ -0,0 +1,63 @@
+# Non-Production Authentication Strategy Used without Profiles
+
+Using a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.
+
+## Recommendation
+
+### Isolate the use of development-level strategies to a development profile
+
+Use separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `"dummy"` authentication strategy must be used while `"xsuaa"`, a production-grade strategy, should be used when deployed:
+
+``` json
+{
+  "requires": {
+    "[dev]": {
+      "auth": "dummy"
+    },
+    "[deploy]": {
+      "auth": "xsuaa"
+    }
+  }
+}
+```
+
+The application can be now run in different modes depending on the `--profile` command line option:
+
+``` shell
+$ cds serve --profile dev    # Runs the application in development profile with strategy "dummy"
+$ cds serve --profile deploy # Runs the application in development profile with strategy "xsuaa"
+```
+
+## Example
+
+The following CAP application states that it uses `"basic"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.
+
+``` json
+{
+  "cds": {
+    "requires": {
+      "auth": {
+        "kind": "basic",
+        "users": {
+          "JohnDoe": {
+            "password": "JohnDoesPassword",
+            "roles": ["JohnDoesRole"],
+            "attr": {}
+          },
+          "JaneDoe": {
+            "password": "JaneDoesPassword",
+            "roles": ["JaneDoesRole"],
+            "attr": {}
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+## References
+
+- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).
+- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).
+- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).
