High-risk tools in Fusionauth
23 of the 314 tools in Fusionauth are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- `forgotPasswordWithIdExecute`: Begins the forgot password sequence, which kicks off an email to the user so that they can reset their password.
- `reindexWithIdExecute`: Requests Elasticsearch to delete and rebuild the index for FusionAuth users or entities. Be very careful when running this request as it will increase the CPU and I/O load on y...
- `startIdentityProviderLoginWithIdExecute`: Begins a login request for a 3rd party login that requires user interaction such as HYPR.
- `startPasswordlessLoginWithIdExecute`: Start a passwordless login request by generating a passwordless code. This code can be sent to the User using the Send Passwordless Code API or using a mechanism outside of Fusi...
- `startTwoFactorLoginWithIdExecute`: Start a Two-Factor login request by generating a two-factor identifier. This code can then be sent to the Two Factor Send API (/api/two-factor/send) in order to send a one-time ...
- `startVerifyIdentityWithIdExecute`: Start a verification of an identity by generating a code. This code can be sent to the User using the Verify Send API Verification Code API or using a mechanism outside of Fusio...
- `startWebAuthnLoginWithIdExecute`: Start a WebAuthn authentication ceremony by generating a new challenge for the user.
- `startWebAuthnRegistrationWithIdExecute`: Start a WebAuthn registration ceremony by generating a new challenge for the user.
- `completeWebAuthnAssertionWithIdExecute`: Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge without logging the user in.
- `completeWebAuthnLoginWithIdExecute`: Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge and then log the user in.
- `createDevice_authorizeExecute`: Start the Device Authorization flow, using either a request body or form-encoded parameters.
- `createTokenExecute`: Exchange User Credentials for a Token. If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user's em...
- `exchangeRefreshTokenForJWTWithIdExecute`: Exchange a refresh token for a new JWT.
- `identityProviderLoginWithIdExecute`: Handles login via third parties including Social login, external OAuth and OpenID Connect, and other login systems.
- `issueJWTWithIdExecute`: Issue a new access token (JWT) for the requested Application after ensuring the provided JWT is valid. A valid access token is properly signed and not expired. This API may ...
- `loginWithIdExecute`: Authenticates a user to FusionAuth. This API optionally requires an API key. See `Application.loginConfiguration.requireAuthentication`.
- `passwordlessLoginWithIdExecute`: Complete a login request using a passwordless code.
- `sendEmailWithIdExecute`: Send an email using an email template Id. You can optionally provide `requestData` to access key value pairs in the email template.
- `sendPasswordlessCodeWithIdExecute`: Send a passwordless authentication code in an email to complete login.
- `sendTwoFactorCodeForLoginUsingMethodWithIdExecute`: Send a Two Factor authentication code to allow the completion of Two Factor authentication.
- `sendVerifyIdentityWithIdExecute`: Send a verification code using the appropriate transport for the identity type being verified.
- `twoFactorLoginWithIdExecute`: Complete login using a 2FA challenge.
- `vendJWTWithIdExecute`: It's a JWT vending machine! Issue a new access token (JWT) with the provided claims in the request. This JWT is not scoped to a tenant or user, it is a free form token that wi...
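The point of classifying these 23 tools is that a proxy sitting on the transport can refuse or hold a call before it ever reaches FusionAuth. The gate below is an added example written for this page, not PolicyLayer's or FusionAuth's code: it reads a JSON-RPC `tools/call` message, matches the tool name against the high-risk set listed above, and applies a hypothetical deny / require-approval policy (the policy structure, the `approved` flag and the exact message shape are assumptions, not PolicyLayer's YAML format). Any high-risk tool without an explicit policy entry, and any message the gate cannot parse, is denied, so the gate fails closed.

```python
"""Transport-layer gate for the high-risk FusionAuth tools listed above.

Added example, not PolicyLayer's or FusionAuth's code. The policy layout,
the ``approved`` flag and the JSON-RPC ``tools/call`` shape are assumptions;
the tool names are the 23 from this page.
"""
import json
from dataclasses import dataclass
from typing import Optional

# The 23 tools this page classifies as high risk (names taken from the list).
HIGH_RISK_TOOLS = frozenset({
    "forgotPasswordWithIdExecute",
    "reindexWithIdExecute",
    "startIdentityProviderLoginWithIdExecute",
    "startPasswordlessLoginWithIdExecute",
    "startTwoFactorLoginWithIdExecute",
    "startVerifyIdentityWithIdExecute",
    "startWebAuthnLoginWithIdExecute",
    "startWebAuthnRegistrationWithIdExecute",
    "completeWebAuthnAssertionWithIdExecute",
    "completeWebAuthnLoginWithIdExecute",
    "createDevice_authorizeExecute",
    "createTokenExecute",
    "exchangeRefreshTokenForJWTWithIdExecute",
    "identityProviderLoginWithIdExecute",
    "issueJWTWithIdExecute",
    "loginWithIdExecute",
    "passwordlessLoginWithIdExecute",
    "sendEmailWithIdExecute",
    "sendPasswordlessCodeWithIdExecute",
    "sendTwoFactorCodeForLoginUsingMethodWithIdExecute",
    "sendVerifyIdentityWithIdExecute",
    "twoFactorLoginWithIdExecute",
    "vendJWTWithIdExecute",
})

# Hypothetical policy (assumption, not PolicyLayer's format): tools that are
# never callable through this transport, and tools that need an out-of-band
# approval. A high-risk tool named in neither set is denied by default.
EXAMPLE_POLICY = {
    "deny": {"vendJWTWithIdExecute", "reindexWithIdExecute"},
    "require_approval": {"createTokenExecute", "loginWithIdExecute"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def tool_name(message: dict) -> Optional[str]:
    """Return params.name from a tools/call request, or None if absent."""
    params = message.get("params")
    if not isinstance(params, dict):
        return None
    name = params.get("name")
    return name if isinstance(name, str) else None


def evaluate(raw: str, policy: dict = EXAMPLE_POLICY,
             approved: bool = False) -> Decision:
    """Decide whether one raw JSON-RPC message may be forwarded to the server."""
    try:
        message = json.loads(raw)
    except json.JSONDecodeError:
        return Decision(False, "malformed JSON-RPC message")
    if not isinstance(message, dict):
        return Decision(False, "malformed JSON-RPC message")
    if message.get("method") != "tools/call":
        # tools/list, initialize, notifications: nothing to gate here.
        return Decision(True, "not a tool call")
    name = tool_name(message)
    if name is None:
        return Decision(False, "tools/call without a tool name")
    if name not in HIGH_RISK_TOOLS:
        return Decision(True, f"{name} is not classified high risk")
    if name in policy["deny"]:
        return Decision(False, f"{name} is denied by policy")
    if name in policy["require_approval"]:
        if approved:
            return Decision(True, f"{name} allowed with approval")
        return Decision(False, f"{name} requires approval")
    # Fail closed: high risk, but the policy says nothing about it.
    return Decision(False, f"{name} is high risk and has no policy entry")


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real client.
    samples = [
        '{"jsonrpc":"2.0","id":1,"method":"tools/list"}',
        '{"jsonrpc":"2.0","id":2,"method":"tools/call",'
        '"params":{"name":"vendJWTWithIdExecute","arguments":{}}}',
        '{"jsonrpc":"2.0","id":3,"method":"tools/call",'
        '"params":{"name":"createTokenExecute","arguments":{}}}',
        '{"jsonrpc":"2.0","id":4,"method":"tools/call",'
        '"params":{"name":"sendEmailWithIdExecute","arguments":{}}}',
        'not json at all',
    ]
    for raw in samples:
        d = evaluate(raw)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The default-deny branch is the part worth keeping: a new tool that later gets classified high risk is blocked the day the classification lands, rather than passing silently until someone remembers to write a policy entry for it.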
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.