
API2: Broken Authentication

>Control Description

Authentication endpoints and flows are assets that need to be protected, and "forgot password / reset password" flows should be treated the same way as the primary authentication mechanism. An API is vulnerable if it permits credential stuffing with lists of valid usernames and passwords, permits brute force attacks without captcha or account lockout, permits weak passwords, sends sensitive authentication details such as auth tokens and passwords in the URL, allows changing the email address or password without requiring password confirmation, doesn't validate token authenticity, accepts unsigned or weakly signed JWTs, doesn't validate JWT expiration dates, stores passwords in plain text or with weak hashing, or uses weak encryption keys.

>Prevention & Mitigation Strategies

1. Make sure you know all the possible flows to authenticate to the API (mobile, web, one-click authentication, etc.).
2. Read about your authentication mechanisms. Make sure you understand what they are and how they are used. OAuth is not authentication, and neither are API keys.
3. Don't reinvent the wheel in authentication, token generation, or password storage. Use the standards.
4. Credential recovery/forgot password endpoints should be treated as login endpoints in terms of brute force, rate limiting, and lockout protections.
5. Require re-authentication for sensitive operations (e.g. changing the account owner email address/2FA phone number).
6. Use the OWASP Authentication Cheatsheet.
7. Where possible, implement multi-factor authentication.
8. Implement anti-brute force mechanisms to mitigate credential stuffing, dictionary attacks, and brute force attacks on your authentication endpoints. This mechanism should be stricter than the regular rate limiting mechanisms on your APIs.
9. Implement account lockout/captcha mechanisms to prevent brute force attacks against specific users. Implement weak-password checks.
10. API keys should not be used for user authentication. They should only be used for API client authentication.

>Attack Scenarios

#1 GraphQL batching brute force

To perform user authentication, the API expects a GraphQL mutation with username and password. Because the login has rate limiting of three requests per minute per IP, an attacker exploits GraphQL query batching to send many login credential combinations in a single request, bypassing the rate limiting restriction and accelerating brute force attacks.
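The per-IP limit in this scenario fails because it is charged per HTTP request rather than per login attempt. As an added example (not code from the OWASP project), the throttle below charges every login mutation found in a GraphQL batch against the IP budget and adds the per-user lockout from prevention item 9; the page's "three per minute" is kept, and every other limit, the IP addresses and the usernames are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# The page gives 3 attempts/minute/IP; the lockout values are assumptions.
IP_LIMIT, IP_WINDOW = 3, 60.0
USER_LOCKOUT_AFTER, USER_LOCKOUT_FOR = 5, 900.0


class LoginThrottle:
    """Counts login *attempts*, not HTTP requests: a batched request carrying
    N login mutations consumes N units of the per-IP budget."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.ip_attempts = defaultdict(deque)  # ip -> attempt timestamps in window
        self.user_failures = defaultdict(int)  # username -> consecutive failures
        self.locked_until = {}                 # username -> unlock timestamp

    @staticmethod
    def login_ops(body):
        """A GraphQL body is one operation or, with query batching, a JSON
        array of operations; return every login mutation it contains."""
        ops = body if isinstance(body, list) else [body]
        return [op for op in ops if op.get("operationName") == "login"]

    def _ip_budget_left(self, ip):
        q, now = self.ip_attempts[ip], self.clock()
        while q and now - q[0] > IP_WINDOW:  # forget attempts outside the window
            q.popleft()
        return IP_LIMIT - len(q)

    def admit(self, ip, body):
        """Decide per login mutation; returns (username, decision) pairs with
        decision in {'allowed', 'ip_rate_limited', 'account_locked'}."""
        now, decisions = self.clock(), []
        for op in self.login_ops(body):
            user = op.get("variables", {}).get("username", "")
            if self.locked_until.get(user, 0) > now:
                decisions.append((user, "account_locked"))
            elif self._ip_budget_left(ip) <= 0:
                decisions.append((user, "ip_rate_limited"))
            else:
                self.ip_attempts[ip].append(now)
                decisions.append((user, "allowed"))
        return decisions

    def record_result(self, username, success):
        """Called after the credential check; drives the per-user lockout."""
        if success:
            self.user_failures.pop(username, None)
            return
        self.user_failures[username] += 1
        if self.user_failures[username] >= USER_LOCKOUT_AFTER:
            self.locked_until[username] = self.clock() + USER_LOCKOUT_FOR


def demo_batched_request():
    """Constructed input: one request batching ten login mutations for 'alice'."""
    throttle = LoginThrottle(clock=lambda: 1000.0)
    batch = [{"operationName": "login",
              "variables": {"username": "alice", "password": f"pw-{i}"}}
             for i in range(10)]
    decisions = throttle.admit("203.0.113.7", batch)
    allowed = sum(1 for _, d in decisions if d == "allowed")
    return allowed, len(decisions)  # only 3 of the 10 attempts get through
```

Aliased fields inside a single operation (`a: login(...) b: login(...)`) are a second batching form; the same rule applies, counting each login field rather than each request.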

#2 Account takeover via unprotected email change

An attacker starts the password reset workflow by issuing a POST request to /api/reset-password. The API does not require the current password or an auth token. By changing the email address tied to the user account using a separate endpoint that doesn't validate ownership, the attacker gains full control of the account by resetting the password via the newly assigned email.

>Related CWEs

>References
