Broken Authentication in APIs and Web Apps: Risks and Mitigations

Golan Yosef
April 7, 2024
min to read

What Is Broken Authentication?

Broken authentication occurs when a web application or API fails to properly implement authentication controls, allowing attackers to assume other users' identities. This flaw can result in unauthorized access to sensitive information or privileged accounts, significantly compromising the security of an application. It exploits weaknesses in the authentication process to bypass credential verification, enabling unauthorized access.

Broken authentication poses significant threats to web applications and APIs, impacting the security of systems and the privacy of users.

The impact of broken authentication vulnerabilities can include:

  • Compromised user data: Attackers can exploit broken authentication vulnerabilities to access personal information, financial details, and other confidential data stored within the application. This can lead to identity theft, financial loss, and reputational damage.
  • System compromise: Attackers gaining unauthorized access can escalate privileges within the system, allowing them to modify, delete, or steal data at will. This can disrupt services, manipulate business logic, and introduce malicious code.
  • Financial costs: The aftermath of an incident involving broken authentication often involves significant financial costs. These costs can include the expenses associated with security audits and fixes, legal fees, and compensations to affected users 
  • Regulatory penalties: Many jurisdictions have strict regulations protecting user data, such as the General Data Protection Regulation (GDPR) in Europe. Violations resulting from broken authentication can lead to fines and legal sanctions.

Broken authentication was identified by the Open Web Application Security Project (OWASP) as the second most severe risk, in both the 2017 Web Application Top 10 Risks and the 2023 API Security Top 10 Risks.

What Scenarios Can Cause Broken Authentication?

There are several situations that can result in broken authentication.

Poor Credential Management

Weak passwords can be easily guessed or cracked, while insecure storage can lead to credential exposure through database breaches. Inadequate credential protection mechanisms, like lacking password complexity requirements or not encrypting passwords at rest and in transit, exacerbate the risk. This makes it easier for attackers to intercept or retrieve credentials.

Poor Session Management

Sessions without proper expiration or insecure handling of session tokens allow attackers to hijack active sessions. This can result in unauthorized access to a user's account without needing their login credentials. Failing to securely generate and validate session tokens can lead to session fixation and replay attacks. Attackers exploit these weaknesses to assume a user's identity, bypassing authentication processes.

Lack of Adequate Encryption

Without strong encryption, sensitive information such as passwords and session tokens can be intercepted or accessed by unauthorized parties. The use of outdated or weak encryption algorithms, failing to implement encryption across all data transfers, and not securing data at rest are common pitfalls. 

Inadequate Authentication Protocols

Relying on single-factor authentication, such as only a password, makes systems vulnerable to unauthorized access if those credentials are compromised. Many systems lack multi-factor authentication (MFA), which requires additional verification steps. Implementing outdated or insecure authentication methods, such as basic HTTP authentication without secure sockets layer (SSL) or transport layer security (TLS), can expose credentials to interception.

Examples of Broken Authentication Attacks in APIs

Here are some examples of API attacks that may result from broken authentication. These examples were adapted from the official OWASP cheat sheet.

Account Takeover via Unauthorized Email Updates

Consider an API that allows users to update their email addresses without adequate authentication checks. If an API endpoint for updating user email addresses does not require users to verify their identity (e.g., by entering the current password), it becomes vulnerable to unauthorized account takeovers.

An attacker, having obtained a user's authentication token through other means, could issue a request to update the email address associated with the user's account. Without the need for the current password as an additional layer of verification, the attacker can change the victim's email address. This enables the attacker to initiate a password reset process, gaining control over the account.

Bypassing Password Rate Limit with GraphQL Query Batching

Attackers often exploit GraphQL, an API query language, to bypass security measures like rate limiting. Rate limiting is designed to prevent brute-force attacks by restricting the number of login attempts within a certain timeframe. However, GraphQL's ability to batch multiple queries into a single request can be misused to circumvent this protection.

For example, consider an API that implements rate limiting by allowing only three login attempts per minute to protect against brute-force attacks. An attacker can exploit GraphQL's query batching to send multiple login attempts in a single request. Each mutation within the batched request can attempt a different password for the same user account. By batching these attempts, the attacker can make numerous login attempts in a short period, bypassing rate limiting measures and increasing the chances of unauthorized access.

How to Prevent Broken Authentication in APIs

Here are several measures that can be taken to ensure adequate authentication in an API.

1. Implement Token-Based Authentication

Token-based authentication is a method where a user receives a token after successfully presenting their credentials. This token, often a JSON Web Token (JWT), is then used for subsequent requests, eliminating the need to send credentials repeatedly. It's crucial to securely generate, transmit, and store these tokens to prevent interception or misuse. Token expiration and rotation policies ensure that if a token is compromised, its useful life is limited.

2. Use OAuth/OpenID for Third-Party Authentication

OAuth and OpenID Connect (OIDC) are standards for secure, third-party authentication, enabling users to log in using their credentials from known providers like Google or Facebook. This approach offloads the responsibility of managing user credentials to external, trusted services, reducing the risk of broken authentication. To correctly implement these protocols, ensure that redirect URIs are validated and tokens are securely handled.

3. Apply SSL/TLS Encryption

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protect data in transit between clients and servers, including authentication tokens and credentials. This encryption helps prevent Man-in-the-Middle (MitM) attacks, where attackers intercept or tamper with authentication data. APIs should only accept connections over HTTPS and use strong, up-to-date cipher suites.

4. Implement API Rate Limiting

Rate limiting is a control that protects APIs from brute-force attacks by limiting the number of requests a user or IP can make within a specific timeframe. Implementing more sophisticated rate limiting based on behavior patterns can further improve security, making it harder for attackers to automate attacks on the authentication mechanism.

5. Collect Audit Logs

Detailed audit logs for authentication attempts provide visibility into potential security breaches and helps in identifying suspicious activities. Logs should capture successful and failed login attempts, including timestamps, source IP addresses, and user identifiers. Regular monitoring and analysis of these logs can detect patterns that indicate attacks, such as an unusually high number of failed login attempts.

Examples of Broken Authentication Attacks in Web Apps

There are several types of attacks that exploit broken authentication.

Phishing Campaigns

Phishing campaigns trick users into providing their credentials on fraudulent websites, a direct attack on authentication mechanisms. By impersonating legitimate services, attackers deceive users into unknowingly compromising their account security. This method bypasses the need to exploit technical vulnerabilities directly.

Credential Stuffing

Credential stuffing involves using breached or stolen credentials on multiple websites, exploiting users' tendency to reuse passwords. This automated attack attempts access to various accounts with the same credentials, bypassing authentication controls. High success rates result from widespread password reuse across services.

Man-in-the-Middle (MitM) Attacks

Man-in-the-Middle (MitM) attacks intercept and manipulate communication between a user and a web service to gain unauthorized access. Attackers can steal or manipulate data in transit, including authentication credentials. These attacks exploit weaknesses in communication encryption and session management.

Session Fixation

Session fixation attacks exploit the vulnerability in a web application's session management system that allows an attacker to hijack a valid user session. This type of attack occurs when a web application allows a user to authenticate with a session identifier (ID) that has been predefined or fixed by an attacker. Once the victim logs in using the attacker’s predefined session ID, the attacker gains access to the user's session and their authenticated account.

Brute Force Attacks

Brute force attacks are a method by which attackers attempt to gain unauthorized access to a system by systematically guessing the password of a user account. These attacks exploit weak password policies, such as the use of common passwords or short password lengths, making it easier for attackers to guess credentials through repeated attempts.

How to Prevent Broken Authentication in Web Applications

It’s important to know how to ensure robust authentication in a web application to prevent attacks.

1. Enforce Strong Password Policies

Policies should require complex passwords that are difficult to guess or brute-force. This includes using a mix of characters, numbers, and symbols, with regular mandatory changes and prohibiting common passwords. Educating users about the importance of password security complements technical measures, reducing the likelihood of weak passwords and enhancing the overall security posture.

2. Implement Multi-Factor Authentication (MFA)

MFA enhances security by requiring additional verification beyond just a password. This could be a text message, email verification link, or biometric verification. MFA adds an extra layer of defense, making unauthorized access more challenging. Even if credentials are compromised, MFA prevents attackers from gaining access, as they need the secondary authentication factor.

3. Implement Account Lockout Mechanisms

Account lockout mechanisms prevent brute-force attacks by temporarily disabling access after a certain number of failed login attempts. This measure protects against attackers trying multiple password combinations. Implementing progressive delays in response to failed attempts further enhances security.

4. Use Secure Session Management

Secure session management involves creating and managing session tokens in a secure manner. This includes generating unique session identifiers, implementing secure token storage, and requiring tokens to be refreshed or expire. Securely managing sessions prevents session hijacking and replay attacks. 

5. Perform Regular Security Audits

Security audits identify and mitigate authentication vulnerabilities before they can be exploited. Audits should encompass password policies, session management practices, and other authentication mechanisms. Automated tools coupled with expert reviews ensure comprehensive vulnerability detection. 

Discovering Broken Authentication in APIs With Automated API Security Testing

Protecting your APIs against OWASP Top 10, Broken Authentication included through API security testing is critical in the threat climate of 2024. 'Shifting-left', and focusing your efforts on early discovery and resolution of vulnerabilities is proven to be the most effective way to handle such vulnerabilities. This proactive stance in the software development life cycle allows for:

  • Early Detection: Identifying API vulnerabilities early in the development process, reducing potential security risks.
  • Leverages functional tests to detect complex business logic scenarios, providing targeted security insights.
  • Seamless Integration: Facilitating easy integration with existing development tools and pipelines, enhancing developer productivity without compromising security.
  • Comprehensive API Discovery: Automated discovery of APIs, ensuring complete visibility from development to production, crucial for identifying shadow APIs and other hidden risks.

These aspects collectively enhance the overall security posture by addressing API vulnerabilities at their inception, rather than as an afterthought.

Want to learn more about Pynt’s secret sauce?