API2:2019 — Broken authentication

Poorly implemented API authentication allows attackers to assume other users’ identities.

Having broken authentication in front of your API can give attackers the keys to access it.

Use case

  • Unprotected APIs that are considered “internal”
  • Weak authentication that does not follow industry best practices
  • Weak API keys that are not rotated
  • Passwords that are weak, plain text, encrypted, poorly hashed, shared, or default passwords
  • Authentication susceptible to brute force attacks and credential stuffing
  • Credentials and keys included in URLs
  • Lack of access token validation (including JWT validation)
  • Unsigned or weakly signed non-expiring JWTs

How to prevent

  • Check all possible ways to authenticate to all APIs.
  • APIs for password reset and one-time links also allow users to authenticate, and should be protected just as rigorously.
  • Use standard authentication, token generation, password storage, and multi-factor authentication (MFA).
  • Use short-lived access tokens.
  • Authenticate your apps (so you know who is talking to you).
  • Use stricter rate-limiting for authentication, and implement lockout policies and weak password checks.