
OWASP Top 10 API security risks: Broken authentication
Number two on the draft list of the Open Worldwide Application Security Project® (OWASP) Top 10 API Security Risks is broken authentication.
Broken authentication allows attackers to bypass authentication methods by exploiting vulnerabilities in authentication or session management tools.
Attack vectors
Since authentication methods are available to anyone connecting with a server, it is an easy target for attackers. Weak or easily guessed passwords and brute force attacks can provide entry, as can session fixation attacks, poor session tokens/cookies, or a failure to invalidate sessions after users log out.
As OWASP points out, authentication in APIs is complex. Software engineers often make mistakes in implementing authentication tools and boundaries.
OWASP assigned an exploitability score of three to broken authentication, meaning it is somewhat exploitable by hackers.
Security weaknesses
There are two key issues when it comes to broken authentication in API security. First, authentication endpoints are often left with no more protection than ordinary endpoints; they must be treated differently, with additional layers of protection. Secondly, it’s common for the wrong mechanism to be used given the various attack vectors. For example, authentication mechanisms designed for web applications may not be suitable for internet-of-things (IoT) clients.
OWASP scores broken authentication as a two on their scale of prevalence and detectability, denoting that the vulnerability is commonplace and can be detected with a moderate effort.
Business impacts
While it may not be the most severe vulnerability from a technical standpoint, unauthorized users gaining access can create significant risks for businesses.
Breaches can cause serious harm, including:
- Unauthorized access to sensitive data
- Account takeovers
- Data manipulation
- Identity theft
Once an attacker has access to a user account, they can also exploit other potential vulnerabilities, such as privilege escalation, or move laterally within a network. Such attacks can also create problems in maintaining regulatory compliance for protecting data, such as GDPR, CCPA, HIPAA, or PCI-DSS.
How broken authentication attacks work
Attackers probe systems for vulnerabilities and launch a variety of tactics to gain access. One of the most common methods is brute force: using computer-generated passwords to guess user credentials at scale. Despite years of warnings, many users still use weak passwords, and some systems still store passwords unhashed.
Other attacks include:
- Session hijacking: Attackers intercept user session tokens/cookies.
- Session fixation: Attackers set a user’s session token or cookie to a known value and then force the user to log in using that token or cookie, allowing attackers to hijack the session.
- Password spraying: Attackers “spray” common passwords across many user accounts to find any account that accepts one of them.
- Credential stuffing: Attackers use stolen passwords from one application to gain unauthorized access to systems where users have reused credentials.
- URL tampering: Attackers manipulate URLs to bypass authentication, exploiting common formatting in URLs.
Real-world examples
Such broken authentication attacks were used in a series of high-profile incidents, such as one aimed at the Marriott hotel chain. The stolen login credentials of two employees were used to access the information of more than 5.2 million guests.
Similar attacks in 2023 have been carried out against Yum Brands (Taco Bell, KFC), Chick-fil-A, Norton LifeLock, T-Mobile, and Mailchimp.
Detecting broken authentication vulnerabilities
Detecting broken authentication vulnerabilities requires a comprehensive security audit of authentication mechanisms, including user authentication, password management, session management, and access control.
Automated vulnerability scanners can help identify common API security threats. Manual testing can also be deployed to identify broken authentication vulnerabilities.
Preventing broken authentication vulnerabilities
Software engineers and security teams can help prevent broken authentication vulnerabilities by deploying several simple strategies. While each step alone will not prevent API pathway attacks, a layered approach helps mitigate risks.
Employ multifactor authentication
One-time passwords (OTP) emailed or texted to users, multifactor authentication (MFA) passcodes, and other additional validation measures can help prevent brute force attacks and credential stuffing.
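One common form of MFA passcode is the time-based one-time password (TOTP, RFC 6238) produced by an authenticator app. The following is an added example, not code from the original article, showing how a server verifies such a passcode as a second factor: it tolerates one time step of clock skew in either direction and refuses to accept the same code twice, so a passcode captured from the user cannot be replayed within its validity window. The secret and timestamps are constructed for the example; the RFC test vector secret is used so the output can be checked against the standard.

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time divided into steps."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Second-factor check for one enrolled secret.

    skew: number of 30-second steps of clock drift tolerated on each side of "now".
    Each counter value is accepted at most once, so a code that has already been
    used is rejected even though it is still inside the validity window.
    clock is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1, clock=time.time):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.clock = clock
        self._last_counter = -1  # highest counter value accepted so far (replay guard)

    def verify(self, code: str) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before comparing,
        # so malformed input cannot reach the constant-time comparison.
        if not (isinstance(code, str) and code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now_counter = int(self.clock()) // self.step
        for counter in range(now_counter - self.skew, now_counter + self.skew + 1):
            if counter <= self._last_counter:
                continue  # already consumed (or older than a consumed code)
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    current = totp(secret, time.time())
    print("first use accepted:", verifier.verify(current))
    print("replay accepted:", verifier.verify(current))
```

The replay guard is the detail most often missing from home-grown MFA checks: without it, a passcode obtained by phishing or shoulder-surfing remains usable for the rest of its 30-second step plus the skew allowance.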
Mandate strong passwords
Force users to employ more complex passwords using combinations of upper-case and lower-case letters, digits, and special characters. Administrators should also follow the credential guidelines in NIST SP 800-63B.
Enforce rate limiting
System administrators should limit the number of failed login attempts to prevent brute force attacks or credential stuffing. Rate limiting can also be a deterrent to denial-of-service attacks. There should also be an automated alert system for repeated failed login attempts to surface potential threats for further evaluation.
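The following is an added example, not code from the original article, of the failed-attempt limiting and alerting described above. It keeps a sliding window of failures keyed both per account and per client IP, refuses further attempts once either key exceeds its limit, clears the account's counter on a successful login, and hands an alert to monitoring when a key crosses a higher threshold. The `check_password` callback, the key prefixes and the thresholds are assumptions for the example; the clock is injectable so the window can be tested without sleeping.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Sliding-window counter of failed login attempts.

    max_failures: failures inside the window before a key is blocked.
    alert_threshold: failures inside the window that raise an alert for analysts.
    clock: injectable time source (defaults to a monotonic clock).
    """

    def __init__(self, max_failures=5, window_seconds=300, alert_threshold=20, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.alert_threshold = alert_threshold
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.alerts = []                      # (key, count) records handed to monitoring

    def _recent(self, key):
        """Drop failures older than the window and return the remaining timestamps."""
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        q = self._recent(key)
        q.append(self.clock())
        if len(q) == self.alert_threshold:  # fire once per burst, not on every attempt
            self.alerts.append((key, len(q)))
        return len(q)

    def record_success(self, key):
        self._failures.pop(key, None)


GENERIC_ERROR = "Invalid username or password."


def attempt_login(limiter, username, client_ip, password, check_password):
    """Gate a login through the limiter.

    check_password(username, password) -> bool is the application's real credential
    check (assumed here). A blocked key is refused before the password is checked,
    with the same message as a wrong password, so the response reveals nothing about
    the account's state.
    """
    account_key = f"user:{username}"
    ip_key = f"ip:{client_ip}"
    if limiter.is_blocked(account_key) or limiter.is_blocked(ip_key):
        return {"ok": False, "error": GENERIC_ERROR}
    if check_password(username, password):
        limiter.record_success(account_key)
        return {"ok": True, "user": username}
    limiter.record_failure(account_key)
    limiter.record_failure(ip_key)
    return {"ok": False, "error": GENERIC_ERROR}


if __name__ == "__main__":
    # Constructed demo: one account, repeated wrong guesses from one address.
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60)
    users = {"alice": "correct horse battery staple"}
    check = lambda u, p: users.get(u) == p
    for _ in range(4):
        print(attempt_login(limiter, "alice", "203.0.113.7", "guess", check))
    print("account blocked:", limiter.is_blocked("user:alice"))
```

Counting per IP as well as per account is what catches password spraying, where each individual account sees only one or two failures but a single source generates thousands.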
Ensure login forms send consistent responses
Account enumeration attacks can occur when attackers send multiple requests using different usernames and passwords. If the system responds with different error messages for valid and invalid combinations, attackers can determine which users are registered in the system, prompting brute force or phishing attacks.
Generate random session IDs
Generating a random session ID once a user logs in makes the ID difficult for attackers to predict. Random IDs ensure each session has a unique ID that is only valid for a limited time, and all session IDs should expire upon logout. This helps mitigate session fixation attacks by eliminating weak or predictable tokens.
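The following is an added example, not code from the original article, of a server-side session store that applies the points above: IDs are drawn from the operating system's CSPRNG, every session carries an absolute expiry, a new ID is issued at login (discarding whatever ID the client presented before authenticating, which is what defeats session fixation), and logout destroys the session. The time-to-live, the clock injection and the in-memory dictionary are assumptions for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by unpredictable IDs.

    ttl_seconds: lifetime of a session from creation.
    clock: injectable time source so expiry can be tested without waiting.
    """

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions: dict[str, dict] = {}  # session_id -> {"user": ..., "expires": ...}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG, encoded URL/cookie-safe.
        return secrets.token_urlsafe(32)

    def create(self, user) -> str:
        """Start a session; user may be None for an anonymous, pre-login session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def resolve(self, sid: str):
        """Return the user bound to a live session, or None for unknown or expired IDs."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[sid]  # lazy cleanup of expired sessions
            return None
        return entry["user"]

    def login(self, presented_sid, user) -> str:
        """Issue a fresh ID on successful authentication.

        The ID the client presented before logging in is discarded rather than
        upgraded: if an attacker planted it (session fixation), it never becomes
        an authenticated session the attacker also holds.
        """
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed demo of the login-regenerates-ID behaviour.
    store = SessionStore(ttl_seconds=60)
    pre_login = store.create(None)
    authenticated = store.login(pre_login, "alice")
    print("ids differ:", pre_login != authenticated)
    print("old id resolves to:", store.resolve(pre_login))
    print("new id resolves to:", store.resolve(authenticated))
```

The same regeneration step belongs at any privilege change (for example after a successful MFA step), and the ID should be delivered in a cookie marked `Secure` and `HttpOnly` so it is not exposed to script or sent over plaintext HTTP.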
Use API gateways or a reverse proxy
Microservices that allow access to APIs without additional authentication can significantly increase the attack surface. Using an API gateway or reverse proxy creates a single entry point for all incoming requests, mandating authentication and authorization policies for all API requests.
A comprehensive API security plan
As part of a comprehensive security plan, IT teams should also deploy end-to-end encryption for all data in transit, API endpoint protection, hashing of passwords, and regular testing for vulnerabilities.
