API2:2023 - Broken Authentication

Introduction

Broken Authentication refers to failures in managing authentication tokens or implementing session controls, enabling attackers to impersonate legitimate users.

Threat Agents / Attack Vectors

Attackers target session tokens or abuse weaknesses in login endpoints. Weak token expiration, brute-forceable credentials, or predictable tokens are common issues.

Security Weakness

Authentication flaws arise when best practices are not followed, such as enforcing MFA, rate-limiting login attempts, issuing unpredictable tokens, and storing credentials securely (salted, hashed).

Impacts

Account takeovers, privilege escalation, and full compromise of user or administrative accounts.

Example of an Attack

If password reset tokens are predictable, an attacker can guess them: GET /reset-password?token=123456

If valid, they can set a new password.

Example: missing rate limits on the login endpoint:

POST /login

Body: {"user": "admin", "pass": "guess"}

Automated brute-force tools can cycle through credentials.
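The two weaknesses above (guessable reset tokens and unlimited login attempts) have straightforward server-side fixes. The following is an added example, not code from the OWASP page: reset tokens drawn from a CSPRNG, stored only as a hash, single-use and time-limited, plus a per-account sliding-window limiter for failed logins. The class names, TTL and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy values for this example (tune per application).
TOKEN_TTL_SECONDS = 15 * 60   # reset link is valid for 15 minutes
MAX_ATTEMPTS = 5              # failed logins allowed per window, per account
WINDOW_SECONDS = 60           # sliding window for the login limiter


def _now(now):
    return time.time() if now is None else now


class ResetTokenStore:
    """Issues unguessable, single-use, expiring password reset tokens."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user, expiry); raw token never stored

    def issue(self, user, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unlike "123456"
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, _now(now) + TOKEN_TTL_SECONDS)
        return token  # deliver to the user out of band (e-mail), never log it

    def redeem(self, token, now=None):
        """Returns the user the token belongs to, or None if invalid/expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)  # consumed on first use, valid or not
        if entry is None:
            return None
        user, expiry = entry
        if _now(now) > expiry:
            return None
        return user


class LoginRateLimiter:
    """Blocks further login attempts once MAX_ATTEMPTS failures fall in WINDOW_SECONDS."""

    def __init__(self):
        self._failures = {}  # user -> timestamps of recent failed attempts

    def allowed(self, user, now=None):
        t = _now(now)
        recent = [f for f in self._failures.get(user, []) if t - f < WINDOW_SECONDS]
        self._failures[user] = recent  # drop failures outside the window
        return len(recent) < MAX_ATTEMPTS

    def record_failure(self, user, now=None):
        self._failures.setdefault(user, []).append(_now(now))
```

In a real deployment the token store and limiter state live in a shared backend (e.g. a database or cache) so the limits hold across application instances, and the limiter should also be keyed by source address.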

Detection

Test endpoints for weak session handling, predictable reset tokens, and lack of MFA enforcement. Use tools to simulate brute-force attempts.

Prevention