OWASP API Security Top 10 API2:2019 Broken User Authentication with Example



In the previous blog, we learn about OWASP API Top 10 API1:2019 Broken Object Level Authorization. In this blog, we will learn about OWASP API Top 10 API2:2019 Broken User Authentication.

In this blog, we will learn what User authentication is, its Types, Broken User Authentication, a demo of Broken User Authentication, and its remediations.


First, we will see what user authentication is

User authentication is the process of verifying the user's identity as a prerequisite to allowing access to resources in an application.


Types of authentication in API

HTTP basic: In this authentication, mechanism user will submit the username and password to the application, and the user will send the username and password in base64 format in the authorization header



API Key: The API key is a unique secret token issued by the application to each user. The API key is used by the application to verify the identity of the end user, API keys expire depending on the application authentication mechanic and configuration.




OAuth2: It allows authorization without sharing the username and password to the application. Instead, the application receives an access token from the third party that authorizes the use and then shares the token with the application on behalf of the user.

Request


Response


Now we will see what is broken user authentication.

Due to misconfiguration, if an attacker can access other users' accounts, read other users' personal or sensitive data, or perform sensitive on behalf of other users, it is broken user authentication.

An API is vulnerable to broken user authentication if

  • The application discloses users credentials (username and password)
  • There is no lockout mechanism if the same user enters invalid credentials number of times
  • Weak Password policy
  • Credentials (API token or Username and password) transmitted via URL
  • No integrity check on the API token
  • The token is not signed, or there is expire time for token
  • Transit of sensitive data (token or password) in plain text

Now we will see a demo of broken user authentication.

So for the demo, we have an API endpoint that allows us to generate an authentication token by providing a username and password as a POST request. That authentication token we can use in further requests to authenticate the user.





Once the Authentication token is generated, we can use that token to get the details about the user.




But we if the change the token generation POST request to GET, then it will give the response that contains the user_ID, username, and password of all users. 




Once we get the username and password of all the users, then we can easily generate an authentication token by providing a username and password.

Remediation

  • Implement multi-factor mechanism
  • Implement a Strong password policy
  • Implement anti brute force mechanism and account lock-out mechanism 
  • Sanitize user Input (Username and Password) to block malicious characters used in injection attacks
  • use parameterized queries instead of string concatenation within the query to prevent SQL injection 

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional

Previous Post Next Post

Contact Form