With authentication, you can face serious consequences if you follow the old motto, “if it ain’t broke, don’t fix it.” From applications to APIs, authentication tells you whether the person or technology accessing a resource is legitimate. In 2017, the Open Worldwide Application Security Project (OWASP), identified broken authentication as #2 on its list of Top 10 application security threats. It changed the name to Identification and Authentication Failures for the 2021 Top 10 list as the threat moved to #7 on the list. Meanwhile, Broken Authentication snagged the illustrious #2 spot for the 2023 API Top 10 threat list.
As a Top 10 threat across applications and Application Programming Interfaces (APIs), broken authentication poses significant risks to your company’s security and privacy.
What Is Broken Authentication?
Broken authentication refers to any vulnerability related to identification, authorization, and authentication. At the application level, OWASP focuses on authentication weaknesses that attackers can leverage when trying to use a legitimate user account to gain unauthorized access. At the API level, OWASP focuses on issues related to software and security engineers’ misconceptions about the authentication boundaries and implementation complexity across authentication endpoints and flows.
At the application and API levels, identification and authentication failures can look like:
- Permitting automated attacks, like credential stuffing, brute force, and password spraying
- Using weak or ineffective credential recovery and forgotten password processes
- Using plain text, encrypted, or weakly hashed passwords or data stores
Specifically at the application level, identification and authentication failures can look like:
- Lacking strong multi-factor authentication (MFA)
- Exposing session identifiers in URLs
- Reusing session identifiers after successful logins
- Incorrectly invaliding Session IDs
Additionally, for APIs, broken authentication can also look like:
- Sending sensitive authentication details, like auth tokens or passwords, in the URL
- Allowing users to change login information or complete sensitive operations without asking for password confirmation
- Failing to validate token authenticity
- Accepting unsigned/weakly signed JSON Web Tokens (JWT) tokens
- Failing to validate JWT expiration date
- Using weak encryption keys
- Lacking authentication for microservices accessing the API
- Using weak or predictable tokens for microservices accessing the API
Attacks Targeting Broken Authentication Vulnerabilities
Any attack that targets user or API access can leverage broken authentication vulnerabilities. However, these typically fall into two categories.
Session Management
Session management is the ability to keep users logged into an application as they move between modules so that they don’t need to keep providing their credentials. However, because the user is already authenticated, attackers target session management vulnerabilities so they can gain what appears to be “legitimate” access to hide from defenders.
The primary attack types include:
- Session Hijacking: using a standard request to observe unencrypted, easily decrypted, or easily guessable session token that contain sensitive user information
- Session ID URL Rewriting: discovering and intercepting the session’s unique identifier in the URL when passed between the client and server
- Session Fixation: tricking a user into authenticating into an application to steal the valid session ID during the login rather than afterward
When attackers target APIs and their session tokens, the attacks typically focus on use cases:
- Man-In-the-Middle: SSL/TLS Scripting by downgrading HTTPS connections to HTTP and packet sniffing
- Application-to-Application: misconfigurations in an application’s native integrations that accidentally expose tokens that create sessions when two applications share data
- Sensitive Data Exposure: exposing and transmitting or storing sensitive data insecurely like leaking data in error messages or exposing internal endpoints externally
Password Management
With “authentication” in the vulnerability’s title, you may be able to guess why attackers target passwords during attacks. As a typical authentication factor, people use passwords as one step in proving that they are who they say they are.
The primary attack types include:
- Brute force: submitting various passwords to a target user login ID
- Password Spraying: submitting various user login IDs for a target password
- Credential Stuffing: submitting known compromised login ID and password combinations hoping that the person re-used them for the target application
When attackers target APIs, the attackers typically focus on login APIs or APIs that fail to require MFA prior to approving sensitive calls.
Checklist for Mitigating Broken Authentication Vulnerabilities
Whether you’re a developer or a security analyst, you should follow best practices to help mitigate identification, authentication, and broken authentication vulnerabilities.
Application-Level Risk Mitigations
At the application level, some controls that mitigate risk include:
- Implementing MFA to mitigate risks arising from automated credential-based attacks
- Changing default credentials, especially for administrative users with privileged access
- Implementing weak password checks, like testing them against known weak password lists
- Aligning password requirements with the ones outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63b guidelines
- Hardening registration, credential recovery, and API pathways against enumeration attacks
- Limiting or delaying failed login in attempts
- Logging failures and incorporating them into security alerts
- Using server-side, secure, built-in session managers to generate new, random session IDs after users login to applications
- Reviewing URLs to make sure they don’t include session identifiers
- Storing session identifiers securely
- Invalidating session identifiers after logout, idle, and absolute timeouts
API-Level Risk Mitigations
At the API level, some activities that mitigate risk include:
- Identifying all possible flows to authenticate to the API, including across mobile, web, and one-click authentication links
- Sharing identified flows with engineers to ensure comprehensiveness
- Understanding authentication mechanisms to ensure they are appropriate mechanisms and used correctly
- Following standards for authentication, token generation, and password storage
- Applying login endpoint brute force, rate limiting, and lockout protections to credential recovery and forgotten password endpoints
- Requiring re-authentication for sensitive operations
- Implementing MFA when possible
- Implementing anti-brute force mechanisms that are more strict than the API’s regular rate-limiting mechanisms
- Implementing account lockout and CAPTCHA mechanisms where possible
- Implementing weak password checks, like testing them against known weak password lists
- Using API keys only for API client authentication, not user authentication
Graylog: Visibility into Broken Authentication Risk Across Organization and API Security
With Graylog Security and Graylog API Security, you can create a comprehensive security monitoring program with end-to-end API threat, monitoring, detection, and response. Graylog Security’s out-of-the-box content and security analytics enable you to build high-fidelity alerts and pivot directly into researching the log data that matters most. Our platform gives you all the functionality of a SIEM without the complexity, providing a robust technology that empowers users of all experience levels.
With Graylog API Security, you supplement your Web Application Firewall (WAF) and API gateway monitoring for enhanced security. Graylog API Security provides Continuous API Discovery, automated risk assessment scoring, and full API request and response capture so you have all the data necessary to detect and investigate common threats and API failures faster.
Contact us today to see how our combined operations, security, and API monitoring platform can help you.
