HawkScan Test Info for API Broken Authentication

API Broken Authentication

Reference

Plugin Id: 40053 | CWE: 287

Remediation

To mitigate API Broken Authentication vulnerabilities, implement the following security measures:

  1. Secure Authentication Mechanisms: Implement robust authentication using secure protocols and avoid weak authentication schemes.

  2. JWT Security: If using JWT tokens, ensure proper secret management, algorithm validation, and signature verification. Avoid the 'none' algorithm.

  3. Session Management: Implement secure session management with proper token rotation, expiration, and invalidation mechanisms.

  4. Multi-Factor Authentication: Consider implementing MFA for sensitive API operations and administrative functions.

About

API Broken Authentication vulnerabilities occur when authentication mechanisms are improperly implemented, allowing attackers to compromise user accounts or bypass authentication controls. This corresponds to OWASP API Security Top 10 2023 - API02: Broken Authentication.

Risks

Broken Authentication in APIs can result in:

  • Account takeover and unauthorized access
  • JWT token forgery and manipulation
  • Session hijacking and impersonation
  • Bypass of authentication controls
  • Access to sensitive user data and functionality