Mitigation of OWASP API Security Risk: Broken Authentication using F5 XC Platform

Introduction to Broken Authentication:  

Authentication in APIs adds friction, so during the initial development phase and for the sake of simplicity developers try to not implement authentication and authorization processes. As the application keeps growing, they will add these recommendations to existing code and during this transition they may have left some of the old internal APIs without authentication. Hackers will try to find these kinds of poorly authenticated flaws to bypass the login validation and gain access to their application data. According to Okta, most of the data breaches in 2020 fall under this category and so this is one of the most preferred approaches to attackers.

Authentication is said to be broken if hackers are able to compromise passwords, keys, session tokens and user account information. As per OWASP, APIs may fall under this category if

1. API doesn’t have authentication validation
2. API permits credential stuffing
3. API permits attackers to perform a brute force attack without presenting captcha/account lockout mechanism
4. Permits weak passwords
5. Sends sensitive authentication details, such as auth tokens and passwords in the URL
6. Strong password policy not implemented 

Below are some of the preventive measures which are to be followed to protect application from these kinds of exploits:

1. Authentication support for all API’s
2. Authorization design developed in a good and structured way using access controls
3. Session tokens need to be expired in shorter time
4. Rate limiting and account locking after specific invalid logins
5. Rotation of keys and certs
6. Internal APIs should be audited and not exposed to outside
7. Multi factor authentication support for critical APIs
8. Enforcing strong password policy with special chars, capitals, numbers and minimum of 8 characters length

In short, if the application doesn’t have authentication mechanism, supports weak passwords or even if we are unable to identify the authentication details of our requests, our application can be prone to broken authentication. And to prevent this risk we need different kinds of solutions to identify authentication details, enforce authentication policies, prevent credential stuffing & bot attacks, continuous monitoring of API’s, etc.

So, let’s delve into F5 Distributed Cloud Platform (XC) and check how it can detect and protect applications against these vulnerabilities.

Authentication Vulnerabilities Detection: 

1. Login to Distributed Cloud console and navigate to your load balancer configuration
2. Enable API Discovery feature on this load balancer
   
   
3. Once we have enabled this feature, Web Application and API Protection (WAAP) inbuilt AI/ML engine will start tracking all incoming traffic and after some time we will be able to see API endpoint details as below
   
4. Change to table view and observe different types of authentication details along with some of the vulnerabilities discovered by WAAP as below 
   a. API type and authentication state
   
   b. Auth type like JWT and insights on user role
   
   c. Security assessment for API endpoint vulnerabilities, threat level and risk score
   
   d. Sensitive data leakage like IP, credentials, etc
   

Mitigation Steps:

AppSec/SecOps can navigate to the Security & API endpoint dashboards and analyze these requests data & authentication insights. If they are not familiar with any kind of requests, they can explore the solutions below and as per their requirements they can configure them to prevent these vulnerabilities.

1. Configure rate limiting to keep a limit on number of requests - check here for more details on rate limiting
2. Configure API Protection rules on load balancer to restrict access to applications – check here for more details on API rules
3. Configure Bot Defense to prevent credential stuffing and bot attacks – check here for more details on bot protection
4. Configure OpenAPI schema validation to detect/block invalid and abnormal requests – for more details check this article
5. Malicious user detection – check this existing article for more details
6. Configure Mutual Transport Layer Security (mTLS)  authentication using client certificates - check here for more information

Conclusion:

Wrapping up, this article covered an overview of broken authentication risk and then we also shed light on how WAAP can extract valuable authentication vulnerabilities. Lastly, we also discussed some of the XC mitigation steps to prevent this API Security risk.

For more information or to get started check links below: 

• OWASP API Security Top 10 2019
• OWASP API Security Top 10 2023 
• F5 Distributed Cloud WAAP