Janibasha
F5 Employee

Introduction to Broken User Authentication:

Authentication in APIs is tricky and difficult to develop, so during the initial development phase, for the sake of simplicity, developers often skip the authentication and authorization processes. As the application grows they add these controls to the existing code, and during this transition some of the old internal APIs may be left without authentication. Hackers look for these poorly authenticated endpoints to bypass the login validation and gain access to the application's data. According to Okta, most of the data breaches in 2020 fell under this category, which makes it one of the most preferred approaches for attackers.

Authentication is said to be broken if hackers are able to compromise passwords, keys, session tokens or user account information. As per OWASP, an API may fall under this category if it:

  1. Has no authentication validation
  2. Permits credential stuffing
  3. Permits brute-force attacks without presenting a captcha or an account-lockout mechanism
  4. Permits weak passwords
  5. Sends sensitive authentication details, such as auth tokens and passwords, in the URL
  6. Does not implement a strong password policy

Below are some of the preventive measures to follow to protect an application from these kinds of exploits:

  1. Authentication support for all APIs
  2. Authorization design developed in a well-structured way using access controls
  3. Session tokens should expire after a short time
  4. Rate limiting and account lockout after a specific number of invalid logins
  5. Rotation of keys and certificates
  6. Internal APIs should be audited and not exposed externally
  7. Multi-factor authentication support for critical APIs
  8. Enforcing a strong password policy: special characters, capitals, numbers and a minimum length of 8 characters
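As an added example, not code from the article or from F5, here is a small Python sketch of measures 3, 4 and 8 above together with the advice against sending credentials in the URL: a constructed in-memory user and session store, a password-policy check, a login routine that counts failures and locks the account, and a request guard that accepts the session token only from the Authorization header and rejects it once it has expired. The thresholds, store layout and function names are assumptions; a real service would store password hashes and keep the session state in a shared store.

```python
import hmac
import re
import secrets

MAX_FAILED_LOGINS = 5        # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60    # how long a locked account stays locked
TOKEN_TTL_SECONDS = 10 * 60  # short-lived session tokens, as the article recommends

# Constructed in-memory stores; the password is kept in clear only for brevity (real stores hold hashes).
USERS = {"alice": {"password": "Correct-Horse-42", "failed": 0, "locked_until": 0.0}}
SESSIONS = {}  # token -> (username, expires_at)

def password_meets_policy(pw):
    """Article's policy: at least 8 characters, a capital, a number and a special character."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in (r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def login(username, password, now):
    """Return (token, status). Counts failures and locks the account; `now` is epoch seconds."""
    user = USERS.get(username)
    if user is None:
        return None, "invalid credentials"  # same message as a bad password, so no user enumeration
    if now < user["locked_until"]:
        return None, "account locked"
    if not hmac.compare_digest(password, user["password"]):
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_LOGINS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0
        return None, "invalid credentials"
    user["failed"] = 0
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token, "ok"

def authenticate_request(headers, query_params, now):
    """Accept the session token only from the Authorization header, never from the URL."""
    if any(k in query_params for k in ("token", "access_token", "password")):
        return None, "credentials in URL are rejected"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, "missing bearer token"
    token = auth[len("Bearer "):]
    session = SESSIONS.get(token)
    if session is None:
        return None, "unknown token"
    username, expires_at = session
    if now >= expires_at:
        SESSIONS.pop(token, None)  # expired sessions are dropped, so the token cannot be replayed
        return None, "session expired"
    return username, "ok"
```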
Last update: 19-Apr-2023 00:19