Authentication in APIs adds friction, so during the initial development phase and for the sake of simplicity developers try to not implement authentication and authorization processes. As the application keeps growing, they will add these recommendations to existing code and during this transition they may have left some of the old internal APIs without authentication. Hackers will try to find these kinds of poorly authenticated flaws to bypass the login validation and gain access to their application data. According to Okta, most of the data breaches in 2020 fall under this category and so this is one of the most preferred approaches to attackers.
Authentication is said to be broken if hackers are able to compromise passwords, keys, session tokens and user account information. As per OWASP, APIs may fall under this category if
API doesn’t have authentication validation
API permits credential stuffing
API permits attackers to perform a brute force attack without presenting captcha/account lockout mechanism
Permits weak passwords
Sends sensitive authentication details, such as auth tokens and passwords in the URL
Strong password policy not implemented
Below are some of the preventive measures which are to be followed to protect application from these kinds of exploits:
Authentication support for all API’s
Authorization design developed in a good and structured way using access controls
Session tokens need to be expired in shorter time
Rate limiting and account locking after specific invalid logins
Rotation of keys and certs
Internal APIs should be audited and not exposed to outside
Multi factor authentication support for critical APIs
Enforcing strong password policy with special chars, capitals, numbers and minimum of 8 characters length
In short, if the application doesn’t have authentication mechanism, supports weak passwords or even if we are unable to identify the authentication details of our requests, our application can be prone to broken authentication. And to prevent this risk we need different kinds of solutions to identify authentication details, enforce authentication policies, prevent credential stuffing & bot attacks, continuous monitoring of API’s, etc.
So, let’s delve into F5 Distributed Cloud Platform (XC) and check how it can detect and protect applications against these vulnerabilities.
Authentication Vulnerabilities Detection:
Login to Distributed Cloud console and navigate to your load balancer configuration
Enable API Discovery feature on this load balancer
Once we have enabled this feature, Web Application and API Protection (WAAP) inbuilt AI/ML engine will start tracking all incoming traffic and after some time we will be able to see API endpoint details as below
Change to table view and observe different types of authentication details along with some of the vulnerabilities discovered by WAAP as below a. API type and authentication state b. Auth type like JWT and insights on user role c. Security assessment for API endpoint vulnerabilities, threat level and risk score d. Sensitive data leakage like IP, credentials, etc
AppSec/SecOps can navigate to the Security & API endpoint dashboards and analyze these requests data & authentication insights. If they are not familiar with any kind of requests, they can explore the solutions below and as per their requirements they can configure them to prevent these vulnerabilities.
Configure rate limiting to keep a limit on number of requests - check here for more details on rate limiting
Configure API Protection rules on load balancer to restrict access to applications – check here for more details on API rules
Configure Bot Defense to prevent credential stuffing and bot attacks – check here for more details on bot protection
Configure OpenAPI schema validation to detect/block invalid and abnormal requests – for more details check this article
Malicious user detection – check this existing article for more details
Configure Mutual Transport Layer Security (mTLS) authentication using client certificates - check here for more information
Wrapping up, this article covered an overview of broken authentication risk and then we also shed light on how WAAP can extract valuable authentication vulnerabilities. Lastly, we also discussed some of the XC mitigation steps to prevent this API Security risk.
For more information or to get started check links below: