Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Mitigation of OWASP API Security Risk: Broken Authentication using F5 XC Platform

Janibasha
F5 Employee
F5 Employee

‎15-Feb-2023 05:00 - edited ‎24-Nov-2023 09:15

Introduction to Broken Authentication:  

Authentication in APIs adds friction, so during the initial development phase and for the sake of simplicity developers try to not implement authentication and authorization processes. As the application keeps growing, they will add these recommendations to existing code and during this transition they may have left some of the old internal APIs without authentication. Hackers will try to find these kinds of poorly authenticated flaws to bypass the login validation and gain access to their application data. According to Okta, most of the data breaches in 2020 fall under this category and so this is one of the most preferred approaches to attackers.

Authentication is said to be broken if hackers are able to compromise passwords, keys, session tokens and user account information. As per OWASP, APIs may fall under this category if

  1. API doesn’t have authentication validation
  2. API permits credential stuffing
  3. API permits attackers to perform a brute force attack without presenting captcha/account lockout mechanism
  4. Permits weak passwords
  5. Sends sensitive authentication details, such as auth tokens and passwords in the URL
  6. Strong password policy not implemented 

Below are some of the preventive measures which are to be followed to protect application from these kinds of exploits:

  1. Authentication support for all API’s
  2. Authorization design developed in a good and structured way using access controls
  3. Session tokens need to be expired in shorter time
  4. Rate limiting and account locking after specific invalid logins
  5. Rotation of keys and certs
  6. Internal APIs should be audited and not exposed to outside
  7. Multi factor authentication support for critical APIs
  8. Enforcing strong password policy with special chars, capitals, numbers and minimum of 8 characters length

In short, if the application doesn’t have authentication mechanism, supports weak passwords or even if we are unable to identify the authentication details of our requests, our application can be prone to broken authentication. And to prevent this risk we need different kinds of solutions to identify authentication details, enforce authentication policies, prevent credential stuffing & bot attacks, continuous monitoring of API’s, etc.

So, let’s delve into F5 Distributed Cloud Platform (XC) and check how it can detect and protect applications against these vulnerabilities.

 

Authentication Vulnerabilities Detection: 

  1. Login to Distributed Cloud console and navigate to your load balancer configuration
  2. Enable API Discovery feature on this load balancer
    broken-auth-api-discovery.jpg
  3. Once we have enabled this feature, Web Application and API Protection (WAAP) inbuilt AI/ML engine will start tracking all incoming traffic and after some time we will be able to see API endpoint details as below
    broken-auth-endpoints.JPG
  4. Change to table view and observe different types of authentication details along with some of the vulnerabilities discovered by WAAP as below 
    a. API type and authentication state
    broken-auth-discovered.JPG
    b. Auth type like JWT and insights on user role
    broken-auth-role-data.jpg
    c. Security assessment for API endpoint vulnerabilities, threat level and risk score
    broken-auth-security-posture.JPG
    d. Sensitive data leakage like IP, credentials, etc
    broken-auth-sensitive-details.jpg

 

Mitigation Steps:

AppSec/SecOps can navigate to the Security & API endpoint dashboards and analyze these requests data & authentication insights. If they are not familiar with any kind of requests, they can explore the solutions below and as per their requirements they can configure them to prevent these vulnerabilities.

  1. Configure rate limiting to keep a limit on number of requests - check here for more details on rate limiting
  2. Configure API Protection rules on load balancer to restrict access to applications – check here for more details on API rules
  3. Configure Bot Defense to prevent credential stuffing and bot attacks – check here for more details on bot protection
  4. Configure OpenAPI schema validation to detect/block invalid and abnormal requests – for more details check this article
  5. Malicious user detection – check this existing article for more details
  6. Configure Mutual Transport Layer Security (mTLS)  authentication using client certificates - check here for more information

 

Conclusion:

Wrapping up, this article covered an overview of broken authentication risk and then we also shed light on how WAAP can extract valuable authentication vulnerabilities. Lastly, we also discussed some of the XC mitigation steps to prevent this API Security risk.

 

For more information or to get started check links below: 

Version history
Last update:
‎24-Nov-2023 09:15
Updated by:
F5 Employee
Copyright © 2023 Khoros, LLC