🤩

API2:2019 Broken User Authentication

Introduction

API2:2019 Broken User Authentication

Threat agents/Attack vectorsSecurity weaknessImpacts
It's not easy to implement authentication correctly. A lot of developers and architects get confused by what to include in the authentication control because software these days is oftenmade up of complex multi-layered systems. Authentication mechanisms are also an often targeted system due to it being publicly available. One of the issues that can arise is that we implement the authentication control incorrectly. API endpoints that handle authentication need to be designed differently from other endpoints and this is often overlooked.This vulnerability can easily lead to an attacker taking over the complete account of the victim. They can then Impersonate the victim and steal their private data that is saved on the site.
Untitled

What is Broken User Authentication?

Broken User Authentication can manifest in several issues. Whenever we come across an API endpoint that handles authentication we need to be extra careful since these endpoints will often determine how a user can flow through the application and what data they see. Whenever one of the following conditions is true, we can speak of a "Broken User Authentication".

Example Attack Scenarios

password recovery

The attacker might start the workflow to reset a password by triggering the /api/v1/reset-password endpoint.

POST /api/v1/reset-password
{
	userID=123
}

This will trigger a password reset for a user with the id of 123 and the user will receive a password reset token in their mailbox which is a 4 digit number. Since there is no rate limiting on the endpoint, the attacker can try to send all 4 digit numbers in rapid succession and simply brute force it.

POST /api/v1/reset-password-token
{
	userID=123
	tokenID=xxxx
	newPass=test
}

the attacker can then guess the token and reset the password for the user.

JWT validation endpoint accepts "None" algorithm

A JWT endpoint should always validate the token with the proper algorithm, most JWT frameworks have the None algorithm enabled by default, and this is very bad, to know why we should have a look at how JWT works first.

A JWT token is Json Web Token. They are tokens containing information about users for example and the beauty is that we can always easily decode these and view the information. If we want to change anything though we have to sign it with an algorith.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjIzNCIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.lt2GhI6wX0D46cGiKk7wSiqUXdGYZXtHXZIXrKQThNI

This is an example of a JWT token, when we decode it we get the following:
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "userID": "123",
	"sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

If we want to edit this JWT token we will have to know the HS256 key.

Now that you know how JWT's work, you can see why it's bad if the verification mechanismins accepts the None algorith. We can simply change something in the JWT and encode it again when we change the algorith to None.

{
  "alg": "None",
  "typ": "JWT"
}
{
  "userID": "567",
	"sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU2NyIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.NhHRUCQw5Wtuc7Jn2ImmC8URY0UmcuEkukmNA9Frccs

If we now replace this token in our headers when we make a request, we should see an error because our token should not be valid, however if the server is still configured to accept requests signed with the None algorithm, they will be vulnerable to Broken User Authentication.

Preventive measures against Broken User Authentication

Conclusion

When dealing with authentication endpoints we need to implement much stricter security mechanisms than when dealing with normal endpoints. We need to make sure we have good rate-limiting, lockout, and CAPTCHA mechanisms to prevent attackers from brute-forcing or credential stuffing our APIs. Make sure you implement safe authentication mechanisms and if you are unsure you can always refer to the OWASP Authentication Cheatsheet.