Authentication Attacks & API Security
60 min
Authentication Attack Vectors
AUTHENTICATION WEAKNESS CHECKLIST
══════════════════════════════════════════════
□ Weak password policy (no complexity/length requirements)
□ No account lockout after failed attempts
□ Username enumeration via different error messages
□ Insecure "Forgot Password" flow
□ Default credentials not changed (admin/admin)
□ Password stored in plaintext or weak hash (MD5)
□ No Multi-Factor Authentication (MFA)
□ JWT with "none" algorithm accepted
□ Predictable session tokens
□ Sessions not invalidated on logout
══════════════════════════════════════════════
JWT (JSON Web Token) Security
JWT ATTACK TECHNIQUES
──────────────────────────────────────────────
Structure: header.payload.signature
None Algorithm Attack:
Change alg to "none" → signature ignored
Modify payload (admin:true) → privilege escalation
RS256 to HS256 Confusion:
Server uses public key as HMAC secret
Sign token with public key → valid signature!
Weak Secret Brute Force:
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
Missing Validation:
No expiry check → tokens valid forever
──────────────────────────────────────────────
API Security (OWASP API Top 10)
- Broken Object Level Auth (BOLA/IDOR) — Most common API vulnerability: accessing objects you don't own
- Broken Function Level Auth — Accessing admin endpoints as a regular user
- Excessive Data Exposure — API returns the full object and relies on the client to filter what is displayed
- Lack of Rate Limiting — Enables brute force and resource exhaustion
- Mass Assignment — Binding request parameters directly to internal object properties
MASS ASSIGNMENT EXAMPLE (Node.js)
──────────────────────────────────────────────
Endpoint: POST /api/users/update
Body: { "name": "Anirban", "isAdmin": true }
Vulnerable code: User.update(req.body)
→ isAdmin gets set to true!
Fix: Whitelist allowed fields only
User.update({ name: req.body.name })
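To show the whitelist fix and the object-level authorization check from the BOLA bullet working together, here is an added example that is not the handout's own code. It assumes a route of the form POST /api/users/:id/update (the handout's endpoint carries no id), an authenticated `session` object populated server-side, and a constructed in-memory store standing in for the User model.

```javascript
// Added example (not from the original handout): an update handler that
// enforces object-level authorization (BOLA) and copies only allowlisted
// fields, so a body like { "name": "Anirban", "isAdmin": true } cannot
// promote the caller.

// Allowlist of client-settable fields and their expected JSON types (assumed).
const ALLOWED_FIELDS = { name: 'string', email: 'string' };

// Copy only allowlisted fields of the right type. Dropped keys are returned so
// the caller can log them; a request carrying isAdmin is worth alerting on.
function pickAllowed(body, allowed = ALLOWED_FIELDS) {
  const accepted = {};
  const dropped = [];
  for (const key of Object.keys(body)) {
    if (Object.prototype.hasOwnProperty.call(allowed, key) && typeof body[key] === allowed[key]) {
      accepted[key] = body[key];
    } else {
      dropped.push(key);
    }
  }
  return { accepted, dropped };
}

// Constructed in-memory user store standing in for the User model.
function makeStore() {
  const users = new Map([
    ['u1', { id: 'u1', name: 'Anirban', email: 'a@example.com', isAdmin: false }],
    ['u2', { id: 'u2', name: 'Other', email: 'o@example.com', isAdmin: false }],
  ]);
  return {
    get: (id) => users.get(id),
    update: (id, fields) => Object.assign(users.get(id), fields),
  };
}

// Handler for POST /api/users/:id/update. `session` is the authenticated caller
// as established by the server (never taken from the request body).
function updateUser(session, targetId, body, store) {
  const target = store.get(targetId);
  if (!target) return { status: 404 };

  // BOLA check: the caller must own the object (or hold a server-side admin role).
  if (session.userId !== targetId && !session.isAdmin) return { status: 403 };

  // Mass-assignment fix: never pass req.body through; bind only known fields.
  const { accepted, dropped } = pickAllowed(body);
  if (Object.keys(accepted).length === 0) return { status: 400, dropped };

  const user = store.update(targetId, accepted);
  return { status: 200, user, dropped };
}

module.exports = { pickAllowed, makeStore, updateUser, ALLOWED_FIELDS };
```

The allowlist is deliberately a map of field to type rather than a plain list, so a well-formed key with the wrong type (a number where a string is expected) is dropped as well; the `dropped` array is what a request log should carry so that attempts to set fields like isAdmin are visible in monitoring.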