APISEC

OWASP API Security Top 10 - 2. Broken Authentication

2025-10-30T17:36:50.786Z• By Admin

Broken Authentication (API2:2023 in the OWASP API Security Top 10) remains one of the most impactful API vulnerabilities.
When authentication is weak, attackers can take over accounts, read personal data, and modify sensitive records such as financial or healthcare information.

Authentication is supposed to be the first line of defense — when it’s weak, everything else falls apart.

Why Broken Authentication Happens
It is usually the result of one or more of the following weaknesses:

1️⃣ Weak Password Policies and Missing Abuse Controls
The API allows:
- Simple, guessable passwords
- Unlimited login attempts, so brute force is practical
- Changing the password or email address without re-entering the current password
- Passwords or tokens sent in URLs, where proxies, browsers and server logs record them
- GraphQL query batching that packs many authentication attempts into one HTTP request, sidestepping per-request rate limits
Each of these on its own makes it easy to break in.

2️⃣ Credential Stuffing
Attackers take username and password pairs leaked in earlier breaches and replay them automatically against the login endpoint, betting on password reuse.
If the API:
- Allows rapid login attempts
- Has no lockout or rate limiting per account
→ Every account whose owner reused a password gets taken over.

3️⃣ Predictable / Weak Tokens
If session, reset or API tokens are:
- Incremental
- Pattern-based
- Generated from a non-cryptographic random source, so they are easy to guess
→ An attacker can generate valid tokens without ever logging in.

4️⃣ Misconfigured JSON Web Tokens (JWT)
JWT is powerful, but easy to misconfigure:
❌ Accepting unsigned tokens (alg: none) or letting the token's own header choose the algorithm
❌ Not checking expiration (exp), so a stolen token works forever
❌ Sensitive data in the payload (it is only base64-encoded, not encrypted; anyone holding the token can read it)
❌ Signed with weak, guessable or hardcoded secret keys that can be brute-forced offline
Any one of these mistakes makes account takeover simple.

The Bigger Picture
APIs are typically stateless, so every request has to carry proof of who it is from, and that puts the whole authentication lifecycle in scope:
- Registration
- Token generation
- Token storage and transmission
- Password reset flows
If any one of these is weak → game over for the account.

Example:
If the password reset flow uses a 6-digit code and puts no limit on verification attempts,
an attacker can simply try all 1,000,000 possibilities and reset anyone's password.
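The following is an added example, not code from the original post or from OWASP, that serves three of the points above at once: the credential-stuffing section, the predictable-token section, and this reset-code scenario. One sliding-window attempt limiter, keyed by endpoint and account rather than by source IP (stuffing tools rotate IPs), guards both the login endpoint and the reset-code check; reset codes come from secrets rather than random, expire, and are single-use; passwords are stored as salted PBKDF2 hashes and compared in constant time. The class and function names, the thresholds and the in-memory stores are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

MAX_ATTEMPTS = 5            # failed attempts tolerated per (endpoint, identifier)
WINDOW_SECONDS = 15 * 60    # how long those failures count against the identifier
CODE_TTL_SECONDS = 10 * 60  # lifetime of a reset code
PBKDF2_ROUNDS = 200_000     # demo value; tune to your hardware


class AttemptLimiter:
    # Sliding-window failure counter keyed by (endpoint, identifier). In-memory
    # for this example; a real deployment backs it with a store shared by every replica.
    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: int = WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def is_locked(self, endpoint: str, identifier: str, now: float) -> bool:
        q = self._failures[(endpoint, identifier)]
        while q and now - q[0] >= self.window:   # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_attempts

    def record_failure(self, endpoint: str, identifier: str, now: float) -> None:
        self._failures[(endpoint, identifier)].append(now)

    def clear(self, endpoint: str, identifier: str) -> None:
        self._failures.pop((endpoint, identifier), None)


class PasswordResetService:
    # Reset-code issue/verify with the same protections the login endpoint gets.
    def __init__(self, limiter: AttemptLimiter, code_digits: int = 6):
        self.limiter = limiter
        self.code_digits = code_digits
        self._codes: Dict[str, Tuple[str, float]] = {}   # user -> (code, issued_at)

    def issue_code(self, user: str, now: float) -> str:
        # secrets, not random: the next code must not be predictable from earlier ones
        code = f"{secrets.randbelow(10 ** self.code_digits):0{self.code_digits}d}"
        self._codes[user] = (code, now)
        return code

    def verify_code(self, user: str, submitted: str, now: float) -> str:
        # Returns 'locked', 'expired', 'invalid' or 'ok'.
        if self.limiter.is_locked("reset", user, now):
            return "locked"
        entry = self._codes.get(user)
        if entry is None:
            self.limiter.record_failure("reset", user, now)
            return "invalid"
        code, issued = entry
        if now - issued > CODE_TTL_SECONDS:
            self._codes.pop(user, None)
            return "expired"
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            self.limiter.record_failure("reset", user, now)
            return "invalid"
        self._codes.pop(user, None)            # a code is single-use
        self.limiter.clear("reset", user)
        return "ok"


class LoginService:
    # Same limiter, keyed on the login endpoint, against credential stuffing.
    def __init__(self, limiter: AttemptLimiter):
        self.limiter = limiter
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, pbkdf2 hash)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def login(self, user: str, password: str, now: float) -> str:
        # Returns 'locked', 'invalid' or 'ok'. Unknown users are still hashed and
        # still counted, so the response does not reveal which usernames exist.
        if self.limiter.is_locked("login", user, now):
            return "locked"
        salt, stored = self._users.get(user, (b"\x00" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            self.limiter.record_failure("login", user, now)
            return "invalid"
        self.limiter.clear("login", user)
        return "ok"


def brute_force_reset(service: PasswordResetService, user: str, now: float) -> Tuple[str, int]:
    # Attacker loop: try every code in order; returns (outcome, guesses made).
    space = 10 ** service.code_digits
    for guess in range(space):
        result = service.verify_code(user, f"{guess:0{service.code_digits}d}", now)
        if result in ("ok", "locked"):
            return result, guess + 1
    return "exhausted", space
```

Against a service whose limiter never locks, brute_force_reset walks the whole code space and wins; against the default limiter it is stopped after MAX_ATTEMPTS failures, however many codes remain. Per-account lockout can itself be abused to lock real users out, which is why OWASP pairs it with CAPTCHA and rate limiting rather than relying on it alone.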

✅ OWASP Recommended Defenses
- Understand every authentication flow (mobile, web, deep links, one-click login, etc.); the one you forgot is the one that gets attacked
- Do not use API keys for user authentication; they identify a client application, not a person
- Use standardized auth libraries and protocols (don't reinvent them)
- Protect password reset and credential recovery endpoints exactly like login endpoints (rate limiting, CAPTCHA, lockout)
- Require re-authentication for sensitive changes such as password or email updates
- Use Multi-Factor Authentication wherever possible
- Enable anti-brute-force protections, stricter than the API's general rate limits
- Implement weak password checks
- Use the OWASP Authentication Cheat Sheet as a reference
