**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Broken Authentication in APIs is a major security risk. It occurs when an API's authentication controls are missing, misconfigured, or not tied to the action actually being performed, so an attacker can get past the checks and reach accounts or data they are not entitled to. In APIs the problem commonly shows up as weak password rules, poor session or token handling, or the absence of a second factor. Attackers exploit these gaps to impersonate legitimate users, steal credentials, or escalate their privileges, which makes Broken Authentication a serious threat to any API-backed system. Keeping APIs safe from unwanted access therefore requires knowing how to spot and fix these flaws; the walkthrough below reproduces one of them step by step.
Walkthrough
- Update User (Ashish's) Password
Make sure Ashish's JWT is still valid and stored in Postman as the {{ashish_jwt}} variable.
Endpoint: PUT /users/v1/:username/password
Replace :username with ashish, making it /users/v1/ashish/password
Authorization: Bearer {{ashish_jwt}}
Body:
```json
{
  "password": "ashish_new"
}
```
Send the request:
The server responds with 204 No Content, indicating the password change succeeded. This is the legitimate use of the endpoint: the owner of the token is changing their own password.
- Attempt to Change Edward's Password Using Ashish's JWT
Endpoint: PUT /users/v1/:username/password
Replace :username with edward, making it /users/v1/edward/password
Authorization: Bearer {{ashish_jwt}}
Body:
```json
{
  "password": "edward_new"
}
```
Send the request:
Observe that the server again responds with 204 No Content: Edward's password has been changed by a request authenticated as Ashish. The token was genuine and was accepted, but the server never compared the identity inside it with the username in the path, so any valid token was enough to modify any account.
- Verify the Password Changes
Endpoint: GET /users/v1
This endpoint returns the details of every user, including the stored passwords.
Authorization: Bearer {{ashish_jwt}}
Send the request:
Check the response to confirm that both passwords have been updated:
Ashish's password should now be ashish_new.
Edward's password should now be edward_new.
Note that an endpoint which hands other users' passwords to any authenticated caller is a second weakness in its own right (excessive data exposure); it is used here only as a convenient way to confirm the change.
- Ashish can now log in to Edward's account with the password he set in the previous step, using the API's login request with the following body:
```json
{
  "username": "edward",
  "password": "edward_new"
}
```
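As an added example that is not part of the original walkthrough, the script below models the PUT /users/v1/:username/password handler in Python with a small in-memory user store and a hand-rolled HS256 JWT. The signing key, the claim names and the user records are assumptions chosen for the demo, not the lab's real values, and the login helper is a hypothetical stand-in for the API's login request, which the page does not name. The script replays the walkthrough twice: once with the ownership check switched off, which reproduces the two 204 responses and the successful login as Edward, and once with the check switched on, which turns the cross-user request into a 403 and leaves Edward's password untouched.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed HS256 signing key for the demo, not the lab server's real secret.
SECRET = b"demo-signing-key-change-me"

# Constructed in-memory user store standing in for the lab's database.
USERS = {
    "ashish": {"password": "ashish_old", "admin": False},
    "edward": {"password": "edward_old", "admin": False},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(username: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT whose 'sub' claim is the logged-in user (what a login call hands back)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": int(time.time()) + ttl},
                                 separators=(",", ":")).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Authentication step: check structure, algorithm, HS256 signature and expiry.

    Returns the claims on success, None on any failure. This establishes who the caller
    is; it says nothing about what the caller is allowed to do.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm switch
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


def change_password(token: str, target_username: str, body: dict, enforce_ownership: bool) -> int:
    """Handler for PUT /users/v1/<username>/password; returns the HTTP status code.

    enforce_ownership=False reproduces the lab behaviour: the token is authenticated but never
    compared with the username in the path. enforce_ownership=True adds the missing check.
    """
    claims = verify_jwt(token)
    if claims is None:
        return 401  # not authenticated
    if target_username not in USERS:
        return 404
    caller = claims.get("sub")
    caller_is_admin = USERS.get(caller, {}).get("admin", False)
    if enforce_ownership and caller != target_username and not caller_is_admin:
        return 403  # authenticated, but not authorised to touch this account
    new_password = body.get("password")
    if not isinstance(new_password, str) or not new_password:
        return 400
    USERS[target_username]["password"] = new_password
    return 204


def login(username: str, password: str) -> bool:
    """Hypothetical stand-in for the API's login request: does the password match?"""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)


def reproduce_walkthrough(enforce_ownership: bool) -> dict:
    """Replay the walkthrough's steps against the handler and report the outcome."""
    USERS["ashish"]["password"] = "ashish_old"  # reset between runs
    USERS["edward"]["password"] = "edward_old"
    ashish_jwt = issue_jwt("ashish")
    own = change_password(ashish_jwt, "ashish", {"password": "ashish_new"}, enforce_ownership)
    other = change_password(ashish_jwt, "edward", {"password": "edward_new"}, enforce_ownership)
    return {
        "own_status": own,
        "other_status": other,
        "ashish_can_log_in_as_edward": login("edward", "edward_new"),
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce_walkthrough(enforce_ownership=False))
    print("hardened:  ", reproduce_walkthrough(enforce_ownership=True))
```

The only difference between the vulnerable and the hardened run is the single comparison between the token's subject and the username in the path. Everything else, including full signature and expiry validation of the JWT, is identical in both runs, which is why "better JWT validation" alone would not have closed this hole.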
Conclusion
In this walkthrough we demonstrated an API vulnerability classed as Broken Authentication. We first updated Ashish's password with his own valid JWT, the legitimate case. We then reused the same JWT to change Edward's password. The request went through because the endpoint authenticated the token but never checked that the authenticated user (ashish, the token's subject) matched the account named in the path (edward); it treated any valid token as sufficient to modify any user.
By verifying the changes and then logging in as Edward with the new password, we confirmed a full account takeover: once the password is changed, the attacker has the same access to Edward's account and data as Edward himself. Because the endpoint does not ask for the victim's current password either, the takeover needs nothing more than a valid token for some other account.
The exercise shows how little it takes to compromise a system whose access control stops at "is this token valid?". The fix for this specific flaw is to bind the authenticated identity to the target resource: the handler must reject the request unless the token's subject equals the :username in the path (or the caller holds an explicit administrative role), and a password change should additionally require the current password. Robust JWT validation (signature, expiry, algorithm), strict password policies and two-factor authentication remain essential hygiene, but none of them would have stopped this attack on its own, because the token Ashish used was perfectly valid.