Authentication Bypass

This page describes Pynt's authentication bypass security tests: what each test case looks for, the developer mistakes behind the findings, and how to fix them.

Intro

Authentication bypass in an API is a security vulnerability that lets an attacker reach an endpoint or piece of functionality without presenting valid authentication credentials. Common causes include:

  1. Weak authentication mechanisms: if credentials are handled insecurely, for example passwords stored in plaintext, an attacker who obtains or guesses them can authenticate as a legitimate user and the authentication step no longer protects anything.

  2. Improper access control: if the API does not enforce its authentication and authorization rules on every request, an attacker can reach sensitive resources or functionality without supplying the required credentials at all.

  3. Exploiting vulnerabilities: injection flaws, memory-safety bugs such as buffer overflows, or logic errors in the authentication path can be exploited to skip the check entirely and gain access to the API.

Authentication bypass is a serious risk because it lets an attacker read sensitive information or perform actions as another user.

What are the common mistakes made by developers?

A very common cause of broken authentication is token validation that was disabled for testing purposes and then shipped to production.

JSON Web Tokens (JWTs) are widely used in modern applications, but developers sometimes call a weak validation function from their JWT library or, worse, implement the JWT validation themselves.

Consider the following vulnerability, found and fixed in the jwt-simple library:

The function jwt_decode accepted the JWT and the key, but not the expected signing algorithm, so the algorithm was taken from the attacker-controlled token header. An attacker could craft a JWT with "alg": "none" in the header and the function would accept it without checking any signature.

More info about this vulnerability

How can I fix Authentication Bypass issues?

To prevent authentication bypass, APIs should use strong authentication mechanisms, validate the token on every authenticated request (signature, expected algorithm and expiry, using the library's verification function rather than a hand-written one), never ship a testing-time bypass, and enforce proper access control on every resource.

Test cases in this category:

This test case checks that the authentication token is actually enforced on authenticated requests:

Test case                               OWASP    CWE
[AB001] Ignored authentication token             CWE-425, CWE-287, CWE-284, CWE-303

These test cases check for common flaws when JWTs are used for authentication:

Test case                               OWASP    CWE
[AB002] No signature validation in JWT           CWE-287, CWE-284, CWE-303
[AB003] JWT hashed without secret                CWE-287, CWE-284, CWE-303
[AB004] No signature in JWT                      CWE-287, CWE-284, CWE-303
[AB005] Unsigned JWT                             CWE-287, CWE-284, CWE-303
