Severity: high | CWE-287 | OWASP API2:2023

Broken Authentication (API)

API authentication mechanisms are weak or improperly implemented: JWTs accepted without checking the signature or the signing algorithm, tokens that never expire, or tokens exposed in URLs and to page scripts instead of being kept in httpOnly cookies.

How It Works

Typical API authentication failures are: not validating JWT signatures, letting the token's own header choose the algorithm (including the signature-less 'none'), accepting expired tokens, using weak or guessable signing keys, passing tokens in URLs where they end up in logs, browser history and Referer headers, storing tokens where page scripts can read them, and leaving authentication endpoints without rate limiting. Attackers exploit these by forging or tampering with tokens, brute-forcing or credential-stuffing login endpoints, or stealing tokens through XSS. APIs are especially exposed because they are built for programmatic access, so each of these attacks is easy to automate.

Vulnerable Code
// JWT verification without an algorithm allow-list
const decoded = jwt.verify(token, SECRET);
// Older versions of jsonwebtoken (and other libraries of the time) let the
// token's own "alg" header decide how it was checked, so an attacker could
// set alg to 'none' and strip the signature entirely.

// Token taken from the URL: it lands in access logs, browser history
// and Referer headers
app.get('/api/data', (req, res) => {
  const token = req.query.token; // GET /api/data?token=eyJhbG...
});
Secure Code
const jwt = require('jsonwebtoken');

// Token read from an httpOnly cookie (cookie-parser middleware), never from the URL
const token = req.cookies.auth_token;

// JWT verification with a pinned algorithm and an upper bound on token age
const decoded = jwt.verify(token, SECRET, {
  algorithms: ['HS256'], // any other alg, including 'none', is rejected
  maxAge: '1h'           // requires an iat claim; exp is checked by default
});

Real-World Example

In March 2015, an advisory on JSON Web Token libraries showed that several of them, including the jsonwebtoken npm library, honoured the algorithm named in the token header: a token with alg set to 'none' and no signature passed verification, and in libraries that also supported RSA, a token signed with HMAC using the server's public key as the secret passed as well. Any application on an affected version that did not explicitly restrict the accepted algorithms was open to authentication bypass.

How to Prevent It

  • Always specify allowed JWT algorithms explicitly
  • Set token expiration and validate it on every request
  • Keep tokens in httpOnly, Secure, SameSite cookies rather than in browser-readable storage where XSS can reach them; a cookie-based API still needs CSRF protection on state-changing requests, which a bearer Authorization header does not
  • Implement rate limiting on authentication endpoints
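An added example, not code from the page or from Data Hogo, of the last two items above in plain Node: a per-client fixed-window limiter for the login endpoint, the Set-Cookie attributes for the session token, and a request helper that only ever reads the token from the cookie. The limits, the cookie name and the `authenticate`/`issueToken` hooks are assumptions for the demo.

```javascript
// Fixed-window limiter keyed by client address: at most `limit` attempts per
// `windowMs`. The clock is injectable so the behaviour can be tested.
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  // true if this attempt is allowed, false once the key is over the limit
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Set-Cookie value for the session token: unreadable by script (HttpOnly),
// HTTPS only (Secure), withheld on cross-site requests (SameSite=Strict),
// and expiring with the token (Max-Age).
function sessionCookie(name, token, maxAgeSeconds) {
  return `${name}=${token}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// Parse the request's Cookie header into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The API reads its token from the cookie and nowhere else: a token offered
// in the query string is ignored, so it never becomes a credential that
// ends up in logs, history or Referer headers.
function tokenFromRequest(req, cookieName = 'auth_token') {
  return parseCookies(req.headers.cookie)[cookieName] ?? null;
}

// Login handler for http.createServer. `authenticate(username, password)` and
// `issueToken(username)` are caller-supplied hooks (assumed for the demo).
function loginHandler(limiter, authenticate, issueToken) {
  return (req, res) => {
    const ip = req.socket.remoteAddress ?? 'unknown';
    if (!limiter.allow(ip)) {
      res.writeHead(429, { 'Retry-After': String(Math.ceil(limiter.windowMs / 1000)) });
      return res.end('too many login attempts');
    }
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    req.on('end', () => {
      const { username, password } = JSON.parse(body || '{}');
      if (!authenticate(username, password)) {
        res.writeHead(401);
        return res.end('invalid credentials');
      }
      res.writeHead(204, { 'Set-Cookie': sessionCookie('auth_token', issueToken(username), 3600) });
      res.end();
    });
  };
}
```

The limiter keys on the socket address; behind a reverse proxy that should be replaced with the client address taken from a forwarding header the proxy is trusted to set, otherwise every client shares one bucket. Because the cookie is now the credential, SameSite=Strict removes most cross-site request forgery, but state-changing endpoints should still carry an anti-CSRF token.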

Affected Technologies

Node.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.

