Critical Severity | OWASP API Top 10
🔴 Broken API Authentication
🧠 Description
API authentication mechanisms are flawed or bypassed, allowing attackers to compromise tokens, exploit implementation flaws, or assume other users' identities.
Impact: Account Takeover, Token Theft, Identity Impersonation, Data Breach
🎯 Attack Surface
- JWT tokens (weak signing, algorithm confusion)
- API Keys (in URL, weak storage)
- OAuth flows (redirect URI bypass)
- Session management
- Multi-factor authentication
🔍 Detection Techniques
- Test JWT with 'none' algorithm
- Test key injection in Authorization header
- Check token expiration
- Analyze token storage (localStorage vs cookies)
- Test password reset flows
💣 JWT Attack Payloads
{"alg":"none"}
{"alg":"HS256","typ":"JWT"} → sign with public key
{"alg":"RS256"} → switch to HS256 with known key
kid=../../../../etc/passwd (path traversal via the kid header)
⚡ Bypass Techniques
- Algorithm Confusion: Use RS256 key as HS256 secret
- Key Injection: Inject kid/jku/x5u parameters
- Token Reuse: Use expired tokens
- OAuth Redirect: Bypass redirect_uri validation
🛡️ Mitigation
✅ Use strong JWT signing (RS256/ES256)
✅ Validate algorithm and audience
✅ Set short token expiration
✅ Use HTTP-only, Secure cookies
✅ Implement proper OAuth redirect validation
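As an added example (not part of the original cheat sheet), a stdlib-only Python verifier that applies the mitigations above: the algorithm is pinned server-side rather than read from the header, kid/jku/x5u are ignored, and exp and aud are enforced. It uses HS256 so it runs without a crypto library; the same checks apply unchanged to an RS256/ES256 verifier. The key, claims and tokens in `demo()` are constructed sample values, and `now` is passed in so the expiry check is testable.

```python
import base64, hashlib, hmac, json
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def mint_hs256(claims: dict, key: bytes) -> str:
    # Builds the constructed sample tokens for the demo; not a production issuer.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: float) -> dict:
    """Return claims or raise ValueError. The alg is pinned here, never read from the
    header ('none' and RS256->HS256 confusion fail); kid/jku/x5u are ignored."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = (json.loads(_b64url_decode(x)) for x in (h_b64, p_b64))
        alg, exp, aud = header["alg"], claims["exp"], claims["aud"]
    except (ValueError, KeyError, TypeError):  # unpack, base64, JSON, missing claim
        raise ValueError("malformed token or missing claim")
    if alg != "HS256":  # server config decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def demo() -> dict:
    key, now = b"server-side-secret-example", 1_700_000_000  # constructed values
    base = {"sub": "user-1", "aud": "orders-api"}
    good = mint_hs256({**base, "exp": now + 300}, key)
    _, p, _ = good.split(".")
    samples = {"valid": good,
               "alg_none": _b64url_encode(b'{"alg":"none"}') + "." + p + ".",
               "bad_sig": mint_hs256({**base, "exp": now + 300}, b"attacker-guess"),
               "expired": mint_hs256({**base, "exp": now - 1}, key),
               "wrong_aud": mint_hs256({**base, "aud": "other", "exp": now + 300}, key)}
    results = {}
    for name, tok in samples.items():
        try:
            verify_jwt(tok, key, "orders-api", now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results
```

Only the unmodified token is accepted; each of the header or claim manipulations listed above is rejected with a distinct reason that can be logged for detection.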