Version: v1

API A2 - Broken User Authentication (BUA)


OWASP Mapping

Rank  Vulnerability                     CWE
A2    Broken User Authentication (BUA)  CWE-287, CWE-522

What is it?

Broken User Authentication (BUA) occurs when authentication mechanisms in APIs are improperly implemented, allowing attackers to compromise credentials, tokens, or authentication flows.

Unlike traditional web authentication issues, API authentication is often stateless and token-driven (e.g., JWT, API keys), making it highly susceptible to misconfigurations such as improper token validation, weak signing, or credential leakage.

Failure to securely authenticate users compromises the system’s ability to correctly identify clients, leading to account takeover, unauthorized access, and full API compromise.

What are specific examples?

  • Weak or improperly implemented authentication mechanisms.
  • API keys that are predictable, hardcoded, or not rotated.
  • Weak password policies (default, reused, or poorly hashed passwords).
  • Credentials transmitted in URLs or stored insecurely.
  • Authentication endpoints vulnerable to brute force or credential stuffing attacks.
  • Missing or improper validation of access tokens (e.g., JWT signature not verified).
  • Unsigned, weakly signed, or non-expiring JWT tokens.
  • Lack of token expiration, revocation, or rotation mechanisms.
  • Exposure of authentication tokens in client-side code or logs.
  • Internal APIs exposed without authentication.

Test case FAQs

When is this test case applicable?

  • Applicable to all API endpoints that require authentication.
  • Critical for endpoints handling sensitive operations (user data, payments, admin actions).

How does it work?

The system performs a comprehensive set of authentication security tests, including:

  • Token validation checks (signature, expiry, issuer, audience).
  • Brute force and credential stuffing simulation.
  • Weak password and default credential detection.
  • API key strength and rotation validation.
  • Detection of credentials in URLs, headers, and logs.
  • JWT security analysis (signing algorithm, expiration, claims validation).
  • Authentication bypass attempts on protected endpoints.

What is the solution?

  • Maintain a complete and up-to-date inventory of all API endpoints.
  • Clearly define which endpoints require authentication and enforce it consistently.
  • Use well-established authentication frameworks and libraries (avoid custom implementations).
  • Enforce Multi-Factor Authentication (MFA) wherever applicable.
  • Use short-lived access tokens with secure refresh mechanisms.
  • Properly validate all tokens (signature, expiration, claims).
  • Implement strong password policies and secure hashing algorithms (e.g., bcrypt, Argon2).
  • Enforce rate limiting and account lockout policies for authentication endpoints.
  • Avoid transmitting credentials in URLs or storing them in logs.
  • Regularly rotate API keys and secrets.
  • Continuously test authentication mechanisms in CI/CD and production environments.
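The token validation checks listed under "How does it work?" (signature, expiry, issuer, audience, signing algorithm) and the solution items on short-lived, properly validated tokens come together in one verifier. The following is an added example written for this page, not the product's own test logic or any library's API: it implements HS256 verification with only the Python standard library and assumes a shared secret, a fixed issuer and audience, and a frozen clock. All values (DEMO_SECRET, ISSUER, AUDIENCE, NOW, the sample claims) are constructed for the demonstration. The verifier refuses the classes of token the examples list calls out: unsigned ("alg": "none"), signed with the wrong key, tampered, non-expiring, expired, and minted for a different audience.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not from the page).
DEMO_SECRET = b"constructed-demo-hmac-key-do-not-reuse"
ISSUER = "https://auth.example.test"
AUDIENCE = "orders-api"
NOW = 1_700_000_000          # fixed "current time" so the scenarios are deterministic
LEEWAY = 30                  # seconds of clock skew tolerated on exp
ALLOWED_ALGS = {"HS256"}     # server-side allowlist; the token's own alg never drives verification


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. Used here only to construct sample tokens, including bad ones."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url_encode(header) + "." + _b64url_encode(payload)
    if alg == "none":                       # unsigned token: empty signature segment
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if alg, signature, exp, iss and aud all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # 1. Algorithm: reject "none", a missing alg, or anything outside the allowlist
    #    before the signature is even looked at.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        raise TokenError(f"algorithm not allowed: {alg!r}")
    # 2. Signature: recompute the HMAC over header.payload and compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(claims, dict):
        raise TokenError("malformed token")
    # 3. Expiry is mandatory: a token without exp is a non-expiring token and is refused.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if now > exp + LEEWAY:
        raise TokenError("expired")
    # 4. Issuer and audience bind the token to this API; a token minted for another service is refused.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


def token_status(token: str, secret: bytes = DEMO_SECRET, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: float = NOW) -> str:
    """Turn verify_token into a string verdict, useful for logging rejection reasons."""
    try:
        verify_token(token, secret, issuer, audience, now)
        return "valid"
    except TokenError as err:
        return f"rejected: {err}"


def sample_tokens() -> dict:
    """Constructed scenarios mirroring the checklist items on this page."""
    good = {"sub": "user-42", "iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300}
    valid = mint_token(good, DEMO_SECRET)
    head, _, sig = valid.split(".")
    forged_payload = _b64url_encode(json.dumps({**good, "sub": "admin"}).encode())
    return {
        "valid": valid,
        "expired": mint_token({**good, "exp": NOW - 600}, DEMO_SECRET),
        "no_exp": mint_token({k: v for k, v in good.items() if k != "exp"}, DEMO_SECRET),
        "alg_none": mint_token(good, DEMO_SECRET, alg="none"),
        "tampered": f"{head}.{forged_payload}.{sig}",   # payload edited, original signature kept
        "wrong_aud": mint_token({**good, "aud": "billing-api"}, DEMO_SECRET),
        "foreign_key": mint_token(good, b"some-other-service-key"),
    }


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        print(f"{name:12s} -> {token_status(tok)}")
```

Two design points carry over to real deployments: the algorithm allowlist is a server-side constant rather than something read from the token, which is what closes the "alg": "none" and algorithm-confusion cases, and `exp` is required rather than optional, so a non-expiring token is treated as invalid instead of silently accepted. In production, replace the constructed secret with a key from a secret manager, add an `iat`/`nbf` check if your issuer sets them, and keep the rejection reason in server logs only; the client should receive a generic 401.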

References

  • OWASP API Security Top 10
  • Authentication Cheat Sheet
