Versaria + Axway

solving-the-top-11-api-threats

Issue link: https://axway.uberflip.com/i/991646

Page 5 of 27

02 | The Curious Case of Weak Authentication

WEAK AUTHENTICATION

CONTEXT

Once companies bring their APIs under management via an API gateway, the next job is to answer the foundational question: who are you? APIs are designed to be exposed externally, so they cannot assume anything about who is calling them. An API has to authenticate each caller before it can tell friend from foe.

VULNERABILITIES IDENTIFICATION & TRACKING

Authentication protocols have numerous known weaknesses. Exploring them should begin with:

• Unauthenticated access (open APIs)
• Poorly protected secrets and tokens
• Use of password-based authentication
• Hard-coded secrets
• Lack of replay protection
• Guessable secrets and tokens

Follow the authentication lifecycle from end to end: login request, verification, token usage and termination. Look for use of approved authentication standards.

COUNTERMEASURE(S)

API authentication is best analyzed in two parts:

1. Login authentication and minting the API token
2. Validating the calling application's token (this is subtly different from initial login because it is the token, not the user, that the API layer authenticates)

To implement a stronger API authentication approach, consider SAML and OAuth over TLS as the way to issue and verify API authentication for API consumer applications.

ASSURANCE

Use application-level testing to verify the use and strength of approved API authentication protocols. All protocols have vulnerabilities, and non-standard protocols should be scrutinized most heavily. Even when industry standards like SAML and OAuth are implemented, test thoroughly for replayability, session bugs, insecure token storage, scoping issues and protocol-level vulnerabilities.
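To make the two-part model concrete, the following is an added example written for this page; it is not code from the Axway/Versaria document or from any Axway product. Part 1 is an issuer that mints a signed, short-lived, scoped token once login has succeeded; part 2 is the API-layer validator, which authenticates the token rather than the user and performs exactly the checks the assurance step calls for: signature, pinned algorithm, issuer, audience, expiry, scope and replay. The issuer name `auth.example`, the audience `orders-api`, the scope strings and the in-memory replay store are assumptions for the example only; a real deployment would take OAuth or SAML tokens from the gateway's identity provider over TLS, load the key from a secret store, and keep the replay store in shared cache.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a random 256-bit HMAC key generated at start-up.
# Real deployments load it from a secret store; it is never hard-coded or guessable.
ISSUER_KEY = secrets.token_bytes(32)
ISSUER = "auth.example"    # hypothetical issuer name
AUDIENCE = "orders-api"    # hypothetical API the token is minted for


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_token(key, subject, audience, scopes, ttl=300, now=None):
    """Part 1: login has already succeeded; issue a signed, short-lived, scoped
    token with a unique id (jti) so the API layer can detect replay."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "scope": " ".join(scopes),
        "jti": secrets.token_urlsafe(16),
    }
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenValidator:
    """Part 2: the API layer authenticates the token, not the user. Each check the
    page lists is explicit: signature, issuer, audience, expiry, scope and replay."""

    def __init__(self, key, issuer=ISSUER, audience=AUDIENCE):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.seen = {}  # jti -> exp; a shared store in a real deployment

    def validate(self, token, required_scope, now=None):
        now = int(time.time()) if now is None else now
        try:
            h64, c64, s64 = token.split(".")
            header = json.loads(b64url_decode(h64))
            sig = b64url_decode(s64)
        except ValueError:
            return False, "malformed"
        # Pin the algorithm: never trust 'alg' from the token (alg=none, key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "alg not allowed"
        expected = hmac.new(self.key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        try:
            claims = json.loads(b64url_decode(c64))
        except ValueError:
            return False, "malformed"
        if not isinstance(claims, dict):
            return False, "malformed"
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        if claims.get("aud") != self.audience:  # token minted for a different API
            return False, "wrong audience"
        exp = claims.get("exp")
        if not isinstance(exp, int) or now >= exp:
            return False, "expired"
        if required_scope not in claims.get("scope", "").split():
            return False, "insufficient scope"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        self._purge(now)
        if jti in self.seen:  # the same token presented a second time
            return False, "replayed"
        self.seen[jti] = exp
        return True, claims["sub"]

    def _purge(self, now):
        """Forget ids of tokens that could no longer validate anyway."""
        for jti, exp in list(self.seen.items()):
            if exp <= now:
                del self.seen[jti]
```

The validator treats each jti as single-use, which is the right replay model for one-shot credentials such as authorization codes or per-request signed tokens; a reusable bearer access token instead relies on TLS and a short expiry, and the same checks minus the jti lookup apply. The test cases a practitioner would run against this code mirror the assurance list: present the same token twice, present it after expiry, present it to the wrong audience, sign it with the wrong key, and swap the header for `alg=none`.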
