API Broken Authentication leads to account take-over

Tanmay Bhattacharjee
2 min read · Oct 23, 2024


Authentication is a crucial element of web API security. Web APIs employ different authentication mechanisms to ensure data confidentiality. An API is vulnerable to Broken Authentication if any of its authentication methods can be bypassed or circumvented.

Improper Restriction of Excessive Authentication Attempts

The endpoint we will be practising against is vulnerable to CWE-307: Improper Restriction of Excessive Authentication Attempts.

At one point during the API assessment we had obtained one valid credential and also had the email address of another user.

During the assessment we found that rate limiting had not been implemented when the API was designed and built.

We were planning an account takeover through the password reset endpoints, but found that an OTP (One-Time Password) check had been implemented. After some enumeration, we discovered that there was no rate limiting on the OTP parameter. This allowed us to update the password of another user.

Let’s go through it step by step with screenshots.

  1. Send the email OTP to the other user.
  2. Check the response below.
  3. We do not know the OTP because we have no access to the other user’s mailbox, so we planned a brute-force attack. Using ffuf or Burp Suite, we enumerated the 4-digit OTP and reset the other customer’s password.

Prevention for this attack:

  1. Implement rate limiting to prevent brute-force attacks.
  2. Require the current password to be supplied along with the new password.

Hope you enjoyed this write-up and found the information useful.

Thanks and happy hunting.
