Insecure auth scheme

owasp:api2:2019-auth-insecure-schemes

Rule Severity:

Medium

Ensure endpoints specify a strong authentication scheme.
This rule applies at the API Specification level (OAS/Swagger).
Endpoints with weak authentication mechanisms are at risk of being breached. Examples of these include OAuth 1 or Microsoft Negotiate Authentication Protocol.
An HTTP Authentication scheme is the way an API is set up to challenge the credentials of users who want to interact with it. OAuth v1 and Microsoft Negotiate Authentication Protocol are both considered outdated schemes and should not be used by APIs to challenge the credentials of users. Bearer authentication requires an API to only authenticate users who bear an appropriate access token. The access token (bearer token) in Bearer auth is a cryptic object usually provided by an API after a successful login. Bearer format JWT (JSON Web Token) is the recommended object structure for the access token.

Example Attack Scenario

Injection Attacks: If the missing properties are related to input validation or sanitization, hackers may exploit injection vulnerabilities. For instance, in a web application, if additional properties are missing in a form validation process, attackers could inject malicious code (like SQL injection or cross-site scripting) into input fields to manipulate data or execute arbitrary commands.

1. How to Identify with Example Scenario

securitySchemes:
 authType:
  # arbitrary name for the security scheme
  type: http
  scheme: oauth

1. How to Resolve with Example Scenario

securitySchemes:  
 authType:
  # arbitrary name for the security scheme    
  type: http    
  scheme: bearer

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications
securitySchemes:
 authType:
  # arbitrary name for the security scheme
  type: http
  scheme: negotiate

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:
https://swagger.io/docs/specification/2-0/authentication/

More findings

All Findings