Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in this video, we're gonna talk about broken authentication, so we'll talk about what it actually is. We'll talk about some use cases, and what that really means is we're gonna talk about ways that this could occur,
00:13
and then we'll also talk about ways we can prevent or mitigate against it.
00:17
So what is broken authentication? Well, basically, this is where we have poorly implemented API authentication, and that allows an attacker to assume someone else's, or some other user's, identity.
00:29
So how could this actually happen?
00:32
Well, we could have
00:35
APIs that we consider, quote unquote, internal, and so we might leave those a little more unprotected than our publicly facing ones. And so that might be a way that the attacker exploits this. We could have weak authentication that doesn't actually follow the best practices of the industry.
00:51
We could have weaker API keys, or we could also not be rotating our API keys.
00:56
We could have weaker passwords.
00:59
We could also have APIs that are susceptible to brute force attacks or things like credential stuffing.
01:03
We could have credentials and keys just in the URL.
01:08
We could also have a case where we don't actually validate the token. So when the attacker sends it and says, "Hey, I'm Susie," we don't actually validate that it is Susie that's sending us that token.
01:22
So how can we prevent or mitigate this type of attack?
01:26
Well, number one, we can take an inventory, right? So what that means is we assess all possible ways
01:32
that we can authenticate to our APIs that we're using, and so we can kind of determine the attack surface. From there,
01:40
we could use token generation, so random tokens, as well as make sure they're short-lived. So that just means that there's a short amount of time that that token is actually valid.
01:49
We could use things like multi-factor authentication. We can also make sure we authenticate our apps, so some whitelisting,
01:57
and we can use rate limiting for the authentication. And so basically, as there are a lot of different attempts, rate limiting says there can only be so many attempts in this certain time period from this particular IP address or this origin area.
02:13
So just a quick quiz question. Broken authentication is not caused by a lack of API key rotation. Is that true or false?
02:22
All right, so that's false, right? We talked about
02:24
many different ways that someone could exploit this. And so one of the ways was that we're not rotating our API keys; also, that we're using a weaker API key. Some other common ones are things like weak passwords, or having the credentials or keys or other information in the URL.
02:43
So in this video, we just talked about what broken authentication is, as well as how it could actually occur, and we talked about ways to prevent or mitigate against it.
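Two of the mitigations from the video, short-lived random tokens that are validated server-side and per-source rate limiting of authentication attempts, as an added example that is not part of the course or Cybrary's own material. The in-memory stores, the TTL and window values, and the IP addresses in the comments are constructed for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed, in-memory example; a real service would back both stores
# with a shared datastore so every API node sees the same state.
TOKEN_TTL_SECONDS = 300          # short-lived tokens limit how long a leaked token is useful
MAX_ATTEMPTS = 5                 # auth attempts allowed per source address per window
WINDOW_SECONDS = 60

_tokens = {}                     # token -> (user, expiry timestamp)
_attempts = defaultdict(deque)   # source address -> timestamps of recent attempts


def issue_token(user, now=None):
    """Issue a random, unguessable token that expires after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # CSPRNG; never derive tokens from user data or counters
    _tokens[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def validate_token(token, now=None):
    """Return the user the token belongs to, or None if it is unknown or expired.

    The identity comes from the server-side record, never from a name the
    client supplies alongside the token (the "Hey, I'm Susie" problem).
    """
    now = time.time() if now is None else now
    record = _tokens.get(token)
    if record is None:
        return None
    user, expiry = record
    if now >= expiry:
        _tokens.pop(token, None)         # expired tokens are dropped, not trusted
        return None
    return user


def allow_auth_attempt(source_ip, now=None):
    """Sliding-window rate limit: at most MAX_ATTEMPTS per WINDOW_SECONDS per source."""
    now = time.time() if now is None else now
    window = _attempts[source_ip]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()                  # forget attempts older than the window
    if len(window) >= MAX_ATTEMPTS:
        return False                      # caller should respond 429 and log the source
    window.append(now)
    return True
```

Rejected attempts (a False from allow_auth_attempt) are worth logging, since a burst of them from one source is the usual signature of brute force or credential stuffing against the API.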


Instructed By

Ken Underhill
Master Instructor at Cybrary