OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM

The threat of broken authentication poses a significant risk to organizations, potentially leading to unauthorized access and data breaches. In the face of this formidable challenge, F5's Access Policy Manager (APM) emerges as a robust and indispensable solution.

By seamlessly integrating advanced authentication mechanisms and comprehensive access controls, F5 BIG-IP APM stands as a stalwart guardian against the vulnerabilities associated with broken authentication. This article explores the pivotal role played by BIG-IP APM in fortifying authentication protocols, mitigating risks, and ensuring a resilient defense against unauthorized access, ultimately safeguarding the integrity and security of sensitive data in today's dynamic digital environment.

Broken Authentication

Authentication mechanism is an exposed target due to the nature of this function, as authentication is the first point of entry to any platform.

The difficulty to exploit authentication weaknesses differs based on how the authentication platform is secured. In the current digital era the security perimeters are very fluid, and so are the trust boundries for our authentication platforms those require more cautions from the developers and security architects regarding authentication flows.

Not only we need to protect authentication endpoints and flows, but also some overlooked items like forget and reset password endpoints.

How can we consider endpoint to be vulnerable?

Credential stuffing.
Brute force attacks targetting users' accounts.
Weak Passwords.
Sensitive details in the URL (passwords, Tokens).
Allow users sensitive actions without confirmation.
No validation for the tokens authenticity.
Accept unsigned or weak jwt tokens.
No validation for jwt expiration.
Use of plain-text, non-encrypted or non-hashed passwords.
Use of weak encryption algorithms.
Endpoint can access each other without proper authentication.
Use weak or predictable tokens for intra-endpoint authentication.

Broken Authentication Examples

Making use of GraphQL query patching to bypass API ratelimiting and brute force user's login.

POST /graphql
[
  {"query":"mutation{login(username:\"victim\",password:\"password\"){token}}"},
  {"query":"mutation{login(username:\"victim\",password:\"123456\"){token}}"},
  {"query":"mutation{login(username:\"victim\",password:\"qwerty\"){token}}"},
  ...
  {"query":"mutation{login(username:\"victim\",password:\"123\"){token}}"},
]

Update / modify user's sensitive information without API authorization token.

PUT /account
Authorization: Bearer <token>

{ "newpassword": "<new_password>" }

BIG-IP APM and Broken Authentication

We start with creating our Per-Request policy, this policy works in a different way than the per-session policy, as the flow will be evaluted on a per-request basis, making sure to consider variations throught the session life-time. Below are some of the key benefits:

Wide range of Authentication, SSO, and MFA mechanisms to properly identify the initiating machine or user.
- Ability to integrate with 3rd parties to provide additional enforcement decisions based on the organization's policy.
Ability to apply endpoint checks on the client side before session initiation.
This goes to BIG-IP in general, the ability to apply custom traffic control on both of the traffic sides, Client and Server.

The ability to create whitelist / blacklist for API Access tokens, JSON Web Tokens ID (JTI) or a different element based on the used authentication method, below example steps for JWT:
- Extract JTI value from Access token.
- Add JTI value to whether Allow/Block lists.

OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM

Broken Authentication

Broken Authentication Examples

BIG-IP APM and Broken Authentication

Related Content