OWASP API Top 10 · API2:2023 Broken Authentication

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Category text

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities, temporarily or permanently. The category includes credential stuffing, weak password policies, missing rate limiting on authentication endpoints, JWT signature bypass and incorrect OAuth implementation.

ATT&CK techniques this article tests · 15

Technique · Why it maps · Confidence

T1110.004 Brute Force: Credential Stuffing · 90%
Directly covers the 'credential stuffing' named in API2:2023: username and password pairs leaked from other breaches are replayed against the API's login endpoint.

T1110.003 Brute Force: Password Spraying · 90%
Covers the 'weak password policies' named in API2:2023: a few common passwords are tried across many accounts, which stays under any per-account lockout.

T1078 Valid Accounts · 80%
Credentials obtained by stuffing, spraying or another authentication flaw are then used as an ordinary login, whether for initial access or to reach another user's data and privileges.

T1550.001 Use Alternate Authentication Material: Application Access Token · 90%
Stolen or forged tokens, such as those produced by a 'JWT signature bypass', are presented instead of a password to act as another identity.

T1539 Steal Web Session Cookie · 90%
Session cookies often carry the API's authentication token, so stealing one is a direct way to 'compromise authentication tokens' and take over the session.

T1552 Unsecured Credentials · 80%
Tokens or credentials that an incorrectly implemented authentication flow stores or transmits insecurely can be collected and replayed.

T1098 Account Manipulation · 80%
After getting in through a flaw, an attacker changes the password, e-mail or recovery settings, or adds credentials, to keep the access.

T1098.001 Account Manipulation: Additional Cloud Credentials · 80%
In cloud-backed APIs the same flaw lets the attacker create API keys or access tokens for the compromised identity, a persistence path that survives a password reset.

T1068 Exploitation for Privilege Escalation · 80%
'Implementation flaws', including the 'incorrect OAuth implementation' named in API2:2023, can be exploited to obtain privileges beyond the authenticated user's own.

T1498.001 Network Denial of Service: Direct Network Flood · 90%
'No rate-limiting on auth endpoints' also leaves them open to request floods; the denial-of-service consequence sits beside the brute-force one and is a further reason rate limiting belongs on every authentication route.

T1087.004 Account Discovery: Cloud Account · 80%
Authentication endpoints that respond differently for valid and invalid usernames let an attacker enumerate accounts or roles in a cloud API environment before attacking them.

T1550.004 Use Alternate Authentication Material: Web Session Cookie · 90%
The use side of T1539: a stolen session cookie is replayed to skip re-authentication entirely, the 'compromise authentication tokens' case in API2:2023.

T1552.005 Unsecured Credentials: Cloud Instance Metadata API · 80%
Where the API's authentication relies on credentials served by the cloud instance metadata service, a misconfiguration that lets callers reach that service exposes them and lets an attacker act as the service or its users.

T1078.004 Valid Accounts: Cloud Accounts · 80%
Cloud account credentials obtained through an authentication flaw give access to cloud-hosted APIs and the resources behind them.

T1556.006 Modify Authentication Process: Multi-Factor Authentication · 80%
A weak implementation can let an attacker bypass or disable the second factor, for example by reaching a post-MFA endpoint through an alternate path (CWE-288), defeating the identity check.
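The two brute-force entries above (T1110.004 credential stuffing, T1110.003 password spraying) and the account lockout the mitigations refer to can be checked against an API's own authentication log. The following is an added example, not SQUR's code or tooling: it replays constructed log lines (the line format, the thresholds and the addresses are assumptions made for the example) through sliding-window counters per source address, per submitted-password hash and per account, raises one alert per pattern, and refuses attempts on a locked account even when the password is right.

```python
"""Added example (not SQUR's code): flag credential stuffing (T1110.004) and
password spraying (T1110.003) in an API's auth log, and apply a per-account
lockout of the kind Account Use Policies (M1036) describes. Log format,
thresholds and addresses are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <src_ip> <username> <OK|FAIL> pwhash=<8 hex>".
# pwhash is a truncated hash of the submitted password (never log the password
# itself); the same pwhash appearing across many accounts is the spraying signal.
SAMPLE_LOG = """\
2026-06-20T10:00:01Z 203.0.113.7 alice FAIL pwhash=9f2a1c3b
2026-06-20T10:00:02Z 203.0.113.7 bob FAIL pwhash=44d0e8a1
2026-06-20T10:00:02Z 203.0.113.7 carol FAIL pwhash=7be13f09
2026-06-20T10:00:03Z 203.0.113.7 dave FAIL pwhash=0a9c77e2
2026-06-20T10:00:03Z 203.0.113.7 erin FAIL pwhash=c1c1c1c1
2026-06-20T10:05:00Z 198.51.100.9 alice FAIL pwhash=aaaa0001
2026-06-20T10:05:01Z 198.51.100.9 bob FAIL pwhash=aaaa0001
2026-06-20T10:05:01Z 198.51.100.9 carol FAIL pwhash=aaaa0001
2026-06-20T10:05:02Z 198.51.100.9 dave FAIL pwhash=aaaa0001
2026-06-20T10:05:02Z 198.51.100.9 erin FAIL pwhash=aaaa0001
2026-06-20T10:20:00Z 192.0.2.5 alice FAIL pwhash=bbbb0001
2026-06-20T10:20:10Z 192.0.2.5 alice FAIL pwhash=bbbb0002
2026-06-20T10:20:20Z 192.0.2.5 alice FAIL pwhash=bbbb0003
2026-06-20T10:20:30Z 192.0.2.5 alice FAIL pwhash=bbbb0004
2026-06-20T10:20:40Z 192.0.2.5 alice FAIL pwhash=bbbb0005
2026-06-20T10:20:50Z 192.0.2.5 alice OK pwhash=bbbb0006
"""

WINDOW = timedelta(minutes=5)
STUFFING_MIN_ACCOUNTS = 5   # distinct accounts, each with its own password, from one source
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts that received the same password
LOCKOUT_FAILURES = 5        # failures on one account inside WINDOW: refuse further attempts


def parse_line(line):
    """One log line (assumed format above) to a dict."""
    ts, ip, user, result, pw = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "user": user, "ok": result == "OK", "pwhash": pw.split("=", 1)[1]}


def _recent(entries, cutoff):
    """Keep only entries whose first element (the timestamp) is inside the window."""
    return [x for x in entries if x[0] > cutoff]


def _add_once(alerts, key):
    if key not in alerts:
        alerts.append(key)


def analyse(log_text):
    """Replay the log in order. Returns (alerts, blocked) where alerts are
    (kind, key) tuples and blocked are (time, user, ip) tuples."""
    by_ip = defaultdict(list)     # ip -> [(ts, user, pwhash)]
    by_pw = defaultdict(list)     # pwhash -> [(ts, user)]
    by_user = defaultdict(list)   # user -> [(ts,)] of failed attempts
    alerts, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        cutoff = e["ts"] - WINDOW
        # Lockout (M1036): refuse the attempt, even with the right password,
        # while the account has LOCKOUT_FAILURES failures inside the window.
        by_user[e["user"]] = _recent(by_user[e["user"]], cutoff)
        if len(by_user[e["user"]]) >= LOCKOUT_FAILURES:
            blocked.append((e["ts"].isoformat(), e["user"], e["ip"]))
            continue
        if not e["ok"]:
            by_user[e["user"]].append((e["ts"],))
        # Stuffing (T1110.004): one source cycling through many accounts, each
        # with its own leaked password.
        by_ip[e["ip"]] = _recent(by_ip[e["ip"]], cutoff) + [(e["ts"], e["user"], e["pwhash"])]
        users = {u for _, u, _ in by_ip[e["ip"]]}
        passwords = {p for _, _, p in by_ip[e["ip"]]}
        if len(users) >= STUFFING_MIN_ACCOUNTS and len(passwords) >= STUFFING_MIN_ACCOUNTS:
            _add_once(alerts, ("stuffing", e["ip"]))
        # Spraying (T1110.003): one password tried against many accounts,
        # one or two attempts per account so no single account locks.
        by_pw[e["pwhash"]] = _recent(by_pw[e["pwhash"]], cutoff) + [(e["ts"], e["user"])]
        if len({u for _, u in by_pw[e["pwhash"]]}) >= SPRAY_MIN_ACCOUNTS:
            _add_once(alerts, ("spraying", e["pwhash"]))
    return alerts, blocked


if __name__ == "__main__":
    found, refused = analyse(SAMPLE_LOG)
    for kind, key in found:
        print(f"ALERT {kind}: {key}")
    for when, user, ip in refused:
        print(f"LOCKOUT {user} from {ip} at {when}")
```

On the sample, the first source trips the stuffing rule (five accounts, five different passwords), the second trips the spraying rule (one password, five accounts) without ever tripping stuffing, and the final correct login for alice is refused because five failures preceded it inside the window. Per-account lockout alone would miss the spraying source, which is why the password-hash dimension is tracked as well.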

Defending mitigations · 6

Mitigation · What it does · Confidence

M1032 Multi-factor Authentication · 90%
A second factor keeps a stolen or guessed password from being enough to assume an identity, which directly counters the credential-based paths in API2:2023.

M1027 Password Policies · 90%
Enforced password strength rules counter the 'weak password policies' named in API2:2023 that make password spraying and guessing viable.

M1036 Account Use Policies · 90%
Lockout thresholds and rate limits on login, token and password-reset endpoints, together with bot detection, blunt 'credential stuffing' and brute force, addressing 'no rate-limiting on auth endpoints'.

M1047 Audit · 80%
Regular auditing of the authentication implementation and its logs surfaces 'implementation flaws' before an attacker does and reveals 'compromised authentication tokens' through the suspicious activity they produce.

M1054 Software Configuration · 90%
Secure configuration of the authentication mechanism, including JWT validation that never lets the token choose its own algorithm and a correctly implemented OAuth flow, directly addresses 'JWT signature bypass' and 'incorrect OAuth implementation'.

M1026 Privileged Account Management · 80%
Protecting administrative and service accounts with stronger authentication and tighter access keeps a compromised token or flaw from yielding a high-value identity.

Underlying weaknesses · 7

CWE · Why it persists · Confidence

CWE-287 Improper Authentication · 90%
The root weakness: 'authentication mechanisms are often implemented incorrectly', and every other entry here is a specific way that happens.

CWE-307 Improper Restriction of Excessive Authentication Attempts · 90%
With 'no rate-limiting on auth endpoints' there is nothing to stop credential stuffing or brute force from running at full speed.

CWE-521 Weak Password Requirements · 90%
Behind the 'weak password policies' in API2:2023: accounts whose passwords are short or common fall to guessing and spraying.

CWE-347 Improper Verification of Cryptographic Signature · 90%
The 'JWT signature bypass': a verifier that skips the check or trusts the token's own alg header lets an attacker forge tokens for any identity.

CWE-288 Authentication Bypass Using an Alternate Path or Channel · 80%
The standard login is circumvented through another route, as with an 'incorrect OAuth implementation' or other 'implementation flaws' that leave a path without the full check.

CWE-306 Missing Authentication for Critical Function · 80%
Sensitive API functions reachable without any authentication let an attacker act as, or on behalf of, other users.

CWE-290 Authentication Bypass by Spoofing · 80%
The API accepts a spoofed credential, token or identity claim as genuine, which is the direct route to 'assuming other users' identities'.
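The CWE-347 entry is the 'JWT signature bypass' from the category text. As an added example (not SQUR's code), the following contrasts a verifier that lets the token's own alg header decide whether the signature is checked with one that pins HS256 on the server side and treats the header as untrusted input. Only the standard library is used; the secret and the claims are constructed for the example.

```python
"""Added example (not SQUR's code): a JWT verifier vulnerable to alg=none
(CWE-347) beside a hardened one. Standard library only; the secret and the
claims below are constructed for the example."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"   # assumption: the API's HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode(header: dict, claims: dict) -> str:
    """header.claims, both base64url(JSON) with no whitespace."""
    parts = [json.dumps(o, separators=(",", ":")).encode() for o in (header, claims)]
    return ".".join(_b64url(p) for p in parts)


def _hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes) -> str:
    """Server side: mint a legitimate HS256 token."""
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}, claims)
    return signing_input + "." + _b64url(_hs256(signing_input, secret))


def forge_alg_none(claims: dict) -> str:
    """Attacker side: arbitrary claims, alg=none, empty signature segment."""
    return _encode({"alg": "none", "typ": "JWT"}, claims) + "."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """CWE-347: the token chooses its own algorithm, so alg=none means
    'skip the check' and forged claims come back as authenticated."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(head_b64))
    if header.get("alg") == "none":
        return json.loads(_unb64url(claims_b64))
    if hmac.compare_digest(_hs256(f"{head_b64}.{claims_b64}", secret), _unb64url(sig_b64)):
        return json.loads(_unb64url(claims_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Pins the algorithm server side; the header never decides anything."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(head_b64))
        signature = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                      # allow-list, not the token's choice
    if not hmac.compare_digest(_hs256(f"{head_b64}.{claims_b64}", secret), signature):
        return None
    return json.loads(_unb64url(claims_b64))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "admin", "role": "owner"})
    real = issue_token({"sub": "alice"}, SERVER_SECRET)
    print("vulnerable accepts forged:", verify_vulnerable(forged, SERVER_SECRET))
    print("hardened accepts forged:  ", verify_hardened(forged, SERVER_SECRET))
    print("hardened accepts real:    ", verify_hardened(real, SERVER_SECRET))
```

The hardened path rejects the forged token before any cryptography runs, because "none" is not on the allow-list; the same check also stops variants such as "None" or "NONE" that case-insensitive verifiers have accepted. In a real service this belongs to a maintained JWT library configured with an explicit algorithms list, and claim checks (expiry, audience, issuer) follow the signature check rather than replace it.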

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0187 compute · voice-rubric self-validated