Definition

Broken Authentication occurs when an API has weak, missing, or improperly implemented authentication mechanisms, allowing attackers to access systems or data without proper identity verification.

Common causes

• No authentication on API endpoints
• Weak login systems
• No CAPTCHA or bot protection
• Lack of rate limiting (enables brute force attacks)
• Vulnerable to credential stuffing
• Poor session/token management

Key risk

If authentication is broken or missing, attackers can directly access sensitive API functions and data without needing valid credentials.

Real-world impact

Broken Authentication can lead to:

• Unauthorized access to user accounts
• Exposure of personal data (PII)
• Data harvesting at scale