
Unauthenticated APIs

API2:2019 Broken User Authentication
Unauthenticated APIs, especially public-facing ones, are highly exposed to attack. This is particularly true for APIs that handle sensitive user or business information, where an unauthenticated endpoint can also become a serious compliance issue for some companies.
Business impact: Attackers can gain control of other users' accounts in the system, read their personal data, and perform sensitive actions on their behalf, such as money transactions and sending personal messages.

Review all unauthenticated endpoints

Akto will automatically detect if an API can be accessed without an auth token and will mark it unauthenticated. Here is an example of how you can review unauthenticated endpoints in Akto:
1. Go to the open APIs tab. This will show you a list of all the endpoints which are unauthenticated. 🔐
2. If an endpoint is intentionally unauthenticated, ignore it.
3. Click on the endpoint that shouldn't be unauthenticated. You will be taken to the endpoint details page.
4. Check its sample values in the values tab. Click on curl command.
5. Test these sample values in your terminal using the curl command.
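To turn step 5 into a repeatable check rather than one-off curl calls, the following added script (not Akto's own code) replays each endpoint once without credentials and once with a bearer token and flags anything that serves a 2xx response to the anonymous call. It assumes you have copied the endpoints from the open APIs tab into the `SAMPLE_ENDPOINTS` list (the values shown are constructed placeholders) and that your API uses an `Authorization: Bearer` header.

```python
"""Verify that endpoints marked unauthenticated really reject anonymous calls."""
import urllib.error
import urllib.request

# Constructed sample input: (method, url) pairs copied from Akto's open APIs tab.
SAMPLE_ENDPOINTS = [
    ("GET", "https://api.example.test/v1/health"),        # intentionally open
    ("GET", "https://api.example.test/v1/users/me"),      # should need auth
    ("POST", "https://api.example.test/v1/transfers"),    # should need auth
]


def http_status(url, headers=None, method="GET"):
    """Send one request and return its HTTP status; 4xx/5xx map to their code."""
    req = urllib.request.Request(url, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_endpoints(endpoints, token, status_fn=http_status):
    """Call each endpoint anonymously and with a token; return one finding per endpoint.

    verdict is UNAUTHENTICATED when the anonymous call succeeds (2xx), OK when it is
    rejected with 401/403, and INCONCLUSIVE for anything else (5xx, 404, redirects).
    status_fn is injectable so the logic can be exercised without a live server.
    """
    findings = []
    for method, url in endpoints:
        anon = status_fn(url, {}, method)
        authed = status_fn(url, {"Authorization": f"Bearer {token}"}, method)
        if 200 <= anon < 300:
            verdict = "UNAUTHENTICATED"
        elif anon in (401, 403):
            verdict = "OK"
        else:
            verdict = "INCONCLUSIVE"
        findings.append({"method": method, "url": url, "anon": anon,
                         "authed": authed, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Replace the placeholder token with a real one before running against your API.
    for f in audit_endpoints(SAMPLE_ENDPOINTS, "REPLACE_WITH_TOKEN"):
        print(f"{f['verdict']:15} {f['method']:5} {f['url']}  anon={f['anon']} authed={f['authed']}")
```

Endpoints that come back UNAUTHENTICATED but are intentionally public (like the health check above) can be ignored, matching step 2; the rest are the ones to fix.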
OWASP lists this as one of the top 10 API vulnerabilities here.