Findings

Insecure auth scheme

Updated: June 19, 2025

Description

Severity: High

An endpoint has an insecure authentication scheme set.

An HTTP authentication scheme is the way an API is set up to challenge the credentials of users who want to interact with it. OAuth v1 and the Microsoft Negotiate Authentication Protocol are both considered outdated schemes and should not be used by APIs to challenge user credentials. Bearer authentication requires the API to authenticate only users who present an appropriate access token. The access token (bearer token) is an opaque object, usually issued by the API after a successful login. A bearer token in JWT (JSON Web Token) format is the recommended structure for the access token.

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Injection Attacks: If the missing properties are related to input validation or sanitization, hackers may exploit injection vulnerabilities. For instance, in a web application, if additional properties are missing in a form validation process, attackers could inject malicious code (like SQL injection or cross-site scripting) into input fields to manipulate data or execute arbitrary commands.

Remediation

Ensure every endpoint specifies a strong authentication scheme. Endpoints that rely on weak mechanisms, such as OAuth 1 or the Microsoft Negotiate Authentication Protocol, are at risk of being breached.
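Because this rule is evaluated against the API specification rather than live traffic, the check can be reproduced directly on an OpenAPI 3 document. The following is an added example, not the scanner's own rule implementation: it walks the declared security schemes, treats the registered HTTP scheme names "oauth" (OAuth 1.0) and "negotiate" as outdated, reports every operation whose effective security requirement (operation-level or inherited from the global list) references one of them, and shows the remediation above applied by rewriting those schemes to bearer auth with JWT tokens. The sample specification, the scheme names legacyOAuth1, winAuth and bearerJwt, and the two paths are all constructed for the example.

```python
"""Flag endpoints in an OpenAPI 3 document that rely on an outdated HTTP
authentication scheme (added example; not the scanner's own rule logic)."""
import copy
import json

# Names from the IANA HTTP Authentication Scheme Registry, compared
# case-insensitively. "oauth" there is OAuth 1.0 (RFC 5849); "negotiate"
# is the Microsoft Negotiate protocol (RFC 4559).
INSECURE_HTTP_SCHEMES = {"oauth", "negotiate"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec: one legacy OAuth 1 scheme, one Negotiate scheme
# applied globally, and the recommended bearer JWT scheme.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Accounts API (constructed sample)", "version": "1.0"},
  "security": [{"winAuth": []}],
  "components": {
    "securitySchemes": {
      "legacyOAuth1": {"type": "http", "scheme": "OAuth"},
      "winAuth": {"type": "http", "scheme": "negotiate"},
      "bearerJwt": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
    }
  },
  "paths": {
    "/accounts": {
      "get": {"security": [{"legacyOAuth1": []}]},
      "post": {"security": [{"bearerJwt": []}]}
    },
    "/reports": {
      "get": {"summary": "Inherits the global Negotiate requirement"}
    }
  }
}
""")


def classify_scheme(scheme):
    """Return (verdict, reason) for one securitySchemes object.

    verdict is "insecure", "warn" or "ok".
    """
    if scheme.get("type") != "http":
        # apiKey / oauth2 / openIdConnect are outside this finding's scope.
        return "ok", f"type {scheme.get('type')!r} is not an HTTP auth scheme"
    name = str(scheme.get("scheme", "")).lower()
    if name in INSECURE_HTTP_SCHEMES:
        return "insecure", f"HTTP scheme {name!r} is outdated"
    if name == "bearer":
        if str(scheme.get("bearerFormat", "")).upper() != "JWT":
            return "warn", "bearer scheme should declare bearerFormat: JWT"
        return "ok", "bearer JWT"
    return "ok", f"HTTP scheme {name!r}"


def find_insecure_endpoints(spec):
    """Return [(METHOD, path, scheme_name, reason)] for every operation whose
    effective security requirement references an outdated scheme."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    verdicts = {n: classify_scheme(s) for n, s in schemes.items()}
    global_security = spec.get("security", [])
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip parameters, servers, summary, etc.
            # An operation-level "security" list overrides the global one.
            requirements = operation.get("security", global_security)
            for requirement in requirements:
                for scheme_name in requirement:
                    # A requirement naming an undeclared scheme cannot be
                    # verified, so it is reported rather than skipped.
                    verdict, reason = verdicts.get(
                        scheme_name, ("insecure", "references an undeclared scheme"))
                    if verdict == "insecure":
                        findings.append((method.upper(), path, scheme_name, reason))
    return findings


def harden_schemes(spec):
    """Return a copy of spec with every outdated HTTP scheme replaced by the
    remediation the finding recommends: bearer auth with JWT tokens."""
    fixed = copy.deepcopy(spec)
    for scheme in fixed.get("components", {}).get("securitySchemes", {}).values():
        if classify_scheme(scheme)[0] == "insecure":
            scheme.clear()
            scheme.update({"type": "http", "scheme": "bearer", "bearerFormat": "JWT"})
    return fixed


if __name__ == "__main__":
    for method, path, name, reason in find_insecure_endpoints(SAMPLE_SPEC):
        print(f"{method} {path}: security scheme {name!r} - {reason}")
    print("after remediation:", find_insecure_endpoints(harden_schemes(SAMPLE_SPEC)))
```

Run against the sample, GET /accounts is reported through its own OAuth 1 requirement and GET /reports through the inherited global Negotiate requirement, while POST /accounts (bearer JWT) passes; after harden_schemes rewrites the two outdated schemes, the checker returns no findings. Replacing the scheme in the specification is only the contract change, so the server's actual token validation has to be updated to match.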

Security Frameworks

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall.

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client or user compromises API security overall.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
