API2:2023 Broken Authentication

Endpoints that should require an authenticated caller accept anonymous traffic, or accept tokens the server cannot verify (JWT alg:none, HS256 with the public key as the HMAC secret, missing signature verification on cookies, etc.).
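The token failures named above, worked through as an added example (written for this page, not Vulkro's code): a minimal HS256 verifier on the Python standard library that pins the accepted algorithm and checks the MAC in constant time, beside the `verify=False`-style decode it replaces. The secret, the claims and the helper names are constructed for the example; the `alg: none` token exists only as a negative test vector for the verifier.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real service loads it from a secret store.
SECRET = b"example-hmac-secret-not-for-production"
# The verifier pins the accepted algorithm set instead of trusting the token header.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(s: str) -> bytes:
    # JWT base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (the auth server's side)."""
    signing_input = f"{json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """Constructed negative test vector: header claims alg 'none', signature segment empty."""
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(payload)}."


def decode_unverified(token: str) -> dict:
    """The anti-pattern (verify=False): returns the claims without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> dict:
    """Hardened verifier: pin the algorithm, compare the MAC in constant time, then trust claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        # Rejects alg 'none' and any algorithm the server did not opt into.
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    # json/base64 decode errors are ValueError subclasses, so one except covers all failures.
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False
```

In production use a maintained library rather than hand-rolled parsing, but keep the same two properties: the accepted algorithm list is fixed by the server (for example PyJWT's `jwt.decode(token, key, algorithms=["HS256"])`), and no code path reads claims before the signature check has passed.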

What Vulkro detects

Vulkro tracks every route through the auth pipeline. Routes whose handler is reachable without any auth middleware, dependency, or guard are flagged. Separately, JWT misconfigurations (alg: 'none', hardcoded HS256 secret, verify=False) are flagged on their own line.
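An added illustration of the reachability idea in that paragraph, written for this page and not Vulkro's own implementation: a toy audit over an application's registrations in order, which flags a route when neither its own dependencies/decorators/guards nor a prefix middleware registered before it is an auth guard. The guard allow-list, the public-route allow-list and the sample wiring are constructed for the example; the ordering rule mirrors the Express caveat that `app.use` must come before the route is mounted.

```python
# Names that count as an authentication guard in this model. Constructed allow-list
# for the example; a real scanner resolves guards through each framework's own wiring.
AUTH_GUARDS = {"get_current_user", "login_required", "requireAuth", "JwtAuthGuard"}
# Routes that are meant to be anonymous; the audit skips these instead of flagging them.
PUBLIC_ROUTES = {("GET", "/health")}


def prefix_covers(prefix: str, path: str) -> bool:
    """Express-style prefix mount: '/admin' covers '/admin' and '/admin/...', not '/administrator'."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit(registrations):
    """Return the (method, path) pairs reachable without any auth guard.

    `registrations` is the app's wiring in registration order, as tuples:
      ("use", prefix, middleware_name)         app.use(prefix, middleware)
      ("route", method, path, [guard_names])   a handler and its own deps/decorators/guards
    Order matters: a prefix middleware only covers routes registered after it.
    """
    active_mounts = []
    unguarded = []
    for reg in registrations:
        if reg[0] == "use":
            _, prefix, middleware = reg
            active_mounts.append((prefix, middleware))
            continue
        _, method, path, guards = reg
        if (method, path) in PUBLIC_ROUTES:
            continue
        own_guard = any(g in AUTH_GUARDS for g in guards)
        mounted_guard = any(
            prefix_covers(prefix, path) and mw in AUTH_GUARDS for prefix, mw in active_mounts
        )
        if not (own_guard or mounted_guard):
            unguarded.append((method, path))
    return unguarded


# Constructed sample wiring, not a real application.
SAMPLE_APP = [
    ("route", "GET", "/health", []),                    # intentionally public
    ("route", "GET", "/admin/users", []),               # registered BEFORE app.use('/admin', ...)
    ("use", "/admin", "requireAuth"),
    ("route", "GET", "/admin/audit", []),               # covered by the prefix middleware
    ("route", "GET", "/administrator", []),             # '/admin' prefix does not cover this
    ("route", "GET", "/api/me", ["get_current_user"]),  # guarded by its own dependency
    ("use", "/api", "cors"),                            # middleware, but not an auth guard
    ("route", "POST", "/api/orders", []),               # only CORS sits in front of it
]

if __name__ == "__main__":
    for method, path in audit(SAMPLE_APP):
        print(f"UNGUARDED {method} {path}")
```

Two of the flagged routes show why ordering and prefix semantics matter: `/admin/users` is mounted before `app.use('/admin', requireAuth)` runs, and `/administrator` shares a string prefix with `/admin` without being under it. A route that is meant to be anonymous belongs in an explicit allow-list such as `PUBLIC_ROUTES`, so the audit output stays actionable.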

Framework-specific guidance

FastAPI

@app.get(...): add `user: User = Depends(get_current_user)` to the handler signature.
Use OAuth2PasswordBearer or your existing dependency.

Flask

Decorate handler with @login_required (Flask-Login) or check `current_user.is_authenticated`.

Express

app.use('/api', authMiddleware): apply before the route is mounted.

NestJS

@UseGuards(JwtAuthGuard) on the controller method or class.

Django

@login_required decorator, or LoginRequiredMixin on the CBV.

Non-compliant code (examples)

FastAPI — no dependency, anonymous traffic accepted

@app.get('/admin/users')
def list_users():
    return db.fetch_all(User)  # no auth check anywhere on the path

Express — handler mounted without middleware

app.get('/admin/users', (req, res) => {
  // no req.user check; route is reachable anonymously
  res.json(db.query('SELECT * FROM users'));
});

Compliant code (examples)

FastAPI — OAuth2 dependency on the route

@app.get('/admin/users')
def list_users(user: User = Depends(get_current_user)):
    return db.fetch_all(User)

Express — auth middleware before the handler

app.use('/admin', requireAuth); // applied before the route definition
app.get('/admin/users', (req, res) => {
  res.json(db.query('SELECT * FROM users'));
});

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.