API Default Credentials Accepted
Description
This detector identifies API endpoints that accept default or weak credentials during authentication attempts. It tests login endpoints by attempting authentication with common default username/password combinations and reports when these credentials are successfully accepted, indicating a serious authentication bypass vulnerability.
Detection Strategy
• Targets HTTP POST, PUT, or PATCH requests to endpoints identified as login URLs
• Analyzes request bodies to ensure they contain password fields for authentication
• Attempts authentication using common default credential combinations
• Reports vulnerability when default credentials are successfully accepted by the API endpoint
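The four steps above, modelled in Python as an added example (this is not Fluid Attacks' detector code) against a constructed in-memory login service, so it can be run offline as a self-test of your own login handler. The URL hints, field names, the short default-credential list and the MockLoginService class are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumptions (not from the detector page): URL hints, field names and a short default list.
LOGIN_URL_HINTS = ("login", "signin", "auth", "session")
USERNAME_FIELDS = ("username", "user", "email", "login")
PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("root", "root"), ("guest", "guest")]

@dataclass
class Request:
    method: str
    url: str
    body: Dict[str, str] = field(default_factory=dict)

def field_named(body: Dict[str, str], names: Tuple[str, ...]):
    """Return the first body key matching one of `names` (case-insensitive), else None."""
    return next((k for k in body if k.lower() in names), None)

def is_login_request(req: Request) -> bool:
    """Steps 1-2 of the strategy: mutating method, login-looking URL, password field present."""
    return (req.method.upper() in ("POST", "PUT", "PATCH")
            and any(h in req.url.lower() for h in LOGIN_URL_HINTS)
            and field_named(req.body, PASSWORD_FIELDS) is not None)

def probe_default_credentials(req: Request,
                              send: Callable[[Request], int]) -> List[Tuple[str, str]]:
    """Steps 3-4: replay the login request with each default pair; return the accepted ones."""
    user_field = field_named(req.body, USERNAME_FIELDS)
    pw_field = field_named(req.body, PASSWORD_FIELDS)
    if not is_login_request(req) or user_field is None:
        return []
    accepted = []
    for user, pw in DEFAULT_CREDENTIALS:
        trial = Request(req.method, req.url, {**req.body, user_field: user, pw_field: pw})
        if send(trial) == 200:          # 200 = the endpoint accepted the credentials
            accepted.append((user, pw))
    return accepted

class MockLoginService:
    """Constructed stand-in for an API login endpoint; returns an HTTP-style status code."""
    def __init__(self, users: Dict[str, str]):
        self.users = users
    def __call__(self, req: Request) -> int:
        expected = self.users.get(req.body.get("username", ""))
        supplied = req.body.get("password", "")
        ok = expected is not None and hmac.compare_digest(expected, supplied)
        return 200 if ok else 401
```

A non-empty result from `probe_default_credentials` is the finding this detector reports; the fix is to remove or force rotation of the account in question, not to hide the endpoint.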