Api Weak Password Policy
Description
This detector identifies API endpoints with weak password policies that allow users to register or update accounts with inadequate passwords. It tests password creation/update endpoints by submitting weak passwords and checking if the API accepts them without proper validation, indicating insufficient security controls that could lead to account compromise.
Detection Strategy
• Target HTTP requests must use POST, PUT, or PATCH methods to API endpoints
• The endpoint URL path must indicate user registration or password update functionality (contains patterns like 'register', 'signup', 'password', 'update', etc.)
• Request body must contain password-related fields (password, passwd, pwd, etc.) in JSON or form data
• Request must include either login credentials (username, email, etc.) or authentication headers
• When weak passwords are submitted to the endpoint, the API accepts them instead of rejecting them for failing to meet complexity requirements
• A vulnerability is reported when the API allows weak passwords, indicating missing or inadequate password policy enforcement
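The following is an added example, not Fluid Attacks' detector code. It turns the strategy above into two pieces a defender can run locally: a request classifier that applies the detector's preconditions (method, path keyword, password field, credentials or auth header), and a server-side password policy that a registration or password-update handler can enforce so the weak-password probe is rejected. The function names, the field and path keyword lists, the short common-password list and the sample requests are all assumptions constructed for this illustration.

```python
"""Added example (not Fluid Attacks' code): detector preconditions plus a
password policy that makes the weak-password probe fail.  Names, keyword
lists and sample data are assumptions constructed for illustration."""
import json
import re
from urllib.parse import parse_qs

# Preconditions of the detector, as constructed keyword sets.
TARGET_METHODS = {"POST", "PUT", "PATCH"}
PATH_PATTERNS = re.compile(r"(register|signup|sign-up|password|passwd|update)", re.I)
PASSWORD_FIELDS = {"password", "passwd", "pwd", "new_password", "newPassword"}
CREDENTIAL_FIELDS = {"username", "user", "email", "login"}
AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}


def parse_body(body):
    """Accept a dict, a JSON string or a form-encoded string; return a dict."""
    if isinstance(body, dict):
        return body
    try:
        parsed = json.loads(body)
        return parsed if isinstance(parsed, dict) else {}
    except (TypeError, ValueError):
        return {k: v[0] for k, v in parse_qs(body).items()}


def is_candidate_request(method, path, headers, body):
    """True when the request matches every precondition listed above."""
    if method.upper() not in TARGET_METHODS:
        return False
    if not PATH_PATTERNS.search(path):
        return False
    fields = set(parse_body(body))
    if not PASSWORD_FIELDS & fields:
        return False
    has_credentials = bool(CREDENTIAL_FIELDS & fields)
    has_auth_header = bool(AUTH_HEADERS & {h.lower() for h in headers})
    return has_credentials or has_auth_header


# Constructed, deliberately tiny denylist; a real policy uses a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}


def password_policy_errors(password, username="", email=""):
    """Server-side policy for a registration/password-update handler.
    Returns a list of reasons; an empty list means the password is accepted."""
    errors = []
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    lowered = password.lower()
    # Strip a trailing digit run so 'qwerty123' is still caught as common.
    if lowered in COMMON_PASSWORDS or re.sub(r"\d+$", "", lowered) in COMMON_PASSWORDS:
        errors.append("common password")
    local_part = email.split("@")[0] if email else ""
    for identifier in (username, local_part):
        if identifier and identifier.lower() in lowered:
            errors.append("contains the account identifier")
            break
    if len(set(password)) < 5:
        errors.append("too few distinct characters")
    return errors


# Constructed weak probes of the kind the detector submits.
WEAK_PROBES = ["123456", "password", "Password1", "alice2024", "aaaaaaaaaaaa", "qwerty123"]


def probe_policy(validator, username, email):
    """Replay the weak-password probe against a local validator and return
    the probes it accepted.  An empty result means the policy rejected all."""
    return [p for p in WEAK_PROBES if not validator(p, username, email)]


def length_only_policy(password, username="", email=""):
    """The weak 'before' policy: only a minimum length of 6 is checked."""
    return [] if len(password) >= 6 else ["shorter than 6 characters"]


if __name__ == "__main__":
    req = ("POST", "/api/v1/register", {"Content-Type": "application/json"},
           '{"email": "alice@example.com", "password": "123456"}')
    print("candidate request:", is_candidate_request(*req))
    print("weak policy accepts:", probe_policy(length_only_policy, "alice", "alice@example.com"))
    print("hardened policy accepts:", probe_policy(password_policy_errors, "alice", "alice@example.com"))
```

Run against the length-only policy, `probe_policy` returns every probe, which is the condition the detector reports; against `password_policy_errors` it returns nothing. The classifier works on JSON and form bodies alike, so the same check covers both request shapes the strategy mentions.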