Api Empty Credential Login
Description
This detector identifies API endpoints that accept empty or missing credentials during login attempts. It tests login endpoints by sending requests with blank username/password fields to check if the application improperly authenticates users with empty credentials, which could allow unauthorized access.
Detection Strategy
• The target request must use POST, PUT, or PATCH HTTP method
• The request path must be identified as a login endpoint (contains patterns like /login, /signin, /auth, etc.)
• The request body must contain recognizable password fields (password, passwd, pwd, etc.)
• The detector sends a test request with empty credential values
• A vulnerability is reported if the application accepts the empty credentials and returns a successful authentication response
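The following is an added example, not Fluid Attacks' detector code, that models the five steps above in one self-contained script: it classifies a request as a login attempt (mutating method, login-like path, recognizable password field), builds the blank-credential variant, and reports whether a handler still authenticates. The directory stand-in, the account data, the handler names and the session/status values are all constructed for the example; the vulnerable handler passes credentials straight to a backend that accepts an empty password as an anonymous bind, and the hardened handler rejects blank or missing credentials before the backend is consulted.

```python
import re

# Request classification mirroring the detection strategy (constructed patterns).
LOGIN_PATH = re.compile(r"/(login|signin|sign-in|auth|authenticate)(/|$)", re.IGNORECASE)
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USERNAME_FIELDS = {"username", "user", "email", "login"}
MUTATING_METHODS = {"POST", "PUT", "PATCH"}


def is_login_request(method, path, body):
    """Preconditions: POST/PUT/PATCH, login-like path, a password field in the body."""
    if method.upper() not in MUTATING_METHODS:
        return False
    if not LOGIN_PATH.search(path):
        return False
    return any(key.lower() in PASSWORD_FIELDS for key in body)


def blank_credentials(body):
    """Return a copy of the body with every credential-like field set to ''."""
    credential_fields = PASSWORD_FIELDS | USERNAME_FIELDS
    return {k: ("" if k.lower() in credential_fields else v) for k, v in body.items()}


# Constructed stand-in for a directory backend. Like a directory that allows
# unauthenticated binds, it reports success whenever the password is empty,
# regardless of the user; this is the root cause the detector surfaces.
DIRECTORY = {"alice": "correct-horse"}


def directory_bind(user, password):
    if password == "":
        return True  # empty password treated as an anonymous bind
    return DIRECTORY.get(user) == password


def vulnerable_login(body):
    """Hands whatever it received to the backend; empty credentials log in."""
    user = body.get("username", "")
    password = body.get("password", "")
    if directory_bind(user, password):
        return {"status": 200, "session": f"sess-{user or 'anonymous'}"}
    return {"status": 401}


def hardened_login(body):
    """Rejects blank or missing credentials before consulting the backend."""
    user = body.get("username", "")
    password = body.get("password", "")
    if not user.strip() or not password:
        return {"status": 400, "error": "username and password are required"}
    if directory_bind(user, password):
        return {"status": 200, "session": f"sess-{user}"}
    return {"status": 401}


def probe(handler, method, path, body):
    """Apply the strategy to an in-process handler (e.g. in a unit test).

    Returns None when the request is not a login attempt, True when the
    handler authenticates the blank-credential variant, False otherwise.
    """
    if not is_login_request(method, path, body):
        return None
    response = handler(blank_credentials(body))
    return response.get("status") == 200 and "session" in response


if __name__ == "__main__":
    request = ("POST", "/api/v1/login", {"username": "alice", "password": "wrong"})
    print("vulnerable handler flagged:", probe(vulnerable_login, *request))
    print("hardened handler flagged:  ", probe(hardened_login, *request))
```

The probe treats a 2xx response carrying a session as a successful authentication; in a real application the success criterion is whatever the endpoint returns to a correctly authenticated user, so that check is the part to adapt when wiring this into your own tests.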