@Himan10
Created April 15, 2025 16:45
akto test template
id: REMOVE_TOKENS
info:
  name: "Broken Authentication by removing auth token"
  description: "API doesn't validate the authenticity of the token. An attacker can remove the auth token and still access the endpoint."
  details: >
    "The endpoint appears to be vulnerable to a broken authentication attack. The original request was replayed with the victim's <b>auth</b> token removed. The server still responded with a 2XX success code.<br>"
    "<b>Background:</b> Authentication is the process of attempting to verify the digital identity of the sender of a communication. Testing the authentication schema means understanding how the authentication process works and using that information to
    circumvent the authentication mechanism. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple
    underestimation of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed."
  impact: "Broken user authentication is a serious vulnerability. Attackers can gain control of other users' accounts in the system, read their personal data, and perform sensitive actions on their behalf, such as money transactions and sending personal messages."
  category:
    name: NO_AUTH
    shortName: Broken Authentication
    displayName: Broken User Authentication (BUA)
  subCategory: REMOVE_TOKENS
  severity: HIGH
  tags:
    - Business logic
    - OWASP top 10
    - HackerOne top 10
  references:
    - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/"
    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa2-broken-authentication.md"
    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
    - "https://cwe.mitre.org/data/definitions/798.html"
  cwe:
    - CWE-287
    - CWE-306
  cve:
    - CVE-2023-22501

attributes:
  nature: NON_INTRUSIVE
  plan: FREE
  duration: FAST

# Only endpoints whose recorded (authenticated) response was a clean 2xx are
# selected; otherwise there is no successful baseline to compare the replay against.
api_selection_filters:
  response_code:
    gte: 200
    lt: 300
  response_payload:
    length:
      gt: 0
    not_contains:
      - Error
      - Internal Server
      - Failed
      - Unauthorized
      - access denied
      - Forbidden
      - Method Not allowed
      - Gateway timeout
      - request timeout
      - server error
      - server busy
      - authentication error
      - authorization error
      - validation error
      - Permission Denied
      - invalid
      - token expired
      - session expired
      - session timeout
      - unexpected error
      - unable to process request
      - bad request
      - service unavailable
      - account is locked
      - account is blocked
      - multiple failed attempts
  method:
    neq: OPTIONS

# Replay the request once with the configured auth header stripped.
execute:
  type: single
  requests:
    - req:
        - remove_auth_header: true

# Flag the endpoint when the unauthenticated replay still succeeds, carries a
# non-empty body without error markers, and closely matches the original response.
validate:
  response_code:
    gte: 200
    lt: 300
  response_payload:
    length:
      gt: 0
    percentage_match:
      gte: 80
    not_contains:
      - Error
      - Internal Server
      - Failed
      - Unauthorized
      - access denied
      - Forbidden
      - Method Not allowed
      - Gateway timeout
      - request timeout
      - server error
      - server busy
      - authentication error
      - authorization error
      - validation error
      - Permission Denied
      - invalid token
      - token expired
      - session expired
      - session timeout
      - unexpected error
      - unable to process request
      - bad request
      - service unavailable
      - account is locked
      - account is blocked
      - multiple failed attempts
      - invalid credentials
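The template above is declarative, so it is easy to miss what the engine actually does at each stage. Below is an added, self-contained walkthrough of the same three stages (selection filter, replay with the auth header removed, validation) run against constructed in-memory endpoints. It is example code written for this page, not Akto's engine or any code from the gist author: the set of header names treated as "auth headers", the use of `difflib` as a stand-in for `percentage_match`, case-insensitive `not_contains` matching, and the three handler functions are all assumptions made here.

```python
"""Added example: the REMOVE_TOKENS test logic replayed offline.

Not Akto's code. Assumptions: AUTH_HEADERS is a fixed list (Akto derives the
header from the configured auth mechanism), percentage_match is approximated
with difflib, and not_contains is matched case-insensitively.
"""
import difflib
import json
from typing import Callable, Dict, Tuple

# Header names stripped by remove_auth_header (assumption for this example).
AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}

# Subset of the template's validate.response_payload.not_contains markers.
NOT_CONTAINS = ["Error", "Unauthorized", "Forbidden", "invalid token",
                "session expired", "invalid credentials", "access denied"]

Response = Tuple[int, str]                    # (status code, body)
Handler = Callable[[Dict[str, str]], Response]  # stands in for an HTTP endpoint


def remove_auth_header(headers: Dict[str, str]) -> Dict[str, str]:
    """The `remove_auth_header: true` step: drop every auth-carrying header."""
    return {k: v for k, v in headers.items() if k.lower() not in AUTH_HEADERS}


def percentage_match(a: str, b: str) -> float:
    """Body similarity in percent. difflib is an assumed stand-in for Akto's score."""
    return 100.0 * difflib.SequenceMatcher(None, a, b).ratio()


def payload_ok(body: str) -> bool:
    """response_payload: non-empty and none of the error markers present."""
    low = body.lower()
    return len(body) > 0 and not any(m.lower() in low for m in NOT_CONTAINS)


def is_2xx(status: int) -> bool:
    return 200 <= status < 300


def run_remove_tokens(handler: Handler, headers: Dict[str, str], method: str = "GET") -> bool:
    """Return True when the endpoint would be flagged by the template."""
    # api_selection_filters: skip OPTIONS and require a clean 2xx baseline.
    if method.upper() == "OPTIONS":
        return False
    base_status, base_body = handler(headers)
    if not (is_2xx(base_status) and payload_ok(base_body)):
        return False
    # execute: a single replay with the auth header removed.
    status, body = handler(remove_auth_header(headers))
    # validate: still 2xx, clean payload, and >= 80% similar to the baseline.
    return (is_2xx(status) and payload_ok(body)
            and percentage_match(base_body, body) >= 80)


# ---- constructed endpoints (not real services) ------------------------------
PROFILE = json.dumps({"id": 42, "email": "victim@example.test", "balance": 1337})


def vulnerable_profile(headers: Dict[str, str]) -> Response:
    """Returns the profile whether or not a token is present: the bug the test detects."""
    return 200, PROFILE


def hardened_profile(headers: Dict[str, str]) -> Response:
    """Rejects the request when no bearer token is present."""
    if headers.get("Authorization", "").startswith("Bearer "):
        return 200, PROFILE
    return 401, json.dumps({"error": "Unauthorized"})


def public_status(headers: Dict[str, str]) -> Response:
    """Unauthenticated by design: passes every check and is reported anyway."""
    return 200, json.dumps({"status": "ok"})


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer eyJ.example.token", "Accept": "application/json"}
    for name, h in [("vulnerable_profile", vulnerable_profile),
                    ("hardened_profile", hardened_profile),
                    ("public_status", public_status)]:
        print(f"{name}: {'VULNERABLE' if run_remove_tokens(h, hdrs) else 'not flagged'}")
```

Two things the walkthrough makes visible that the YAML does not. First, the hardened endpoint is rejected on two independent grounds (the 401 status and the `Unauthorized` marker in the body), so the `not_contains` list is a fallback for servers that wrongly return 200 with an error body, not the primary signal. Second, `public_status` shows the template's built-in false positive: an endpoint that is intentionally unauthenticated satisfies every validate condition, so hits from this test still need triage against the API's intended auth model before being treated as findings.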