

Broken Auth.api - Holiday 2025

08/01/2026

In modern APIs, authentication isn’t just about checking a username and password; it’s about establishing trust boundaries and enforcing them consistently.

Take a simple API design: login issues a token, and protected routes enforce it. At first glance, everything seems correct. But right next to it sits a password reset endpoint that accepts an email and a new password and returns success without any verification: no session, no token, no proof that the requester actually owns the account.

This is a textbook example of Broken Authentication, one of the most common and dangerous categories in the OWASP API Security Top 10 (API2:2023). Authentication endpoints like login, password reset, and account recovery are critical assets. If an attacker can bypass or manipulate them, they can take over accounts, read personal data, or perform actions on behalf of other users, all while appearing legitimate to the system.

APIs become vulnerable when they:

  • Permit account recovery without verifying identity

  • Accept weak or predictable credentials

  • Fail to validate the authenticity or expiration of tokens

  • Send sensitive authentication details in unsafe ways

  • Allow attackers to brute-force accounts without rate-limiting or lockouts
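To make the pattern described above concrete, here is an added example (not code from the challenge or from SecDim) in plain Python with an in-memory user store. It places the vulnerable reset handler, which sets a new password for any email it is handed, beside a hardened two-step version: the first step issues a random, single-use reset secret that would be delivered out-of-band, and the second step only changes the password when the presented secret matches an unexpired, unused record bound to that same account. The store, the user names, the 15-minute TTL and the dict-based response codes are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset secret


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class ResetToken:
    email: str          # account the secret was issued for
    expires_at: float   # absolute time after which it is rejected
    used: bool = False  # single use: flipped on first successful reset


# Constructed in-memory stores standing in for a database.
USERS: Dict[str, User] = {}
RESET_TOKENS: Dict[bytes, ResetToken] = {}  # keyed by sha256(secret), never the secret


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = User(email, salt, _hash_password(password, salt))


def check_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same work for unknown accounts
        return False
    return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))


def _set_password(user: User, new_password: str) -> None:
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)


# --- Vulnerable: the endpoint the post describes. Any caller who knows an
# --- email can choose that account's new password; nothing proves ownership.
def reset_password_vulnerable(email: str, new_password: str) -> dict:
    user = USERS.get(email)
    if user is None:
        return {"status": 404}
    _set_password(user, new_password)
    return {"status": 200}


# --- Hardened, step 1: issue a secret that is delivered out-of-band (e.g. by
# --- email). The HTTP response should look identical whether or not the account
# --- exists; the None return here is only for the caller that sends the mail.
def request_password_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    secret = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(secret.encode()).digest()
    RESET_TOKENS[token_hash] = ResetToken(email, now + RESET_TTL_SECONDS)
    return secret


# --- Hardened, step 2: accept the new password only with a valid, unexpired,
# --- unused secret that was issued for this exact account.
def reset_password_hardened(email: str, secret: str, new_password: str,
                            now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(hashlib.sha256(secret.encode()).digest())
    if (record is None            # unknown or guessed secret
            or record.used        # already consumed
            or now > record.expires_at  # expired
            or record.email != email):  # issued for a different account
        return {"status": 403}
    user = USERS.get(email)
    if user is None:
        return {"status": 403}
    record.used = True
    _set_password(user, new_password)
    return {"status": 200}
```

The important design choices are that the secret itself is never stored (only its hash, so a leaked table does not yield usable tokens), that the record is bound to one email so a secret issued for one account cannot reset another, and that expiry and single use are enforced on every call rather than trusted from the client.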

We made a challenge inspired by this vulnerability; it is available right now for free as part of our Holiday 7x7 Wargame.

Try the challenge yourself: Play - SecDim
