HIGH CWE-521 Authentication

CWE-521 in APIs

CWE ID
CWE-521
Category
Authentication
Severity
MEDIUM
Short Name
Weak Passwords
Scan for CWE-521

What is CWE-521?

CWE-521 refers to the weakness Weak Password Requirements. This occurs when an application allows users to choose passwords that are easily guessable or susceptible to brute-force attacks due to insufficient complexity requirements. The weakness manifests when authentication systems accept passwords that are too short, lack character variety, or use common patterns that attackers can quickly enumerate.

CWE-521 in API Contexts

In API authentication systems, CWE-521 appears when endpoints accept weak credentials during registration, password reset, or authentication flows. APIs often handle authentication at scale, making weak password requirements particularly dangerous since automated attacks can exploit them across many users simultaneously.

Common manifestations in APIs include:

  • Registration endpoints accepting passwords under 8 characters
  • No enforcement of character variety (uppercase, lowercase, numbers, symbols)
  • Acceptance of common passwords from breach databases
  • Lack of checks against password similarity (e.g., 'password123')
  • No rate limiting on authentication attempts

Consider this vulnerable API endpoint:

POST /api/v1/auth/register
{
  "username": "user1",
  "password": "123456"
}

// Server accepts without validation
// Returns: 201 Created

This allows attackers to create accounts with trivially guessable passwords, then potentially escalate privileges or access other users' data if the system has broader vulnerabilities.

Detection

Detecting CWE-521 requires examining both the API specification and runtime behavior. middleBrick's API security scanner automatically tests password requirements by attempting to register accounts with progressively weaker passwords and analyzing the responses.

middleBrick scans for this weakness by:

  • Testing minimum password length enforcement
  • Checking character variety requirements
  • Attempting common weak passwords from breach databases
  • Analyzing authentication error messages for information disclosure
  • Verifying rate limiting on authentication endpoints

The scanner reports findings with severity levels and provides specific recommendations for each detected weakness. For example, if an API accepts 'password' as a valid credential, middleBrick flags this as a critical finding with immediate remediation guidance.

Manual detection methods include:

curl -X POST https://api.example.com/register \
  -H "Content-Type: application/json" \
  -d '{"username":"test","password":"123"}'

# If this succeeds, weak password requirements exist
# Test progressively weaker passwords to find the actual minimum

Remediation

Fixing CWE-521 requires implementing strong password policies at the API level. Here are effective remediation strategies with code examples:

1. Minimum Length and Character Requirements

// Node.js/Express validation middleware
const passwordValidator = (req, res, next) => {
  const { password } = req.body;
  
  if (!password) {
    return res.status(400).json({ 
      error: 'Password is required' 
    });
  }
  
  if (password.length < 12) {
    return res.status(400).json({ 
      error: 'Password must be at least 12 characters long' 
    });
  }
  
  const hasUppercase = /[A-Z]/.test(password);
  const hasLowercase = /[a-z]/.test(password);
  const hasNumber = /[0-9]/.test(password);
  const hasSymbol = /[^A-Za-z0-9]/.test(password);
  
  if (!hasUppercase || !hasLowercase || !hasNumber || !hasSymbol) {
    return res.status(400).json({ 
      error: 'Password must include uppercase, lowercase, number, and symbol' 
    });
  }
  
  next();
};

2. Common Password Prevention

// Using a common passwords list (simplified example)
const commonPasswords = require('./common-passwords.json'); // 100k+ entries

const checkCommonPassword = (password) => {
  const normalized = password.toLowerCase().trim();
  return commonPasswords.includes(normalized);
};

// In your validation middleware
if (checkCommonPassword(password)) {
  return res.status(400).json({ 
    error: 'Password is too common and easily guessable' 
  });
}

3. Rate Limiting Authentication

const rateLimit = require('express-rate-limit');

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // limit each IP to 5 requests per windowMs
  message: 'Too many authentication attempts, please try again later',
  skipSuccessfulRequests: true
});

// Apply to authentication routes
app.post('/api/v1/auth/login', authLimiter, loginHandler);
app.post('/api/v1/auth/register', authLimiter, registerHandler);

4. Password Strength Feedback

// Return specific feedback for password requirements
const validatePassword = (password) => {
  const errors = [];
  
  if (password.length < 12) {
    errors.push('At least 12 characters long');
  }
  
  if (!/[A-Z]/.test(password)) {
    errors.push('At least one uppercase letter');
  }
  
  if (!/[a-z]/.test(password)) {
    errors.push('At least one lowercase letter');
  }
  
  if (!/[0-9]/.test(password)) {
    errors.push('At least one number');
  }
  
  if (!/[^A-Za-z0-9]/.test(password)) {
    errors.push('At least one symbol');
  }
  
  if (checkCommonPassword(password)) {
    errors.push('Not a common or compromised password');
  }
  
  return errors;
};

// Client-side can call this first for immediate feedback
// Server still validates on submission
Detect CWE-521 in your APIs View all CWEs

Frequently Asked Questions

How does CWE-521 relate to other authentication weaknesses?
CWE-521 often appears alongside other authentication issues like CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-307 (Weak Password Requirements). Together, they create a compound vulnerability where weak passwords combined with insufficient rate limiting enable credential stuffing and brute-force attacks. middleBrick's scanner tests these weaknesses in combination to provide a complete security assessment.
Should APIs enforce password policies or leave this to clients?
APIs must enforce password policies server-side regardless of client implementation. Client-side validation can be bypassed, and different clients may have varying enforcement. Server-side validation ensures consistent security across all access methods, including direct API calls, mobile apps, and third-party integrations. middleBrick's scanner tests the actual API behavior, not just documentation.

Related Pages

CWE-521 in ActixLearn how CWE‑521 weak password requirements appear in Actix‑web APIs, how to detect them with middleBrick, and how to fCWE-521 in AspnetLearn how CWE-521 weak password requirements manifest in ASP.NET applications, with specific detection methods and remedCWE-521 in AxumCWE-521 weak password requirements in Axum APIs: detection, prevention, and remediation with middleBrick's automated secCWE-521 in AdonisjsHow CWE-521 Weak Password Requirements manifests in Adonisjs applications, detection methods using middleBrick, and AdonCWE-521 in GoLearn how CWE-521 (weak credentials) manifests in Go APIs, how to detect it with middleBrick, and how to fix it using bcCWE-521 in CsharpLearn about CWE-521 (insufficient session expiration) in C# ASP.NET Core: attack patterns, detection with middleBrick, aCWE-521 in JavascriptCWE-521 in JavaScript: how weak encryption appears in code, how to detect it with middleBrick, and secure remediation usCWE-521 in JavaLearn how CWE-521 (Weak Password Requirements) appears in Java APIs, how middleBrick detects it via black-box scanning, CWE-521 in Adonisjs (Typescript)CWE-521 in AdonisJS with TypeScript: causes and TypeScript-specific fixes using runtime schemas.CWE-521 in Aspnet (Csharp)CWE-521 in ASP.NET with C#: understanding weak data structure protections and secure C# remediation patterns.CWE-521 in Actix (Rust)CWE-521 in Actix with Rust: weak password requirements and how to enforce strong constraints in Actix handlers with RustCWE-521 in Axum (Rust)CWE-521 in Axum with Rust: causes, secure token generation code examples, and remediation steps.