Severity: critical. Category: Authentication.

API Endpoints Without Authentication Checks

What Is This Vulnerability?

Missing authentication occurs when API endpoints or application routes are accessible without requiring any form of identity verification. This allows anonymous users or automated bots to access, modify, or delete data that should be restricted to authenticated users, potentially exposing the entire application's data layer.

Why It Happens

Developers sometimes forget to apply authentication middleware to new endpoints, especially during rapid development. Internal APIs originally intended for server-to-server communication get exposed publicly. Route-level middleware is missed when frameworks require explicit per-route application rather than global enforcement.

Example Code

Vulnerable (routes/users.ts):

// No authentication middleware on either route: any anonymous client can
// list every user row or delete an arbitrary user by id.
app.get("/api/users", async (req, res) => {
  const users = await db.query("SELECT * FROM users");
  res.json(users.rows);
});

app.delete("/api/users/:id", async (req, res) => {
  await db.query("DELETE FROM users WHERE id = $1", [req.params.id]);
  res.json({ deleted: true });
});

Fixed (routes/users.ts):

import { requireAuth } from "@/middleware/auth";

// requireAuth rejects unauthenticated requests with 401 and populates req.user.
app.get("/api/users", requireAuth, async (req, res) => {
  const users = await db.query("SELECT * FROM users");
  res.json(users.rows);
});

app.delete("/api/users/:id", requireAuth, async (req, res) => {
  // Authentication alone is not enough for a destructive operation:
  // an authenticated but non-admin caller gets 403.
  if (req.user.role !== "admin") {
    return res.status(403).json({ error: "Forbidden" });
  }
  await db.query("DELETE FROM users WHERE id = $1", [req.params.id]);
  res.json({ deleted: true });
});

How Hackers Exploit It

Attackers use automated tools to scan for unprotected endpoints by testing common API paths (/api/users, /api/admin, /api/config). They enumerate routes using wordlists and check for responses that return data without requiring authentication headers. Once found, they can extract sensitive data, modify records, or escalate to admin operations.

How to Fix It

Apply authentication middleware globally and explicitly opt out only for public routes. Use a framework pattern where all routes are protected by default. Regularly audit your route definitions to ensure every endpoint has appropriate authentication. Implement integration tests that verify protected endpoints return 401 when called without credentials.

Frequently Asked Questions

How do I ensure all API endpoints require authentication?
Apply authentication middleware at the router or application level so it runs on every request by default. Then explicitly mark public routes (like login or health checks) as exceptions. This deny-by-default approach prevents accidentally exposing new endpoints.
Should internal APIs also require authentication?
Yes. Internal APIs should use service-to-service authentication such as API keys, mutual TLS, or JWT tokens. Even if the API is not exposed to the internet, a compromised internal service or SSRF vulnerability could allow an attacker to reach it.
How can I automatically detect unprotected endpoints?
Write integration tests that call every registered route without authentication and assert a 401 response. Use security scanning tools that crawl your API. Some frameworks also support route auditing to list all registered endpoints and their middleware chains.
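The deny-by-default guard described under "How to Fix It" and the "call every route without credentials, expect 401" sweep from the last FAQ answer, as an added TypeScript example that is not part of this page: it is framework-agnostic (no Express), and ROUTES, SESSIONS, the token strings and the function names are assumptions made for the example.

```typescript
// Added example, not from the page: a framework-agnostic deny-by-default route guard
// and the "every route without credentials must answer 401" sweep. Route shape, SESSIONS and tokens are constructed.
type Method = "GET" | "POST" | "DELETE";
type Route = { method: Method; path: string; public?: boolean; roles?: string[] };
type Request = { method: Method; path: string; token?: string };
type Decision = { status: number; reason: string };
type Guard = (req: Request, routes: Route[]) => Decision;

// Stand-in for a real session or JWT lookup (constructed data).
const SESSIONS: Record<string, { user: string; role: string }> = {
  "tok-alice": { user: "alice", role: "user" },
  "tok-root": { user: "root", role: "admin" },
};

// Protected unless explicitly public, so a new route cannot silently skip auth (deny-by-default).
const ROUTES: Route[] = [
  { method: "POST", path: "/api/login", public: true },
  { method: "GET", path: "/healthz", public: true },
  { method: "GET", path: "/api/users" },
  { method: "DELETE", path: "/api/users/:id", roles: ["admin"] },
];

// Match "/api/users/:id" against "/api/users/42"; ":name" segments are wildcards.
function matches(pattern: string, path: string): boolean {
  const p = pattern.split("/"), q = path.split("/");
  return p.length === q.length && p.every((seg, i) => seg.startsWith(":") || seg === q[i]);
}

function authorize(req: Request, routes: Route[] = ROUTES): Decision {
  const route = routes.find((r) => r.method === req.method && matches(r.path, req.path));
  if (!route) return { status: 404, reason: "no such route" };
  if (route.public) return { status: 200, reason: "public route" };
  // Authentication (401) is decided before authorization (403): identity first, then role.
  const session = req.token !== undefined ? SESSIONS[req.token] : undefined;
  if (!session) return { status: 401, reason: "authentication required" };
  if (route.roles && !route.roles.includes(session.role)) return { status: 403, reason: "insufficient role" };
  return { status: 200, reason: `authenticated as ${session.user}` };
}

// The integration test from the text: call every non-public route with no credentials; list any not answering 401.
function unauthenticatedSweep(routes: Route[], guard: Guard = authorize): string[] {
  return routes
    .filter((r) => !r.public)
    .map((r) => ({ r, d: guard({ method: r.method, path: r.path.replace(/:\w+/g, "1") }, routes) }))
    .filter(({ d }) => d.status !== 401)
    .map(({ r, d }) => `${r.method} ${r.path} -> ${d.status}`);
}
// A guard with the middleware missing entirely, to show the sweep catching it.
const noAuthGuard: Guard = () => ({ status: 200, reason: "no auth check" });
```

An empty list from unauthenticatedSweep is a pass; running it with noAuthGuard shows what the vulnerable routes/users.ts above would report.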
