A malicious actor can use a reflection attack to bypass the authentication measures that protect your REST API. Authentication protocols that rely on a challenge-handshake or similar mechanism are vulnerable to this type of attack.
The attack itself is trivial and easy to execute. However, it is also easy to mitigate with the correct security procedures.
- The attacker initiates a connection to the target and sends an appropriate authentication challenge.
- The server responds to the challenge with an encrypted shared secret and a challenge of its own back to the attacker. The attacker does not know the pre-shared secret and so cannot answer that challenge.
- Instead, the attacker copies the challenge response from the target and uses it to initiate a second connection to the server. The server treats the second connection as an ordinary handshake and responds with its own challenge back to the attacker.
- Finally, the attacker uses the target's response from the second connection as its reply to the target on the first connection. This results in a successfully authenticated handshake.
Successfully exploiting this vulnerability gives an attacker full authenticated access to whatever application the REST API serves, leading to theft of data or elevation of privileges.
Fortunately, an attack such as this is easily prevented by using a proxy to handle these authentication exchanges.
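The exchange described above, replayed as a regression check against a toy mutual challenge-response responder, shows the root cause and a protocol-level fix that complements the proxy approach: when the reply is a MAC over the bare challenge, the server's own reply verifies as a client reply; when the reply binds the responder's role and the server refuses to answer a challenge it issued itself, the reflected reply fails. This is an added example, not code from the original page; the protocol, the `Server` class and the key are assumptions.

```python
import hmac
import hashlib
import os

SHARED_SECRET = b"constructed-demo-shared-secret"  # constructed sample key only


def weak_response(secret: bytes, challenge: bytes) -> bytes:
    # MAC over the bare challenge: the server's own reply also passes as a client reply.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def bound_response(secret: bytes, challenge: bytes, role: bytes) -> bytes:
    # Binding the responder's role makes the server's reply differ from a client's.
    return hmac.new(secret, role + b"|" + challenge, hashlib.sha256).digest()


class Server:
    """Mutual challenge-response responder for an assumed toy protocol."""

    def __init__(self, secret: bytes, hardened: bool):
        self.secret = secret
        self.hardened = hardened
        self.issued = set()  # challenges we sent that are still unanswered

    def issue_challenge(self) -> bytes:
        c = os.urandom(16)
        self.issued.add(c)
        return c

    def answer(self, challenge: bytes):
        # Hardened mode also refuses to answer a challenge we issued ourselves.
        if not self.hardened:
            return weak_response(self.secret, challenge)
        if challenge in self.issued:
            return None
        return bound_response(self.secret, challenge, b"server")

    def verify_client(self, challenge: bytes, response) -> bool:
        if response is None or challenge not in self.issued:
            return False
        self.issued.discard(challenge)
        expected = (bound_response(self.secret, challenge, b"client")
                    if self.hardened else weak_response(self.secret, challenge))
        return hmac.compare_digest(expected, response)


def reflected_response_accepted(server: Server) -> bool:
    # Regression check for the exchange in the text: the server's own answer,
    # obtained on a second session, is submitted back on the first session.
    c1 = server.issue_challenge()               # session 1: server challenges peer
    reflected = server.answer(c1)               # session 2: c1 presented back to it
    return server.verify_client(c1, reflected)  # session 1: server's answer replayed
```

A legitimate client in hardened mode still authenticates by computing `bound_response(secret, challenge, b"client")`, so the fix costs nothing for honest peers.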