Broken Authentication
Most APIs expose an authentication endpoint. Unless it is backed by proper authentication controls, weaknesses such as CWE-307 (Improper Restriction of Excessive Authentication Attempts) can arise.
A weak password policy can give us quick wins if we brute-force the login endpoint.
Applications commonly let users reset their passwords by requesting a One Time Password (OTP) sent to a device they own, or by answering a security question chosen during registration. When brute-forcing passwords is infeasible because of a strong password policy, we can instead attempt to brute-force the OTP or the answer to the security question, provided that they have low entropy or are guessable and the endpoint does not enforce rate limiting.
The endpoint should implement rate limiting (and invalidate the OTP after a small number of failed attempts) to prevent brute-force attacks.
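The following is an added example, not code from the original page, showing what a properly rate-limited OTP verification looks like on the server side. It assumes an in-memory store (a real service would back this with a shared cache or database so the limit holds across instances); the `OtpService` class, its limits and the "alice"/"bob" accounts are hypothetical names constructed for the example. The OTP is a 6-digit code drawn from a CSPRNG, so its space is only 10^6; what keeps brute force infeasible is the per-OTP attempt cap, the short lifetime, single use, and the account lockout once the cap is hit, which together leave an attacker a 5-in-a-million chance per issued code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_ATTEMPTS = 5          # failed guesses allowed per issued OTP
OTP_TTL_SECONDS = 300     # OTP lifetime (5 minutes)
LOCKOUT_SECONDS = 900     # account lockout after the cap is hit (15 minutes)


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    otp: Optional[OtpRecord] = None
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class OtpService:
    """Hypothetical OTP issuance/verification with per-account rate limiting."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                     # injectable for deterministic tests
        self.accounts: Dict[str, Account] = {}

    def issue_otp(self, user: str) -> str:
        # 6 digits from a CSPRNG; issuing a new OTP replaces any outstanding one.
        code = f"{secrets.randbelow(10**6):06d}"
        acct = self.accounts.setdefault(user, Account())
        acct.otp = OtpRecord(code=code, issued_at=self.clock())
        return code

    def verify(self, user: str, candidate: str) -> Tuple[bool, str]:
        """Return (accepted, reason). Every failure counts toward the attempt cap."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            return False, "no_otp"
        if now < acct.locked_until:
            return False, "locked"           # lockout checked before anything else
        rec = acct.otp
        if rec is None:
            return False, "no_otp"
        if now - rec.issued_at > OTP_TTL_SECONDS:
            acct.otp = None                  # expired codes are discarded, not retried
            return False, "expired"
        rec.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(rec.code, candidate):
            acct.otp = None                  # single use: a correct code cannot be replayed
            return True, "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            acct.otp = None                  # burn the OTP and lock the account
            acct.locked_until = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "wrong"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue_otp("alice")
    # A guessing loop is cut off after MAX_ATTEMPTS regardless of how many codes it tries.
    for guess in ("000000", "000001", "000002", "000003", "000004", "000005"):
        print(guess, svc.verify("alice", guess))
    print("correct code after lockout:", svc.verify("alice", code))
```

The lookup key for the limit should be the account being reset, not the caller's IP address: an attacker can rotate source addresses, but cannot escape a cap tied to the victim's account. Pair this with a global per-IP limit on the request-OTP endpoint so that repeatedly re-issuing codes does not reset the counter for free.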