What is Broken Authentication?
These types of weaknesses can allow an attacker to either capture or bypass the authentication methods that are used by a web application.
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
- Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.
- Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
- Has missing or ineffective multi-factor authentication.
- Exposes Session IDs in the URL (e.g., URL rewriting).
- Does not rotate Session IDs after successful login.
- Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.
The goal of an attack is to take over one or more accounts and for the attacker to get the same privileges as the attacked user.
Broken authentication examples
Example #1: Credential stuffing
The use of lists of known usernames and passwords is a common attack. If an application does not implement automated-threat or credential stuffing protections, the application can be used as a password oracle to determine whether the credentials are valid.
Example #2: Application session timeouts aren't set properly.
A user uses a public computer to access an application. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
Example #3: Passwords are not properly hashed and salted
An insider or external attacker gains access to the system’s password database. User passwords are not properly hashed and salted, exposing every user’s password.
Risk
- Stored username and password values should be salted and hashed, in addition to being encrypted.
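As an added illustration of Example #3 and the storage requirement above (example code written for this article, not taken from OWASP): the unsalted fast hash that exposes every user once the table leaks, beside a per-user salted, iterated hash with constant-time verification. The choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak storage, as in Example #3: unsalted single-round hash. Two users with
# the same password get identical digests, and a leaked table can be cracked
# with precomputed (rainbow) tables or a plain dictionary attack.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed parameters for this example; the page prescribes no algorithm.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same weak password.
    users = {"alice": "Password1", "bob": "Password1"}
    print("weak  :", {u: weak_hash(p)[:16] for u, p in users.items()})     # identical
    print("salted:", {u: hash_password(p)[:48] for u, p in users.items()})  # differ
    record = hash_password(users["alice"])
    print("verify:", verify_password("Password1", record), verify_password("Password2", record))
```

Identical digests in a weak table are also a useful audit signal: a dump of a correctly salted store shows no repeated records even when users share a password.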