
OWASP Top 10: Broken Authentication

Cyber Security Mastery: From Zero to Hero

A07:2021 - Identification and Authentication Failures

Identification and authentication failures (listed as A2:2017 Broken Authentication in the previous edition) occur when an application fails to correctly confirm a user's identity, authenticate the user, or manage the resulting session, allowing an attacker to take over accounts or act as another user.

Key Authentication Vulnerabilities

  1. Weak Password Management: accepting short or common passwords (including ones that appear in breach lists), or storing them with a fast, unsalted hash such as MD5, so that an attacker who obtains the database can test billions of candidates per second and crack identical passwords in one go.
  2. Exposed Session IDs: issuing session cookies without the Secure flag (the browser will send them over plain HTTP, where they can be sniffed on the network) or without the HttpOnly flag (injected script can read them, so an XSS bug becomes session theft). Predictable or never-expiring session IDs have the same effect.
  3. Brute Force Vulnerability: no rate limiting, lockout, or MFA on the login form, so dictionary and credential-stuffing attacks can run at full speed until a password matches.
  4. Improper Credential Recovery: flaws in 'Forgot Password' flows, such as emailing the existing password in cleartext (which also proves it was stored reversibly), issuing guessable reset tokens, or relying on knowledge-based questions an attacker can look up.

Defense: require MFA, reject passwords found in breach lists, store passwords with a slow, salted, adaptive hash (bcrypt, scrypt, or Argon2id), throttle or lock out repeated failed logins, and issue random, short-lived session tokens that are rotated after login and only ever sent with the Secure and HttpOnly flags.