Broken Authentication

Broken Authentication occurs when applications or APIs incorrectly implement authentication mechanisms, allowing adversaries to compromise credentials, bypass authentication controls, or impersonate other users. Common causes include weak password storage, predictable session tokens, missing multi-factor authentication, and flaws in token or session lifecycle management. Exploitation can lead to full account takeover and lateral movement within systems.

Remediation

  • Use secure, industry-standard authentication protocols (e.g., OAuth 2.0, OpenID Connect) with strict server-side validation of tokens.
  • Enforce secure credential handling: store passwords using strong adaptive hashing algorithms (e.g., bcrypt, Argon2) with unique per-user salts.
  • Implement short-lived, signed access tokens (e.g., JWT with audience/issuer claims) with secure refresh workflows; revoke tokens immediately upon logout, password reset, or compromise.
  • Apply rate limiting, exponential backoff, and account lockout policies for repeated failed login attempts.
  • Require multi-factor authentication (MFA) for sensitive operations and administrative access.
  • Protect session identifiers using the `HttpOnly`, `Secure`, and `SameSite` cookie attributes.
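The following is an added, stand-alone illustration of several of the remediation points above; it is not SecDim's code, and every function name in it is hypothetical. It uses the standard library's `hashlib.scrypt` as a stand-in for the bcrypt/Argon2 KDFs named above, a minimal HMAC-SHA256 token with `iss`/`aud`/`exp`/`jti` claims as a stand-in for a JWT, a per-account exponential-backoff throttle that escalates to a lockout, and a `Set-Cookie` value carrying the `HttpOnly`, `Secure` and `SameSite` attributes. The lockout and TTL values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# scrypt cost parameters (constructed for this example; tune to your hardware)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=2**26)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, salt=None):
    """Store 'scrypt$<salt>$<digest>': unique random salt, adaptive cost."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + _b64url_encode(salt) + "$" + _b64url_encode(digest)


def verify_password(password, stored):
    """Recompute the KDF with the stored salt; compare in constant time."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode(), salt=_b64url_decode(salt_b64), **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, _b64url_decode(digest_b64))


def issue_token(key, subject, issuer, audience, ttl_seconds, now):
    """Short-lived signed token; 'jti' is unique so the token can be revoked."""
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(16)}
    body = _b64url_encode(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url_encode(signature)


def validate_token(key, token, issuer, audience, revoked_jtis, now):
    """Return claims only if signature, iss, aud, exp and revocation all pass."""
    try:
        body, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError:          # malformed token or bad base64
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None             # forged or tampered: never trust unsigned claims
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None             # minted by another issuer or for another service
    if now >= claims.get("exp", 0) or claims.get("jti") in revoked_jtis:
        return None             # expired, or revoked at logout / password reset
    return claims


class LoginThrottle:
    """Per-account exponential backoff that escalates to a lockout window."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout=900):
        self.max_failures, self.base_delay, self.lockout = max_failures, base_delay, lockout
        self._state = {}        # username -> (failure_count, next_allowed_at)

    def allowed(self, username, now):
        _, next_allowed = self._state.get(username, (0, 0.0))
        return now >= next_allowed

    def record_failure(self, username, now):
        """Record a failed attempt; return the delay imposed before the next one."""
        count, _ = self._state.get(username, (0, 0.0))
        count += 1
        delay = self.lockout if count >= self.max_failures else self.base_delay * 2 ** (count - 1)
        self._state[username] = (count, now + delay)
        return delay

    def record_success(self, username):
        self._state.pop(username, None)


def new_session_id():
    """Unpredictable session identifier from the OS CSPRNG, never a counter."""
    return secrets.token_urlsafe(32)


def session_cookie_header(name, value, max_age=1800):
    """Set-Cookie value with the three protective attributes from the list above."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", stored))
    key = secrets.token_bytes(32)
    tok = issue_token(key, "alice", "https://auth.example", "orders-api", 300, 1000)
    print("claims:", validate_token(key, tok, "https://auth.example", "orders-api", set(), 1100))
    print(session_cookie_header("sid", new_session_id()))
```

Each check in `validate_token` maps to one failure mode on the page: a signature mismatch covers tampering, `iss`/`aud` covers a token replayed against the wrong service, `exp` covers insufficient session expiration (CWE-613), and the `jti` revocation set is what lets logout or a password reset invalidate tokens that are otherwise still valid.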

Metadata

  • Severity: critical
  • Slug: broken-authentication

CWEs

  • 613: Insufficient Session Expiration
  • 798: Use of Hard-coded Credentials
  • 287: Improper Authentication
  • 384: Session Fixation
  • 522: Insufficiently Protected Credentials

OWASP

  • API2:2023: Broken Authentication
  • A07:2021: Identification and Authentication Failures
