Skip to content

Broken Authentication

Security Implications of Broken Authentication in Digital Systems

Stop Broken Authentication with our tools

WHAT IS BROKEN AUTHENTICATION?

Broken authentication was #2 on the 2017 OWASP Top 10 list. In 2021 the Broken Authentication category was renamed Identification and Authentication Failures and now includes Common Weakness Enumerations (CWEs) related to identification failures. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.

Due to poor design and implementation of identity and access controls, the prevalence of broken authentication is widespread. Common risk factors include:

  • Predictable login credentials
  • User authentication credentials that are not protected when stored
  • Session IDs exposed in the URL (e.g., URL rewriting)
  • Session IDs vulnerable to session fixation attacks
  • Session value that does not time out or get invalidated after logout
  • Session IDs that are not rotated after successful login
  • Passwords, session IDs, and other credentials sent over unencrypted connections

Broken Authentication attackers have only to gain access to a couple of accounts to compromise an entire system by using tools such as automated password tools and dictionary attacks.

Learn More About Contrast Security

Contrast is the clear customers’ choice

Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.

gartner-peer-insight-2021

Built for Developers. Trusted by Security.

Infosys
ring-central-logo-1
bmw-logo-rgb
backbase-logo-2
intuit-logo
credit-suisse

Learn Secure Code

Cross Site Scripting (XSS)

CROSS SITE SCRIPTING (XSS)

Learn about Cross site scripting (XSS) and how it affects your Java source code

SQL Injection - Java-1

SQL INJECTION

Learn about SWL injection and how it affects your Java source code

Client Side Injection

CLIENT SIDE INJECTION

Learn about client-side injection and how it can affect your source code