Broken Authentication means that a web application’s login system or session management is flawed, letting attackers bypass authentication and gain unauthorized access to sensitive accounts—sometimes even administrative ones. Attackers exploit these issues through methods like stolen or weak credentials, brute-force attacks, or hijacking session identifiers. [1][2]
Problem Areas
Problem Areas
- Credential Management: Weak or default passwords, poor password storage (no hashing/salting), or flaws in password recovery make it easier for attackers to steal or guess passwords.Â
- Session Management: Vulnerabilities in how sessions are created, tracked, or terminated can lead to session hijacking—where attackers impersonate users by stealing session IDs, often through poorly protected browser cookies or unexpired sessions. [3]Â
Tips for Testers
-
Test for Common WeaknessesÂ
- Try default and weak passwords (“password”, “admin”, “123456”, etc.) and check the application’s password policies.Â
- Attempt brute-force and credential stuffing attacks (within allowed scope) to verify protections.Â
-
Check Session ManagementÂ
- Confirm that session tokens are not leaked in URLs and are changed after login.Â
- Validate session termination: users should be logged out everywhere after logging out or timing out.Â
-
Explore Forgot-Password and Recovery FlowsÂ
- Test for predictable, non-expiring, or re-usable reset tokens.Â
- Check for error messages or flow differences that might leak whether an account exists.Â
What New Security Testers Should Know
Broken authentication is one of the most impactful vulnerabilities, often leading to data breaches or account takeovers—even on major platforms.Â
Sources (Thanks to Perplexety AI for supporting the search [4]):Â
- Port Swigger (Home of BurpSuite, well know security tool)Â
- Bright SecurityÂ
- OWASP API2:2023 Broken AuthenticationÂ
- Prompt
