Broken Authentication


Broken authentication is a software vulnerability where the authentication mechanism allows an attacker to gain entry.

  • e.g., displaying cleartext credentials, using weak session tokens, or permitting brute force login requests
  • an app that fails to restrict access to protected resources
  • caused by many different vulnerabilities:
    • No requirement for strong passwords
    • Vulnerable password reset mechanisms that allow an attacker to reset user passwords
    • Unintended exposure of credentials or authorization tokens
      • often caused by:
        • hard-coding credentials within the app
        • cleartext transmission
        • weak cryptographic methods
        • or poorly protected credential storage
    • An app that is vulnerable to session hijacking
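The list above names several of these weaknesses side by side: weak session tokens, no password policy, unthrottled login attempts, and poorly protected credential storage. The following is an added example (not code from the original page) showing a small, self-contained login service that addresses each of them, with the weak session-token pattern kept next to its hardened replacement. The `AuthService` class, its in-memory user store, the policy thresholds and the sample user "alice" are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed policy values for the example; tune for a real deployment.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300


def weak_session_token(user_id: int, issued_at: int) -> str:
    """Anti-pattern: the token is a function of guessable inputs (user id and
    login time), so it is reproducible and therefore not a secret."""
    return hashlib.md5(f"{user_id}-{issued_at}".encode()).hexdigest()


def strong_session_token() -> str:
    """Hardened: 256 bits from the OS CSPRNG, unrelated to any user or time value."""
    return secrets.token_urlsafe(32)


def password_meets_policy(password: str) -> bool:
    """Minimum strength policy: length plus at least three character classes."""
    if len(password) < 12:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 instead of cleartext or unsalted storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self) -> None:
        self.users = {}     # username -> (salt, digest); constructed in-memory store
        self.failed = {}    # username -> (failure count, timestamp of first failure)
        self.sessions = {}  # session token -> username

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Returns a session token on success, None on failure or lockout."""
        now = time.time() if now is None else now
        count, since = self.failed.get(username, (0, now))
        if count >= MAX_FAILED_ATTEMPTS:
            if now - since < LOCKOUT_SECONDS:
                return None  # brute-force throttle: still inside the lockout window
            count, since = 0, now  # window expired: start counting again
        record = self.users.get(username)
        # Hash even for unknown users so a missing account is not revealed by timing.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failed.pop(username, None)
            token = strong_session_token()
            self.sessions[token] = username
            return token
        self.failed[username] = (count + 1, since)
        return None


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "Tr0ub4dor&3xyz")
    print("login ok:", svc.login("alice", "Tr0ub4dor&3xyz") is not None)
    print("weak token reproducible:",
          weak_session_token(7, 1000) == weak_session_token(7, 1000))
```

The weak token is only there for contrast: two calls with the same inputs return the same value, which is exactly why a token must come from a CSPRNG rather than from anything derived from the user or the clock. The lockout counter is per account and in memory, so in a multi-process deployment it would need a shared store to be effective.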