🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Broken Authentication

Broken Authentication occurs when applications or APIs incorrectly implement authentication mechanisms, allowing adversaries to compromise credentials, bypass authentication controls, or impersonate other users. Common causes include weak password storage, predictable session tokens, missing multi-factor authentication, and flaws in token or session lifecycle management. Exploitation can lead to full account takeover and lateral movement within systems.

Remediation

  • Use secure, industry-standard authentication protocols (e.g., OAuth 2.0, OpenID Connect) with strict server-side validation of tokens.
  • Enforce secure credential handling: store passwords using strong adaptive hashing algorithms (e.g., bcrypt, Argon2) with unique per-user salts.
  • Implement short-lived, signed access tokens (e.g., JWT with audience/issuer claims) with secure refresh workflows; revoke tokens immediately upon logout, password reset, or compromise.
  • Apply rate limiting, exponential backoff, and account lockout policies for repeated failed login attempts.
  • Require multi-factor authentication (MFA) for sensitive operations and administrative access.
  • Protect session identifiers using the HttpOnly, Secure, and SameSite cookie attributes.

Metadata

  • Severity: critical
  • Slug: broken-authentication

CWEs

  • 613: Insufficient Session Expiration
  • 798: Use of Hard-coded Credentials
  • 287: Improper Authentication
  • 384: Session Fixation
  • 522: Insufficiently Protected Credentials

OWASP

  • API2:2023: Broken Authentication
  • A07:2021: Identification and Authentication Failures

Available Labs

Open Openapi labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.