#3 Broken Authentication — Security Basics

Authentication is the process of confirming the identity of a user: verifying that they really are who they claim to be. Web applications are, by design, exposed to anyone connected to the internet, so a strong authentication mechanism is an indispensable part of effective web application security.

Any security flaw that results from errors in the implementation of the authentication mechanism or of session management falls under broken authentication. Put simply, a broken authentication attack lets the attacker gain access to, or bypass, the user authentication system of a web application.

Authentication vs Authorization

Authentication is the process of verifying that a user really is who they claim to be, whereas authorization is the process of verifying whether that (already authenticated) user is allowed to perform a particular action.

Types of Attacks to Exploit Authentication flaws

  • Man in the Middle Attacks — Let an attacker read data in transit and pose as the sole owner of the account. The attack is carried out by intercepting the victim's network connection. Even encrypted traffic is not safe from this: if the attacker can trick the victim into installing a malicious certificate, the attacker can terminate the TLS connection themselves and decrypt the data.
  • Credential Stuffing — Large numbers of username/password pairs from earlier breaches are automatically injected into the login form by bots until one of them matches an existing account, which the attacker can then hijack for their own purposes.
  • Password Spraying — The attacker gets around basic countermeasures such as account lockout by "spraying" a single common password across many accounts before moving on to the next password, so no single account accumulates enough failures to be locked.
  • Broad-based Phishing campaigns — Phishing is used to capture the credentials of a few key accounts, particularly admin accounts, whose compromise can compromise the entire application.

The Root Causes of Broken Authentication

  1. Passwords may be stored without a proper password hash, or transmitted without encryption.
  2. The session ID may be placed in the URL, where it leaks to other sites through the Referer header.
  3. Session timeouts may not be implemented properly, or sessions may be carried over plain HTTP (no TLS), so session hijacking is possible.
  4. Session IDs may be predictable, so guessing a valid one is trivial.
  5. Session fixation may be possible.
  6. APIs that are considered "internal" may be left unprotected.
  7. The login may be susceptible to brute-force attacks and credential stuffing.
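As an added example (not code from the original post), the following Python sketch puts causes 1, 3, 4 and 5 side by side with their fixes: a constructed WeakSessionStore that keeps plaintext passwords, mints sequential session IDs, keeps whatever session ID the client presented, and never expires a session; and a HardenedSessionStore that hashes passwords with PBKDF2-HMAC-SHA256, draws session IDs from the OS CSPRNG, replaces the presented ID on login, and enforces an idle timeout. The class and function names, the 15-minute timeout and the cookie attribute string are assumptions for illustration; the clock is injectable so that expiry can be exercised without waiting.

```python
"""Root causes 1, 3, 4 and 5 side by side with their fixes.
Added example; not code from the original post."""
import hashlib
import hmac
import os
import secrets
import time


class WeakSessionStore:
    """Constructed 'before' code. Each shortcut maps to a root cause listed above."""

    def __init__(self):
        self.users = {}        # username -> plaintext password      (cause 1)
        self.sessions = {}     # session_id -> username
        self._counter = 1000

    def register(self, username, password):
        self.users[username] = password

    def login(self, username, password, session_id=None):
        if self.users.get(username) != password:
            return None
        if session_id is None:
            self._counter += 1                 # cause 4: sequential, guessable IDs
            session_id = str(self._counter)
        self.sessions[session_id] = username   # cause 5: a pre-set ID survives login (fixation)
        return session_id                      # cause 3: the session never expires


class HardenedSessionStore:
    """Hashed credentials, CSPRNG session IDs, ID rotation on login, idle timeout."""

    IDLE_TIMEOUT = 15 * 60          # seconds; assumed value for the example
    PBKDF2_ITERATIONS = 600_000     # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
    _DUMMY = (b"\x00" * 16, b"\x00" * 32)

    def __init__(self, now=time.time):
        self.users = {}        # username -> (salt, pbkdf2 hash)
        self.sessions = {}     # session_id -> (username, last_seen)
        self.now = now         # injectable clock so expiry can be tested

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, presented_session_id=None):
        # Hash against a dummy record for unknown users so the response time
        # does not reveal which usernames exist.
        salt, stored = self.users.get(username, self._DUMMY)
        ok = hmac.compare_digest(self._hash(password, salt), stored) and username in self.users
        if not ok:
            return None
        # Fixation defence: whatever ID the client presented is discarded and a fresh one minted.
        self.sessions.pop(presented_session_id, None)
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self.sessions[session_id] = (username, self.now())
        return session_id

    def user_for(self, session_id):
        """Resolve a session ID, enforcing the idle timeout and refreshing last_seen on use."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        username, last_seen = entry
        if self.now() - last_seen > self.IDLE_TIMEOUT:
            del self.sessions[session_id]
            return None
        self.sessions[session_id] = (username, self.now())
        return username


def session_cookie(session_id):
    """Set-Cookie value: Secure keeps the ID off plain HTTP (cause 3), HttpOnly keeps it
    away from page scripts, SameSite limits cross-site reuse."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The weak store accepts a session ID the client brought along (an attacker can plant one in the victim's browser, wait for the victim to log in, and then use it); the hardened store always discards it. The dummy-record comparison in the hardened login is what keeps the timing of "unknown user" and "wrong password" responses alike.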

Broken Authentication, After-effects

The main targets of broken authentication are session tokens, user credentials, keys, and any other artefact that establishes the identity of a user of the system. Flaws in session management and in the authentication mechanism let an attacker target a specific account or a group of account holders, and the resulting access can be used to harm the victim in many ways:

  • Data breaches
  • Administrative access
  • Sensitive Data exposure
  • Expose numerous user accounts
  • Identity theft

The attacker can also impersonate the victim to damage their personal relationships, or sell the compromised credentials to other parties.

Protecting against Broken Authentication

  • Error Responses — When an authentication request fails, the error response should not state the specific reason for the failure ("Invalid password"). It should be generic: "Invalid username and/or password."
  • Protection Against Brute-Force Attacks — Limit the number of invalid login attempts (for example, disable the account for a specific period after too many failures), which discourages the attacker.
  • Multifactor Authentication — Makes it considerably harder for an attacker to gain access, even with a correct password.
  • Password Length — Enforce a minimum password length of at least eight characters (longer is better), which makes brute-force attacks harder.
  • Password Complexity — Require alphanumeric passwords, which increases their complexity.
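To make these countermeasures concrete, the following Python login guard (an added example, not the author's code) returns the same generic message for an unknown user, a wrong password and a locked account, keeps a sliding-window count of failures per account and per source IP, and checks the minimum-length and alphanumeric rules above. The credential check itself is passed in as a verify(username, password) callable, assumed to compare against properly hashed passwords; the class name, the 5-per-account and 20-per-IP limits and the 15-minute window are assumptions for illustration. The per-IP budget is what catches the password-spraying pattern from the attack list earlier on the page, which per-account lockout alone never sees.

```python
"""Login front door implementing the countermeasures above: one generic error
message, sliding-window failure limits per account and per source IP, and the
password length/complexity rules. Added example, not code from the original post."""
import time
from collections import defaultdict, deque

GENERIC_ERROR = "Invalid username and/or password."   # identical text for every failure
MIN_PASSWORD_LENGTH = 8


def password_policy_error(password):
    """Return a reason string if the password fails the policy the post describes, else None."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        return "password must contain both letters and digits"
    return None


class LoginGuard:
    """Wraps a credential check, verify(username, password) -> bool, with attempt limits.
    verify is assumed to compare against hashed credentials (see the session example above)."""

    def __init__(self, verify, now=time.time, max_per_account=5, max_per_ip=20,
                 window_seconds=15 * 60):
        self.verify = verify
        self.now = now                          # injectable clock for testing
        self.max_per_account = max_per_account  # assumed limits for the example
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self._account_failures = defaultdict(deque)   # username  -> failure timestamps
        self._ip_failures = defaultdict(deque)        # source ip -> failure timestamps

    def _recent(self, timestamps):
        """Drop timestamps older than the window and return how many remain."""
        cutoff = self.now() - self.window
        while timestamps and timestamps[0] < cutoff:
            timestamps.popleft()
        return len(timestamps)

    def account_locked(self, username):
        return self._recent(self._account_failures[username]) >= self.max_per_account

    def ip_locked(self, source_ip):
        return self._recent(self._ip_failures[source_ip]) >= self.max_per_ip

    def login(self, username, password, source_ip):
        """Return (success, message). The message never says which check failed."""
        if self.account_locked(username) or self.ip_locked(source_ip):
            # A distinct "account locked" message would confirm that the username
            # exists, so the lockout path returns the same generic text and does
            # not even run the credential check.
            return False, GENERIC_ERROR
        if not self.verify(username, password):
            stamp = self.now()
            self._account_failures[username].append(stamp)
            self._ip_failures[source_ip].append(stamp)
            return False, GENERIC_ERROR
        self._account_failures[username].clear()   # a good login resets the account counter only
        return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: one password sprayed at 25 accounts from one IP.
    guard = LoginGuard(verify=lambda u, p: (u, p) == ("alice", "correct-horse-battery1"))
    for i in range(25):
        guard.login(f"user{i}", "Winter2024!", "203.0.113.7")
    print("spraying IP locked:", guard.ip_locked("203.0.113.7"))
    print("alice from that IP:", guard.login("alice", "correct-horse-battery1", "203.0.113.7"))
    print("alice from elsewhere:", guard.login("alice", "correct-horse-battery1", "198.51.100.2"))
```

Note the trade-off in the lockout rule: anyone who knows a username can lock its owner out by sending a handful of bad passwords, which is why the window slides and resets on its own rather than disabling the account outright, and why multifactor authentication remains the stronger control. Current guidance (NIST SP 800-63B) also favours length and screening against breached-password lists over composition rules, so the alphanumeric check above is the post's rule, not the ceiling.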


A broken authentication vulnerability is a critical issue when it is present in a web application, since such loopholes can expose the organization to a large attack in the form of data breaches. It is generally easy for motivated attackers to slip through, because even companies with enormous security budgets often neglect these basic defects. It is like barring every window in your house while leaving the front door wide open. The clearest way to avoid this flaw is to use the authentication and session management of a well-tested framework rather than writing your own, since the framework is far more likely to implement them correctly.

If you have any doubts, feel free to ping me: Fazal (Fazalur Rahman)

Hacker | Google VRP researcher | Fullstack developer
