
A07 Identification and Authentication Failures - OWASP Top 10:2021

Identification and authentication failures pose risks such as credential stuffing, weak passwords, and session fixation. Learn prevention techniques.

Overview

Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures. Notable CWEs included are CWE-297: Improper Validation of Certificate with Host Mismatch, CWE-287: Improper Authentication, and CWE-384: Session Fixation.


Description


How to Prevent?

To prevent identification and authentication failures, it is recommended to implement multi-factor authentication, avoid using default credentials, implement password strength checks, align password policies with industry standards, secure registration and credential recovery processes, limit failed login attempts, and use a secure session management mechanism.


Example Attack Scenarios:

  • Scenario #1: Credential Stuffing: An attacker uses a list of known passwords to test whether the credentials are valid against an application that has no automated-threat or credential-stuffing protection.

  • Scenario #2: Weak Password Usage: Authentication attacks often succeed because weak passwords remain in use. Organizations are recommended to implement stronger authentication mechanisms, such as multi-factor authentication, and to discourage weak password practices.

  • Scenario #3: Incorrect Session Timeout: If an application's session timeouts are not set correctly, an attacker who later uses a public computer on which an authenticated user left a session open can gain unauthorized access to that user's account.
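The following is an added illustration, not code from the original page or from OWASP, of three of the controls listed under "How to Prevent?" that address Scenarios #1 and #3: a failed-login lockout, a fresh session identifier issued only after authentication (the CWE-384 defence), and an idle-session timeout. The `AuthService` class, its in-memory stores and the threshold values are assumptions chosen for the example; a real deployment would keep this state in a database or session store.

```python
import hashlib, hmac, os, secrets, time
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks
LOCKOUT_SECONDS = 900        # how long the lock lasts
SESSION_IDLE_TIMEOUT = 600   # idle seconds after which a session expires

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so timeouts can be tested
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> (failed count, locked-until timestamp)
        self.sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, presented_session_id=None):
        count, lock_until = self.failures.get(username, (0, 0))
        if self.now() < lock_until:
            return None                      # locked: reject without checking
        if lock_until:
            count = 0                        # earlier lock expired; count afresh
        salt, digest = self.users.get(username, (b"", b""))
        # Hash even for unknown users so timing does not reveal valid usernames
        _, candidate = hash_password(password, salt or b"\x00" * 16)
        if not hmac.compare_digest(candidate, digest):
            count += 1
            lock_until = self.now() + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0
            self.failures[username] = (count, lock_until)
            return None
        self.failures.pop(username, None)
        # Session fixation defence: drop any id the client arrived with, issue a new one
        self.sessions.pop(presented_session_id, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "last_seen": self.now()}
        return sid

    def current_user(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[sid]           # idle timeout: expire the session
            return None
        s["last_seen"] = self.now()
        return s["user"]
```

Because the lock is enforced before the password is checked, a correct password does not unlock the account early; and because the session id is regenerated after login, an id planted in the browser beforehand never becomes an authenticated session.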
