Broken Authentication
Broken authentication covers flaws in the way an application verifies who a user is — weak passwords, predictable tokens, missing rate limits, credential leakage.
Definition
Broken authentication is the OWASP-cataloged family of flaws in how an application identifies users. The bug class spans many concrete failures: weak password policies, predictable session tokens, missing rate-limiting on login attempts, credentials in URLs that leak through `Referer`, missing logout invalidation, missing multi-factor enforcement, OAuth flows with broken state-parameter handling.
The pattern that recurs is "trust without verification". The application takes some token, decodes it, and acts on the decoded contents without confirming integrity, freshness, or audience. JWT-without-signature-check, session-without-rotation-after-privilege-change, and "remember me" cookies with absent expiry all sit in this family.
How it works
The mechanics are class-specific. Examples include: a JWT verifier that reads the algorithm from the token header, accepts `alg: none`, and trusts the unsigned token; a login endpoint with no per-IP rate limit that lets credential stuffing run unimpeded; a session that is not rotated on privilege change, so an attacker who obtained the session cookie before login still holds an authenticated session afterwards; an OAuth flow where the `state` parameter is not bound to the user's browser session, enabling CSRF on the token-exchange step.
Impact
Account takeover, persistent unauthorised access, lateral movement once an attacker holds valid credentials.
Mitigation
Argon2id (or bcrypt at sufficient cost) for password storage. Per-IP and per-account rate limits on login. WebAuthn or TOTP-based MFA. Rotate session ids on every privilege change. Reject `alg: none` JWTs and pin verification to the expected algorithm. Force re-authentication for high-risk actions (password change, MFA enrolment).
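The `alg: none` failure described under "How it works" and the pinned-algorithm fix above, shown as an added example (not code from the original page or from any real JWT library): a minimal HS256 verifier that trusts the header's `alg` next to a hardened one that pins the algorithm and also checks the `exp` and `aud` claims. The key and claims are constructed test values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token; alg='none' produces an unsigned token, used only to exercise the verifiers."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Defect: the algorithm is taken from the attacker-controlled header, so 'none' skips the check."""
    h, b, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(b))  # unsigned token accepted as-is
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return json.loads(_b64url_decode(b)) if hmac.compare_digest(expected, _b64url_decode(s)) else None


def verify_hardened(token: str, key: bytes, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Pin the algorithm, require a valid signature, then check freshness (exp) and audience (aud)."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # rejects 'none' and any algorithm we did not issue
            return None
        expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # malformed base64, bad JSON, wrong segment count
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```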
Examples
- CVE-2015-9235 — JWT library accepting alg=none.