Broken Authentication
Also known as: Identification and authentication failures, Authentication bypass
Definition
A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts.
Examples
- An app that carries session IDs in the URL and never rotates them after login, so an ID that leaks (or was planted before login) stays valid for the authenticated session.
- A password reset that uses a 4-digit numeric token sent by email, leaving only 10,000 possible values for an attacker to guess.
Related terms
Broken Access Control
A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.
Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
Session Fixation
Session Fixation — definition coming soon.
Multi-Factor Authentication (MFA)
An authentication method that requires two or more independent factors — typically from different categories — before granting access.
OWASP Top 10
OWASP Top 10 — definition coming soon.