OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it t...

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a...

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

The product does not validate, or incorrectly validates, a certificate.

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute fo...

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is ...

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

The product implements an authentication technique, but it skips a step that weakens the technique.

The product does not properly verify that the source of data or communication is valid.

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal au...

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Weaknesses in this category are related to the management of credentials.

Weaknesses in this category are related to a software system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed atte...

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.