OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021.

Weaknesses

Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it ...

Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a...

Improper Authentication

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate.

Improper Restriction of Excessive Authentication Attempts

The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brut...

Improper Validation of Certificate with Host Mismatch

The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

Improper Verification of Source of a Communication Channel

The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is...

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Missing Critical Step in Authentication

The software implements an authentication technique, but it skips a step that weakens the technique.

Origin Validation Error

The software does not properly verify that the source of data or communication is valid.

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal au...

Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exte...

Use of Hard-coded Password

The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Weak Password Recovery Mechanism for Forgotten Password

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Categories

Credentials Management Errors

Weaknesses in this category are related to the management of credentials.

Lockout Mechanism Errors

Weaknesses in this category are related to a software system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed atte...

Concepts

Weaknesses in OWASP Top Ten (2021)

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.

See Also

  1. A07:2021 – Identification and Authentication Failures
  2. OWASP Top 10:2021

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.