Broken Authentication

Technical Description

Broken Authentication refers to a broad class of vulnerabilities in an application’s identity verification mechanisms. When authentication is improperly implemented, attackers can compromise passwords, session tokens, or exploit implementation flaws to assume the identity of other users, temporarily or permanently.

The vulnerability class encompasses multiple failure modes:

• Credential Stuffing / Brute Force: The application permits automated attacks against login endpoints. Without rate limiting, account lockout, or CAPTCHA, attackers can test stolen credential databases (from previous breaches) or brute-force weak passwords at scale.
• Weak Session Management: Session tokens that are predictable, insufficiently long, not invalidated on logout, or transmitted over unencrypted channels. Session fixation attacks where the attacker sets a known session ID before the victim authenticates.
• Password Reset Flaws: Predictable reset tokens, lack of token expiration, user enumeration through differential responses (e.g., “email not found” vs. “reset link sent”), or reset flows that do not invalidate previous tokens.
• Multi-Factor Authentication Bypass: MFA implementations that can be bypassed through response manipulation, race conditions, backup code brute-forcing, or by directly accessing post-authentication endpoints without completing the MFA challenge.
• JWT Vulnerabilities: Accepting "alg": "none", using weak HMAC secrets, confusing symmetric and asymmetric algorithms (algorithm confusion attack), or failing to validate token expiration and audience claims.

# Vulnerable - no rate limiting, no account lockout
@app.route('/login', methods=['POST'])
def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and user.check_password(request.form['password']):
        session['user_id'] = user.id
        return redirect('/dashboard')
    return "Invalid credentials", 401

// Vulnerable JWT verification - accepts 'none' algorithm
const decoded = jwt.verify(token, secret, { algorithms: ['HS256', 'none'] });

Real-World Impact

Broken authentication is consistently one of the most exploited vulnerability classes:

• Uber (2016): Attackers accessed a private GitHub repository containing AWS credentials, which they used to exfiltrate data on 57 million riders and drivers. The breach was enabled by weak credential management and lack of MFA on developer accounts.
• Zoom (2020): Credential stuffing attacks using credentials from previous breaches compromised over 500,000 Zoom accounts. The lack of rate limiting and MFA enforcement made the attack trivial.
• Marriott/Starwood (2018): Compromised credentials provided attackers with access to the reservation system for four years, exposing 500 million guest records.

Authentication failures enable every subsequent attack: data theft, privilege escalation, lateral movement, and persistent access. They are the gateway vulnerability that unlocks an entire organization’s assets.

Detection Methodology

Testing authentication requires systematic examination of every identity-related flow:

1. Credential Policy Testing: Evaluate password complexity requirements, test for common password acceptance, verify that breached password databases (like HaveIBeenPwned) are checked during registration and password changes.
2. Brute Force Assessment: Attempt rapid login requests against the same account to verify rate limiting and lockout mechanisms. Test credential stuffing against multiple accounts simultaneously.
3. Session Analysis: Examine session token entropy, cookie attributes (HttpOnly, Secure, SameSite), session invalidation on logout and password change, and concurrent session handling.
4. Password Reset Testing: Map the complete reset flow. Test token predictability, expiration, reuse, and whether resetting a password invalidates all existing sessions.
5. MFA Bypass Testing: Attempt to skip MFA steps by navigating directly to post-authentication URLs. Test for rate limiting on OTP submission. Check if MFA can be disabled without re-authentication.
6. JWT Analysis: Decode JWTs to examine claims. Test algorithm confusion, none algorithm acceptance, secret key brute-forcing (for HMAC), and token expiration enforcement.

How Revaizor Discovers This

Revaizor’s AI agents test authentication with the thoroughness of an experienced red teamer:

• Full Authentication Flow Mapping: Revaizor maps every authentication-related endpoint: login, registration, password reset, MFA enrollment, session management, OAuth flows, and API key generation. This comprehensive surface mapping ensures no authentication pathway is untested.
• Intelligent Brute Force: Revaizor tests rate limiting and lockout thresholds with precision, determining the exact number of attempts before protection activates and whether bypass techniques (IP rotation, parameter manipulation, rate limit header abuse) can circumvent protections.
• Session Security Analysis: Revaizor’s agents evaluate session token randomness, analyze cookie security attributes, verify session invalidation across all relevant events (logout, password change, privilege change), and test for session fixation.
• Multi-Factor Bypass Testing: Revaizor systematically tests every known MFA bypass technique: step skipping, response manipulation, race conditions, code reuse, and backup code brute-forcing.
• JWT Deep Analysis: Revaizor decodes and analyzes JWT tokens, tests algorithm confusion attacks, attempts none algorithm bypass, and brute-forces weak HMAC secrets using common key dictionaries.

Remediation

Robust authentication requires defense in depth across every identity-related flow:

# Secure login with rate limiting and account lockout
from flask_limiter import Limiter

limiter = Limiter(app, key_func=get_remote_address)

@app.route('/login', methods=['POST'])
@limiter.limit("5 per minute")  # Rate limiting
def login():
    user = User.query.filter_by(username=request.form['username']).first()

    if user and user.is_locked():
        return "Account locked. Please try again later.", 429

    if user and user.check_password(request.form['password']):
        user.reset_failed_attempts()
        session.regenerate()  # Prevent session fixation
        session['user_id'] = user.id
        return redirect('/dashboard')

    if user:
        user.increment_failed_attempts()  # Track failures
    # Generic message prevents user enumeration
    return "Invalid credentials", 401

Comprehensive authentication hardening:

• Multi-Factor Authentication: Enforce MFA for all users, especially administrative accounts. Use TOTP or WebAuthn/FIDO2 rather than SMS-based OTP.
• Password Policy: Require minimum 12-character passwords. Check against breached password databases. Do not require arbitrary complexity rules (uppercase, special chars) that lead to predictable patterns.
• Session Security: Generate cryptographically random session tokens with at least 128 bits of entropy. Set HttpOnly, Secure, and SameSite=Strict on session cookies. Implement absolute and idle session timeouts.
• JWT Best Practices: Explicitly specify the allowed algorithm in verification. Use asymmetric algorithms (RS256, ES256) for distributed systems. Set short expiration times and implement token rotation.
• Monitoring: Alert on anomalous authentication patterns: credential stuffing (many failed logins across different accounts from the same source), brute force (many failed attempts against one account), and impossible travel (logins from geographically distant locations within short timeframes).